One of the teams I support ran into an issue and spent a lot of time investigating code and possible configuration problems. What they later suspected to be a policy issue, possibly a firewall or a network problem, turned out to be something entirely different.

Let's start with the symptoms:

  • Service requests to a secured (HTTPS) site stopped functioning, and there were no known changes on the client (server) end. All attempts to connect to this site using Internet Explorer failed. However, connections could be made to the site from other systems on the same network.
  • Windows updates did not resolve the issue
  • There was no proxy server or network firewall in the path from the client to the destination server hosting the services
  • Note: Port 80 (HTTP) web requests, and even requests to alternate ports serving plain HTTP, all worked


Differential testing:

  • Attempted to access other well-known, popular SSL-enabled sites and encountered the same issue
  • Attempted to connect to some SSL-enabled sites I had in a lab environment and they worked — OK, good… SSL is working from this host.
  • But why? I did some checking on the SSL certificates, using some of the steps from one of my older posts: http://jermsmit.com/tech-short-lets-test-for-poodle-or-sslv3/

Example of the command used: openssl s_client -connect google.com:443

Discovery: I noticed that the negotiated cipher suites were different between the sites that worked over SSL and those that did not.

  • The sites that worked negotiated SSL sessions with the cipher: AES128-SHA
  • The sites that no longer worked negotiated SSL sessions with ciphers such as ECDHE-RSA-AES128-GCM-SHA256 or AES256-GCM-SHA384

It seems that all SSL sites using cipher suites based on SHA-2 (SHA-256 or higher) were no longer supported from this host.
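To repeat the differential test above without reading s_client output by eye, here is an added helper script (not part of the original post) that pulls the negotiated cipher out of openssl s_client output and flags the SHA-2 suites the old host could not handle. The two session dumps embedded below are constructed samples, trimmed to the lines s_client prints after the handshake.

```shell
#!/bin/sh
# Constructed sample: a site that still worked from the affected host.
WORKING_SITE_OUTPUT='New, TLSv1/SSLv3, Cipher is AES128-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA'

# Constructed sample: a site that stopped working from the affected host.
BROKEN_SITE_OUTPUT='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

# Print the negotiated cipher suite name from s_client output read on stdin.
# Live use: openssl s_client -connect host:443 </dev/null 2>/dev/null | negotiated_cipher
negotiated_cipher() {
    sed -n 's/^ *Cipher *: *//p' | head -n 1
}

# Return 0 when the suite's hash component is SHA-2 (SHA256/SHA384/SHA512),
# 1 for the older SHA-1 suites. OpenSSL suite names end with the hash name;
# a bare "-SHA" suffix means SHA-1.
uses_sha2() {
    case "$1" in
        *SHA256|*SHA384|*SHA512) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify one captured s_client session passed as a string.
classify_session() {
    cipher=$(printf '%s\n' "$1" | negotiated_cipher)
    if uses_sha2 "$cipher"; then
        printf '%s: SHA-2 suite, needs the SHA-2 hotfix (KB968730) on this OS\n' "$cipher"
    else
        printf '%s: SHA-1 suite, works without the hotfix\n' "$cipher"
    fi
}

classify_session "$WORKING_SITE_OUTPUT"
classify_session "$BROKEN_SITE_OUTPUT"
```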


Resolution: I started searching for a possible hotfix for this issue and found it.

The following KB article details this issue and provides the hotfix download that lifts this limitation on the older OS: https://support.microsoft.com/en-us/kb/968730

Note: Make sure to download the correct platform version of the hotfix.