Server 2019 no "Server Hello" when using TLS_RSA_WITH_AES_ ciphers (TLS1.2) schannel 36874


Hi

Hoping someone might have come across something similar, as the support forum entries are filled with irrelevant responses and tumbleweed.

A recently migrated CA cluster is not sending any TLS conversation completion when the client uses a cipher from the TLS_RSA_WITH_AES_* type (so TLS_RSA_WITH_AES_128_CBC_SHA256 or similar). This also seems to be negatively impacting RPC certificate enrolment from Windows 7 systems.

Using Nartac tools and manually (double, triple, quadruple) checking the registry settings myself, I can see that the ciphers are present in the list of supported/available ciphers. I can see that TLS 1.2 is working. As soon as a client offers TLS_ECDH_* the server responds like an enthusiastic puppy. Using TLS_RSA_WITH_AES_ it ignores the traffic (no Server Hello or attempt to negotiate) and logs Schannel errors 36874 in the server event log.

I have verified this using Wireshark on client and server.

Whilst these are hosted in Azure there shouldn't be any network layer kit interfering with the connection. There is a standard load balancer which single routes all traffic to the active AD CS cluster node. No inspection or TLS termination should be occurring.

 

There are no GPOs controlling anything to do with TLS or communication security (checked with gpresult and gpmc, along with repeated verification of the registry settings).

Has anyone seen anything like this before?

Yes, I have been through the enabling TLS 1.2 articles a bajillion times and know where to enable TLS 1.2 for both Schannel and .NET.

In need of more straws to clutch at.

0 Replies
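
The comparison the post makes in Wireshark (which cipher suites a client offers when the server does or does not answer) can also be done on ClientHello bytes exported from a capture. This is an added example, not part of the original post: the function names and the sample hello are constructed, the suite table is a subset of the IANA code points, and ECDHE suites are assumed to be what the post's "TLS_ECDH_*" refers to.

```python
import struct

# Subset of IANA TLS cipher suite code points (not exhaustive).
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

def offered_suites(record: bytes) -> list[str]:
    """Return the cipher suites offered in one TLS record holding a ClientHello."""
    if len(record) < 46 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[9:5 + rec_len]      # skip record (5) and handshake (4) headers
    pos = 2 + 32                      # client_version + random
    pos += 1 + body[pos]              # session_id length byte + session_id
    if len(body) < pos + 2:
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack("!H", body[pos:pos + 2])
    raw = body[pos + 2:pos + 2 + n]
    if n % 2 or len(raw) != n:
        raise ValueError("truncated or malformed cipher_suites vector")
    codes = struct.unpack(f"!{n // 2}H", raw)
    return [SUITES.get(c, f"0x{c:04X}") for c in codes]

def classify(record: bytes) -> str:
    """Label a ClientHello by key exchange: 'ecdhe-offered', 'rsa-only' or 'other'."""
    names = [s for s in offered_suites(record) if not s.endswith("_SCSV")]
    if any(s.startswith("TLS_ECDHE_") for s in names):
        return "ecdhe-offered"
    if names and all(s.startswith("TLS_RSA_WITH_") for s in names):
        return "rsa-only"
    return "other"

def build_hello(codes: list[int]) -> bytes:
    """Constructed sample: TLS 1.2 ClientHello, zero random, no extensions."""
    suites = b"".join(struct.pack("!H", c) for c in codes)
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```

Running `classify` over the ClientHello of each failed and each successful connection shows whether the unanswered handshakes are exactly the ones labelled `rsa-only`.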