Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption

Applies to: Windows 10, version 1903, all editions; Windows 10, version 1809, all editions; Windows Server 2019, all editions; Windows 10, version 1803, all editions; Windows 10, version 1709, all editions; Windows 10, version 1703, all editions; Windows 10, version 1607, all editions; Windows Server 2016, all editions; Windows 10; Windows 8.1; Windows Server 2012 R2; Windows Server 2012; Windows 7 Service Pack 1; Windows Server 2008 R2; Windows Server 2008 Service Pack 2; Windows Embedded 8 Standard; Windows Embedded Standard 7 Service Pack 1; Windows Embedded POSReady 7

Symptoms

When attempting to connect, a Transport Layer Security (TLS) handshake or resumption might fail or time out. You might also receive one or more of the following errors:

  • "The request was aborted: Could not create SSL/TLS secure Channel"

  • Error 0x8009030F (SEC_E_MESSAGE_ALTERED)

  • An error logged in the System event log for Schannel, event ID 36887, with alert code 20 and the description "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20." (alert 20 is bad_record_mac: the peer could not verify a record, which is what happens when the two sides have derived different keys)

Cause

Due to security-related enforcement for CVE-2019-1318, all updates for supported versions of Windows released on October 8, 2019 or later enforce Extended Master Secret (EMS) for resumption as defined by RFC 7627. RFC 7627 changes how the master secret is derived from the pre-master secret and requires that a session established with EMS be resumed only when both peers again negotiate the extension. Connections to third-party devices and operating systems that do not comply might fail or behave unexpectedly.
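The following PowerShell is an added example, not part of the Microsoft article, showing why an EMS mismatch ends in alert 20. Both derivations run the TLS 1.2 PRF (RFC 5246 section 5, P_SHA256) over the same pre-master secret, but RFC 5246 seeds it with "master secret" and the two randoms while RFC 7627 seeds it with "extended master secret" and the session hash. The pre-master secret, randoms and session hash below are constructed test values, not captured handshake data; the function names are this example's own.

```powershell
# Added example (not from the Microsoft article): RFC 5246 vs RFC 7627 master secret.
# Inputs are constructed; the function names are this example's own.

function Invoke-TlsPrfSha256 {
    # TLS 1.2 PRF: P_SHA256(secret, label + seed), RFC 5246 section 5.
    param([byte[]]$Secret, [string]$Label, [byte[]]$Seed, [int]$Length)
    $hmac      = [System.Security.Cryptography.HMACSHA256]::new($Secret)
    $labelSeed = [byte[]]([System.Text.Encoding]::ASCII.GetBytes($Label) + $Seed)
    $out = New-Object System.Collections.Generic.List[byte]
    $a   = $labelSeed                                   # A(0) = seed
    while ($out.Count -lt $Length) {
        $a = $hmac.ComputeHash($a)                      # A(i) = HMAC(secret, A(i-1))
        $out.AddRange([byte[]]$hmac.ComputeHash([byte[]]($a + $labelSeed)))
    }
    return ,$out.GetRange(0, $Length).ToArray()
}

function Get-MasterSecret {
    # RFC 5246 section 8.1: PRF(pre_master_secret, "master secret", client_random + server_random)[0..47]
    param([byte[]]$PreMaster, [byte[]]$ClientRandom, [byte[]]$ServerRandom)
    $seed = [byte[]]($ClientRandom + $ServerRandom)
    return ,(Invoke-TlsPrfSha256 -Secret $PreMaster -Label 'master secret' -Seed $seed -Length 48)
}

function Get-ExtendedMasterSecret {
    # RFC 7627 section 4: PRF(pre_master_secret, "extended master secret", session_hash)[0..47]
    param([byte[]]$PreMaster, [byte[]]$SessionHash)
    return ,(Invoke-TlsPrfSha256 -Secret $PreMaster -Label 'extended master secret' -Seed $SessionHash -Length 48)
}

# Constructed inputs (not real handshake data). The session hash stands in for the
# hash of all handshake messages up to and including the ClientKeyExchange.
$pms          = [byte[]](1..48)
$clientRandom = [byte[]](0..31)
$serverRandom = [byte[]](32..63)
$sessionHash  = [System.Security.Cryptography.SHA256]::Create().ComputeHash(
                    [System.Text.Encoding]::ASCII.GetBytes('ClientHello..ClientKeyExchange (constructed)'))

$legacy = [byte[]](Get-MasterSecret -PreMaster $pms -ClientRandom $clientRandom -ServerRandom $serverRandom)
$ems    = [byte[]](Get-ExtendedMasterSecret -PreMaster $pms -SessionHash $sessionHash)

'RFC 5246 master secret : ' + [BitConverter]::ToString($legacy)
'RFC 7627 master secret : ' + [BitConverter]::ToString($ems)
'Identical?             : ' + ([BitConverter]::ToString($legacy) -eq [BitConverter]::ToString($ems))

# A peer that keeps the RFC 5246 secret while Windows derives the RFC 7627 one
# expands different record keys, so the first MAC it checks fails: fatal alert 20.
```

Run it in any Windows PowerShell 5.1 or PowerShell 7 session; nothing here touches the system, it only exercises the PRF. The last line prints False, which is the whole point: same pre-master secret, different master secrets, and therefore keys that cannot interoperate.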

Next Steps

Connections between two devices running any supported version of Windows should not have this issue when both are fully updated. No further Windows update is needed for this issue; the change is required to address a security issue and for security compliance.

Any third-party operating system, device or service that does not support EMS resumption might exhibit issues with TLS connections. Contact your administrator, manufacturer or service provider for updates that fully support EMS resumption as defined by RFC 7627.

Note Microsoft does not recommend disabling EMS. EMS is enabled by default when the values below are absent. If EMS was previously explicitly disabled (value set to 1), it can be re-enabled by setting the following DWORD values under this registry key:

HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel

On a TLS server: DisableServerExtendedMasterSecret = 0
On a TLS client: DisableClientExtendedMasterSecret = 0
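As an added example that is not part of the Microsoft article, the PowerShell below audits the two Schannel values (treating an absent value as the default, EMS enabled), re-enables EMS only where it was explicitly disabled, and then pulls the Schannel 36887 events with alert code 20 from the System log for the last seven days. It assumes the alert code is the first property of the 36887 event, which is how the event text's single placeholder is populated; the function names are this example's own. Writing to HKLM requires an elevated shell.

```powershell
# Added example (not from the Microsoft article). Function names are this example's own.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'

function Get-EmsSetting {
    param([Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Role)
    $name  = "Disable${Role}ExtendedMasterSecret"
    $value = (Get-ItemProperty -Path $schannel -Name $name -ErrorAction SilentlyContinue).$name
    # Absent value = default = EMS enabled; 1 = explicitly disabled; 0 = explicitly enabled.
    [pscustomobject]@{
        Role    = $Role
        Value   = if ($null -eq $value) { '<absent>' } else { $value }
        Enabled = ($null -eq $value) -or ($value -eq 0)
    }
}

function Enable-Ems {
    # Re-enable EMS for one role by setting the value to 0, but only if it was set to 1.
    param([Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Role)
    $name    = "Disable${Role}ExtendedMasterSecret"
    $current = (Get-ItemProperty -Path $schannel -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq 1) {
        Set-ItemProperty -Path $schannel -Name $name -Value 0 -Type DWord
        Write-Host "Re-enabled EMS for $Role ($name = 0). Restart the affected service or reboot to apply."
    } else {
        Write-Host "EMS already enabled for $Role; no change made."
    }
}

function Get-SchannelAlert20Event {
    # Schannel 36887 = "A fatal alert was received from the remote endpoint ..."; keep only alert 20.
    # Assumption: the alert code is Properties[0] of the event, as the message has one placeholder.
    param([int]$Days = 7)
    $filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36887; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties.Count -gt 0 -and "$($_.Properties[0].Value)" -eq '20' } |
        Select-Object TimeCreated, MachineName, @{ n = 'AlertCode'; e = { $_.Properties[0].Value } }
}

# 1. Where do we stand?
'Client', 'Server' | ForEach-Object { Get-EmsSetting -Role $_ } | Format-Table -AutoSize

# 2. Undo an earlier explicit disable (needs elevation; comment out for a read-only audit).
'Client', 'Server' | ForEach-Object { Enable-Ems -Role $_ }

# 3. Have we actually been seeing the bad_record_mac alerts the article describes?
Get-SchannelAlert20Event -Days 7 | Format-Table -AutoSize
```

If step 1 already shows both roles enabled and step 3 still returns events, the failing peer is the one that needs fixing, not this machine; the alert tells you only that a MAC check failed on this side's records, which is consistent with the remote end using a non-EMS master secret.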

Advanced information for administrators

1. A Windows device attempting a Transport Layer Security (TLS) connection to a device that does not support Extended Master Secret (EMS) might intermittently fail approximately 1 out of 256 attempts when TLS_DHE_* cipher suites are negotiated. To mitigate this issue, implement one of the following solutions, listed in order of preference:

  • Enable support for the Extended Master Secret (EMS) extension for TLS connections on both the client and the server operating system.

  • For operating systems that do not support EMS, remove the TLS_DHE_* cipher suites from the cipher suite list in the OS of the TLS client device. For instructions on how to do this on Windows, see Prioritizing Schannel Cipher Suites.


2. Operating systems that only send certificate request messages in a full handshake following resumption are not compliant with RFC 2246 (TLS 1.0) or RFC 5246 (TLS 1.2) and will cause each connection to fail. Resumption is not guaranteed by the RFCs; it may be used at the discretion of the TLS client and server. If you encounter this issue, contact the manufacturer or service provider for updates that comply with the RFCs.

3. FTP servers or clients that are not compliant with RFC 2246 (TLS 1.0) and RFC 5246 (TLS 1.2) might fail to transfer files when a resumption (abbreviated handshake) is attempted, causing each connection to fail. If you encounter this issue, contact the manufacturer or service provider for updates that comply with the RFCs.
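For the second mitigation in item 1, the PowerShell below is an added example (not from the Microsoft article) that lists the enabled TLS_DHE_* suites on a Windows client and disables them, with a dry run first. It uses the built-in Get-TlsCipherSuite and Disable-TlsCipherSuite cmdlets, which exist on Windows 10 and Windows Server 2016 and later; on Windows 7, 8.1 and Windows Server 2012 R2 and earlier, use the policy setting described in Prioritizing Schannel Cipher Suites instead. The function names are this example's own, and the shell must be elevated.

```powershell
# Added example (not from the Microsoft article). Requires the TLS module
# (Windows 10 / Windows Server 2016 and later) and an elevated shell.

function Get-DheCipherSuite {
    # Enabled suites that use finite-field DHE key exchange (TLS_DHE_*).
    Get-TlsCipherSuite | Where-Object { $_.Name -like 'TLS_DHE_*' } | Select-Object -ExpandProperty Name
}

function Disable-DheCipherSuite {
    # Remove every TLS_DHE_* suite from this machine's list; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $dhe = @(Get-DheCipherSuite)
    if ($dhe.Count -eq 0) {
        Write-Host 'No TLS_DHE_* suites are enabled; nothing to do.'
        return
    }
    foreach ($suite in $dhe) {
        if ($PSCmdlet.ShouldProcess($suite, 'Disable-TlsCipherSuite')) {
            Disable-TlsCipherSuite -Name $suite
        }
    }
    # Sanity check: TLS_ECDHE_* suites are unaffected by this issue and should remain,
    # otherwise the client has lost forward secrecy altogether.
    $ecdhe = @(Get-TlsCipherSuite | Where-Object { $_.Name -like 'TLS_ECDHE_*' })
    if ($ecdhe.Count -eq 0) {
        Write-Warning 'No TLS_ECDHE_* suites remain enabled; review the cipher suite order before continuing.'
    }
}

Write-Host 'Currently enabled TLS_DHE_* suites:'
Get-DheCipherSuite

# Dry run: prints what would be disabled without changing anything.
Disable-DheCipherSuite -WhatIf

# Uncomment once the list looks right. New connections pick up the change;
# no reboot is needed for the cipher suite list itself.
# Disable-DheCipherSuite
```

Treat this as the fallback the article says it is: it narrows key exchange to ECDHE (and, if still enabled, RSA) for every peer, not just the one that lacks EMS, so prefer getting the remote side fixed where you can.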

Affected Updates

Any latest cumulative update (LCU) or Monthly Rollup released on October 8, 2019 or later for the affected platforms includes this enforcement, so devices that install them may experience this issue:

  • KB4517389 LCU for Windows 10, version 1903.

  • KB4519338 LCU for Windows 10, version 1809 and Windows Server 2019.

  • KB4520008 LCU for Windows 10, version 1803.

  • KB4520004 LCU for Windows 10, version 1709.

  • KB4520010 LCU for Windows 10, version 1703.

  • KB4519998 LCU for Windows 10, version 1607 and Windows Server 2016.

  • KB4520011 LCU for Windows 10, version 1507.

  • KB4520005 Monthly Rollup for Windows 8.1 and Windows Server 2012 R2.

  • KB4520007 Monthly Rollup for Windows Server 2012.

  • KB4519976 Monthly Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1.

  • KB4520002 Monthly Rollup for Windows Server 2008 SP2.

The following Security-only updates released on October 8, 2019 for the affected platforms also include this enforcement and may cause this issue:

  • KB4519990 Security-only update for Windows 8.1 and Windows Server 2012 R2.

  • KB4519985 Security-only update for Windows Server 2012 and Windows Embedded 8 Standard.

  • KB4520003 Security-only update for Windows 7 SP1 and Windows Server 2008 R2 SP1.

  • KB4520009 Security-only update for Windows Server 2008 SP2.
