The following errors are common because of this ongoing problem:
The request was aborted: Could not create SSL/TLS secure channel. Error 0x8009030f
An error logged in the System Event Log for SCHANNEL event 36887 with alert code 20 and the description, “A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.”
Which versions of Windows are affected by TLS failures?
The vulnerability gives an attacker a chance to perform a man-in-the-middle attack. The update that fixed it resulted in TLS failures and timeouts on Windows systems. Microsoft pointed out that this only happens when a device tries to make a TLS connection to a device that does not support the Extended Master Secret extension. If both devices support EMS, the problem doesn’t occur. Here is the list of Windows versions affected as of now:
List of Windows updates affected by the security update
Any latest cumulative update (LCU) or Monthly Rollup released on October 8, 2019, or later for the affected platforms may experience this issue:
Workarounds for TLS failures and timeouts in Windows
According to Microsoft, there are three ways to fix TLS failures and timeouts. Be aware that the workarounds have drawbacks, especially from the security perspective.
1] Enable EMS on both client and server
Since the issue doesn’t occur when both sides support EMS, the obvious solution is to enable it on both. EMS has been enabled by default in every release since October 8, 2019; if it is not enabled, make sure to enable support for the Extended Master Secret (EMS) extension. If you are an IT admin, make sure to fully support EMS resumption as defined in RFC 7627.
2] Remove TLS_DHE_* cipher suites
If the operating system doesn’t support EMS, then the IT admin needs to remove the TLS_DHE_* cipher suites from the cipher suite list in the OS of the TLS client device. Complete documentation for Prioritizing Schannel Cipher Suites is available. That said, this is a temporary fix, and disabling them only means you are inviting a man-in-the-middle attack.
3] Enable/Disable EMS on Windows 10/Windows Server
If you had disabled EMS on your computer because of a TLS issue, use the following registry settings on both the server and the client to enable it again.
Open Registry Editor.
Navigate to HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel
On the TLS server: DisableServerExtendedMasterSecret: 0
On the TLS client: DisableClientExtendedMasterSecret: 0
If these values are not present, you can create them. I hope these workarounds were useful to fix the TLS issue you are facing, at least temporarily. Keep an eye on updates that will roll out to fix this problem.
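The following PowerShell script is an added example, not part of the original article or Microsoft's documentation. It audits the two Schannel EMS registry values described above, optionally resets them to 0 (EMS enabled) with -Remediate, and lists any enabled TLS_DHE_* cipher suites so the trade-off of workaround 2 is visible before anything is disabled. It assumes an elevated shell on Windows 10 / Windows Server 2016 or later, where the Get-TlsCipherSuite cmdlet is available.

```powershell
# Added example: audit (and optionally restore) the Schannel EMS settings from the
# article and list enabled TLS_DHE_* cipher suites. Assumes an elevated shell on
# Windows 10 / Server 2016+ (Get-TlsCipherSuite). A reboot may be needed after changes.
param([switch]$Remediate)

$key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'
$values = 'DisableServerExtendedMasterSecret', 'DisableClientExtendedMasterSecret'

foreach ($name in $values) {
    # A missing value means the OS default applies (EMS is enabled on patched builds).
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) {
        Write-Host "$name : not present (default, EMS enabled)"
        if ($Remediate) {
            # Create the value explicitly at 0 so the setting is documented in the registry.
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 | Out-Null
            Write-Host "  created $name = 0"
        }
    } elseif ($current -ne 0) {
        # A non-zero value disables EMS on this side and brings back the TLS failures.
        Write-Warning "$name = $current (EMS DISABLED on this side)"
        if ($Remediate) {
            Set-ItemProperty -Path $key -Name $name -Value 0
            Write-Host "  set $name = 0"
        }
    } else {
        Write-Host "$name = 0 (EMS enabled)"
    }
}

# Workaround 2 removes TLS_DHE_* suites. List the ones currently enabled so an admin
# can see what would be lost; this script does not disable anything.
$dhe = Get-TlsCipherSuite | Where-Object { $_.Name -like 'TLS_DHE_*' } |
       Select-Object -ExpandProperty Name
if ($dhe) {
    Write-Host "Enabled TLS_DHE_* suites (removing them is workaround 2, with the drawbacks noted above):"
    $dhe | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "No TLS_DHE_* cipher suites are enabled."
}
```

Run it without -Remediate first to see the current state; only the two EMS registry values are ever changed, and only when -Remediate is given.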