How to force UAG2010 SP1 to attempt SSLv3 after failing TLS1.0 negotiation?

  • Question

  • Folks,

    I recently hit an issue which confirms a behaviour described here. Directly accessing the back-end server website (Oracle SSO) via IE works with no problems, from a Windows 7 client machine and from a Windows 2008/R2 server (including the one on which UAG2010 is installed).

    The issue crops up only when accessing this website published via UAG2010; the following error is produced:

     

    An unknown error occurred while processing the certificate.
    Contact the site administrator.

    Navigate back and follow another link, or type in a different URL.

     

    After spending hours looking into the UAG trace, Event logs and network traces, I found that UAG2010 simply does not attempt to use SSLv3 when TLSv1.0 fails (with a "decryption_failed" exception). The reason it works with IE is simply that IE attempts SSLv3 after TLSv1.0 fails. To confirm this, I disabled TLS 1.0 via the registry on the UAG2010 box and, voila, we can access the website via the portal.

    So, short of disabling TLS1.0, which is not ideal, does anyone out there have an idea of how to force UAG2010 to mimic the behaviour of IE?

     

    *** Some logs to illustrate my point above:

    1. When IE accesses the Oracle SSO website directly, it works fine, though the following error consistently appears in the Event log.

    Log Name:      System
    Source:        Schannel
    Date:          8/1/2011 10:43:31 AM
    Event ID:      36887
    Task Category: None
    Level:         Error
    Keywords:     
    User:          SYSTEM
    Computer:      xxxxxx
    Description:
    The following fatal alert was received: 47.

    2. When accessing the published website via UAG2010, the same Event as above appears and the error below is thrown:

    An unknown error occurred while processing the certificate.
    Contact the site administrator.

    3. Wireshark trace shows a TLSv1 Alert - Illegal parameter (47)

    4. UAG trace below:

    EventTrace
    [4]110c.1960 07/29/2011-12:34:43.328 [sslbox HandshakeServerAuthState::PerformNegotiationStep HandshakeServerAuthState.cpp@419] ERROR:Failed to initialize security context. Returned error: 0x80090326. GetLastError: 87
    [4]110c.1960 07/29/2011-12:34:43.328 [sslbox HandshakeServerAuthState::PerformNegotiationStep HandshakeServerAuthState.cpp@430] ERROR:Returned SEC_E_ILLEGAL_MESSAGE error: The message received was unexpected or badly formatted.
    [4]110c.1960 07/29/2011-12:34:43.328 [whlcspssl CCSPSSLDevice::SSLRead WhlCSPSSLDevice.cpp@2965] ERROR:SSLRead(2, 5788, internalwebsite.local:443, 0000000002D46840): m_pSSLMachine->Read() returned false
    [4]110c.1960 07/29/2011-12:34:43.328 [whlcspssl CCSPSSLDevice::WriteStateInternalRead WhlCSPSSLDevice.cpp@2299] ERROR:WriteStateInternalRead(2, 5788, internalwebsite.local:443, 0000000002D46840): SSLRead() returned CSP_SSL_FAIL
    [4]110c.1960 07/29/2011-12:34:43.328 [whlcspssl CCSPSSLDevice::AnalyzeReadOperation WhlCSPSSLDevice.cpp@1612] ERROR:AnalyzeReadOperation(2, 5788, internalwebsite.local:443, 0000000002D46840, InWriteState): WriteStateInternalRead() failed
    [4]110c.1960 07/29/2011-12:34:43.328 [whlfilter CExtECB::OnWrite WhlExt2IWS.cpp@6154] ERROR:OnWrite(internalwebsite.local:443, 0000000002D34890): received error <CSP_SSL_FAIL> details: <0>! (ExtECB=00000000051452D0), (PFC=000000000274D6C8)
    [4]110c.1960 07/29/2011-12:34:43.328 [whlfilter CExtECB::OnWrite WhlExt2IWS.cpp@6171] ERROR:OnWrite(0000000002D34890): status <512>.(ExtECB=00000000051452D0), (PFC=000000000274D6C8)
    [4]110c.1960 07/29/2011-12:34:43.328 [whlfilter CExtECB::OnRead WhlExt2IWS.cpp@5932] ERROR:OnRead(internalwebsite.local:443, 0000000002D34890): received error <CSP_SSL_FAIL> details: <0>! (ExtECB=00000000051452D0), (PFC=000000000274D6C8)
    [4]110c.1960 07/29/2011-12:34:43.328 [whlfilter CExtECB::OnRead WhlExt2IWS.cpp@5942] ERROR:OnRead(0000000002D34890): dwStatus <[!0x201!]>. (ExtECB=00000000051452D0), (PFC=000000000274D6C8)


    Monday, August 1, 2011 3:40 AM
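To make the difference between the two handshake behaviours concrete, here is an added example (not from the post, and not UAG's or IE's code): a minimal TLS record builder and parser that sends a ClientHello, reads the first record the server returns, and either accepts a ServerHello or, on a fatal alert, retries with the next-older protocol version. The backend is a constructed stub that answers a TLS 1.0 ClientHello with the fatal alert 47 (illegal_parameter) seen in the Wireshark trace and accepts SSLv3; the names `stub_backend`, `ie_style` and `uag_style` are assumptions of this example, and nothing here touches the network.

```python
"""Minimal TLS/SSL ClientHello builder and alert parser (added example).

Shows a client that retries with an older version after a fatal alert
(the behaviour the post attributes to IE) next to one that makes a
single attempt (the behaviour the post attributes to UAG 2010).
The backend is a constructed stub; no network access is needed."""
import os
import struct

CT_ALERT = 0x15          # record-layer content types (SSL 3.0 / RFC 2246)
CT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02

SSLV3 = (3, 0)
TLS10 = (3, 1)

ALERT_NAMES = {          # subset of alert descriptions relevant to the thread
    21: "decryption_failed",
    40: "handshake_failure",
    47: "illegal_parameter",
    70: "protocol_version",
}


def build_client_hello(version, cipher_suites=(0x002F, 0x000A, 0x0005)):
    """Record-layer ClientHello for (major, minor) `version`, no extensions."""
    major, minor = version
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (bytes([major, minor]) + os.urandom(32)      # version + random
            + b"\x00"                                   # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                              # one compression: null
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([CT_HANDSHAKE, major, minor])
            + struct.pack("!H", len(handshake)) + handshake)


def parse_record(data):
    """Parse one TLS record into a dict; alerts get level/description/name."""
    if len(data) < 5:
        raise ValueError("record too short")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    out = {"type": content_type, "version": (major, minor)}
    if content_type == CT_ALERT:
        if length != 2:
            raise ValueError("malformed alert")
        out["level"], out["description"] = payload[0], payload[1]
        out["name"] = ALERT_NAMES.get(payload[1], "unknown(%d)" % payload[1])
    elif content_type == CT_HANDSHAKE:
        out["handshake_type"] = payload[0]
    return out


class HandshakeFailed(Exception):
    pass


def negotiate(server, versions):
    """Try each version in order; a fatal alert moves on to the next one.
    `server` takes ClientHello bytes and returns the server's first record.
    Returns (negotiated_version, list of (version, alert_name) seen)."""
    alerts = []
    for version in versions:
        reply = parse_record(server(build_client_hello(version)))
        if reply["type"] == CT_HANDSHAKE and reply.get("handshake_type") == HS_SERVER_HELLO:
            return reply["version"], alerts
        if reply["type"] == CT_ALERT and reply["level"] == 2:   # fatal alert
            alerts.append((version, reply["name"]))
            continue
        raise HandshakeFailed("unexpected record %r" % reply)
    raise HandshakeFailed("no version accepted; alerts: %r" % alerts)


def stub_backend(client_hello):
    """Constructed stand-in for the backend in the post: TLS 1.0 gets a
    fatal illegal_parameter (47) alert, SSLv3 gets a minimal ServerHello."""
    hello_version = tuple(client_hello[9:11])   # version inside the ClientHello body
    if hello_version == TLS10:
        return bytes([CT_ALERT, 3, 1, 0, 2, 2, 47])   # level 2 = fatal, desc 47
    body = bytes(SSLV3) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    hs = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CT_HANDSHAKE, *SSLV3]) + struct.pack("!H", len(hs)) + hs


def ie_style():
    """Fallback client: TLS 1.0 first, then SSLv3."""
    return negotiate(stub_backend, [TLS10, SSLV3])


def uag_style():
    """Single attempt at TLS 1.0, no fallback."""
    return negotiate(stub_backend, [TLS10])


if __name__ == "__main__":
    print("fallback client:", ie_style())
    try:
        uag_style()
    except HandshakeFailed as exc:
        print("no-fallback client:", exc)
```

Run as a script, the fallback client reports SSLv3 negotiated after a single illegal_parameter alert, while the single-attempt client raises `HandshakeFailed` at the same point where the UAG trace shows `SEC_E_ILLEGAL_MESSAGE`. One caveat before building this into anything real: a client that silently downgrades after a handshake failure is exactly what an on-path attacker can trigger to force SSLv3, which is the downgrade POODLE (2014) exploited, so getting the backend's TLS 1.0 handshake fixed is the safer direction than teaching the proxy to fall back.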

Answers

  • UAG has certain code to handle SSL connections, and this is not something you can just configure or adjust. If this blocks your deployment, and the registry keys to ignore backend certificates do not help, please open a support case with Microsoft. Perhaps this can be handled with an update, or reported to the product group for investigation.
    Ben Ari
    Microsoft CSS UAG/IAG Support
    Sammamish, WA
    • Marked as answer by Erez Benari Friday, August 26, 2011 10:53 PM
    Friday, August 26, 2011 10:53 PM

All replies

  • Hi Norman,

    I'm hitting exactly the same problem as you, and was wondering if you ever got a "proper fix" for the issue.

    I can publish the application, but only by disabling TLS 1.0 in the registry, which, as you say, "isn't ideal", so with fingers crossed I'm hoping you have a more desirable solution - well, here's hoping at least :)

    Thanks,

    Ian.

    Thursday, March 28, 2013 12:20 PM