IE11 Selecting Unspecified Cipher after 3161608/3172605

  • Question

  • We have a Tomcat server that specifies a list of ciphers it accepts, but since the installation of either 3161608 or 3172605, IE keeps trying to use a different cipher, thus failing to reach the site. It keeps trying to use TLS_DHE_RSA_WITH_AES_128_SHA even though the Tomcat server expressly prohibits any DHE cipher unless it's one of the ECDHE ciphers. Chrome uses TLS_RSA_AES_128_SHA which is also in the cipher list the Tomcat server accepts. We can set group policy overriding the cipher order so that users can reach the site, but we can only do that for users within our organization and most of our users are outside the organization. Shouldn't IE be checking the server cipher suites offered and select one of those based upon the workstation's cipher order? Any ideas why this isn't happening, but IE decides to try the connection with the unacceptable cipher instead of one from the list the server provides?
    Thursday, August 4, 2016 5:14 PM
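To make the negotiation the question describes concrete, here is an added example (not from the thread) that models TLS 1.2 cipher-suite selection: the client lists every suite it supports in its ClientHello and the server, not the client, picks one from the intersection. The suite lists are constructed, and the acceptance rule mirrors the question's Tomcat configuration (no DHE suite unless it is an ECDHE suite).

```python
"""Model of TLS 1.2 cipher-suite selection (added example, not from the
original thread).  All suite lists below are constructed sample data."""

# Constructed: a Tomcat-style allowlist in server preference order.
SERVER_ALLOWED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def server_accepts(suite: str) -> bool:
    """The rule the question states: any DHE suite is refused unless it is
    an ECDHE suite; everything else must be on the explicit allowlist."""
    if "DHE_" in suite and not suite.startswith("TLS_ECDHE_"):
        return False
    return suite in SERVER_ALLOWED


def select_suite(client_offered, server_preference=True):
    """Pick the suite a TLS 1.2 server would send in ServerHello.
    With server preference the server's order decides, otherwise the
    client's order does.  Returns None when no common suite exists,
    which is the case where the handshake fails."""
    candidates = [s for s in client_offered if server_accepts(s)]
    if not candidates:
        return None
    if server_preference:
        return min(candidates, key=SERVER_ALLOWED.index)
    return candidates[0]


# Constructed ClientHello lists, in client preference order.
IE_OFFER = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",      # client's favourite, refused here
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]
DHE_ONLY_OFFER = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]

if __name__ == "__main__":
    print(select_suite(IE_OFFER))                           # ECDHE suite wins
    print(select_suite(IE_OFFER, server_preference=False))  # RSA suite (client order)
    print(select_suite(DHE_ONLY_OFFER))                     # None: no common suite
```

Because the client offers its whole list at once, a failure like the one reported is diagnosed by capturing the ClientHello and comparing it with the server's allowlist rather than by looking at the single suite a client "prefers".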

Answers

  • Hi,

    Effective January 1, 2016, Windows (version 7 and higher) and Windows Server will no longer trust new code that is signed with a SHA-1 code signing certificate for Mark-of-the-Web related scenarios (e.g. files containing a digital signature) and that has been time-stamped with a value greater than January 1, 2016. This cut-off date applies to the code-signing certificate itself.

    This restriction will not apply to the time-stamp certificate used to time-stamp the code-signing certificate or the certificate’s signature hash (thumbprint) until January 1, 2017. After this time, Windows will treat any code with a SHA-1 time-stamp or SHA-1 signature hash (thumbprint) as if the code did not have a time-stamp signature.

    For more information, please refer to the link:

    http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

    In addition, for the Tomcat server, you can also ask the manufacturer for further help.

    http://www.tomcatexpert.com/popular/tomcat_support

    Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Tao

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Saturday, August 6, 2016 8:36 AM
    Moderator

All replies

  • Hi,

    We haven't heard from you for a couple of days, have you solved the problem? We are looking forward to your good news.

    Best Regards,

    Tao


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Tuesday, August 9, 2016 8:56 AM
    Moderator
  • This does not resolve the issue. The issue has to do with IE\Edge selecting ciphers (specifically Diffie-Hellman ciphers) that the server does not list as supported.
    Thursday, August 25, 2016 5:08 PM