Unable to connect to a specific SSL Web site because RC4 based Cipher Suite not sent by IE 11 in Client Hello request

  • Question

  • Hello,

    I try to connect to https://vpn.par01.softlayer.com web site with IE 11 and I always get the same following error message :

    This page can’t be displayed
    Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://vpn.par01.softlayer.com  again. If this error persists, contact your site administrator.

    By clicking on the "Change settings" button associated with this error message, the IE Advanced option tab is displayed :

    from there, I can see that SSL 3.0 and all TLS versions are correctly checked ;

    When I do the same test from a colleague's PC with the same Windows 7 version and exactly the same IE 11 version, there is no problem reaching this web page

    When comparing Wireshark traces taken on both PCs, I can see the following differences in the SSL Client Hello packet sent by IE :

    1) in the good case,  this Client hello includes 26 Cipher Suites, with TLS 1.2

    2) in the bad case, this Client hello includes 24 Cipher Suites, with TLS 1.2

    The 2 missing Cipher Suites in the bad case are the following ones :

    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

    In the good case, the Server hello sent by the server (in response to the Client hello) shows the TLS_RSA_WITH_RC4_128_SHA Cipher Suite is the one selected ;

    In the bad case, the Client hello is answered by the server by a packet showing the following message :

    TLSv1 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)

    After this 1st failure, my IE 11 sends a 2nd Client hello with TLS 1.0 set and 10 Cipher Suites, but none of these 10 Suites includes an RC4 based one, and it is also rejected with the same failure message as the 1st Client Hello

    So, the problem seems due to the fact that my IE 11 never proposes an RC4 based Cipher Suite in the Client hello request and that the server seems to accept only an RC4 based Cipher Suite

    With Firefox, the 1st Client Hello has the same lack of RC4 based Suite, and is rejected the same way,

    but the 2nd Client hello (TLS 1.0 based) includes the good RC4 Suite and is accepted in the Server Hello ;

    unfortunately, Firefox is not really working for the rest of the procedure to be run after the 1st steps

    and Chrome is not supported at all

    To fix this Cipher Suites List, I have tried to use gpedit.msc -> Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings. Open SSL Cipher Suite Order, but no success ;

    and, according to the help on this "Open SSL Cipher Suite Order" topic, the 2 missing RC4 based Cipher Suites are supposed to be used by default when using TLS 1.0

    I also compared the "Open SSL Cipher Suite Order" topic between the 2 PCs : no difference seen

    Any idea would be welcome

    Thursday, September 24, 2015 11:55 AM
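
The comparison described in the question, as an added example that is not part of the original post: a parser that pulls the offered cipher suites out of a raw TLS ClientHello record and lists the ones the working client sends but the failing one does not. The `build_hello` helper and the `GOOD`/`BAD` records are constructed samples, not the poster's captures, and the two AES suites are included only to fill out the sample.

```python
import struct

# Names for the two suites named in the post, plus two non-RC4 suites used only in the sample
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def client_hello_suites(record: bytes) -> list[int]:
    """Return the cipher suite IDs offered in a raw TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    pos = 4 + 2 + 32                 # handshake header, client_version, random
    if len(body) <= pos or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos += 1 + body[pos]             # skip the length-prefixed session_id
    raw_len = body[pos:pos + 2]
    if len(raw_len) != 2:
        raise ValueError("truncated ClientHello")
    n = struct.unpack("!H", raw_len)[0]
    raw = body[pos + 2:pos + 2 + n]
    if n % 2 or len(raw) != n:
        raise ValueError("truncated cipher suite list")
    return [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, n, 2)]

def missing_suites(good: bytes, bad: bytes) -> list[str]:
    """Suites offered by the working client but absent from the failing one."""
    bad_set = set(client_hello_suites(bad))
    return [SUITES.get(s, f"0x{s:04X}")
            for s in client_hello_suites(good) if s not in bad_set]

def build_hello(suites: list[int]) -> bytes:
    """Constructed sample: minimal TLS 1.2 ClientHello with no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

GOOD = build_hello([0x002F, 0x0035, 0x0005, 0x0004])   # constructed, working client
BAD = build_hello([0x002F, 0x0035])                    # constructed, failing client

if __name__ == "__main__":
    print(missing_suites(GOOD, BAD))
```

RFC 7465 prohibits offering RC4 cipher suites in TLS, so when a diff like this isolates RC4 as the only common ground, the server is the side to reconfigure.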

Answers

  • Hi,   

    Did you perform any changes in the system recently? Please check the difference between the two computers, pay attention to the “Tools” > “Internet Options” > “Advanced” tab. Check the same SSL version and TLS version as the computer which can normally access.

    If you didn’t find the difference, I suggest you follow the steps in the link below to reset Internet Explorer settings.

    http://windows.microsoft.com/en-us/internet-explorer/reset-ie-settings#ie=ie-11

    Then follow the steps in the link below to troubleshoot.

    https://support.accessdata.com/hc/en-us/articles/205338728--Turn-on-TLS-1-0-TLS-1-1-and-TLS-1-2-

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    I hope you can troubleshoot the issue smoothly.

    Best Regards

    Simon  


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, October 12, 2015 2:33 AM

All replies

  • Hi Auro_Bindo

    you can use this free tool to fix this for you whether server side or client side (as your case)

    https://www.nartac.com/Products/IISCrypto/Download

    Thursday, October 8, 2015 4:58 PM
  • go to your bindings

    -> Edit your HTTPS bindings and assign the corresponding certificate to it

    Friday, January 18, 2019 4:56 AM