Windows: Schannel error 40 and Internet Explorer

When I needed to access a secure page (HTTPS) from Internet Explorer 11 on a Windows 2008 R2 server, I always got a "Page cannot be displayed" error. I could, though, access that page from another machine or another browser on the same server.

Looking in the Event Viewer I saw:

Log Name: System
Source: Schannel
Date: 05.01.2015 12:11:58
Event ID: 36887
Task Category: None
Level: Error
Keywords:
User: SYSTEM

Description:
The following fatal alert was received: 40.

Schannel error 40 means: SSL3_ALERT_HANDSHAKE_FAILURE

So I checked with SSL Labs which ciphers my browser offers:

https://www.ssllabs.com/ssltest/viewMyClient.html

It looks like it was offering very old ciphers first:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
...

I checked the following Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002

It contained exactly the same old ciphers first!

So I looked at a Windows 7 client that was working and saw that there were the newer and more secure ciphers listed first:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
...

I copied the Registry entry of the working machine to the server, rebooted the server and - Bingo - I could now access the web page.
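As an added check (not part of the original post), this PowerShell snippet reads the cipher suite order from the registry key above and reports whether the top of the list looks like the failing server (RSA-only, RC4/3DES/CBC suites first) or the working client (ECDHE suites first). It relies on the REG_MULTI_SZ value named Functions under that key, which is where Windows keeps the order; the good-order.txt file name is an assumption for comparing against a second machine.

```powershell
# Added example (not from the original post): inspect the Schannel cipher suite order.
# Under the key from the post, the REG_MULTI_SZ value "Functions" lists suites in priority order.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Get-SchannelCipherOrder {
    param([string]$Path = $key)
    $props = Get-ItemProperty -Path $Path -Name Functions -ErrorAction Stop
    $list = @($props.Functions)
    # The Group Policy variant of this key stores the list as one comma-separated string; normalise it.
    if ($list.Count -eq 1 -and $list[0] -like '*,*') { $list = $list[0] -split ',' }
    return $list
}

function Test-CipherOrder {
    param([string[]]$Suites)
    # The head of this list is what the client offers first (what SSL Labs showed in the post).
    $top  = $Suites | Select-Object -First 5
    $weak = @($top | Where-Object { $_ -match '^TLS_RSA_|RC4|3DES' })
    New-Object PSObject -Property @{
        FirstSuite      = $Suites[0]
        StartsWithEcdhe = ($Suites[0] -like 'TLS_ECDHE_*')
        WeakInTopFive   = $weak.Count
    }
}

$order = Get-SchannelCipherOrder
$order | Select-Object -First 10        # quick look at the head of the list
Test-CipherOrder -Suites $order

# Optional: positional diff against the list saved on a known-good machine with
#   (Get-ItemProperty $key -Name Functions).Functions | Set-Content good-order.txt
# (the file name is an assumption; -SyncWindow 0 makes pure ordering differences show up)
if (Test-Path '.\good-order.txt') {
    $good = Get-Content '.\good-order.txt'
    Compare-Object -ReferenceObject $good -DifferenceObject $order -SyncWindow 0 |
        Select-Object -First 20
}
```

The script uses only PowerShell 2.0 syntax so it runs as-is on Windows Server 2008 R2. Rather than copying the key from another machine, the supported way to change the order is the "SSL Cipher Suite Order" Group Policy setting (Computer Configuration > Administrative Templates > Network > SSL Configuration Settings), which writes the equivalent list under HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002.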
