Friday, August 20, 2010

Fix: MS10-049 and SSL problems connecting to https:// sites or Google Talk

It's been a long time since I've run into a Microsoft patch that blew something up badly enough that I felt it warranted a quick poke, and the impact of this problem also seems incredibly limited (Google searches on it as of today yielded only one useful link).

Problem


When connecting to Google Talk, or to some other SSL-based sites, with Internet Explorer or any other client that uses the operating system's SChannel library, the connection fails after MS10-049 (KB 980436) is installed.

Other things you might see


TLS 1.0 is turned off in Internet Options.
Wireshark shows a TCP reset arriving very shortly after the TLS Client Hello.

The Fix


Use SCSV for TLS:
For non-Windows 7 hosts, apply this fix (Reference):
Fire up RegEdit and navigate to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Create a new DWORD value called "UseScsvForTls" and set it to 1.

I'm not sure if this was unique to our environment, but we discovered TLS 1.0 was disabled, and the above fix didn't cover that. To enable TLS 1.0 in IE, select Tools | Internet Options | Advanced tab, scroll to the bottom and check the box that says TLS 1.0.
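The two steps above can be scripted so the same change lands on every affected host. The following is an added example, not from the original post: it creates the UseScsvForTls value (RFC 5746 lets a client signal secure-renegotiation support either with the renegotiation_info extension or with the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite; setting this value to 1 makes SChannel use the SCSV form for TLS, which is what some middleboxes that choke on unknown extensions expect) and then checks the per-user IE protocol setting. The SecureProtocols bitmask location and the assumption that the Advanced-tab checkbox writes to it are mine, not stated in the post. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not part of the original post). Applies the MS10-049 workaround
# described above and verifies the IE TLS 1.0 setting. Requires an elevated shell.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$name     = 'UseScsvForTls'

# 1. Create the DWORD (value 1) so SChannel signals secure renegotiation with the
#    SCSV cipher suite rather than the renegotiation_info extension in the Client Hello.
New-ItemProperty -Path $schannel -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
$current = (Get-ItemProperty -Path $schannel -Name $name).$name
if ($current -ne 1) { throw "Failed to set $name under $schannel" }
"$name = $current (SChannel re-reads this on the next TLS handshake; no reboot needed in our case)"

# 2. Check whether TLS 1.0 is enabled for IE / WinINet for the current user.
#    SecureProtocols is a bitmask: 0x08 = SSL 2.0, 0x20 = SSL 3.0, 0x80 = TLS 1.0.
#    Assumption: this is the value the Advanced-tab checkbox toggles.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$sp   = (Get-ItemProperty -Path $inet -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
if ($null -eq $sp) {
    'SecureProtocols not set; the IE default (TLS 1.0 on) applies'
} elseif ($sp -band 0x80) {
    'TLS 1.0 enabled (SecureProtocols = 0x{0:X})' -f $sp
} else {
    'TLS 1.0 DISABLED (SecureProtocols = 0x{0:X}); enable it under Tools | Internet Options | Advanced' -f $sp
}
```

If step 2 reports TLS 1.0 disabled, flip the checkbox (or set the 0x80 bit) rather than relying on SSL 3.0 fallback; the registry value in step 1 only changes how the TLS Client Hello is built and does nothing for a client that never offers TLS.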

But why?


In at least some cases, a proxy server monitoring HTTPS traffic was interfering with the connection. If the proxy was bypassed, all was well with the world on Windows 7 and lower hosts. If the proxy was not bypassed, hosts failed without this registry key, and Windows 7 hosts failed at all times, since the Windows 7 patch pays no attention to that registry key.
Obviously it's something related to the patch and the proxy server in my case, but I'm not sure what. I'll update this when I find out.

Other Posts on the Subject


Google Talk Support Forum Entry (No, I wasn't the original poster, but I replied)
Specific Incompatibility with Cisco VPN 3000 concentrators
