Fix: MS10-049 and SSL problems connecting to https:// sites or Google Talk
Friday, August 20, 2010
Problem
When connecting to Google Talk, or to some other SSL-based sites using Internet Explorer or any browser that uses the operating system's SChannel libraries, the connection to the site fails.
Other things you might see
TLS v1.0 is turned off.
Wireshark shows a reset happening very shortly after the Client Hello for SSL.
The Fix
Use SCSV for TLS:
For non-Windows 7 hosts, apply this fix (Reference)
Fire up RegEdit, navigate to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Create a new DWORD item called "UseScsvForTls" and set it equal to 1
I'm not sure if this was unique to our environment, but we discovered TLS 1.0 was disabled and the above fix didn't cover that. To enable TLS 1.0 in IE, select Tools|Internet Options|Advanced Tab. Scroll to the bottom and check the box that says TLS 1.0.
But why?
In at least some cases, a proxy server monitoring https traffic was interfering with the connection. If the proxy was bypassed, all was well with the world on Windows 7 and lower hosts. If the proxy was not bypassed, hosts failed without this registry key, and Windows 7 hosts failed at all times since the Windows 7 patch pays no attention to that registry key.
Obviously it's something related to the patch and the proxy server in my case, but I'm not sure what. I'll update this when I find out.
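To see what a client actually sends in the Client Hello that precedes the reset, the following added example (not code from the original post) parses the raw bytes of a Client Hello record, such as one exported from the Wireshark capture, and reports which RFC 5746 renegotiation signal it carries: the renegotiation_info extension or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite that the UseScsvForTls value is named after. The function names and both sample hellos are constructed for illustration.

```python
import struct

SCSV = 0x00FF        # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite (RFC 5746)
RENEGO_EXT = 0xFF01  # renegotiation_info extension type (RFC 5746)

def build_hello(suites, exts=()):
    """Constructed sample data: a minimal TLS 1.0 ClientHello record."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    body = b"\x03\x01" + bytes(32) + b"\x00"   # version, random, empty session id
    body += len(cs).to_bytes(2, "big") + cs + b"\x01\x00"  # suites, null compression
    if exts:
        eb = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in exts)
        body += len(eb).to_bytes(2, "big") + eb
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

def renego_signal(record: bytes) -> dict:
    """Report which RFC 5746 signal a ClientHello record carries."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record starting with a ClientHello")
    rec_len = int.from_bytes(record[3:5], "big")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len or hs_len + 4 > rec_len:
        raise ValueError("truncated or fragmented ClientHello")
    try:
        pos = 34 + 1 + body[34]           # skip version, random, session_id
        n = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + n, 2)]
        pos += n
        pos += 1 + body[pos]              # skip compression methods
        exts = []
        if pos < len(body):               # the extensions block is optional
            end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
            pos += 2
            while pos + 4 <= min(end, len(body)):
                etype, elen = struct.unpack(">HH", body[pos:pos + 4])
                exts.append(etype)
                pos += 4 + elen
    except IndexError:
        raise ValueError("malformed ClientHello") from None
    return {"scsv": SCSV in suites, "renegotiation_info": RENEGO_EXT in exts}

# Constructed samples: the same suites, signalled by extension and by SCSV.
EXT_HELLO = build_hello([0x002F, 0x0035, 0x000A], [(RENEGO_EXT, b"\x00")])
SCSV_HELLO = build_hello([0x002F, 0x0035, 0x000A, SCSV])

if __name__ == "__main__":
    print(renego_signal(EXT_HELLO), renego_signal(SCSV_HELLO))
```

Comparing the result for a host that fails through the proxy with one that connects shows whether the two differ in how they signal renegotiation support.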
Other Posts on the Subject
Google Talk Support Forum Entry (No, I wasn't the original poster, but I replied)
Specific Incompatibility with Cisco VPN 3000 concentrators