AnsweredAssumed Answered

Schannel Errors

Question asked by Th@tGuy on Nov 21, 2013
Latest reply on Aug 17, 2015 by jnelson

As of recently, I have seen a problem cropping up in a very small number of servers.  Confirmed cases are coincidentally web servers (IIS on WS 2008).

The following errors are generated on the affected servers when a standard, full vuln scan runs:

 

Error 36874: An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server.  The SSL connection request has failed.

 

Error 36888: The following fatal error was generated: 40.  The internal error state is 1205

 

Error 36888 will appear over 100 times (I believe i clocked about 200 errors, back to back).  Occasionally, Schannel will break, and the server will lose domain controller connection, dropping it from the domain.  However, this has only happened to a few machines.  To complicate the situation even further, these affected machines appear to be identical to other web servers with similar configurations all around (ciphers and certificates included) that do not experience this issue.

 

Through translating the 36888 error, it was determined that this is happening due to a failed handshake.  Testing revealed that this only occurs when scans occur on the msrdp protocol.  I am able to avoid this error if i disable any cipher/ssl related plugins for the msrdp service, but this drops identifyication of any related issues.  In addition, as the origin of this issue is still unknown, other servers could experience this issue and not be noticed until it already happens (not ideal when this could affect important systems).

 

Qualys Support was contacted, but were unable to determine the origin of the problem.  It was recommended to check with Microsoft, but due to political issues involved (giving MS access to a qualys account with access to confidential scan data), this was not a desirable option. 

 

 

With all of this said, is there anyone out there who has had a similar issue?  And if so, any idea what could be causing this issue?

Outcomes