2

I have been looking at this error all day and am really scratching my head now. We have a Windows Server 2016 Std that runs a .NET webservice. This in turn connects to our database server, same OS, in the same estate i.e. behind the same firewall. I should state before anything else that both servers have TLS1.2 ONLY enabled, and running a Qualys Labs test confirms SSL3 is not switched on.

What appears to be happening is that requests are coming through and are encountering ssl/tls issues as below which I have retrieved from the application log files:

The request was aborted: Could not create SSL/TLS secure channel.

Then between 59-61 seconds later, we get the sql error:

A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible.

i.e. these errors are occurring in pairs. It seems to have been happening for several months, but has become apparent now as we investigated another issue.

The .net application is now using the correct hostname for the db server as previously it was using a name that didn't exist but was in the local hosts file but this hasn't resolved things (I thought perhaps the hostname not matching what is on our wildcard certificate could cause issues). This application was coded by some CRM developers but unfortunately they are being quite uncooperative.

The windows event log (System) is full of Schannel 36874 errors which seem to correlate with the errors mentioned above:

An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed.

As I have said I really don't know where to go next with this issue. I have seen some posts stating these errors in the event log can be suppressed but only if they aren't causing an issue, however I'd like to get to the bottom of things before I start doing that.

I have installed Wireshark on the server in question and have filtered for 443 traffic, however I'm not sure how to interrogate Wireshark's logs or if this is even possible.

Any help would be appreciated. I guess I really need to find out who/what the 'remote client' is in the event logs, does anyone have any pointers?

Many thanks

ajguk
  • 21
  • 1
  • 1
  • 2

1 Answers1

1

This appears to be an issue with the server CIPHER suites that client is asking for before the handshake. Can you give us more information as to how the client side is establishing the connection? If you have access to a command line SSL client, you can initiate the handshake yourself and attempt to trip the error.

I would suggest just making sure the App Developer standardizes the handshake to use TLS 1.2 for the most compatible setting and TLS 1.3 if you can control the cipher suites server side.

David O.
  • 124
  • 3
  • They are posting a SOAP xml request through to our endpoint. If I turn this endpoint off in IIS the errors stop, so I'm reasonably confident it's some traffic that is coming through this service. I'll look at the cmd line ssl client you suggested - have you any recommendations? Many thanks – ajguk Mar 05 '19 at 09:31
  • I would suggest using the defacto standard OpenSSL. Here is an example I read from a site: openssl s_client -connect www.google.com:443 -tls1_2 You should play with the parameters and see what happens server side. I believe a standard page should suffice for the test. If you REALLY want to test payload, use a tool like Postman or curl. – David O. Mar 05 '19 at 14:45