Article ID: 2541763 - Last Review: July 8, 2011 - Revision: 4.0

An update that enables Internet Explorer in Windows XP, in Windows Vista, or in Windows Server 2008 to parse fragmented TLS/SSL handshake messages is available

View products that this article applies to.

System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.

INTRODUCTION

In certain situations, TLS/SSL handshake messages become too large to be contained in a single packet. In these situations, some third-party implementations of the TLS/SSL protocol fragment the messages before they are sent. However, the Microsoft implementation of the TLS/SSL protocol cannot parse fragmented messages. Therefore, Windows Internet Explorer on a computer that is running Windows XP, Windows Vista, or Windows Server 2008 cannot connect to servers that use a third-party TLS/SSL protocol. Additionally, you receive the following error message when you try to connect to such a server.

The page cannot be displayed.

Back to the top

MORE INFORMATION

Update information

This update enables the Microsoft implementation of the TLS/SSL protocol to successfully parse fragmented messages that are sent by a third-party implementation of the TLS/SSL protocol.

After you install the update, you can use registry keys to configure the maximum size of a fragmented message that the Microsoft implementation of the TLS/SSL protocol can parse. You can also use these registry keys to prevent the Microsoft implementation of the TLS/SSL protocol from processing fragmented messages.

To configure how the Microsoft implementation of the TLS/SSL protocol handles fragmented TLS/SSL messages, create the appropriate registry key for you environment under the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel\Messaging\

On a client computer

Registry key: MessageLimitClient
Type: REG_DWORD
Value:
- Null
  
  If you do not create this registry entry, the maximum allowed size of a fragmented message is 0x8000 bytes.
- 0x0
  
  If you set the value to 0x0, fragmented message are not processed.
- Between 0x0 and 0x8000
  
  If you set a value between 0x0 and 0x8000, the value indicates the maximum allowed size (in bytes) of a fragmented message.
- Greater than 0x8000
  
  If you set a value greater than 0x8000, the maximum allowed size of a fragmented message is 0x8000 bytes.

On a server that does not use client authentication

Registry key: MessageLimitServer
Type: REG_DWORD
Value:
- Null
  
  If you do not create this registry entry, the maximum allowed size of a fragmented message is 0x4000 bytes.
- 0x0
  
  If you set the value to 0x0, fragmented message are not processed.
- Between 0x0 and 0x4000
  
  If you set a value between 0x0 and 0x4000, the value indicates the maximum allowed size (in bytes) of a fragmented message.
- Greater than 0x4000
  
  If you set a value greater than 0x4000, the maximum allowed size of a fragmented message is 0x4000 bytes.

On a server that uses client authentication

Registry key: MessageLimitServerClientAuth
Type: REG_DWORD
Value:
- Null
  
  If you do not create this registry entry, the maximum allowed size of a fragmented message is 0x8000 bytes.
- 0x0
  
  If you set the value to 0x0 and the value of the MessageLimitServer registry entry to 0x0, fragmented messages are not processed. Otherwise, the value of the MessageLimitServer registry entry indicates the maximum allowed size of a fragmented message.
- Between 0x0 and 0x8000
  
  If you set a value between 0x0 and 0x8000, the maximum allowed size of a fragmented message is calculated by using the following formula:
  max(MessageLimitServerClientAuth, MessageLimitServer)
- Greater than 0x8000
  
  If you set a value greater than 0x8000, the maximum allowed size of a fragmented message is 0x8000 bytes (if the MessageLimitServer registry entry is not set to be a value of 0x0).

How to obtain this update

The following files are available for download from the Microsoft Download Center:

Collapse this tableExpand this table

Operating system	Update
All supported x86-based versions of Windows XP	Collapse this imageExpand this image Download the update package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=f55fb271-3fcc-4127-88a6-0676eb3fe27f)
All supported x86-based versions of Windows Vista	Collapse this imageExpand this image Download the update package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=d5baaac9-85ae-43e4-95f5-15e16f94fb55)
All supported x64-based versions of Windows Vista	Collapse this imageExpand this image Download the update package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=4602fe67-3bfd-4ff3-820e-9dae69399ec5)
All supported x86-based versions of Windows Server 2008	Collapse this imageExpand this image Download the update package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=0d9047be-057d-4694-aac8-ce9b36413436)
All supported x64-based versions of Windows Server 2008	Collapse this imageExpand this image Download the update package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=c8e56b4f-4589-4d2d-bc59-bc114fc7b73c)
All supported IA-64-based versions of Windows Server 2008	Collapse this imageExpand this image Download the update package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=012c9c86-7a6c-41f6-b5c1-5ac155fbc67c)

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 (http://support.microsoft.com/kb/119591/ ) How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

To apply this update, you must be running one of the following operating systems:

Windows XP Service Pack 3 (SP3)
Windows Vista Service Pack 1 (SP1)
Windows Vista Service Pack 2 (SP2)
Windows Server 2008
Windows Server 2008 Service Pack 2 (SP2)

For more information about how to obtain a Windows XP service pack, click the following article number to view the article in the Microsoft Knowledge Base:

322389 (http://support.microsoft.com/kb/322389/ ) How to obtain the latest Windows XP service pack

For more information about how to obtain a Windows Vista service pack, click the following article number to view the article in the Microsoft Knowledge Base:

935791 (http://support.microsoft.com/kb/935791/ ) How to obtain the latest Windows Vista service pack

For more information about how to obtain a Windows Server 2008 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

968849 (http://support.microsoft.com/kb/968849/ ) How to obtain the latest service pack for Windows Server 2008

Registry information

To use the update in this package, you do not have to make any changes to the registry.

Restart requirement

You may have to restart the computer after you apply this update.

Update replacement information

This update does not replace a previously released update.

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 (http://support.microsoft.com/kb/824684/ ) Description of the standard terminology that is used to describe Microsoft software updates

Back to the top