Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
SSL/TLS communication problems after you install KB 931125
Article ID: 2801679 - View products that this article applies to.
After December 11, 2012, applications and operations that are dependent on TLS-based authentications fail may suddenly fail although they have no apparent configuration change. Some of the applications and operations that may fail include, but are not limited to, the following:
Collapse this tableExpand this table
These problems may occur if you updated your Third-party Root Certication Authorities by using the December 2012 KB 931125 update package. The KB 931125 package that was posted on December 11, 2012, was intended only for client SKUs. However, it was also offered for Server SKUs for a short time on Windows Update and WSUS.
This package installed more than 330 Third-party Root Certication Authorities. Currently, the maximum size of the trusted certificate authorities list that the Schannel security package supports is 16 kilobytes (KB). Having a large amount of Third-party Root Certication Authorities will go over the 16k limit, and you will experience TLS/SSL communication problems.
If you use WSUS, and you did not install the December 2012 KB 931125 update, you should sync your WSUS servers, and then approve the expirations so that your servers do not install the update.
If you installed the December 2012 KB 931125 update package, you should use the following resolution to remove additional Third-party Root Certication Authorities on all servers that now have a large amount of Third-party Root Certication Authorities.
Note This solution removes all Third-party Root Certication Authorities. If your server has connectivity to Windows Update, it will automatically add back Third-party Root Certication Authorities as needed, as also discussed in KB 931125. If an affected server is isolated or disonnected from the Internet, you must manually add the necessary Third-party Root Certication Authorities back as you would have done in the past. (Or, you can install them by using Group Policy.)
To have us fix this problem for you, go to the "Fix it for me" section. If you prefer to fix this problem yourself, go to the "Let me fix it myself" section.
Fix it for me
To fix this problem automatically, click the Fix it button or link, click Run in the File Download dialog box, and then follow the steps in the Fix it wizard.
Fix this problemNotes
Microsoft Fix it 50974
Let me fix it myself
Delete the following registry key:
To do this, follow these steps:
These problems may occur if a TLS/SSL server contains many entries in the trusted root certification list. The server sends a list of trusted certificate authorities to the client if the following conditions are true:
This list of trusted certificate authorities represents the authorities from which the server can accept a client certificate. To be authenticated by the server, the client must have a certificate that is present in the chain of certificates to a root certificate from the server's list. This is because the client certificate is always the end-entity certificate at the end of the chain. The client certificate isn't part of the chain.
Currently, the maximum size of the trusted certificate authorities list that the Schannel security package supports is 16 KB in Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.
Schannel creates the list of trusted certificate authorities by searching the Trusted Root Certification Authorities store on the local computer. Every certificate that is trusted for client authentication purposes is added to the list. If the size of this list exceeds 16 KB, Schannel logs Warning event ID 36855. Then, Schannel truncates the list of trusted root certificates and sends this truncated list to the client computer.
When the client computer receives the truncated list of trusted root certificates, the client computer may not have a certificate that exists in the chain of a trusted certificate issuer. For example, the client computer may have a certificate that corresponds to a trusted root certificate that Schannel truncated from the list of trusted certificate authorities. Therefore, the server cannot authenticate the client.
Article ID: 2801679 - Last Review: May 1, 2013 - Revision: 2.0