Secure Channel cumulative update changes TLS protocol renegotiation and fallback behavior

Applies to: Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation


Applications or services that use the Secure Channel (SChannel) security support provider, such as Internet Explorer, may negotiate incorrectly with non-Microsoft website hosts when they use the Transport Layer Security (TLS) protocol. As a result, the affected application may fail to establish a connection, or may be instructed to negotiate a less secure protocol such as Secure Sockets Layer version 3.0 (SSL 3.0).


This issue occurs because some third-party implementations of the TLS protocol do not correctly negotiate when empty TLS extensions are present at the end of the extension list.
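To check a captured ClientHello or a test vector for the condition described above, the following added example (not Microsoft code) walks a TLS extensions block using the RFC 5246 layout and reports whether the last extension is empty. The function names and the sample byte strings are constructed for illustration.

```python
import struct

def parse_extensions(block: bytes):
    """Parse a TLS extensions block: 2-byte total length, then entries of
    2-byte type, 2-byte length and that many data bytes (RFC 5246, 7.4.1.4)."""
    if len(block) < 2:
        raise ValueError("missing extensions length")
    (total,) = struct.unpack_from("!H", block, 0)
    if total != len(block) - 2:
        raise ValueError("extensions length does not match block size")
    extensions, offset = [], 2
    while offset < len(block):
        # A 4-byte header that ends exactly at the end of the block is valid:
        # it is an empty extension in last position, so compare with '>'.
        if offset + 4 > len(block):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", block, offset)
        offset += 4
        if offset + ext_len > len(block):
            raise ValueError("extension data overruns block")
        extensions.append((ext_type, block[offset:offset + ext_len]))
        offset += ext_len
    return extensions

def ends_with_empty_extension(block: bytes) -> bool:
    """True when the final extension in the list carries zero bytes of data."""
    exts = parse_extensions(block)
    return bool(exts) and len(exts[-1][1]) == 0

def build_extensions(exts):
    """Serialize (type, data) pairs into an extensions block (test helper)."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return struct.pack("!H", len(body)) + body

# Constructed sample data; these are not captures from a real client.
SERVER_NAME = (0x0000, b"\x00\x0e\x00\x00\x0bexample.com")  # server_name
RENEGOTIATION_INFO = (0xFF01, b"\x00")                      # renegotiation_info
SESSION_TICKET_EMPTY = (0x0023, b"")                        # SessionTicket, no data
TRAILING_EMPTY = build_extensions([SERVER_NAME, RENEGOTIATION_INFO, SESSION_TICKET_EMPTY])
TRAILING_DATA = build_extensions([SERVER_NAME, SESSION_TICKET_EMPTY, RENEGOTIATION_INFO])

if __name__ == "__main__":
    for name, block in (("TRAILING_EMPTY", TRAILING_EMPTY), ("TRAILING_DATA", TRAILING_DATA)):
        print(name, "ends with empty extension:", ends_with_empty_extension(block))
```

Feeding both sample blocks to a TLS server's parser in a test harness shows whether it accepts the same extensions in either order.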


To resolve this issue, install the February cumulative security update for Internet Explorer (MS15-009) or the most recent cumulative security update for Internet Explorer. To do this, go to Microsoft Update. If you download and install updates manually, see the "Affected Software" table in Microsoft Security Bulletin MS15-009 for download links. For information about the most recent cumulative security update for Internet Explorer, go to the Security TechCenter.

Note This update is offered only as a companion package to Internet Explorer 11. The update changes the TLS protocol renegotiation and fallback behavior.

Known issue


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


See the terminology that Microsoft uses to describe software updates.