Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption

Applies to: Windows 10, version 1903Windows 10, version 1809Windows Server 2019, all versions

Symptoms


When attempting to connect, Transport Layer Security (TLS) might fail or timeout.  You might also receive one or more of the with the following errors:

  • "The request was aborted: Could not create SSL/TLS secure Channel"
  •  error 0x8009030f
  • An error logged in the System Event Log for SCHANNEL event 36887 with alert code 20 and the description, "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​"

Cause


Due to security related enforcement for CVE-2019-1318, all updates for supported versions of Windows released on October 8, 2019 or later enforce Extended Master Secret (EMS) for resumption as defined by RFC 7627.  Connections to third-party devices and OSes that are non-compliant might have issues or fail.

Next Steps


Connections between two devices running any supported version of Windows should not have this issue when fully updated.  There is no update for Windows needed for this issue.  These changes are required to address a security issue and security compliance.

Any third-party operating system, device or service that does not support EMS resumption might exhibit issues related to TLS connections.  You should contact your administrator, manufacturer or service provider for updates that fully support EMS resumption as defined by RFC 7627.

Note Microsoft does not recommend disabling EMS. If EMS was previously explicitly disabled, it can be re-enabled by setting following registry key values:

HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel

On TLS Server: DisableServerExtendedMasterSecret: 0
On TLS Client: DisableClientExtendedMasterSecret: 0

Advanced information for administrators


1. A Windows device attempting a Transport Layer Security (TLS) connection to a device that does not support Extended Master Secret (EMS) when TLS_DHE_* cipher suites are negotiated might intermittently fail approximately 1 out of 256 attempts. To mitigate this issue, implement one of the following solutions listed in order of preference:

  • Enable support for Extend Master Secret (EMS) extensions when performing TLS connections on both the client and the server operating system. 
  • For operating systems that do not support EMS, remove the TLS_DHE_* cipher suites from the cipher suite list in the OS of the TLS client device. For instructions on how to do this on Windows, see Prioritizing Schannel Cipher Suites.


2. Operating systems that only send certificate request messages in a full handshake following resumption are not RFC 2246 (TLS 1.0) or RFC 5246 (TLS 1.2) compliant and will cause each connection to fail. Resumption is not guaranteed by the RFCs but may be used at the discretion of the TLS client and server.  If you encounter this issue, you will need to contact the manufacturer or service provider for updates that comply with RFC standards.

3. FTP servers or clients that are not compliant with RFC 2246 (TLS 1.0) and RFC 5246 (TLS 1.2) might fail to transfer files on resumption or abbreviated handshake and will cause each connection to fail. If you encounter this issue, you will need to contact the manufacturer or service provider for updates that comply with RFC standards.

Affected Updates


Any latest cumulative update (LCU) or Monthly Rollups released on October 8, 2019 or later for the affected platforms may experience this issue:

  • KB4517389 LCU for Windows 10, version 1903.
  • KB4519338 LCU for Windows 10, version 1809 and Windows Server 2019.
  • KB4520008 LCU for Windows 10, version 1803.
  • KB4520004 LCU for Windows 10, version 1709.
  • KB4520010 LCU for Windows 10, version 1703.
  • KB4519998 LCU for Windows 10, version 1607 and Windows Server 2016.
  • KB4520011 LCU for Windows 10, version 1507.
  • KB4520005 Monthly Rollup for Windows 8.1 and Windows Server 2012 R2.
  • KB4520007 Monthly Rollup for Windows Server 2012.
  • KB4519976 Monthly Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1.
  • KB4520002 Monthly Rollup for Windows Server 2008 SP2

The following Security Only released on October 8, 2019 for the affected platforms may experience this issue:

  • KB4519990 Security-only update for Windows 8.1 and Windows Server 2012 R2.
  • KB4519985 Security-only update for Windows Server 2012 and Windows Embedded 8 Standard.
  • KB4520003 Security-only update for Windows 7 SP1 and Windows Server 2008 R2 SP1
  • KB4520009 Security-only update for Windows Server 2008 SP2