Secure Channel cumulative update changes TLS protocol renegotiation and fallback behavior


Applications or services that use the Secure Channel (SChannel) security support provider, such as Internet Explorer, may incorrectly negotiate to non-Microsoft website hosts by using the Transport Layer Security (TLS) protocol. Therefore, the affected application may not establish a connection or may be instructed to negotiate the use of a less-secure protocol such as Secure Sockets Layer protocol version 3.0 (SSL 3.0).


This issue occurs because some third-party implementations of the TLS protocol do not correctly negotiate when empty TLS extensions are present at the end of the extension list.


To resolve this issue, install the February cumulative security update for Internet Explorer (MS15-009) or the most recent cumulative security update for Internet Explorer. To do this, go to Microsoft Update. If you download and install updates manually, see the "Affected Software" table in Microsoft Security Bulletin MS15-009 for download links. For information about the most recent cumulative security update for Internet Explorer, go to the Security TechCenter.

Note This update is offered only as a companion package to Internet Explorer 11. The update changes the TLS protocol renegotiation and fallback behavior.

Known issue


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


See the terminology that Microsoft uses to describe software updates.

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.