Unable to view secure web pages XP SP2

[Mike N]

I was unable to display any secure web pages on my laptop - XP SP2.
(Instant "This page cannot be displayed") I don't know when/how it
stopped working. Windows Update works.

I went through the troubleshooting steps at

http://support.microsoft.com/default.aspx?scid=kb;en-us;870700

Including disabling the Windows firewall completely. No luck.
The computer has been connected to the internet via a hardware
firewall and gone only to Microsoft.com so a worm/virus is unlikely.

NEXT - I used a packet sniffer and found that it did not start SSL
negotiation. I went back and actually read the error page, verified
that SSL 2.0, SSL 3.0 were already on. I turned on TLS 1.0. (PCT
1.0 does not show up as an option). Now I can reach some bank web
sites but not others. Other PCs on the same network can get to all
unreachable secure pages.

I repeated the steps in the above KB document, clearing and
resetting everything, setting up a new user, etc but no go.

Q1: I don't think PCT 1.0 is relevant anymore because there was a
recent exploit against it and it was replaced by SSL 3.0.

Q2: Why do I need TLS 1.0 on this system? I don't need to enable
TLS 1.0 on other systems.

Q3: How can I isolate the problem area and be able to reach all
secure sites? There are no relevant error messages in the event
viewer.

 

[Mike N]

http://support.microsoft.com/default.aspx?scid=kb;en-us;870700

Including disabling the Windows firewall completely. No luck.
The computer has been connected to the internet via a hardware
firewall and gone only to Microsoft.com so a worm/virus is unlikely.

NEXT - I used a packet sniffer and found that it did not start SSL
negotiation. I went back and actually read the error page, verified
that SSL 2.0, SSL 3.0 were already on. I turned on TLS 1.0. (PCT
1.0 does not show up as an option). Now I can reach some bank web
sites but not others. Other PCs on the same network can get to all
unreachable secure pages.

I repeated the steps in the above KB document, clearing and
resetting everything, setting up a new user, etc but no go.

Q1: I don't think PCT 1.0 is relevant anymore because there was a
recent exploit against it and it was replaced by SSL 3.0.

Q2: Why do I need TLS 1.0 on this system? I don't need to enable
TLS 1.0 on other systems.

Q3: How can I isolate the problem area and be able to reach all
secure sites? There are no relevant error messages in the event
viewer.

Dear Mike,

I think I finally have the answer for you. The answer was a
local security policy I had set: "System cryptography: Use FIPS
compliant algorithms for encryption, hashing, and signing". My
analysis is that I need that for 'much better' protection of local
accounts/SAM and EFS-encrypted files.

Now that I put in the right search terms, I see that this is a well
known problem; IE doesn't enable the stronger TLS by default and this
is required for FIPS compliance. Also, many sites cannot negotiate
TLS 1.0 and this explains the second part. That item should have
been listed in KB 870700 above.

THAT STILL DOESN'T EXCUSE Q3: What rotten diagnostics (or it's not
clear how to audit the cryptography chain).

Regards,

Mike