Cannot access HTTPS sites unless TLS 1.0 is now enabled, only on Windows XP, just started yesterday

*Vanguard*

I was running fine up until a day ago. I could access HTTP, HTTPS
(i.e., with SSL for a secure web site), do e-mail, do newsgroups, and
everything else on the Internet. Then, boom, everything worked except
HTTPS. I could no longer connect to secured web sites.

Rebooting didn't help. Disabling the firewall didn't help. Using
msconfig.exe so the firewall never loaded didn't help. In fact, I used
the "basic" setup selection in msconfig and found out that all network
connectivity got lost; no LAN connectoid, no ping, no TCP/IP loaded,
nothing. Okay, so then I used msconfig to perform a selective startup
that loads just the "System Services" but NOT the startup programs.
Still didn't help. Tried reinstalling IE. No help. Checked the
advanced options under Internet Options applet to ensure that SSL 2.0
and SSL 3.0 options were enabled. They were. Called my ISP who
couldn't think of anything more for me to do other than run "regsvr32
softpub.dll" (so now I have to figure out what that DLL does) but this
tech wouldn't bump up my call to a 2nd or 3rd level tech until after I
tried the IE reinstall. That didn't work but I started to do some
searches in the newsgroups regarding SSL not working for secure web sites
before calling them back.

Besides no longer being able to connect to HTTPS web sites, I also
couldn't use http://windowsupdate.microsoft.com. When I clicked to do
the scan, it would bitch that my clock must be off far enough that SSL
won't work. Wrong. The time on my computer was okay. In fact, I
sync'ed it up again. I use SocketWatch to sync my time against a long
list of NTP servers to select whichever has the shortest delay. I also
happened to notice when double-clicking on the tray icon clock and
seeing an "Internet Time" tab panel, so I looked under there and
disabled the "Automatically sync..." option since I don't need 2 sources
trying to sync my computer's clock. In any case, the date and time were
okay on my computer and so was the time zone.

So at one point I ended up back in Internet Options looking at the SSL
settings. I happened to enable the "TLS 1.0" setting and, voila, now I
could connect to HTTPS web sites. Okay, what the hell is going on here?
TLS 1.0 should NOT be required for SSL to work. I found Microsoft's KB
article # 318815 (http://support.microsoft.com/?kbid=318815) which
discusses SSL 3.0 and TLS 1.0 but it doesn't explicitly state that I
need to use TLS and, in fact, alludes that TLS (and SSL 3.0) are still
just RFC drafts (i.e., not ratified). Yet I go to RFC 2246
(http://www.ietf.org/rfc/rfc2246.txt) and don't see "draft" as a status
on this document.

IE was working up until yesterday without TLS 1.0 enabled in it. Then I
noticed that I could not connect to any HTTPS web site. Lots of stuff
tried but nothing helped until TLS 1.0 was enabled (but which should not
be required). So my first suspicion was that my ISP (Comcast) changed
something that then required TLS so SSL would work. Yet, both TLS and
SSL are end-point protocols; i.e., it is the server to which you connect
that provides support for these protocols. Unless I missed it in RFC
2246, I don't see anything that mentions that TLS is something a carrier
provides along the route to an SSL host.

I have another host on my intranet which is running Windows 2000 Pro.
IE on that host does NOT have the TLS 1.0 option enabled in IE. I can
navigate just fine to HTTPS hosts on that Windows 2000 host. In fact,
with TLS 1.0 *not* enabled in IE, I can enable just SSL 2.0, just SSL
3.0, or both to connect to the same secure web sites (but disabling both
SSL 2.0 and SSL 3.0 gives me the same result of no connect that I get on
my Windows XP host if they are enabled but TLS 1.0 is not enabled). It
is on the Windows XP host where SSL died in the last day and I was
forced to enable the TLS 1.0 option in IE. I had not applied any
Windows updates in the last few days (been long enough that I don't
remember when was the last Windows Update on this host so it's been more
like a couple weeks since the prior update).

So I can now get my Windows XP host to connect to HTTPS web sites but
only if TLS 1.0 is enabled, and this just became a requirement within
the last day. On Windows XP Pro SP-1, SSL 2.0 and SSL 3.0 were enabled
in IE's advanced options but TLS 1.0 was not enabled. I believe TLS 1.0
*not* enabled is the default configuration. That's been working since I
installed Windows XP at the start of January. Then I lost connectivity
yesterday to HTTPS web sites and eventually found that enabling TLS 1.0
let me connect again to HTTPS sites. Worked for 2 months, then went
dead, and required TLS 1.0 which it never required before (and which is
NOT required on my Windows 2000 host).

Forget about male baldness syndrome. I'm ripping out my hair in clumps!
I'm really getting to miss use of my Windows 2000 host (another family
member got my old computer with Windows 2000). Since yesterday when
this began, I can now connect to HTTPS web sites after enabling TLS 1.0.
However, I still have problems getting the scan to work at
http://windowsupdate.microsoft.com but the problem changed from it
bitching my time was off with error code 0x800C0008 to now bitching the
page cannot be displayed with error code 0x800A138F (which says, "Check
the system time. SSL will not function if the system time is more than
100 days off" but my computer's time is correct). So although enabling
TLS fixed the problem of connecting to HTTPS sites, my system is still
****ed regarding SSL and still cannot run Windows Update.

Isn't the default configuration for IE to *not* have TLS 1.0 enabled?
 
Steven L Umbach

Did you change any security settings?? That happened to me once on a XP Pro machine
after I enabled the security option to use fips in Local Security Policy setting for
System Cryptography. Make sure it is disabled [not just undefined] on your computer.
Sometimes booting into safe mode with networking is also worth a try. See the link
below for more details. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;811834
http://support.microsoft.com/default.aspx?scid=kb;en-us;813444 -- general list of
things to try when you can not access secure sites.
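
Added example, not part of the thread: a PowerShell check of the interaction described in the reply above. With the FIPS policy enabled, Schannel negotiates TLS only, so a client with only SSL 2.0/3.0 ticked has no protocol left. Function names and sample values are constructed for illustration.

```powershell
# Added example (not from the thread); function names and sample values are constructed.
# Bit flags of IE's SecureProtocols DWORD (Internet Options > Advanced).
$ProtocolBits = @{ 'SSL 2.0' = 0x08; 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80 }

function Get-UsableProtocols {
    param([int]$SecureProtocols, [bool]$FipsEnabled)
    # Protocols the user has ticked in IE.
    $enabled = @($ProtocolBits.Keys | Sort-Object |
        Where-Object { $SecureProtocols -band $ProtocolBits[$_] })
    # FIPS policy on: Schannel refuses SSL 2.0/3.0, only TLS survives.
    if ($FipsEnabled) {
        $enabled = @($enabled | Where-Object { $_ -like 'TLS*' })
    }
    return ,$enabled
}

function Get-FipsPolicy {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # Windows XP / Server 2003: DWORD value FIPSAlgorithmPolicy directly under Lsa.
    $legacy = (Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).FIPSAlgorithmPolicy
    # Vista and later: subkey FIPSAlgorithmPolicy holding a DWORD named Enabled.
    $modern = (Get-ItemProperty -Path "$lsa\FIPSAlgorithmPolicy" -ErrorAction SilentlyContinue).Enabled
    return ($legacy -eq 1) -or ($modern -eq 1)
}

function Get-IeSecureProtocols {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    # Returns 0 when the value is absent (IE then uses its built-in default).
    return [int](Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SecureProtocols
}

# Constructed cases mirroring the symptoms reported in the thread.
$cases = @(
    @{ Name = 'SSL 2.0 + SSL 3.0, FIPS off';  Bits = 0x28; Fips = $false },
    @{ Name = 'SSL 2.0 + SSL 3.0, FIPS on';   Bits = 0x28; Fips = $true  },
    @{ Name = 'SSL + TLS 1.0, FIPS on';       Bits = 0xA8; Fips = $true  }
)
foreach ($c in $cases) {
    $left = Get-UsableProtocols -SecureProtocols $c.Bits -FipsEnabled $c.Fips
    $text = if ($left.Count) { $left -join ', ' } else { 'none: every HTTPS handshake fails' }
    '{0,-30} -> {1}' -f $c.Name, $text
}

# The same check against the local machine's actual settings.
$live = Get-UsableProtocols (Get-IeSecureProtocols) (Get-FipsPolicy)
'This machine: FIPS={0}, usable={1}' -f (Get-FipsPolicy), ($live -join ', ')
```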
 
*Vanguard*

"Steven L Umbach" said in news:Xu73c.505745$I06.5403689@attbi_s01:
> Did you change any security settings?? That happened to me once on a
> XP Pro machine after I enabled the security option to use fips in
> Local Security Policy setting for System Cryptography. Make sure it
> is disabled [not just undefined] on your computer. Sometimes booting
> into safe mode with networking is also worth a try. See the link
> below for more details. --- Steve

God damn me, I need a keylogger so I can check on everything I've done
on my computer! The one little thing I did that I didn't remember.
Bend over and say, "OWWWWW".

As soon as I saw "FIPS" in your response it triggered me to remember
that I had made a Group Policy change for FIPS after reading Microsoft's
recommendation to up the level of encryption from AES (Adv Encryption
Std) to 3DES in regards to the use of EFS
(http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx).
Apparently SSL 2.0/3.0 supported by either Internet Explorer or
perhaps by the targeted hosts gets ****ed when changing the encryption
method. Argh!!! So upping encryption protection to use 3DES might be
okay for EFS but screws over SSL encryption.

Okay, now I'll start using Journal in Outlook to record all these
incidental changes that I make since apparently I only have 2 brain
cells left for remembering what I did just in the last day. Thanks for
the heads up. In trying to remember everything that I had done on the
computer in the last day I did not recall making this "recommended"
change. None of the KB articles regarding SSL and problems with it led
me back to the FIPS option. Disabling FIPS and applying the change will
now let me connect to HTTPS sites. Hallelujah!

I had a buddy that worked for almost a month on his mobo because it
wouldn't boot with the AGP card, sent it back, tested okay, got another,
and it still failed to boot. I walked over after listening for so long
regarding his tribulations when he decided to test it out in our alpha
lab at work. I noticed he wasn't pushing the AGP video card all the way
down into the slot (it requires more force to get past the 2nd indent).
System came up fine. I quickly walked away to avoid the nuclear blast.
For quite awhile after that, all I had to do was smile knowingly at my
buddy for which he would shout, "Shut up!". Hee hee hee hee hee. Okay,
so now I've done that dumb thing we all get caught at occasionally.
Don't know if I'm going to tell my buddy about this, though. I'll have
to lie about the red mark on my forehead where I whacked it when reading
your reply.
 
Steven L Umbach

Heh heh. Don't feel bad. I went a day before I sorted it out after an upgrade
install, etc. I finally found the solution after searching Google for about an hour
and completely forgot I made the change also. Nowadays I keep a couple Ghost working
images of the partition that has the operating system on it. --- Steve

