err_connection_reset if asking client certificate with Windows Server 2022
Hi!
Windows Server 2022, one-way SSL works fine. But after requiring a client certificate in IIS, an err_connection_reset error appears immediately in the client browser.
In server versions 2016 and 2019 everything works fine with the same configuration.
Any hints?
Thanks,
UV
Internet Information Services
-
Sam Wu-MSFT 7,211 Reputation points • Microsoft Vendor
2021-12-08T02:21:14.69+00:00 @UV This should be a problem between the site and the certificate, you can try to delete the https binding and recreate it. If it still doesn't work, you can refer to this link for troubleshooting: HTTPS Bindings and ERR_CONNECTION_RESET.
-
UV 6 Reputation points
2021-12-08T05:46:17.32+00:00 Hi!
One-way SSL works fine, so there are no problems with the binding.
Thanks,
UV
-
Sam Wu-MSFT 7,211 Reputation points • Microsoft Vendor
2021-12-08T09:35:18.97+00:00 @UV Have you tried it? Someone has got this problem before, and it works normally after rebinding.
-
UV 6 Reputation points
2021-12-08T09:45:59.027+00:00 Yes, I did many tests with different servers and different certificates and different configurations (including default configuration of course).
If I disable TLS 1.3 for the server, everything starts to work (with TLS 1.2)! It seems that TLS 1.3 does not ask for a certificate from the client, so something seems to be wrong with the default TLS 1.3 implementation in Windows Server 2022. Everything is OK with browsers (Firefox, Chrome), as I can connect to nginx and Apache sites with TLS 1.3.
Thanks,
UV
-
Sam Wu-MSFT 7,211 Reputation points • Microsoft Vendor
2021-12-09T02:02:53.937+00:00 @UV Windows Server 2022 supports TLS 1.3. It is difficult to reproduce your problem; I suggest you open a case via https://support.microsoft.com, and one of our engineers will help find the root cause.
-
Joseph Vartanian 6 Reputation points
2022-05-25T16:09:31.14+00:00 @UV I can confirm what you are seeing here, so it's not just you. I also have Windows Server 2022 with the exact same problem as you described it. Disabling TLS 1.3 will clear it up, and enabling TLS 1.3 will bring the problem right back. Did MS support ever get you a solution for this?
-
Urmas Vanem 11 Reputation points
2022-05-27T07:07:55.597+00:00 Yes, I got an answer: Microsoft implemented TLS 1.3 in the most secure way per the RFC. IIS wants to perform post-handshake authentication. Unfortunately, common browsers do not support it in their default configuration. You can enable it only with Firefox (when I last checked; maybe something changed in the recent past). So, de facto, the IIS default configuration for two-way SSL with common browsers does not work with IIS when only TLS 1.3 is enabled.
You can enable an IIS and TLS 1.3-only configuration by enabling the in-handshake method for IIS instead of the post-handshake method.
-
Elena Shlykova 5 Reputation points
2024-03-13T14:21:45.31+00:00 @Urmas Vanem Could you please suggest where in IIS I can enable in-handshake method to fix this issue?
-
Kedar Sane 25 Reputation points • Microsoft Employee
2024-04-02T05:56:24.65+00:00 @Elena Shlykova that would be the "Require" certificates option in IIS or the "SslRequireCert" flag in the access element.
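An added example, not posted by anyone in this thread: a small Python audit script that reads an applicationhost.config, extracts the sslFlags attribute of each access element (globally and per location), and classifies it into the three modes discussed above. The mapping it reports (SslNegotiateCert without SslRequireCert means the optional, post-handshake request that TLS 1.3 browsers reset on; SslRequireCert means the in-handshake "Require" mode named in the reply above) follows the replies in this thread. The sample XML is constructed for the example and modelled on the fragment posted later in the thread; the function names are the example's own.

```python
"""Audit IIS sslFlags for the TLS 1.3 client-certificate reset described in this thread."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample, modelled on an applicationhost.config fragment; not a real server's file.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <access sslFlags="Ssl, SslNegotiateCert" />
    </security>
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer>
      <security>
        <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
      </security>
    </system.webServer>
  </location>
</configuration>
"""

# Interpretation of each mode, as described by the replies in this thread.
MODE_NOTES = {
    "none": "client certificates are not requested",
    "negotiate": "client cert optional: under TLS 1.3 IIS requests it post-handshake, "
                 "which common browsers do not support (ERR_CONNECTION_RESET)",
    "require": "client cert required (SslRequireCert): the in-handshake 'Require' mode",
}


def parse_ssl_flags(attr):
    """Split the comma-separated sslFlags attribute into a set, treating 'None' as empty."""
    return {f.strip() for f in attr.split(",") if f.strip() and f.strip() != "None"}


def classify(flags):
    """Map a set of sslFlags to one of the three client-certificate modes."""
    if "SslRequireCert" in flags:
        return "require"
    if "SslNegotiateCert" in flags:
        return "negotiate"
    return "none"


def _entry(path, access):
    flags = parse_ssl_flags(access.get("sslFlags", ""))
    return {"path": path, "flags": sorted(flags), "mode": classify(flags)}


def audit_config(xml_text):
    """Return one entry per <access> element: per-site (location) entries first, then global."""
    root = ET.fromstring(xml_text)
    results = []
    seen = set()  # access elements that live inside a <location>, by identity
    for loc in root.iter("location"):
        for access in loc.iter("access"):
            seen.add(id(access))
            results.append(_entry(loc.get("path", "?"), access))
    for access in root.iter("access"):
        if id(access) not in seen:
            results.append(_entry("(global)", access))
    return results


def tls13_risk(results):
    """Paths whose mode triggers the post-handshake request TLS 1.3 browsers reset on."""
    return [r["path"] for r in results if r["mode"] == "negotiate"]


if __name__ == "__main__":
    # Usage: python audit_sslflags.py [path\to\applicationhost.config]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    entries = audit_config(text)
    for r in entries:
        print(f"{r['path']}: mode={r['mode']} flags={r['flags']} -> {MODE_NOTES[r['mode']]}")
    risky = tls13_risk(entries)
    if risky:
        print("Paths likely to reset TLS 1.3 browser connections:", risky)
```

Run without arguments it audits the embedded sample; with a path it audits that file. It only reads configuration, so it is safe to run against a production applicationhost.config before deciding between changing sslFlags and disabling TLS 1.3 on the server.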
-
Nieb 0 Reputation points
2024-06-05T16:12:36.41+00:00 I am having a similar issue.
IIS Express works on Win10, but fails on Win11 with ERR_CONNECTION_RESET.
Testing with OpenSSL:
openssl s_client -connect %Url% -tls1_3
on Win10 shows "no peer certificate available".
openssl s_client -connect %Url% -tls1_3
on Win11 shows a certificate.
@Kedar Sane, using SslRequireCert did not correct the issue.
applicationhost.config:
    <security>
      <!-- <access sslFlags="None" /> -->
      <!-- <access sslFlags="Ssl, SslNegotiateCert" /> -->
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
      <authentication>
        <anonymousAuthentication enabled="true" userName="" />
        <basicAuthentication enabled="false" />
        <clientCertificateMappingAuthentication enabled="false" />
        <digestAuthentication enabled="false" />
        <iisClientCertificateMappingAuthentication enabled="false" />
        <windowsAuthentication enabled="false">
          <providers>
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
      ...
Other things I have tried:
- WebApp is configured to use wrong ports (44300-44399).
- Ports are correct.
- IIS Express can't access Computer-Certs.
- OpenSSL shows Certs on running WebApp.
- Force TLS 1.2.
- Configure IIS Express to do "during handshake" cert-negotiation.
- I've already read that TLS 1.3 does not allow post-handshake certificate negotiation nor certificate re-negotiation.
- ** As per this question-thread, this is what I'm trying to figure out now. As mentioned above, setting SslRequireCert did not work.