err_connection_reset if asking client certificate with Windows Server 2022

Question

err_connection_reset if asking client certificate with Windows Server 2022

UV 1

Hi!

Windows Server 2022, one way SSL works fine. But after requiring client certificate in IIS, err_connection_reset error appears immediately in client browser.
In server versions 2016 and 2019 everything works fine with the same configuration.

Any hints?

Thanks,

UV

Sam Wu-MSFT 5,926 Reputation points Microsoft Vendor

2021-12-08T02:21:14.69+00:00

@UV This should be a problem between the site and the certificate, you can try to delete the https binding and recreate it. If it still doesn't work, you can refer to this link for troubleshooting: HTTPS Bindings and ERR_CONNECTION_RESET.
UV 1 Reputation point

2021-12-08T05:46:17.32+00:00

Hi!

One way SSL works fine, so there are no problems with binding.

Thanks,

UV
Sam Wu-MSFT 5,926 Reputation points Microsoft Vendor

2021-12-08T09:35:18.97+00:00

@UV Have you tried it? Someone has got this problem before, and it works normally after rebinding.
UV 1 Reputation point

2021-12-08T09:45:59.027+00:00

Yes, I did many tests with different servers and different certificates and different configurations (including default configuration of course).

If I disable TLS 1.3 for server, everything starts to work (with TLS 1.2)! It seems that TLS 1.3 do not ask certificate from client, so something seems to be wrong with default TLS 1.3 implementation in Windows server 2022. Everything is OK with browsers (Firefox, Chrome) as I can connect to nginx and Apache sites with TLS 1.3.

Thanks,

UV
Sam Wu-MSFT 5,926 Reputation points Microsoft Vendor

2021-12-09T02:02:53.937+00:00

@UV Windows server 2022 supports TLS1.3, It is difficult to reproduce your problem, I suggest you open a case via: https://support.microsoft.com, one of our engineers will help find the root cause.
Joseph Vartanian 6 Reputation points

2022-05-25T16:09:31.14+00:00

@UV I can confirm what you are seeing here, so it's not just you. I also have Windows Server 2022 with the exact same problem as you described it. Disabling TLS 1.3 will clear it up, and enabling TLS 1.3 will bring the problem right back. Did MS support ever get you a solution for this?
Urmas Vanem 6 Reputation points

2022-05-27T07:07:55.597+00:00

Yes, I got answer: Microsoft implemented TLS 1.3 in most secure way by RFC. IIS wants to perform post-handshake authentication. Unfortunately common browsers do not support it in default configuration. You can enable it only with Firefox (when I last checked, maybe samething changed in near past). So, de facto IIS default configuration for two-way SSL with common browsers do not work with IIS when TLS 1.3 only is enabled.
You can enable IIS and TLS 1.3 only configuration by enabling in-handshake method for IIS instead on post-handshake method.

Sam Wu-MSFT 5,926 Reputation points Microsoft Vendor

2021-12-08T02:21:14.69+00:00

@UV This should be a problem between the site and the certificate, you can try to delete the https binding and recreate it. If it still doesn't work, you can refer to this link for troubleshooting: HTTPS Bindings and ERR_CONNECTION_RESET.
UV 1 Reputation point

2021-12-08T05:46:17.32+00:00

Hi!

One way SSL works fine, so there are no problems with binding.

Thanks,

UV
Sam Wu-MSFT 5,926 Reputation points Microsoft Vendor

2021-12-08T09:35:18.97+00:00

@UV Have you tried it? Someone has got this problem before, and it works normally after rebinding.
UV 1 Reputation point

2021-12-08T09:45:59.027+00:00

Yes, I did many tests with different servers and different certificates and different configurations (including default configuration of course).

If I disable TLS 1.3 for server, everything starts to work (with TLS 1.2)! It seems that TLS 1.3 do not ask certificate from client, so something seems to be wrong with default TLS 1.3 implementation in Windows server 2022. Everything is OK with browsers (Firefox, Chrome) as I can connect to nginx and Apache sites with TLS 1.3.

Thanks,

UV
Sam Wu-MSFT 5,926 Reputation points Microsoft Vendor

2021-12-09T02:02:53.937+00:00

@UV Windows server 2022 supports TLS1.3, It is difficult to reproduce your problem, I suggest you open a case via: https://support.microsoft.com, one of our engineers will help find the root cause.
Joseph Vartanian 6 Reputation points

2022-05-25T16:09:31.14+00:00

@UV I can confirm what you are seeing here, so it's not just you. I also have Windows Server 2022 with the exact same problem as you described it. Disabling TLS 1.3 will clear it up, and enabling TLS 1.3 will bring the problem right back. Did MS support ever get you a solution for this?
Urmas Vanem 6 Reputation points

2022-05-27T07:07:55.597+00:00

Yes, I got answer: Microsoft implemented TLS 1.3 in most secure way by RFC. IIS wants to perform post-handshake authentication. Unfortunately common browsers do not support it in default configuration. You can enable it only with Firefox (when I last checked, maybe samething changed in near past). So, de facto IIS default configuration for two-way SSL with common browsers do not work with IIS when TLS 1.3 only is enabled.
You can enable IIS and TLS 1.3 only configuration by enabling in-handshake method for IIS instead on post-handshake method.

err_connection_reset if asking client certificate with Windows Server 2022

Activity