Cloud365.in
A Website for IT Professionals
TLS protocol defined fatal error code is 20. SChannel error state is 960.
Issue Statement:
Intermittently getting Schannel Error Event 36888: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960.
Cause:
The cipher suite in use was TLS_DHE_RSA_WITH_AES_256_GCM_SHA384. There are known issues with cipher suites whose names start with TLS_DHE.
Resolution:
The issue was resolved after disabling the TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite by removing it from the following registry key:
Alternatively, you can configure cipher suites starting with TLS_DHE to be negotiated last by configuring the following Group Policy:
To configure the SSL Cipher Suite Order group policy setting:
- At a command prompt, enter gpedit.msc. The Group Policy Object Editor appears.
- Expand Computer Configuration, Administrative Templates, Network, and then click SSL Configuration Settings.
- Under SSL Configuration Settings, click the SSL Cipher Suite Order setting.
- In the SSL Cipher Suite Order pane, scroll to the bottom of the pane.
- Follow the instructions labeled How to modify this setting.
It is necessary to restart the computer after modifying this setting for the changes to take effect.
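As an added example (not part of the Cloud365 article), the following PowerShell inventories recent Schannel 36888 events, extracts the TLS alert code and Schannel error state from each, lists the enabled cipher suites that begin with TLS_DHE, and disables the suite the article names only when -Apply is given. It assumes Windows Server 2012 R2 or later for the TLS module cmdlets (Get-TlsCipherSuite, Disable-TlsCipherSuite) and an elevated session for the final step; the -Days, -Suite and -Apply parameters are this example's own.

```powershell
# Added example (not from the Cloud365 article): inventory Schannel 36888 alerts and the
# enabled cipher suites before deciding whether to remove a TLS_DHE suite.
# Assumes Windows Server 2012 R2+ (TLS module cmdlets) and elevation for the -Apply step.

param(
    [string]$Suite = 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',  # suite named in the article
    [int]$Days = 7,
    [switch]$Apply   # only disable the suite when explicitly requested
)

# 1. Collect recent Schannel 36888 events and break out alert code and error state.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36888
    StartTime    = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$pattern = 'fatal error code is (?<alert>\d+)\. The Windows SChannel error state is (?<state>\d+)'
$summary = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Time  = $e.TimeCreated
            Alert = [int]$Matches.alert   # 20 = bad_record_mac (RFC 5246 alert code)
            State = [int]$Matches.state   # 960 in the article's case
        }
    }
}
"Schannel 36888 events in the last $Days day(s): $(@($events).Count)"
$summary | Group-Object Alert, State | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Show which enabled suites start with TLS_DHE and whether the named one is present.
$enabled = Get-TlsCipherSuite | Select-Object -ExpandProperty Name
$dhe = $enabled | Where-Object { $_ -like 'TLS_DHE_*' }
"Enabled TLS_DHE suites: $($dhe -join ', ')"

if ($enabled -notcontains $Suite) {
    "$Suite is not in the enabled list; nothing to disable."
    return
}

# 3. Disable the suite only when -Apply is given. The article's registry edit and the
#    Group Policy ordering reach the same end; a restart guarantees Schannel reloads.
if ($Apply) {
    Disable-TlsCipherSuite -Name $Suite
    "$Suite disabled; restart the server so Schannel picks up the change."
} else {
    "Re-run with -Apply to disable $Suite (requires elevation)."
}
```

If the SSL Cipher Suite Order Group Policy is enabled, its list takes precedence over the local suite configuration that Disable-TlsCipherSuite edits, so confirm with gpresult or the policy editor which list is actually in force before expecting the change to stick.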
Windows schannel error 960
Question
We have a Ruby application that uses Tiny_tds and we have occasional sql adaptive server connection failures. These are essentially sql connection failures. When these errors occur we always get the schannel error shown below.
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960.
We have SQL 2012 on a windows 2012 server r2 machine.
Any ideas on what to check for or any guidance/ suggestions are appreciated.
All replies
You could look in the SQL Server errorlog for stackdumps or other messages that coincide with these errors. If there is no such thing, it may be an issue on your network. Or tiny_tds maybe does not have very good TLS support.
>>The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960.
Error code 20 can be translated to bad_record_mac. Based on what I know, the issue could be related to the TLS implementation (which is Tiny_TDS in this case) or it’s related to your network.
In addition, I’ve also found a similar issue report for your reference.
If you have any other questions, please let me know.
TLS fatal error code 20. The Windows SChannel error state is 960 (Solved)
You may see “SChannel error state is 960” in Event Viewer when your web server fails to establish a secure connection with clients. Users receive certificate errors while the following event appears in the server's event log:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960.
Cause
This issue is caused by different or incompatible cipher suites being used on the web server and the load balancer. Cipher suites are sets of encryption methods such as RSA and DHE.
When there is a conflict or mismatch in the cipher suites used, the web server cannot decrypt the encrypted request coming from the load balancer and logs this error message: “The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960.”
How to solve “SChannel error state is 960”
You can fix the secure connection failures and make the Schannel errors disappear by enabling a custom cipher suite order and editing the list of cipher suites used by your web server. Follow the instructions below on Windows Server:
- Log on to the server using an account that is a member of the local Administrators group
- Go to “Start > Run”. Enter: gpedit.msc
- In the left pane, expand “Computer Configuration > Administrative Templates > Network > SSL Configuration Settings”
- In the right pane, right-click “SSL Cipher Suite Order” and choose “Edit”
- Click “Enabled”
- Copy the content of the “SSL Cipher Suites” text box and paste it into Notepad
- Edit this list to make sure it matches the cipher suite list used by your load balancer. As a general recommendation:
- Move the TLS_RSA cipher suites to the top
- Place the TLS_ECDHE ones after them
- Remove these two cipher suites, as they have known interoperability issues:
- In the “SSL Cipher Suite Order” window, click “OK”
- Reboot the server
Note: The list you provide in Step 7 cannot exceed 1023 characters. To reduce it, give priority to the suites at the top of the default cipher list; that list is ordered from the strongest cipher suites to the weakest. Additionally, you can remove the suites that are on the HTTP/2 blacklist. Here is more information about the HTTP/2 blacklist.
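As an added example (not part of the post above), the following PowerShell builds the value for the "SSL Cipher Suites" box from the suites the server currently enables, applies the post's ordering advice (TLS_RSA first, TLS_ECDHE next), drops an explicit removal list, optionally drops suites on the HTTP/2 blacklist, and enforces the 1023-character limit the note warns about. It assumes Windows Server 2012 R2 or later (Get-TlsCipherSuite). The two suites the post removes are not preserved on this page, so the TLS_DHE suite named in the Cloud365 section is used as the stand-in removal list; the -Remove, -DropHttp2Blacklist and -MaxLength parameters and the Test-Http2Blacklisted helper are this example's own.

```powershell
# Added example (not from the post): build the "SSL Cipher Suite Order" value following the
# post's ordering advice and enforce its 1023-character limit.
# Assumptions: Windows Server 2012 R2+ (Get-TlsCipherSuite); the removal list below is a
# stand-in taken from the Cloud365 section, since the post's two suites are not on this page.
# Paste the output into the policy's "SSL Cipher Suites" box (step 7) rather than editing
# the registry directly, so the policy stays the single source of the order.

param(
    [string[]]$Remove = @('TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'),
    [switch]$DropHttp2Blacklist,
    [int]$MaxLength = 1023
)

# Current order as Schannel reports it (strongest first, as the post describes).
$current = Get-TlsCipherSuite | Select-Object -ExpandProperty Name

# Heuristic for the RFC 7540 Appendix A blacklist: HTTP/2 rejects suites that are not
# ephemeral (EC)DHE (TLS 1.3 suites are always ephemeral) or not AEAD (GCM/CCM/ChaCha20).
# This drops every TLS_RSA suite, so it conflicts with the post's "TLS_RSA first" advice;
# an HTTP/2 deployment has to choose one or the other.
function Test-Http2Blacklisted([string]$Name) {
    $ephemeral = $Name -match '^TLS_((EC)?DHE_|AES_|CHACHA20_)'
    $aead      = $Name -match '_(GCM|CCM|CHACHA20)'
    return -not ($ephemeral -and $aead)
}

$kept = $current | Where-Object { $Remove -notcontains $_ }
if ($DropHttp2Blacklist) {
    $kept = $kept | Where-Object { -not (Test-Http2Blacklisted $_) }
}

# Reorder: TLS_RSA first, TLS_ECDHE next, everything else afterwards; each group keeps
# its relative (strength) order from the original list.
$rsa   = $kept | Where-Object { $_ -like 'TLS_RSA_*' }
$ecdhe = $kept | Where-Object { $_ -like 'TLS_ECDHE_*' }
$rest  = $kept | Where-Object { $_ -notlike 'TLS_RSA_*' -and $_ -notlike 'TLS_ECDHE_*' }
$ordered = @($rsa) + @($ecdhe) + @($rest)

# Trim from the end (weakest) until the comma-separated value fits the policy limit.
$value = $ordered -join ','
while ($value.Length -gt $MaxLength -and $ordered.Count -gt 1) {
    $ordered = $ordered[0..($ordered.Count - 2)]
    $value = $ordered -join ','
}

"Suites kept: $($ordered.Count) of $(@($current).Count); value length: $($value.Length)/$MaxLength"
$value
```

The script only produces the string; it does not change the server. Compare the output against the load balancer's configured suite list before pasting it, since the post's fix depends on the two lists overlapping, and reboot afterwards as step 12 requires.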
It didn’t work?
A less likely cause of this issue is a change in the MAC (Message Authentication Code) (Source). The web server uses this code to verify that the request has not been altered in transit (request forgery or a man-in-the-middle attack). If the web server detects that the MAC has changed, it drops the connection. Make sure that your load balancer does not modify the MAC value.
Another possible cause is a Windows update (KB4457129) that reportedly breaks NLB (Network Load Balancer) clusters. Uninstalling this update or installing the patch (KB4457133) resolves the issue (Source).
Windows schannel error 960
This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.
Question
Can anyone tell me why I see this system entry? And what may be causing it?
Please suggest/advise at the earliest.
All replies
Also, we have applied the solution below, but the system still throws Schannel errors:
If you encounter connection issues between your Java application and SQL Server that are related to SSL, first check the Windows Server system event log for SCHANNEL errors or warnings. If you see such entries, you can test whether SCHANNEL is misconfigured by first exporting the current registry key and then deleting the complete key.
Restart the DB Server and check if the JDBC connection works. If the connection works, ask your IT department whether they set these keys via group policy or whether they use tools that configure SCHANNEL.
Based on your description, there is event ID 36888 (Schannel). That is not enough to identify the problem.
Please provide more information, such as:
1. OS version, run “msinfo32” to check the details.
2. Application, role service, or any other related application, server.
3. Related operation when problem happens, and prompted error message if any.
4. Changes before this problem happens.
Best Regards,
Eve Wang
Thanks Melanie. We have deleted the registry entry and restarted the server. However, the Windows Event Log still shows the same error.
Please provide more information, such as:
1. OS version, run “msinfo32” to check the details.
OS Name Microsoft Windows Server 2008 R2 Enterprise
Version 6.1.7601 Service Pack 1 Build 7601
2. Application, role service, or any other related application, server.
Can you please elaborate?
3. Related operation when problem happens, and prompted error message if any.
The JBOSS application is trying to establish a connection to the Database Server, which in turn fails with the error "The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "SQL Server returned an incomplete response. The connection has been closed."" in the server where JBOSS resides, and creates a Schannel error entry in the Windows Event Log of the Database Server.
4. Changes before this problem happens.
VMWARE Tools upgraded and some regular Windows security patch updates installed.
Please suggest and let me know if you need any additional information.
Windows schannel error 960
General discussion
Have lots of 36888 error on DC:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960.
I rebooted the server a few times. Cannot find anything else.
Anyone can help?
All replies
I have the same issue with a Server 2012 Standard. I get this error in the event viewer (ID 3688 Error Schannel) every time I try to Remote Desktop to it, and my remote desktop client returns this error message:
"This computer can’t connect to the remote computer. Try connecting again; if the problem continues, contact the owner of the remote computer or your network administrator."
The error on the server is:
Error | ID 3688 | Schannel | Log= System
"A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960."
All the replies I’ve found on TechNet regarding Error 36888 tell others to just ignore the event. I definitely have something configured incorrectly on this server because Remote Desktop used to work fine, then one day it just stopped.