Schannel 36874 errors on Windows Server 2016
I have been looking at this error all day and am really scratching my head now. We have a Windows Server 2016 Std that runs a .NET webservice. This in turn connects to our database server, same OS, in the same estate i.e. behind the same firewall. I should state before anything else that both servers have TLS1.2 ONLY enabled, and running a Qualys Labs test confirms SSL3 is not switched on.
What appears to be happening is that requests are coming through and are encountering ssl/tls issues as below which I have retrieved from the application log files:
The request was aborted: Could not create SSL/TLS secure channel.
Then between 59-61 seconds later, we get the sql error:
A network-related or instance-specific error occurred while
establishing a connection to SQL Server. The server was not found or
was not accessible.
i.e. these errors are occurring in pairs. It seems to have been happening for several months, but has become apparent now as we investigated another issue.
The .NET application is now using the correct hostname for the db server, as previously it was using a name that didn't exist but was in the local hosts file, but this hasn't resolved things (I thought perhaps the hostname not matching what is on our wildcard certificate could cause issues). This application was coded by some CRM developers but unfortunately they are being quite uncooperative.
The Windows event log (System) is full of Schannel 36874 errors which seem to correlate with the errors mentioned above:
An SSL 3.0 connection request was received from a remote client
application, but none of the cipher suites supported by the client
application are supported by the server. The TLS connection request
has failed.
As I have said I really don't know where to go next with this issue. I have seen some posts stating these errors in the event log can be suppressed but only if they aren't causing an issue, however I'd like to get to the bottom of things before I start doing that.
I have installed Wireshark on the server in question and have filtered for 443 traffic, however I'm not sure how to interrogate Wireshark's logs or if this is even possible.
Any help would be appreciated. I guess I really need to find out who/what the 'remote client' is in the event logs, does anyone have any pointers?
Many thanks
ssl asp.net windows-server-2016
asked 6 hours ago
ajguk
1 Answer
This appears to be an issue with the server cipher suites that the client is asking for before the handshake. Can you give us more information as to how the client side is establishing the connection? If you have access to a command line SSL client, you can initiate the handshake yourself and attempt to trip the error.
I would suggest just making sure the App Developer standardizes the handshake to use TLS 1.2 for the most compatible setting and TLS 1.3 if you can control the cipher suites server side.
answered 6 hours ago
David O.
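An added example, not part of the original question or answer: a small parser for the ClientHello a client sends at the start of the handshake, showing the protocol version and cipher suites it offers and whether any of them overlap with the server's enabled list. The sample bytes, the `SERVER_ENABLED` set and all function names are constructed for illustration.

```python
import struct

# Constructed lookup tables: a few IANA suite IDs and protocol versions.
SUITE_NAMES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5",
               0x0005: "TLS_RSA_WITH_RC4_128_SHA",
               0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
               0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# Hypothetical list of suites enabled on the server (assumption, not from the post).
SERVER_ENABLED = {0xC02F, 0xC030}


def parse_client_hello(record: bytes) -> dict:
    """Return the versions and cipher suites offered in one ClientHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) < max(rec_len, 4) or body[0] != 0x01:
        raise ValueError("not a complete ClientHello handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if hs_len < 35 or len(hello) < hs_len:
        raise ValueError("truncated ClientHello")
    client_ver = int.from_bytes(hello[:2], "big")
    pos = 2 + 32                      # skip client_version and 32-byte random
    pos += 1 + hello[pos]             # skip session_id (1-byte length prefix)
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + cs_len]
    if cs_len == 0 or cs_len % 2 or len(raw) != cs_len:
        raise ValueError("bad cipher_suites vector")
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]
    return {"record_version": rec_ver, "client_version": client_ver,
            "suites": suites}


def common_suites(offered, enabled):
    """Suites both sides support, in client preference order."""
    return [s for s in offered if s in enabled]


def build_sample_record() -> bytes:
    """Constructed ClientHello: SSL 3.0, three legacy RSA suites, no extensions."""
    suites = bytes.fromhex("00040005000a")
    hello = (b"\x03\x00" + bytes(32) + b"\x00"
             + len(suites).to_bytes(2, "big") + suites + b"\x01\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x00" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    info = parse_client_hello(build_sample_record())
    print("offered version:", VERSIONS.get(info["client_version"], "unknown"))
    for s in info["suites"]:
        print("  0x%04X %s" % (s, SUITE_NAMES.get(s, "(unnamed)")))
    shared = common_suites(info["suites"], SERVER_ENABLED)
    print("common suites:", shared or "none, handshake cannot proceed")
```

In Wireshark the display filter `tls.handshake.type == 1` (`ssl.handshake.type == 1` in older releases) isolates ClientHello packets. The source address of such a packet is the remote client, and its bytes from the TLS record header onward are what this parser expects.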