Windows 10, version 1903, all editions Windows 10, version 1809, all editions Windows Server 2019, all editions Windows 10, version 1803, all editions Windows 10, version 1709, all editions Windows 10, version 1703, all editions Windows 10, version 1607, all editions Windows Server 2016, all editions Windows 10 Windows 8.1 Windows Server 2012 R2 Windows Server 2012 Windows 7 Service Pack 1 Windows Server 2008 R2 Windows Server 2008 Service Pack 2 Windows Embedded 8 Standard Windows Embedded Standard 7 Service Pack 1 Windows Embedded POSReady 7 More...Less
Symptoms
When attempting to connect, Transport Layer Security (TLS) might fail or timeout. You might also receive one or more of the with the following errors:
-
"The request was aborted: Could not create SSL/TLS secure Channel"
-
error0x8009030f
-
An error logged in the System Event Log forSCHANNEL event 36887 with alert code 20 and the description, "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20."
Cause
Due to security related enforcement forCVE-2019-1318, all updates for supported versions of Windows released on October 8, 2019 or later enforce Extended Master Secret (EMS) for resumption as defined byRFC 7627. Connections to third-party devices and OSes that are non-compliant might have issues or fail.
Next Steps
Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance.
Any third-party operating system, device or service that does not support EMS resumption might exhibitissues related to TLS connections. You should contact your administrator, manufacturer or service provider for updates that fully support EMS resumption as defined byRFC 7627.
Note Microsoft does not recommend disabling EMS. If EMS was previously explicitly disabled, it can be re-enabled by setting following registry key values:
HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel
On TLS Server: DisableServerExtendedMasterSecret: 0
On TLS Client: DisableClientExtendedMasterSecret: 0
Advanced information for administrators
1. A Windows device attempting a Transport Layer Security (TLS) connection to a device that does not supportExtended Master Secret (EMS) when TLS_DHE_* cipher suites are negotiated might intermittently fail approximately 1 out of 256 attempts. To mitigate this issue, implement one of the following solutions listed in order of preference:
-
Enable support for Extend Master Secret (EMS) extensions when performing TLS connections on both the client and the server operating system.
-
For operating systems that do not support EMS, remove the TLS_DHE_* cipher suites from the cipher suite list in the OS ofthe TLS client device. For instructions on how to do this on Windows, seePrioritizing Schannel Cipher Suites.
2. Operating systems that only send certificate requestmessages in a full handshake following resumption are not RFC 2246 (TLS 1.0)orRFC 5246 (TLS 1.2) compliant and will cause each connection to fail. Resumption is not guaranteed by the RFCs but may be used at the discretion of the TLS client and server. If you encounter this issue, you will need to contact the manufacturer or service provider for updates that comply with RFC standards.
3. FTP servers or clients that are not compliant with RFC 2246 (TLS 1.0)andRFC 5246 (TLS 1.2)might fail to transfer files on resumption or abbreviated handshake and will cause each connection to fail.If you encounter this issue, you will need to contact the manufacturer or service provider for updates that comply with RFC standards.
Affected Updates
Any latest cumulative update (LCU) or Monthly Rollups released on October 8, 2019 or later for the affected platforms may experience this issue:
-
KB4517389LCU forWindows 10, version 1903.
-
KB4519338LCU forWindows 10, version 1809 and Windows Server 2019.
-
KB4520008LCU forWindows 10, version 1803.
-
KB4520004LCU forWindows 10, version 1709.
-
KB4520010LCU forWindows 10, version 1703.
-
KB4519998LCU forWindows 10, version 1607 and Windows Server 2016.
-
KB4520011LCU forWindows 10, version 1507.
-
KB4520005Monthly Rollup for Windows 8.1 and Windows Server 2012 R2.
-
KB4520007Monthly Rollup for Windows Server 2012.
-
KB4519976Monthly Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1.
-
KB4520002Monthly Rollup for Windows Server 2008 SP2
The following Security Only released on October 8, 2019 for the affected platforms may experience this issue:
-
KB4519990Security-only update for Windows 8.1 and Windows Server 2012 R2.
-
KB4519985Security-only update for Windows Server 2012 and Windows Embedded 8 Standard.
-
KB4520003Security-only update for Windows 7 SP1 and Windows Server 2008 R2 SP1
-
KB4520009Security-only update forWindows Server 2008 SP2
SUBSCRIBE RSS FEEDS
Need more help?
Want more options?
Discover Community
Explore subscription benefits, browse training courses, learn how to secure your device, and more.
Microsoft 365 subscription benefits
Microsoft 365 training
Microsoft security
Accessibility center
Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.