I am getting this error in my server's Windows event log:
An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
I get it when I try to connect to a web service on a Windows 7 box from a Windows Server 2003 box.
How do I add a cipher suite to one that the other supports?
(fixing clients is ideal, but failing that a server solution is fine - I have access to all boxes involved, I just want some basic encryption between them for privacy).
Along with hours of googling and reading, I have tried:
- Checked the server's Windows Event Viewer (found cipher suite error)
- Added cipher suites to test1 from http://support.microsoft.com/kb/948963 (didn't help)
- Added TLS 1.0 to protocols in cipher suites in the server's Windows registry (no change)
- Installed IIS tools hoping that adds more protocols to Schannel (it doesn't)
- Exported certificate for clients, again, but with private key included (no change)
- Checked that installed cipher suites match on server and client (can't find where win2k3 lists them)
- Added TLS_RSA_WITH_AES_256_CBC_SHA (installed by above hotfix) to server's cipher suites (nope, already on there)
Windows 7 uses the new CNG (Cryptography Next Generation) API when choosing ciphers. CNG for Windows 2003 is not available as far as I know.
You can, however, install these AES-based cipher suites for use on Windows 2003:
These are the first suites Windows Vista and Windows 7 clients will try to negotiate for use with TLS 1.0 and above, and are also supported by OpenSSL clients.
In order to use these, install KB948963.
The solution was to generate my certificate again, this time forcing RSA and SHA1 (though SHA1 is the default anyway). For some reason Win Server 2k3 couldn't or wouldn't use the right ciphers with a default makecert certificate. Here is the command line that worked for me:
makecert -pe -r -ss my -sr localMachine -n "CN=domainnameoripaddressgoeshere.com" -e 01/01/2098 -a sha1 -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
For details see http://mgowen.com/2013/06/19/cipher-suites-issue/ and http://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.110).aspx .
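A way to check which of the properties set by the makecert command above a certificate actually has, run on the machine that holds it. This is an added example, not part of the original answer; it assumes PowerShell 2.0 or later and the LocalMachine\My store that `-ss my -sr localMachine` selects.

```powershell
# Added example: report, for every certificate in LocalMachine\My, the
# properties that the makecert flags -a, -sky, -sp, -sy and -eku control.
# Run elevated so the private key container can be opened.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'      # OID passed to -eku on the page
$sha1RsaOid    = '1.2.840.113549.1.1.5'   # sha1RSA, what -a sha1 gives with an RSA key

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $keySpec = $null; $provName = $null; $provType = $null

    if ($cert.HasPrivateKey) {
        try {
            # CspKeyContainerInfo exists only for CryptoAPI (CSP) keys;
            # other key types make the PrivateKey getter throw.
            $info     = $cert.PrivateKey.CspKeyContainerInfo
            $keySpec  = "$($info.KeyNumber)"   # Exchange or Signature (-sky)
            $provName = $info.ProviderName     # -sp
            $provType = $info.ProviderType     # -sy, 12 = RSA SChannel
        } catch {
            $provName = "unreadable: $($_.Exception.Message)"
        }
    }

    # Collect the Enhanced Key Usage OIDs (-eku)
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
    }

    # True only when every checked property equals what the command requests
    $same = ($keySpec -eq 'Exchange') -and ($provType -eq 12) -and
            ($cert.SignatureAlgorithm.Value -eq $sha1RsaOid) -and
            ($ekus -contains $serverAuthOid)

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName
        KeySpec       = $keySpec
        Provider      = $provName
        ProviderType  = $provType
        EKU           = ($ekus -join ', ')
        SameAsCommand = $same
    }
} | Select-Object Subject, NotAfter, SignatureAlg, KeySpec, Provider, ProviderType, EKU, SameAsCommand | Format-List
```

Comparing the output for a default makecert certificate with one created by the command above shows which of these properties differ between the two.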