schannel - EventID 36888 - fatal alert 40 - error state (1205, 1207, etc.)

In response to the recent SSL 3.0 vulnerabilities, we have been locking down SSL settings on IIS servers. As a result (not surprisingly) we are seeing more schannel errors in the event log.

I understand that many of these are just "noise" and that schannel logging can be disabled via a registry setting; however, we are wondering if the error codes will tell us which cipher they were attempting to use, so we can determine if our SSL settings are acceptable or too restrictive.

I found a reference that describes what the fatal alert codes mean (i.e. 40 = TLS1_ALERT_HANDSHAKE_FAILURE), but I cannot find a reference for the internal error states (1203, 1205, 1207). Can anyone point me towards such a reference?

Alternatively, here is a sampling of the schannel errors. Do any of them indicate an SSL configuration problem on the server side?

EVENT ID 36888

  • The following fatal alert was generated: 40. The internal error state is 1207.
  • The following fatal alert was generated: 40. The internal error state is 1205.
  • The following fatal alert was generated: 10. The internal error state is 1203.
  • The following fatal alert was generated: 20. The internal error state is 960.

EVENT ID 36874

  • An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
  • An TLS 1.1 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed
  • An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
  • An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

EVENT ID 36887

  • The following fatal alert was received: 46.


October 27th, 2014 2:45pm

Hiya,

There are two options;

1: The certificate you used to sign your site is created on a server with a higher cryptographic standard than the clients support, meaning that it is signed using a newer cipher than what the client (XP/2003 or older) has available. You create a new certificate using a lower cryptographic standard in order to support older browsers.

2: Some browsers might simply not support the required level of SSL/TLS configured on your server.

The below post has two good references for understanding this.

https://jesperarnecke.wordpress.com/2014/04/24/web-server-security-ssltls/

Bottom line: Do you have a TLS/SSL misconfiguration on your server? It depends on what you define as a misconfiguration. It's security vs. compatibility.

October 27th, 2014 3:50pm

Hi,

I would agree with Jesper Arnecke.

You can also test by setting the default Intranet zone security level to MEDIUM or lower, to eliminate a security setting that prevents the handshake.

This is by design and you can ignore this warning.

http://www.eventid.net/display.asp?eventid=36888&eventno=10545&source=Schannel&phase=1

Regards.

October 29th, 2014 7:12am

Hi,

I just want to confirm what is the current situation.

Please feel free to let us know if you need further assistance.

Regards.

October 31st, 2014 8:51am

Vivian, I am afraid you misunderstood the question; your answers were relevant to client side errors. These errors are occurring on the server side (IIS servers) after reconfiguring the SSL/TLS ciphers.

While Jesper's information was informative, it did not provide me with the specific information I am looking for.

I was actually looking for a Microsoft-provided reference for the internal error states listed in the errors above.

I am hoping those error states will tell me specifically which cipher is failing, so I can determine if it's one we need to support or not.


November 3rd, 2014 3:24pm

Hiya,

I would probably go for two things. First, enable some usage statistics from your site, so you can collect information about which browsers are visiting your site. That would give you pretty fast information about which cipher suites you should be supporting for the majority of the users. Secondly, you can start collecting network trace traffic, which will be a lot of data to analyze. The following KB will show you which cipher suites are used depending on TLS version.

https://support.microsoft.com/kb/299520?wa=wsignin1.0

November 3rd, 2014 6:30pm

Since schannel is smart enough to log an error with a specific error code, I was hoping I could derive that information from the errors generated by the event log. 

Jesper's recommendations about reviewing the browser usage on the sites in question and/or collecting network traffic is valid - I was just hoping I could derive that information from the event log because that (could) be much easier if I had a reference that explained what each numerical error state indicated.

I'm trying to determine if that methodology is possible or not.

November 3rd, 2014 7:02pm

Hiya,

I don't think schannel will contain the information you're looking for. The events seem not to go to that detail level.

http://blogs.msdn.com/b/kaushal/archive/2012/10/06/ssl-tls-alert-protocol-amp-the-alert-codes.aspx


November 3rd, 2014 7:41pm

Thanks for the reply Jesper, I found that article previously. I agree that the "fatal alert code" does not go into that detail level, but it is entirely possible that the "error state" might.

The different numerical error states must mean something, otherwise why do they bother differentiating between "Fatal Alert 40 with Error state 1207" vs. "Fatal Alert 40 with Error state 1205"?

I understand that it's entirely possible that the error states don't provide any meaningful information either, but without a reference guide as to what each error state code actually means, I don't think we can jump to that conclusion.

Somewhere there must be a list of what those error states mean.  I already tried searching for that information before posting to this group.  I was hoping that someone from Microsoft could enlighten us with some documentation that does not appear to have been published.

November 3rd, 2014 10:06pm

Hi,

However, there are many possible causes for this issue. In order to speed up the troubleshooting of this issue, I strongly suggest you submit a request to the email support team for professional services. They can help to collect and analyze available logs more efficiently. They always focus on the individual issue in each service request to make sure the troubleshooting is more timely.

For additional information about Microsoft Email Support Services, including how to engage, please refer to this Microsoft web page:

http://support.microsoft.com/sasupport

Hope this information will be helpful for you.

November 5th, 2014 11:17am

Hello,

May I know if there is any update about this case? I think this case should capture the schannel traces; also, there are many possible causes for this issue. In order to speed up the troubleshooting of this issue, I strongly suggest you submit a request to the email support team for professional services. They can help to collect and analyze available logs more efficiently. They always focus on the individual issue in each service request to make sure the troubleshooting is more timely.

For additional information about Microsoft Email Support Services, including how to engage, please refer to this Microsoft web page:

http://support.microsoft.com/sasupport

Hope this information will be helpful for you.

BR,

Steven Song

November 20th, 2014 5:19am

Hi Steven,

I'm not interested in performing packet captures and delving into the inner workings of schannel, and I don't want to waste anyone's time opening a ticket on this.

Somebody at Microsoft took the time to log specific events to the error log when schannel errors occur; I'm just looking for documentation on what each error state means within each schannel event code. That documentation is either available to the public or it's not. That's the answer I'm looking for.

Thanks

November 20th, 2014 4:16pm

Hello,

Thanks for your reply. I found a blog that states that these alert codes have been defined precisely in the TLS/SSL RFCs for all the existing protocol versions. For example, let's consider RFC 5246 (TLS 1.2). This RFC corresponds to the latest protocol version and it defines the alert messages.

Follow this link: http://tools.ietf.org/html/rfc5246#appendix-A.3

You can find this blog for reference:

http://blogs.msdn.com/b/kaushal/archive/2012/10/06/ssl-tls-alert-protocol-amp-the-alert-codes.aspx

Hope it is helpful.

Best Regards,

Steven Song

November 21st, 2014 2:22am
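To make the thread's two useful pieces concrete (the sample 36888/36874/36887 events in the original post, and the RFC 5246 Appendix A.3 alert table Steven points to), here is an added Python triage script. It is not code from the thread or from Microsoft. Assumptions: the sample records are constructed to mirror the event text quoted above; the alert names come from RFC 5246 Appendix A.3; the internal error states are only counted, never interpreted, because no public Microsoft reference for them appears in this thread; the one pattern hint (alert 10 / state 1203 = plain HTTP sent to the SSL port) is taken from the later reply in this thread, not from Microsoft documentation.

```python
"""Triage Schannel events 36888 / 36887 / 36874 and summarize what they say.

Added example, not from the thread. Alert names: RFC 5246 Appendix A.3.
Internal error states are counted but not interpreted (no public reference).
"""
import re
from collections import Counter

# TLS AlertDescription values from RFC 5246 Appendix A.3 (value -> name).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed_RESERVED", 22: "record_overflow",
    30: "decompression_failure", 40: "handshake_failure",
    41: "no_certificate_RESERVED", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 60: "export_restriction_RESERVED",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
}

# Pattern hint quoted later in this thread (not Microsoft documentation).
KNOWN_PATTERNS = {
    (10, 1203): "client sent plain HTTP to the SSL port (expected noise)",
}

# Event text as Schannel writes it: 36888 = alert generated and sent by this
# host, 36887 = alert received from the peer, 36874 = no common cipher suite.
GENERATED_RE = re.compile(
    r"fatal alert was generated: (\d+)\. The internal error state is (\d+)\.")
RECEIVED_RE = re.compile(r"fatal alert was received: (\d+)\.")
MISMATCH_RE = re.compile(
    r"An (TLS \d\.\d|SSL(?: \d\.\d)?) connection request was received"
    r".*none of the cipher suites")


def _mismatch(proto):
    """Build a 36874 message for the given protocol label (constructed)."""
    return (f"An {proto} connection request was received from a remote client "
            "application, but none of the cipher suites supported by the client "
            "application are supported by the server. The SSL connection "
            "request has failed.")


# Constructed sample records (event id, message), mirroring the thread.
SAMPLE_EVENTS = [
    (36888, "The following fatal alert was generated: 40. The internal error state is 1207."),
    (36888, "The following fatal alert was generated: 40. The internal error state is 1205."),
    (36888, "The following fatal alert was generated: 10. The internal error state is 1203."),
    (36888, "The following fatal alert was generated: 20. The internal error state is 960."),
    (36874, _mismatch("TLS 1.2")),
    (36874, _mismatch("TLS 1.0")),
    (36874, _mismatch("SSL")),
    (36887, "The following fatal alert was received: 46."),
]


def alert_name(code):
    """Map a numeric alert to its RFC 5246 name; unknown codes are labelled."""
    return TLS_ALERTS.get(code, f"unknown({code})")


def parse_event(event_id, message):
    """Return a dict describing one Schannel event, or None if unrecognised."""
    if event_id == 36888:
        m = GENERATED_RE.search(message)
        if m:
            return {"kind": "sent_alert", "alert": int(m.group(1)),
                    "state": int(m.group(2))}
    elif event_id == 36887:
        m = RECEIVED_RE.search(message)
        if m:
            return {"kind": "received_alert", "alert": int(m.group(1))}
    elif event_id == 36874:
        m = MISMATCH_RE.search(message)
        if m:
            return {"kind": "cipher_mismatch", "protocol": m.group(1)}
    return None


def summarize(events):
    """Count alerts we sent (by name and state), alerts we received, and
    cipher-suite mismatches by protocol version."""
    sent, received, mismatch = Counter(), Counter(), Counter()
    for event_id, message in events:
        p = parse_event(event_id, message)
        if p is None:
            continue
        if p["kind"] == "sent_alert":
            sent[(alert_name(p["alert"]), p["state"])] += 1
        elif p["kind"] == "received_alert":
            received[alert_name(p["alert"])] += 1
        else:
            mismatch[p["protocol"]] += 1
    return {"sent": sent, "received": received, "cipher_mismatch": mismatch}


def report(events):
    """Render the summary as lines; the state number is shown but unexplained
    unless a thread-sourced hint exists for that (alert, state) pair."""
    s = summarize(events)
    lines = ["Alerts this host SENT (36888):"]
    for (name, state), n in sorted(s["sent"].items()):
        code = next(k for k, v in TLS_ALERTS.items() if v == name) if name in TLS_ALERTS.values() else None
        hint = KNOWN_PATTERNS.get((code, state), "state not publicly documented")
        lines.append(f"  {name} / state {state}: {n}  [{hint}]")
    lines.append("Alerts RECEIVED from peers (36887):")
    lines += [f"  {name}: {n}" for name, n in sorted(s["received"].items())]
    lines.append("No common cipher suite, by protocol the client offered (36874):")
    lines += [f"  {proto}: {n}" for proto, n in sorted(s["cipher_mismatch"].items())]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTS)))
```

The direction split matters for the original question: a 36888 means this server generated the alert and rejected the client (so after a cipher lockdown, a rising 36888/40 count alongside 36874 entries for older protocol versions points at clients that no longer share a suite), whereas a 36887 means the peer rejected the server; 46 (certificate_unknown) from a client, for example, says the client did not accept the server's certificate. The script deliberately prints the internal state as an unexplained number, which is exactly the gap the thread never closed.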

Hi,

Please let me know the update.

Hope you have a nice day!

Thank you.

Best regards,

Steven Song

November 28th, 2014 1:15am

This is exactly the question. What does a 1207 mean?

So, the 40 is handshake failure, but the "Internal error state is 1207" would mean something or, as you mention, it wouldn't be logged.

Something has broken badly inside Microsoft: we get generic answers to the question, and sycophantic "mark as answer" spam with duplicate messages, but the original question is rarely actually addressed.

The question is pretty simple. What does "The internal error state is 1207" actually mean?

I am getting 2-3 of these PER MINUTE on our TMG firewall server, and would really, really like to know, SPECIFICALLY, what "The internal error state is 1207" means.

Packet tracing would be mostly useless as there is 15Meg of data that flows through this firewall per second.

Contacting support shouldn't be required, if someone wrote code to log this, someone in MS should have documented what that log entry means.

== John ==

January 30th, 2015 10:42pm

Steven, that was useful for the error code (thank you) but not useful at all for the Internal Error state, so it's not really an answer.

What are the various internal error states?

"The internal error state is 1207.".

January 30th, 2015 10:44pm

I have to throw my hat into this ring as well...

What do these error state values mean?

I don't want any explanation, or other information, just tell us what an error state 1207 is. Or error state 1205, or error state 1203... or error state 960.

What do these mean?

It doesn't make sense to have different values for an error state if they do not have meaning!

March 2nd, 2015 7:44pm

I'm responding to the "Proposed as Answer". This is not an answer; it's a general statement of some use (thank you), but it is not an answer.

We need to know what the internal state error codes mean.  THAT would be a real answer.

Thank you,

March 5th, 2015 10:26pm

I hope that this might help someone:

EventID 36888 Description: Schannel, 10 1203
If a user tries to access a web site using HTTP but specifies an SSL port in the URL then this event is logged. This event is expected as the client is trying to use the wrong port or the wrong protocol to access the site.

EventID 36888 Description: Schannel, 40 1204
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection.

EventID 36874 Description: Schannel, TLS 1.0
An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

EventID 36888 Description: Schannel, 40 1205
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection.

EventID 36874 Description: Schannel, SSL 3.0
An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

April 1st, 2015 7:05pm

Man it must be frustrating to spend this amount of time and effort and STILL no one can answer the basic question!  There are some very bright people here who possess not a lick of smarts!
May 24th, 2015 6:27pm
