Microsoft TLS Handshake errors and connection timeouts? Maybe it’s the CTL engine….
Marius and Tolu from the Directory Services Escalation Team.
Today, we’re going to talk about a little twist on some scenarios you may have come across at some point, where TLS connections fail or timeout for a variety of reasons.
You’re probably already familiar with some of the usual suspects like cipher suite mismatches, certificate validation errors and TLS version incompatibility, to name a few.
Here are just some examples for illustration (but there is a wealth of information out there)
Recently we’ve seen a number of cases with a variety of symptoms affecting different customers which all turned out to have a common root cause.
We’ve managed to narrow it down to an unlikely source; a built-in OS feature working in its default configuration.
We’re talking about the automatic root update and automatic disallowed roots update mechanisms based on CTLs.
Starting with Windows Vista, root certificates are updated on Windows automatically.
When a user on a Windows client visits a secure Web site (by using HTTPS/TLS), reads a secure email (S/MIME), or downloads an ActiveX control that is signed (code signing) and encounters a certificate which chains to a root certificate not present in the root store, Windows will automatically check the appropriate Microsoft Update location for the root certificate.
If it finds it, it downloads it to the system. To the user, the experience is seamless; they don’t see any security dialog boxes or warnings and the download occurs automatically, behind the scenes.
Read the entire article here, TLS Handshake errors and connection timeouts? Maybe it’s the CTL engine….
Via the fine folks at Microsoft.