the client and server cannot communicate, because they do not possess a common algorithm

freakedenough commented 8 months ago

Server: Win11 (SSL3.0 enabled in inetcpl) Client: Win95 IE4.0 (SSL3.0 enabled in inetcpl) SslProtocols=48 SHA1

when I try to access a HTTPS site using IE4.0, I just get the error "SSL handshake failed: the client and server cannot communicate, because they do not possess a common algorithm" grafik

Did I miss something?

atauenis commented 8 months ago

Does the IE 4.0 have 128-bit patch installed (or have 128-bit, not 40 or 56-bit cipher strength enabled)?

freakedenough commented 8 months ago

It wasn't installed and only 40bit. Now with 128bit installed, I still get the same error.

grafik grafik

Maybe something's wrong with my config file: webone.conf.txt

atauenis commented 8 months ago

At this moment tested on Win8.1 host & 95 client, all is working with default configuration. Except that it's not need to import root certificate as it breaks work (the known problem at this moment). 2024-03-25_13-51-41 2024-03-25_13-53-13

('Security protocol - SSL 3.0" on last screenshot).

I'll test on a newer host OS later.

atauenis commented 8 months ago

Try this registry tweak. Seems that Windows 11 have by default disabled SSL 3.0 server support.

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
  "EventLogging"=dword:00000001

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
  "Enabled"=dword:ffffffff

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
  "Enabled"=dword:ffffffff

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
  "Enabled"=dword:00000000

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
  "Enabled"=dword:00000000

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
  "Enabled"=dword:00000000

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
  "Enabled"=dword:00000000

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
  "Enabled"=dword:00000000

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
  "Enabled"=dword:00000000

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
  "Enabled"=dword:00000000

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
  "Enabled"=dword:00000000

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
  "Enabled"=dword:00000000

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
  "Enabled"=dword:ffffffff

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites]

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
  "Enabled"=dword:ffffffff

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
  "Enabled"=dword:ffffffff

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256]
  "Enabled"=dword:ffffffff

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384]
  "Enabled"=dword:ffffffff

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512]
  "Enabled"=dword:ffffffff

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
  "Enabled"=dword:ffffffff

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]
  "Enabled"=dword:ffffffff

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
  "Enabled"=dword:ffffffff

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]
  "Enabled"=dword:00000000
  "DisabledByDefault"=dword:00000001

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
  "Enabled"=dword:00000000
  "DisabledByDefault"=dword:00000001

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
  "Enabled"=dword:00000000
  "DisabledByDefault"=dword:00000001

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
  "Enabled"=dword:00000000
  "DisabledByDefault"=dword:00000001

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
  "DisabledByDefault"=dword:00000001
  "Enabled"=dword:00000000

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
  "Enabled"=dword:00000000
  "DisabledByDefault"=dword:00000001

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
  "Enabled"=dword:ffffffff
  "DisabledByDefault"=dword:00000000

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
  "Enabled"=dword:ffffffff
  "DisabledByDefault"=dword:00000000

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
  "Enabled"=dword:ffffffff
  "DisabledByDefault"=dword:00000000

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
  "Enabled"=dword:ffffffff
  "DisabledByDefault"=dword:00000000

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
  "Enabled"=dword:ffffffff
  "DisabledByDefault"=dword:00000000

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
  "Enabled"=dword:ffffffff
  "DisabledByDefault"=dword:00000000

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
  "Enabled"=dword:ffffffff
  "DisabledByDefault"=dword:00000000

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
  "Enabled"=dword:ffffffff
  "DisabledByDefault"=dword:00000000

Probably it's a good idea to save a backup of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL hive before editing the registry.

freakedenough commented 8 months ago

It didn't help to fix the issue with Webone, it just broke RDP and NETSHARE from my other Win11 machine (probably because I would need to enable SSL3 client from there too). I would probably need to set up a Win8.1 Server to get it working.

However, I had to change "Enabled"=dword:ffffffff to dword:00000001 before importing, otherwise the values would have been incorrect (should be 1-enabled ("not null") or 0-disabled, but was ffffffff 4294967295) https://techcommunity.microsoft.com/t5/microsoft-365/tls++++-1-2-enabled-registry-value-quot-0xffffffff-quot-0r-1/m-p/324275

atauenis commented 8 months ago

Tested with Windows 10. Even on version 1507 SSL3 doesn't work at all, even if it's enabled via registry. However Microsoft saying that it is supported, but really seems that it is not. Probably need something more that one simple registry edit...

Exactly, the detailed error in system log explains that SSL3 seems to be supported, but not its default ciphers:

EventID 36874
Source Schannel
An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
EventID 36888
Source Schannel
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1204.
- TLS Error code 40 = handshake_failure

They're also can be enabled via registry, without any result (which is looking more stranger).

freakedenough commented 7 months ago

it got even worse with win11 as server recently. seems they killed tls 1.0 or whatever opera 12.02 and fox 10esr are using (win2k). both are unable to retrieve content now, get error "SSL handshake failed: the client and server cannot communicate, because they do not possess a common algorithm" too. they were known to work for me without having changed any configuration on 11, except for installing recent win updates. not sure if you would be able to natively implement ssl3.

atauenis commented 7 months ago

Tested with April 2024 update (KB5036893, 11 23H2 build 22631.3447), Opera 9 still able to connect via HTTPS. win11-april2024

There are good news on the initial topic (SSL 3 support). Googled that Windows 11 have some ciphers disabled via another folder of registry. https://security.stackexchange.com/questions/255387/why-doesnt-windows-send-all-enabled-cipher-suites-during-tls-handshake And that StackExchange question contained an very useful example of registry tweak...

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA,TLS_PSK_WITH_AES_256_GCM_SHA384,TLS_PSK_WITH_AES_128_GCM_SHA256,TLS_PSK_WITH_AES_256_CBC_SHA384,TLS_PSK_WITH_AES_128_CBC_SHA256,TLS_PSK_WITH_NULL_SHA384,TLS_PSK_WITH_NULL_SHA256"

Tried it, and MSIE 4.0 is now working even when the server OS is Windows 11! Win11-IE4-SSL3

SSL 3.0 + 3DES-168 is still supported by Windows 11, but really disabled by default.

atauenis commented 7 months ago

Tested with a maximum possible set of cipher suites (https://learn.microsoft.com/ru-ru/windows/win32/secauthn/cipher-suites-in-schannel?redirectedfrom=MSDN) on 23H2, and even 40-bit edition of MSIE 4.01 SP2 successfully working with WebOne (via SSL 3.0 40-bit RC4 MD5).

So this is an only registry settings trouble.

freakedenough commented 7 months ago

hey @atauenis - thank you for your help so far. with the additional registry settings i could get opera 12.02 to work ssl.zip it displays sslv3 3des 168bit and loads websites such as https://lite.duckduckgo.com/lite with no issue.

yet msie6.0 (win2k, same pc as opera) with only ssl3.0 enabled returns a "page cannot be displayed" error. strangely https://www.orf.at works, but https://m.winfuture.de also doesnt. the webone console window displays no error, just connect-close-done. when also enabling tls1.0, i get "ssl handshake failed, the specified data could not be decrypted" grafik

i tried to enhance the functions entry in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 according to https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel already with no luck.

atauenis / webone

the client and server cannot communicate, because they do not possess a common algorithm #118