SChannel error state 960 (TLS fatal error code 20)

This post has been republished via RSS; it originally appeared at: IIS Support Blog articles.

If your web server fails to establish secure communication, your users will see certificate errors. At the same time, you may see the “SChannel error state is 960” message in Event Viewer. Here is the full error message:


A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960.


Cause

The root cause of this issue is that different or incompatible cipher suites are used on the web server and the load balancer. Cipher suites (cipher blocks) are encryption methods (RSA, DHE, etc.).


If there is a conflict or mismatch in the cipher suites, the web server cannot decrypt the encrypted request and logs this error message: “The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960.”


How to solve “SChannel error state is 960”

You can fix secure connection failures and SChannel errors by enabling a custom cipher suite order and editing the list of cipher suites on your web server. Here are the steps to edit the cipher suites:

  1. Log onto the server using an account that is in the Local Administrators group
  2. Go to “Start > Run”. Enter: gpedit.msc
  3. Expand “Computer Configuration > Administrative Templates > Network > SSL Configuration Settings”
  4. In the right pane, right-click “SSL Cipher Suite Order” and choose “Edit”
  5. Click “Enabled”
  6. Copy the content of the “SSL Cipher Suites” text box and paste it into Notepad
  7. Make sure that this list matches the cipher suite list used in your load balancer. General recommendation:
    • Move the TLS_RSA cipher suites to the top
    • Put the TLS_ECDHE ones after them
    • Remove these two cipher suites as they have known interoperability issues:
      TLS_DHE_RSA_WITH_AES_128_CBC_SHA
      TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  8. In the “SSL Cipher Suite Order” window, click “OK”
  9. Reboot the server



Note: The list you provide in step 7 cannot exceed 1023 characters. To keep it short, give priority to the suites at the top of the default cipher list; that list is ordered from the strongest cipher suites to the weakest. Additionally, you can remove the suites that are on the HTTP/2 blacklist. Here is more information about the HTTP/2 blacklist.
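As an added example (not part of the original post), the following PowerShell script applies the step 7 recommendations and the 1023-character check from the note above: it reads the server's current cipher suite order, keeps only the suites that the load balancer also offers, drops the two DHE suites, orders TLS_RSA and then TLS_ECDHE first, and prints the value to paste. The load balancer list is a constructed sample to be replaced with your device's export, and Get-TlsCipherSuite assumes Windows Server 2016 / Windows 10 or later.

```powershell
# Added example, not from the original post. Builds a value for the
# "SSL Cipher Suite Order" policy and validates it before you paste it.

# Constructed sample of the suites a load balancer offers; replace with your export.
$lbSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_DHE_RSA_WITH_AES_128_CBC_SHA'
)

# Current order on this server: the policy value if the GPO is set, else the OS default list.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$current   = (Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue).Functions
if ($current) { $serverSuites = $current -split ',' }
else          { $serverSuites = (Get-TlsCipherSuite).Name }

# The two suites the post says to remove because of interoperability issues.
$exclude = 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA'

# Keep only suites both sides support, minus the excluded ones; then put TLS_RSA first,
# TLS_ECDHE next, and anything else after, preserving the server's order within each group.
$common  = $serverSuites | Where-Object { $lbSuites -contains $_ -and $exclude -notcontains $_ }
$ordered = @($common | Where-Object { $_ -like 'TLS_RSA_*' }) +
           @($common | Where-Object { $_ -like 'TLS_ECDHE_*' }) +
           @($common | Where-Object { $_ -notlike 'TLS_RSA_*' -and $_ -notlike 'TLS_ECDHE_*' })

if (-not $ordered) {
    throw 'No cipher suite is shared by the server and the load balancer; the handshake cannot succeed.'
}

# The policy text box is limited to 1023 characters (see the note above).
$functions = $ordered -join ','
if ($functions.Length -gt 1023) {
    throw "List is $($functions.Length) characters; the policy limit is 1023. Drop weaker suites from the end."
}

Write-Host 'Load balancer suites this server does not offer (check them on the load balancer side):'
$lbSuites | Where-Object { $serverSuites -notcontains $_ } | ForEach-Object { Write-Host "  $_" }
Write-Host "`nValue to paste into the 'SSL Cipher Suites' box in step 7:`n$functions"
```

Review the printed mismatches before rebooting; a suite missing on the server side is normal when the load balancer offers more than Windows supports, but an empty shared list means the two devices cannot negotiate at all.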


If the error still occurs

A less likely cause of this issue is a change in the MAC (Message Authentication Code) (Source). Web servers use this code to verify that the request has not been modified in transit (request forgery or a man-in-the-middle attack). If the web server finds that the MAC has changed, it drops the connection. To solve it, make sure that your load balancer does not make any changes to the MAC value.


Another possible cause is a Windows update (KB4457129) that reportedly breaks the NLB (Network Load Balancing) cluster. Uninstalling this update or installing the patch (KB4457133) solves the issue (Source).
