Broken Web Apps

This is really a follow-up to yesterday's post. I am a developer and do a lot of local debugging of web sites. IIS absolutely has to work for me and, after upgrading to Windows 10, it stopped working. I could not get ANY local https site to work: http worked fine but https didn't work at all.

Opera and Edge told me the site was down and Chrome gave me the security error: ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY

One thing that really annoys me about this latest push to put TLS on all web sites, and to set up the cipher suites and everything else, is that the tools are hopelessly unusable. On Windows everything is in the registry and you have to use something like IIS Crypto, which doesn't really help you that much (and you have to reboot!). Then there is openssl on the command line with all its complexity and command-line switches, but most of all you get really terse, unhelpful errors, both in all of the browsers (some don't even give you a proper error!) and even on the command line, where they are things like "connection reset", which doesn't really mean anything useful.

With errors like those, you have a whole pile of things to try before you even know you have a TLS setup problem. Things like upgrading to Windows 10 also give you the assumption that "everything is where you left it", which is a half-truth, because sites that used to work no longer do, and this is on a machine where I DO have my SSL cipher suites set up to use secure versions.

What is the problem?

The problem is HTTP2 and/or SPDY, a precursor to HTTP2, which parallelises some of the loading of a web site, reuses connections etc. to make the site load faster. It is implemented on various web servers and probably all new browsers, so you don't need to write anything differently in your web app to make it work - it just does (or doesn't, in my case).

The actual problem is that the HTTP2 spec says that TLS1.2 should blacklist a load of cipher suites that are considered insecure. If a blacklisted suite is negotiated, however, Chrome appears to be the only browser (I haven't tried Firefox) that actually shows a specific message to the user; the rest just fail in the same way as 100 other types of web site problem. Fortunately I know a little bit about IIS setup.

So you run up the fantastic Fiddler tool to see what errors you are getting back and, guess what? The site now works. This is one feature of Fiddler that I do not think is helpful, but basically it runs as a proxy and sets up its own SSL connection to the server using a DIFFERENT protocol from the browser (or at least it forces the browser to use the lower protocols), in this case SSLv3 and HTTP/1.1, which means everything is happy and the site loads.

Try it with openssl and, firstly, you have to point it to a certificate bundle, and then you just get the usual "no peer certificate found"; again, not helpful.

What did I try?

I thought, if the ciphers are blacklisted, surely I can just disable the blacklisted ones in the registry (and reboot). This involved removing some relatively modern suites like the AES/GCM flavours, but after a reboot the site doesn't seem to support any ciphers at all and the app is now completely busted. So HTTP2 requires a set of cipher suites that Windows 10 doesn't seem to support at all, causing this problem. I can't believe that Microsoft didn't spot this when they built IIS 10.

Workaround

I didn't really want to disable HTTP2, because it is a good thing for web site performance, but this seemed the only fix for Windows. I opened the registry and added two new parameters:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\EnableHttp2Cleartext DWORD 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\EnableHttp2Tls DWORD 0

And now the site works fine - and it has only taken me a day!
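As an added example (not part of the original post), here is a PowerShell script that does two things: it lists the cipher suites Schannel currently has enabled and flags the ones HTTP/2 over TLS 1.2 refuses to negotiate (RFC 7540 section 9.2.2 rejects suites without ephemeral key exchange or without an AEAD cipher, which is what sits behind Chrome's ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY), and it wraps the two registry values from the workaround above in a function. It assumes an elevated session on Windows 10 or later, where the built-in TLS module provides Get-TlsCipherSuite; the function names are my own.

```powershell
# Added example, not from the original post. Assumes Windows 10 / Server 2016 or later
# (Get-TlsCipherSuite from the built-in TLS module) and an elevated PowerShell session.
# HTTP/2 over TLS 1.2 (RFC 7540 section 9.2.2 / Appendix A) will not use cipher suites with
# non-ephemeral key exchange (TLS_RSA_*, TLS_DH_*) or a non-AEAD cipher (CBC, RC4), so a
# server left with only those suites enabled is exactly the failure described in the post.

function Test-Http2CipherSuite {
    param([Parameter(Mandatory)][string]$Name)
    # TLS 1.3 suites carry no key-exchange in the name; they are always ephemeral and AEAD.
    if ($Name -match '^TLS_(AES|CHACHA20)_') { return $true }
    $ephemeral = $Name -match '^TLS_(ECDHE|DHE)_'
    $aead      = $Name -match '_(GCM|CCM)|CHACHA20'
    return ($ephemeral -and $aead)
}

function Get-Http2CipherSuiteReport {
    # One row per enabled suite, with a flag showing whether HTTP/2 can negotiate it.
    Get-TlsCipherSuite | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.Name
            Http2OK = Test-Http2CipherSuite -Name $_.Name
        }
    }
}

function Disable-Http2 {
    # The registry workaround from the post: turns HTTP/2 off in HTTP.sys (reboot afterwards).
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    foreach ($value in 'EnableHttp2Cleartext', 'EnableHttp2Tls') {
        New-ItemProperty -Path $path -Name $value -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

# Report first; prefer fixing the suite list over switching HTTP/2 off.
$report = Get-Http2CipherSuiteReport
$report | Format-Table -AutoSize
if (-not ($report | Where-Object Http2OK)) {
    Write-Warning 'No enabled cipher suite is HTTP/2-capable: re-enable an ECDHE + AES-GCM suite, or run Disable-Http2 and reboot.'
}
```

Keeping at least one ECDHE + AES-GCM suite enabled (for example TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, which RFC 7540 requires HTTP/2 servers to support) lets you keep HTTP/2 rather than disabling it.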