We've started encountering issues browsing to most https sites.
Examples include: https://technet.microsoft.com/, https://mail.google.com/, https://www.mozilla.org/en-US/firefox/new/, https://stackoverflow.com/
It appears that secure sites that we have visited previously work OK. Examples of these include: https://banking.westpac.com.au/, https://www.tppwholesale.com.au/login/, https://au.ingrammicro.com/
The errors we receive are:
- Chrome: ERR_BAD_SSL_CLIENT_AUTH_CERT
- Firefox: SSL_ERROR_ACCESS_DENIED_ALERT
- IE11/Edge: No helpful message, but Schannel 36887 errors are logged advising "The TLS protocol defined fatal alert code is 49." (These are also logged for Chrome, but not Firefox as it uses the Mozilla NSS encryption library.)
We can prevent the problem by disabling TLS1.1 & TLS1.2 and enabling SSL2 & SSL3. As SSL2/3 have known vulnerabilities we want to resolve this issue properly.
The problem has been observed on Win7, Win8.1, Win10 and WS2012R2 machines. It's affecting all our laptop computers except one that hasn't been in the office for over a month.
Extensive googling has failed to yield anything helpful - most SSL connection issues that are discussed seem to focus on the server certificate.
The above errors suggest that it is an issue with the client certificate that our browsers are sending to the servers, so I have these questions:
- Do SSL2/3 have different client certificate requirements to TLS1.x?
- What client certificate do browsers use (we don't have any certificates listed in the user or computer Personal stores)?
I hope there's an SSL/TLS guru out there that can assist!