2025-01-18 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/03 Report--
I haven't written a blog post for a long time. In fact, I have accumulated some things I can write about, and I'm going to share them one after another. I recently encountered a very strange problem. I built a test environment for Exchange 2016 on Azure. I won't go into the build process, since installing Exchange 2016 is not much different from installing Exchange 2013.
The installation went very smoothly, but after it was completed I suddenly found a problem: ECP and OWA logins worked normally in IE, but in Chrome I could not log in to ECP or OWA, and Chrome showed ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY.
This was exasperating. IE works and Chrome does not, which is really a little strange. Normally, since IE can connect, Chrome should not have any problem either. So what is the reason?
Since IE can connect normally, the problem should lie with Chrome. We all know that Google attaches great importance to security. Generally speaking, some innovations and measures in browser security are initiated by Google and then followed by other companies, such as the earlier move to stop trusting various illegal CA vendors. I generally use a relatively new version of Chrome, so following this line of thinking I decided to try an older version. After downloading Chrome 42, I found that I didn't encounter the problem again.
This basically confirms that the problem is related to the Chrome version, and it is very likely that some security measure introduced by Google led to it. After that, I googled the error code and, sure enough, found a lot of information.
It turns out that Chrome has stopped supporting many outdated protocols and encryption algorithms, so connections that use them are no longer accepted by Chrome, for example PCT 1.0, SSL 2.0, SSL 3.0, and RC2 128, RC2 56, RC2 128 and so on.
Now that the cause has been confirmed, how do we solve it? First, let me recommend some useful tools and websites.
1. https://www.ssllabs.com/ssltest/
This website shows the site's certificate information and the encryption algorithms in use, and also gives the site a rating. It is very good for spotting problems caused by algorithms and protocols. If you are interested, you can try it. Here is a screenshot of the evaluation.
2. TestSSLServer
This is a small local tool that shows the protocols and algorithms used by the local server.
There are two ways to finally solve the problem.
Solution one, which is a little more trouble: disable the following protocols and encryption algorithms.
MultiProtocol Unified Hello
PCT 1.0
SSL 2.0
SSL 3.0
Preferably via the registry, like:
; Disable PCT 1.0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
; Disable SSL 2.0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
; Disable SSL 3.0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
And
NULL Cipher
DES 56/56
RC2 (fully)
RC4 (fully)
Via
; Disable weak ciphers
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
Solution two is to use a powerful little tool. The download address is below. This tool supports one-click configuration of the server and automatically sets it to a best-practice state, saving a lot of time.
https://www.nartac.com/Products/IISCrypto
After the download completes, accept the user agreement.
Then you can see the encryption algorithms and protocols currently used by the server.
Next, click Best Practices in the lower left corner, and then restart the server.
The Chrome problem is solved after the restart. I just want to say that it is so fucking convenient.
Finally, the problem was solved and everyone was happy.
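To confirm that either solution actually took effect, the SCHANNEL keys listed above can be audited read-only. The following PowerShell is an added example, not part of the original post; the function name Get-SchannelState is hypothetical, and the "Multi-Protocol Unified Hello" key name is the standard SCHANNEL one, which the post lists but does not show in its registry snippet.

```powershell
# Added example: read-only audit of the SCHANNEL settings discussed in this post.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Protocols are checked on the Server subkey, because the server side is what
# the browser negotiates with. Cipher keys carry the "Enabled" value directly.
$targets = @(
    'Protocols\Multi-Protocol Unified Hello\Server',
    'Protocols\PCT 1.0\Server',
    'Protocols\SSL 2.0\Server',
    'Protocols\SSL 3.0\Server',
    'Ciphers\NULL',
    'Ciphers\DES 56/56',
    'Ciphers\RC2 40/128',
    'Ciphers\RC2 56/128',
    'Ciphers\RC2 56/56',
    'Ciphers\RC2 128/128',
    'Ciphers\RC4 40/128',
    'Ciphers\RC4 56/128',
    'Ciphers\RC4 64/128',
    'Ciphers\RC4 128/128'
)

function Get-SchannelState {
    param([string]$SubKey)
    # Use the .NET registry API: cipher key names contain "/", which the
    # PowerShell registry provider would treat as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubKey")
    if ($null -eq $key) { return 'NotConfigured' }   # key absent: OS default applies
    try {
        $enabled = $key.GetValue('Enabled')          # $null when the value is absent
    } finally {
        $key.Close()
    }
    if ($null -eq $enabled) { return 'NotConfigured' }
    if ([int64]$enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

$report = foreach ($t in $targets) {
    [pscustomobject]@{ Setting = $t; State = Get-SchannelState $t }
}
$report | Format-Table -AutoSize

# Anything not explicitly disabled deserves a second look.
$open = @($report | Where-Object State -ne 'Disabled')
if ($open.Count -gt 0) {
    Write-Warning "$($open.Count) setting(s) are not explicitly disabled; 'NotConfigured' entries fall back to the OS default."
}
```

A 'NotConfigured' result is not necessarily a problem on a current Windows Server build, but it means the outcome depends on the OS default rather than on the settings above.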