
I recently upgraded my machine to Windows 11. Prior to the upgrade, I could connect via IIS and IIS Express to localhost using SSL.

After the upgrade, I can connect to localhost over standard HTTP, but not HTTPS.

I have tried the following:

  • flushed the DNS
  • netsh int ip reset
  • netsh winsock reset
  • deleting the binding(s) and adding them back in
  • checked the protocols used in inetcpl.cpl (TLS 1.2 and TLS 1.3 are enabled)
  • turned off the Firewall
  • turned off MalwareBytes

Nothing has worked so far. I keep getting:

The page cannot be reached. The connection was reset.

I opened up Chrome and the status is (failed)net::ERR_CONNECTION_RESET

I am at a total loss and cannot figure out what is going on. Any help is appreciated.


5 Answers

From your comment I understand that you are using SSL with client authentication. I ran into a similar issue on Windows Server 2022. I think the following applies to Windows 11 as well.

This thread on the IETF TLS mailing list sheds light on the issue and its relation to TLS 1.3 (emphasis mine):

Microsoft Windows Server 2022 supports post-handshake as default authentication method with TLS 1.3. It means, before we can use certificate-based authentication with IIS and TLS 1.3 protocol, we must change default configuration from post-handshake authentication method to in-handshake authentication method. So, by default it affects all Microsoft customers who want to enable certificate-based authentication with TLS 1.3 in IIS, because enabling certificate-based authentication with TLS 1.3 leads us to err_connection_reset error.

Essentially, TLS 1.3 post-handshake authentication is analogous to client auth via renegotiation available with TLS <= 1.2. An important difference is that TLS 1.3 post-handshake authentication is optional, and major browsers chose not to support it.

This explains why disabling TLS 1.3 solves the problem.

A finer grained solution would be to keep TLS 1.3 enabled and use clientcertnegotiation=Enable on the IIS binding:

netsh http add sslcert 
      ipport=0.0.0.0:44325 certhash=[...] appid=[...] certstorename=MY 
      clientcertnegotiation=Enable

As I understand it, this is the aforementioned change from post-handshake to in-handshake authentication.


1 Comment

Thanks for the detailed answer. I'm definitely going to have to try this on my machine.

I figured out the issue.

Apparently, the certificates I'm using to support SSL for my site and in IIS Express do not conform to TLS 1.3.

I had a suspicion it was TLS 1.3 but couldn't figure out how to turn it off for IIS Express and IIS.

If you go into IIS and edit the bindings you have for your site, there is an option "Disable TLS 1.3 over TCP".

Once I set this setting and accessed the website on IIS, I found it connected and I got prompted for my PKI client certificate.

With IIS Express, I had to take a different tack.

I first deleted out the binding for one of the test sites in IIS Express:

netsh http delete sslcert ipport=0.0.0.0:44325

I then added it back in using:

netsh http add sslcert ipport=0.0.0.0:44325 certhash= appid={214124cd-d05b-4309-9af9-9caa44b2b74a} verifyclientcertrevocation=disable certstorename=My disabletls13=enable

The key is the disabletls13 setting.

A list of these settings is available at "Windows Server 2019 disable legacy TLS in IIS via certificate binding is unavailable".

I am posting them here again to guard against link rot:

Usage: add sslcert hostnameport=<name:port> | ipport=<ipaddr:port> | ccs=<port>
appid=<GUID>
[certhash=<string>]
[certstorename=<string>]
[verifyclientcertrevocation=enable|disable]
[verifyrevocationwithcachedclientcertonly=enable|disable]
[usagecheck=enable|disable]
[revocationfreshnesstime=<u-int>]
[urlretrievaltimeout=<u-int>]
[sslctlidentifier=<string>]
[sslctlstorename=<string>]
[dsmapperusage=enable|disable]
[clientcertnegotiation=enable|disable]
[reject=enable|disable]
[disablehttp2=enable|disable]
[disablequic=enable|disable]
[disablelegacytls=enable|disable]
[disabletls12=enable|disable]
[disabletls13=enable|disable]
[disableocspstapling=enable|disable]

EDIT - 02/03/2023:

I confirmed the issue is TLS 1.3.

I could reproduce the issue by turning the setting on and off in IIS. In IIS Express, apps for which I did not disable TLS 1.3 were not accessible, and the single app for which I did disable TLS 1.3 was accessible.

Because I have a number of applications I test in Visual Studio, until I can find a solution for this issue the most efficient way forward for me was to enable TLS 1.2 explicitly and disable TLS 1.3.

Here is a PowerShell script to disable TLS 1.3:

# Create the SCHANNEL keys for TLS 1.3 (server and client side) if they do not exist yet.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -Force
# Enabled=0 together with DisabledByDefault=1 turns TLS 1.3 off in SCHANNEL.
# -Force overwrites the values if the script is run more than once. A reboot is required afterwards.
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Name 'Enabled' -Value 0 -PropertyType DWORD -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType DWORD -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -Name 'Enabled' -Value 0 -PropertyType DWORD -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -Name 'DisabledByDefault' -Value 1 -PropertyType DWORD -Force
Write-Host "Disabling TLSv1.3"

I am still hoping that someone might know what the cause of this issue is and how to resolve it. I hate this solution because it's not in line with best security practices of "always forward, never backward," but I don't know what else to do.
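The two binding-level fixes discussed on this page (clientcertnegotiation=enable from the first answer, disabletls13=enable from this one) both require re-creating the HTTP.sys binding with the same certhash and appid. The following PowerShell is an added example, not code from the question or any answer; it reads those values back from "netsh http show sslcert", reports whether a binding is in the state that produces the reset (TLS 1.3 allowed, client certificate only negotiated post-handshake), and re-binds it. It assumes the property labels netsh prints ("Certificate Hash", "Application ID", "Certificate Store Name", "Negotiate Client Certificate", "Disable TLS1.3" with values "Set"/"Not Set"); run it from an elevated prompt.

```powershell
# Added example; assumes the label names printed by "netsh http show sslcert".
# Run from an elevated PowerShell prompt.

function Get-HttpSslBinding {
    param([Parameter(Mandatory)][string]$IpPort)   # e.g. 0.0.0.0:44325
    $raw = netsh http show sslcert "ipport=$IpPort"
    # Each property line looks like "    Label : Value"; fold them into a hashtable.
    $info = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(.+?)\s*:\s*(.+?)\s*$') { $info[$matches[1]] = $matches[2] }
    }
    if (-not $info['Certificate Hash']) { throw "No SSL binding found for $IpPort" }
    return $info
}

function Test-HttpSslBindingClientAuth {
    # Flags the combination that browsers reset on: TLS 1.3 still allowed while
    # the client certificate is only requested post-handshake (not in-handshake).
    param([Parameter(Mandatory)][string]$IpPort)
    $b = Get-HttpSslBinding -IpPort $IpPort
    $tls13Key = $b.Keys | Where-Object { $_ -match 'Disable\s*TLS\s*1\.3' } | Select-Object -First 1
    $tls13Off = $tls13Key -and ($b[$tls13Key] -eq 'Set')
    $inHandshake = $b['Negotiate Client Certificate'] -eq 'Enabled'
    [pscustomobject]@{
        IpPort             = $IpPort
        Tls13Disabled      = [bool]$tls13Off
        InHandshakeAuth    = $inHandshake
        LikelyResetOnTls13 = (-not $inHandshake) -and (-not $tls13Off)
    }
}

function Set-HttpSslBindingClientAuth {
    # Re-creates the binding with in-handshake client cert negotiation, or with
    # -DisableTls13 the fallback used in this answer. HTTP.sys has no "modify",
    # so the binding is deleted and added back with the same cert, app id and store.
    param([Parameter(Mandatory)][string]$IpPort, [switch]$DisableTls13)
    $b = Get-HttpSslBinding -IpPort $IpPort
    $netshArgs = @("ipport=$IpPort", "certhash=$($b['Certificate Hash'])", "appid=$($b['Application ID'])")
    if ($b['Certificate Store Name'] -and $b['Certificate Store Name'] -ne '(null)') {
        $netshArgs += "certstorename=$($b['Certificate Store Name'])"
    }
    $netshArgs += if ($DisableTls13) { 'disabletls13=enable' } else { 'clientcertnegotiation=enable' }
    netsh http delete sslcert "ipport=$IpPort" | Out-Null
    netsh http add sslcert @netshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed for $IpPort" }
    Test-HttpSslBindingClientAuth -IpPort $IpPort
}
```

Check first with Test-HttpSslBindingClientAuth -IpPort 0.0.0.0:44325; if LikelyResetOnTls13 is true, Set-HttpSslBindingClientAuth -IpPort 0.0.0.0:44325 keeps TLS 1.3 on while making client authentication in-handshake.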

5 Comments

@YurongDai will do. Apparently I have to wait a few days.
"the certificates I'm using to support SSL for my site and in IIS Express do not conform to TLS 1.3" - there is nothing special certificates need to do for TLS 1.3. They are agnostic to the TLS version.
@SteffenUllrich ok, but can you explain why everything started working when I turned off TLS 1.3?
@DerHaifisch: I cannot explain this since I have too few insights in your setup. But maybe there are log data from IIS which might explain what happened. Have you tried enabling TLS 1.3 again and verified that it now stopped working again?
@SteffenUllrich it's unlikely that IIS has anything logged. After some additional research, I'm wondering if Chrome, Edge, Firefox had TLS enabled and whether we're dealing with a protocol mismatch.

You are running IIS on your Windows 11 machine?

Have you tried restarting the IIS Service?

How about your firewall, is that turned on? For a test, try disabling it and see if you are able to reach 443, it may be blocking https traffic for some reason.

You aren't using an SSL cert for the traffic? Is it installed and valid still?

Can you set up a temporary test to see if that works (blank page)?

2 Comments

I guess that update to my answer didn't hit. I turned off MalwareBytes and the firewall just in case and still couldn't bring up the site(s). I'm requiring SSL for all of the sites and not getting prompted for a certificate. I rebooted my machine after running netsh winsock reset and netsh int ip reset. For clarification, I'm running IIS (I have a full website running) and I use IIS Express for debugging using Visual Studio.
No worries at all, glad it worked out, and that makes a lot more sense. I bet it was the MalwareBytes. I know even with Windows Defender, if something changes the way it behaves it goes to default block, which is what sounds like happened in your case. Have a great weekend!

Had the same error for .NET Framework Web App, but Core Web App worked well.

Reinstallation of IIS Express fixed the issue.


For me it was simply that my HTTPS binding had been removed somehow during the upgrade (perhaps the self-hosted SSL certificate was deleted? I'm just guessing). I re-added the HTTPS binding and could connect again.
