Microsoft confirms Transport Layer Security (TLS) connections bug on cumulative update

Microsoft confirmed on the Windows 10 support page that the latest cumulative update may cause secure connections to time out for some clients that do not support the Extended Master Secret (EMS) extension. The problem is a side effect of Microsoft's fix for the CVE-2019-1318 security vulnerability, which an attacker could exploit to mount a man-in-the-middle attack and steal data. Strictly speaking, this is not an independent bug: the fix itself can cause compatibility problems with peers that do not support EMS, so the affected systems are unable to connect properly.


Any system that has installed a latest cumulative update (LCU) or Monthly Rollup released on or after October 8, 2019 for the affected platforms may experience this issue:

  • KB4517389 LCU for Windows 10, version 1903.
  • KB4519338 LCU for Windows 10, version 1809 and Windows Server 2019.
  • KB4520008 LCU for Windows 10, version 1803.
  • KB4520004 LCU for Windows 10, version 1709.
  • KB4520010 LCU for Windows 10, version 1703.
  • KB4519998 LCU for Windows 10, version 1607 and Windows Server 2016.
  • KB4520011 LCU for Windows 10, version 1507.
  • KB4520005 Monthly Rollup for Windows 8.1 and Windows Server 2012 R2.
  • KB4520007 Monthly Rollup for Windows Server 2012.
  • KB4519976 Monthly Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1.
  • KB4520002 Monthly Rollup for Windows Server 2008 SP2

Systems that have installed the following Security-only updates released on October 8, 2019 for the affected platforms may also experience this issue:

  • KB4519990 Security-only update for Windows 8.1 and Windows Server 2012 R2.
  • KB4519985 Security-only update for Windows Server 2012 and Windows Embedded 8 Standard.
  • KB4520003 Security-only update for Windows 7 SP1 and Windows Server 2008 R2 SP1
  • KB4520009 Security-only update for Windows Server 2008 SP2

Solution

Connections between two devices running any supported version of Windows should not have this issue when both are fully updated. No further Windows update is needed for this issue. These changes are required to address a security issue and for security compliance.

Any third-party operating system, device or service that does not support EMS resumption might exhibit issues with TLS connections. You should contact your administrator, manufacturer or service provider for updates that fully support EMS resumption as defined by RFC 7627.

Note: Microsoft does not recommend disabling EMS. If EMS was previously explicitly disabled, it can be re-enabled by setting the following registry values under this key:

HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel

On TLS Server: DisableServerExtendedMasterSecret: 0
On TLS Client: DisableClientExtendedMasterSecret: 0
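The following PowerShell script is an added example, not part of Microsoft's guidance above: it audits the two Schannel values named on this page, reports whether EMS was explicitly disabled on the server or client side, optionally resets them to 0, and lists which of the October 2019 updates from the tables above Get-HotFix reports as installed. The -Fix switch and the output wording are this example's own; the key path, value names and KB numbers come from the page.

```powershell
# Audit the Schannel EMS (RFC 7627) settings listed in the Microsoft guidance above.
# Run as Administrator when using -Fix, which resets both values to 0 (EMS enabled).
[CmdletBinding()]
param(
    [switch]$Fix   # re-enable EMS by setting both values to 0
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'
$values = @(
    @{ Name = 'DisableServerExtendedMasterSecret'; Role = 'TLS server' },
    @{ Name = 'DisableClientExtendedMasterSecret'; Role = 'TLS client' }
)

if (-not (Test-Path $key)) {
    Write-Error "Schannel key not found: $key"
    exit 1
}

foreach ($v in $values) {
    # A missing value means the default (EMS enabled); a non-zero value means explicitly disabled.
    $current = (Get-ItemProperty -Path $key -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
    if ($null -eq $current) {
        Write-Output ("{0}: {1} not set (default, EMS enabled)" -f $v.Role, $v.Name)
    }
    elseif ($current -eq 0) {
        Write-Output ("{0}: {1} = 0 (EMS enabled)" -f $v.Role, $v.Name)
    }
    else {
        Write-Warning ("{0}: {1} = {2} (EMS explicitly disabled)" -f $v.Role, $v.Name, $current)
        if ($Fix) {
            Set-ItemProperty -Path $key -Name $v.Name -Value 0 -Type DWord
            Write-Output ("{0}: {1} reset to 0" -f $v.Role, $v.Name)
        }
    }
}

# Report which of the October 2019 updates listed on this page Get-HotFix shows as installed.
$kbs = 'KB4517389','KB4519338','KB4520008','KB4520004','KB4520010','KB4519998','KB4520011',
       'KB4520005','KB4520007','KB4519976','KB4520002','KB4519990','KB4519985','KB4520003','KB4520009'
$installed = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $kbs -contains $_.HotFixID }
if ($installed) {
    Write-Output ("Installed updates from the list: " + (($installed.HotFixID | Sort-Object) -join ', '))
}
else {
    Write-Output "None of the listed October 2019 updates were reported by Get-HotFix."
}
```

A warning from this script on a host that also has one of the listed updates installed identifies the configuration the page describes; a peer that does not support EMS at all must be updated on its own side, as the Solution section states.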