You may see “SChannel error state is 960” in Event Viewer when your web server fails to establish secure communication with clients. Users receive certification errors while you see the event log below in your server:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960.
Cause
This issue is caused by the different or incompatible chiper suites used in web server and load balancer. Cipher suites or chiper blocks are set of encryption methods such as RSA and DHE.
When there is a conflict or mismatch in the chiper suites used, web server cannot decrypt the encrypted request coming from load balancer and logs this error message: “The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960.”
Looking for a way to redirect all HTTP requests to HTTPS? Check this post out.
How to solve “SChannel error state is 960”
You can fix secure connection failures and make Schannel errors disappear by enabling custom chiper suite and editing the list of chiper suites used in your web server. Follow the instructions below in Windows Server:
- Log onto the server using an account that is a member of the Local Administrators group
- Go to “Start > Run“. Enter:
gpedit.msc - In the left pane, expand “Computer Configuration > Administrative Templates > Network > SSL Configuration Settings“
- In the right pane, right click “SSL Cipher Suite Order” and choose “Edit”
- Click “Enabled”
- Copy the content of “SSL Cipher Suites” text box and paste it notepad
- Edit this list to make sure it matches the chipper suite list used in your load balancer. As a general recommendation:
- Move TLS_RSA chiper suites to the top
- Copy TLS_ECDHE ones after them
- Remove these two chiper suites as they have known interoperability issues:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA - In the “SSL Cipher Suite Order” window, click “OK”
- Reboot the server
Note: The list you provide in the Step 7 cannot exceed 1023 characters. In order to reduce it, make sure to give priority to the ones at top in the default cipher list. This list is ordered from strongest chipper suites to the weakest ones. Additionally, you can remove the suites that are in the black list for HTTP/2. Here is more information about HTTP/2 black list.
It didn’t work?
A less likely cause of this issue is a change in MAC (Message Authentication Code) (Source). This code is used by web server to determine that the request hasn’t changed on the way (request forgery or man-in-the-middle attack). If the web server sees that the MAC has changed, it drops the connection. Make sure that your load balancer doesn’t edit MAC value.
Another possible cause is a Windows update (KB4457129) that reportedly breaks NLB (Network Load Balancer) Cluster. Uninstalling this update or installing the patch (KB4457133) solves the issue (Source).
Reference:
- Schannel Error Codes for TLS and SSL Alerts
- A tool to edit chipers and protocols: IIS Crypto
4 thoughts on “TLS fatal error code 20. The Windows SChannel error state is 960 (Solved)”