Issue Statement:

Schannel Event ID 36888 is logged intermittently: "A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960."
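To tell an intermittent failure from a persistent one, it helps to summarise these events by alert code and error state over a window of time. The following PowerShell is an added example, not part of the original post; it assumes the events sit in the System log under the provider name Schannel (the standard location) and parses the alert code and error state out of the message text. The sample message used to exercise the parser is the one quoted in the issue statement.

```powershell
# Added example (not from the original post): summarise Schannel 36888 events.
# Assumes provider name 'Schannel' in the System log; message format as quoted above.

function ConvertFrom-SchannelAlertMessage {
    param([string]$Message)
    # Extract the TLS alert code and the Schannel error state from the event text.
    # Alert 20 is bad_record_mac (RFC 5246): the handshake got as far as verifying
    # keyed data and failed there, which points at key exchange, not the certificate.
    if ($Message -match 'fatal error code is (?<alert>\d+)\.\s+The Windows SChannel error state is (?<state>\d+)') {
        return [pscustomobject]@{ AlertCode = [int]$Matches.alert; ErrorState = [int]$Matches.state }
    }
    return $null
}

function Get-SchannelFatalAlertSummary {
    param([int]$Days = 7)
    $filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36888; StartTime = (Get-Date).AddDays(-$Days) }
    # -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $events | ForEach-Object {
        $parsed = ConvertFrom-SchannelAlertMessage -Message $_.Message
        if ($parsed) {
            [pscustomobject]@{ Time = $_.TimeCreated; AlertCode = $parsed.AlertCode; ErrorState = $parsed.ErrorState }
        }
    } | Group-Object AlertCode, ErrorState | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            AlertCode  = $sorted[0].AlertCode
            ErrorState = $sorted[0].ErrorState
            Count      = $_.Count
            FirstSeen  = $sorted[0].Time
            LastSeen   = $sorted[-1].Time
        }
    } | Sort-Object Count -Descending
}

# Constructed sample: the message text from the issue statement, run through the parser alone
$sample = 'A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960.'
ConvertFrom-SchannelAlertMessage -Message $sample    # AlertCode 20, ErrorState 960

# Live summary for the last week
Get-SchannelFatalAlertSummary -Days 7 | Format-Table -AutoSize
```

A sparse, steady trickle of one (AlertCode, ErrorState) pair while most handshakes succeed is the pattern the post describes; the FirstSeen timestamp is what you compare against any cipher suite or policy change, and the same query run after the fix below confirms the events have stopped.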

Cause:

The cipher suite being negotiated was TLS_DHE_RSA_WITH_AES_256_GCM_SHA384. There are known issues with cipher suites whose names start with TLS_DHE (ephemeral Diffie-Hellman key exchange).

Resolution:

The issue was resolved after disabling the TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite by removing it from the cipher suite order under the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]

Alternatively, you can move the cipher suites starting with TLS_DHE to the end of the negotiation order, so they are only chosen when no other suite matches, by configuring the following Group Policy:

To configure the SSL Cipher Suite Order group policy setting (Ref. Link):

  1. At a command prompt, enter gpedit.msc. The Group Policy Object Editor appears.
  2. Expand Computer Configuration\Administrative Templates\Network, and then click SSL Configuration Settings.
  3. Under SSL Configuration Settings, click the SSL Cipher Suite Order setting.
  4. In the SSL Cipher Suite Order pane, scroll to the bottom of the pane.
  5. Follow the instructions labeled How to modify this setting.

It is necessary to restart the computer after modifying this setting for the changes to take effect.
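Both fixes above come down to editing one comma-separated list, so they can be done in a single script that shows the before and after order before touching anything. The PowerShell below is an added example, not the post's own procedure or Microsoft's tooling; it assumes the policy key from the post with its documented value name Functions (REG_SZ), and uses Get-TlsCipherSuite (Windows 10 / Server 2016 and later) as the starting point when no policy order has been set yet. The default parameters remove the one suite named in the post and demote every remaining TLS_DHE_* suite to the end; it is a dry run unless -Apply is given.

```powershell
<#
  Added example (not from the original post). Edits the cipher suite order that the
  "SSL Cipher Suite Order" policy stores in the registry: drops the suites named in
  -RemoveSuites and moves suites matching -DemotePattern to the end of the list.
  Assumptions: policy key and value name as below (documented GPO location);
  Get-TlsCipherSuite available as the fallback source of the current order.
#>
param(
    [string[]]$RemoveSuites  = @('TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'),
    [string]  $DemotePattern = '^TLS_DHE_',   # regex; matching suites move to the end
    [switch]  $Apply
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$valueName = 'Functions'   # REG_SZ, comma-separated list written by the GPO

function Get-PolicyCipherSuiteOrder {
    # Returns the order currently enforced by policy, or an empty array if none is set
    if (-not (Test-Path $policyKey)) { return @() }
    $raw = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    return @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Get-ReorderedCipherSuites {
    param([string[]]$Current, [string[]]$Remove, [string]$DemotePattern)
    $kept    = @($Current | Where-Object { $Remove -notcontains $_ })
    $first   = @($kept | Where-Object { $_ -notmatch $DemotePattern })
    $demoted = @($kept | Where-Object { $_ -match $DemotePattern })
    # Relative order inside each group is preserved; demoted suites stay available
    # for peers that cannot do ECDHE, they just stop winning negotiation
    return $first + $demoted
}

function Set-PolicyCipherSuiteOrder {
    param([string[]]$Suites)
    $joined = $Suites -join ','
    # Windows limits this policy value to 1023 characters; a longer list is not honored in full
    if ($joined.Length -gt 1023) {
        throw "Cipher suite list is $($joined.Length) characters; the policy value is limited to 1023"
    }
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name $valueName -Value $joined -Type String
}

$current = Get-PolicyCipherSuiteOrder
if ($current.Count -eq 0) {
    # No policy order yet: start from the order Schannel is negotiating with today
    $current = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
}
$new = Get-ReorderedCipherSuites -Current $current -Remove $RemoveSuites -DemotePattern $DemotePattern

Write-Output 'Current order:';  $current | ForEach-Object { "  $_" }
Write-Output 'Proposed order:'; $new     | ForEach-Object { "  $_" }
if ($Apply) {
    Set-PolicyCipherSuiteOrder -Suites $new
    Write-Output 'Policy value written; restart the computer for Schannel to use the new order.'
} else {
    Write-Output 'Dry run; re-run with -Apply to write the policy value.'
}
```

Run it once without -Apply and check that the proposed list still contains the ECDHE suites your clients need before writing it. Like the manual edit, the change only takes effect after a restart. On Windows 10 / Server 2016 and later, Disable-TlsCipherSuite -Name TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 is the built-in way to drop a single suite from the local (non-policy) order, but it does not give you the "demote rather than remove" option, which is why the script works on the policy list directly.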
