IIS – https protocol does not work on IIS 10 after upgrading from Windows 7

Tags: https, iis, ssl-certificate

I have an ASP application running in IIS 7.5. Due to the EoL of Windows 7 I had to upgrade to Windows 10 and to IIS 10. All seemed in place, except that now the ASP site, or any other website, works unless https is used. So far Firefox gives me PR_CONNECT_RESET_ERROR, Chrome returns ERR_SSL_PROTOCOL_ERROR and Edge returns "Hmmm... can't reach this page".

Some answers point to the ARR Rewrite module, which I uninstalled and, after rebooting, reinstalled in the updated version, with the same results. I ended up uninstalling it (no need for it anymore) and rebooting. I re-installed IIS by removing the Windows features, rebooting, reinstalling IIS again and rebooting. I removed all the certificates and created a self-signed one, with the same problem. Finally, I deleted all my web sites from that web server and created a new one on the default directory (wwwroot, which contains an html file and two images), which is shown as long as the http protocol is used, but not https (same errors). I followed this guide for IIS 7 but no love. I also revoked and re-granted permissions on the folders to IUSR after the re-installations. Finally, I disabled the SSL filtering in the antivirus, but no difference.

The certificate that was used originally was created in-house using openssl to generate a company-wide root certificate, an intermediate certificate, and the machine certificate, which worked fine until the upgrade. Currently, as I said, even the self-signed one does not work with any of the browsers mentioned, to serve the simplest content. I have run out of ideas of what to check.

This is the trace I got from IIS:

 #Software: Microsoft Internet Information Services 10.0
 #Version: 1.0
 #Date: 2020-01-20 20:12:22
 #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
 2020-01-20 20:12:22 192.168.1.100 GET / - 80 - 192.168.1.100 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:73.0)+Gecko/20100101+Firefox/73.0 - 200 0 0 2687
 2020-01-20 20:12:22 192.168.1.100 GET /iisstart.png - 80 - 192.168.1.100 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:73.0)+Gecko/20100101+Firefox/73.0 http://devmachine.company.local/ 200 0 0 12
 2020-01-20 20:12:22 192.168.1.100 GET /favicon.ico - 80 - 192.168.1.100 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:73.0)+Gecko/20100101+Firefox/73.0 - 404 0 2 5
 #Software: Microsoft Internet Information Services 10.0
 #Version: 1.0
 #Date: 2020-01-20 12:26:37
 #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
 2020-01-20 20:12:22 ::1 GET / - 443 - ::1 Microsoft+Windows+Network+Diagnostics - 200 0 0 996
 2020-01-20 20:12:22 192.168.1.100 HEAD / - 80 - 192.168.1.100 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/79.0.3945.130+Safari/537.36 - 200 0 0 19
 2020-01-20 20:27:38 192.168.1.100 GET / - 80 - 192.168.1.100 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/79.0.3945.130+Safari/537.36 - 200 0 0 8
 2020-01-20 20:27:38 192.168.1.100 GET /iisstart.png - 80 - 192.168.1.100 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/79.0.3945.130+Safari/537.36 http://devmachine.company.local/ 200 0 0 50
 2020-01-20 20:27:38 192.168.1.100 GET /favicon.ico - 80 - 192.168.1.100 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/79.0.3945.130+Safari/537.36 http://devmachine.company.local/ 404 0 2 19

As you can see, only http worked (I changed the time in another attempt to see whether there was an issue with the clock, but there wasn't; Chrome complained with http, so the clock was fine), but there is no trace for https.

Best Answer

I got the answer by myself. The problem was that over the years the ciphers have changed, but only Windows 2012 and 2016 servers have had proper updates, not older versions, while Windows 10 already had those entries and updated accordingly. Consequently, there are some registry entries that do not exist which affect the way SSL is treated in IIS after the upgrade. To test whether this is the case, open a new tab in Firefox, type about:config, search for security.tls.version.max, set it to 3 and save. If you then go to the website, it works, or at least shows the usual warning that the certificate is not correct. If so, undo the change in Firefox and apply the solution described here; I am going to describe it anyway, just in case those pages are forgotten or deleted.

The whole problem is fixed by updating the following registry entries, which should be created or changed depending on whether you had already made some of the changes to strengthen security on your web server before.

Update WinHTTP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\
  DefaultSecureProtocols = (DWORD): 0xAA0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\
  DefaultSecureProtocols = (DWORD): 0xAA0

Enable TLS 1.2 if you haven't done so yet

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
  "SystemDefaultTlsVersions" = dword:00000001
  "SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
  "SystemDefaultTlsVersions" = dword:00000001
  "SchUseStrongCrypto" = dword:00000001

If your application is a 32-bit one on a 64-bit OS, then also modify

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
  "SystemDefaultTlsVersions" = dword:00000001
  "SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
  "SystemDefaultTlsVersions" = dword:00000001
  "SchUseStrongCrypto" = dword:00000001

Configure the SCHANNEL protocols to enable TLS 1.2, if you haven't done so yet

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
  "DisabledByDefault" = dword:00000000
  "Enabled" = dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
  "DisabledByDefault" = dword:00000000
  "Enabled" = dword:ffffffff

Be sure that TLS 1.1 is configured the same as TLS 1.2 if you want to support it for legacy applications/browsers. It is advisable to disable weak ciphers such as SSL and, if you can, TLS 1.0 (DisabledByDefault = dword:00000001, Enabled = 00000001 for client and server; those entries are located under TLS 1.0, which is at the same level as TLS 1.1 and TLS 1.2) and restart the computer.

If all goes well, your application is going to work again, or at least show the usual security-risk message due to the self-signed certificate. I hope this works for you; please upvote if it helps you solve the issue, and thanks in advance.

Note: You can set/clear the proper regedit values by using the scripts provided here: https://www.hass.de/content/setup-microsoft-windows-or-iis-ssl-perfect-forward-secrecy-and-tls-12
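As an added example, not part of the original answer and not taken from the linked scripts, here is a PowerShell script that audits the registry state the answer describes and, when run with -Apply, writes it. It assumes an elevated PowerShell on Windows 10 / IIS 10. A few deliberate differences from the values quoted in the answer: it uses CurrentControlSet rather than ControlSet001 (on a running system they refer to the same keys); it writes Enabled = 1 rather than 0xffffffff (both appear in Microsoft's documentation as "enabled"); for the protocols it disables (SSL 2.0, SSL 3.0, TLS 1.0) it sets Enabled = 0 together with DisabledByDefault = 1, since a protocol with Enabled = 1 is still usable; and it sets DefaultSecureProtocols to 0xA00 (TLS 1.1 + TLS 1.2) rather than 0xAA0, because in the bit flags Microsoft documents for that value (KB 3140245: 0x08 SSL 2.0, 0x20 SSL 3.0, 0x80 TLS 1.0, 0x200 TLS 1.1, 0x800 TLS 1.2) the 0x20 bit in 0xAA0 enables SSL 3.0. The $desired table, and the function names Get-TlsRegistryDrift and Set-TlsRegistryState, are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): audit and optionally apply the Schannel,
# .NET Framework and WinHTTP registry settings described in the answer above.
param([switch]$Apply)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state: registry key -> DWORD value names and values. Constructed for this example.
$desired = [ordered]@{
    # TLS 1.2 and TLS 1.1 on for both roles; IIS is the server, WinHTTP/.NET are the clients.
    "$schannel\TLS 1.2\Client" = @{ DisabledByDefault = 0; Enabled = 1 }
    "$schannel\TLS 1.2\Server" = @{ DisabledByDefault = 0; Enabled = 1 }
    "$schannel\TLS 1.1\Client" = @{ DisabledByDefault = 0; Enabled = 1 }
    "$schannel\TLS 1.1\Server" = @{ DisabledByDefault = 0; Enabled = 1 }
    # Legacy protocols off: Enabled must be 0, DisabledByDefault = 1 alone does not block them.
    "$schannel\SSL 2.0\Client" = @{ DisabledByDefault = 1; Enabled = 0 }
    "$schannel\SSL 2.0\Server" = @{ DisabledByDefault = 1; Enabled = 0 }
    "$schannel\SSL 3.0\Client" = @{ DisabledByDefault = 1; Enabled = 0 }
    "$schannel\SSL 3.0\Server" = @{ DisabledByDefault = 1; Enabled = 0 }
    "$schannel\TLS 1.0\Client" = @{ DisabledByDefault = 1; Enabled = 0 }
    "$schannel\TLS 1.0\Server" = @{ DisabledByDefault = 1; Enabled = 0 }
    # .NET 2.0 and 4.x (classic ASP.NET app pools), 64-bit and WOW64 views.
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727'             = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 }
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'             = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 }
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727' = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 }
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319' = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 }
    # WinHTTP default protocols: 0xA00 = TLS 1.1 (0x200) + TLS 1.2 (0x800); no SSL 3.0 bit (0x20).
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'             = @{ DefaultSecureProtocols = 0xA00 }
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' = @{ DefaultSecureProtocols = 0xA00 }
}

function Get-TlsRegistryDrift {
    # Emits one object per value that is missing or differs from the desired state.
    foreach ($key in $desired.Keys) {
        foreach ($name in $desired[$key].Keys) {
            $want = [int]$desired[$key][$name]
            $have = $null
            if (Test-Path -LiteralPath $key) {
                $have = (Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            if ($null -eq $have -or [int]$have -ne $want) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $name
                    Current = $have
                    Desired = ('0x{0:X}' -f $want)
                }
            }
        }
    }
}

function Set-TlsRegistryState {
    # Creates missing keys and writes every desired DWORD. Idempotent. Schannel reads these
    # keys at boot, so a reboot is needed before IIS picks the change up.
    foreach ($key in $desired.Keys) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $desired[$key].Keys) {
            New-ItemProperty -LiteralPath $key -Name $name -Value ([int]$desired[$key][$name]) `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

$drift = @(Get-TlsRegistryDrift)
if ($drift.Count -eq 0) {
    Write-Host 'Registry already matches the desired TLS state.'
} else {
    $drift | Format-Table -AutoSize
    if ($Apply) {
        Set-TlsRegistryState
        Write-Host 'Applied. Reboot, then retest https:// against the site.'
    } else {
        Write-Host 'Dry run only; re-run with -Apply to write these values.'
    }
}
```

Run it once without arguments to see which of the answer's keys are missing or different on the upgraded machine (a blank Current column is a value that does not exist at all, which is the situation the answer describes), and with -Apply to write them. A machine that already has Enabled = 0xffffffff will be reported as drift and rewritten to 1; both mean enabled. After the reboot, a quick check that the fix took is a fresh https:// request followed by a look at the IIS log for a line with s-port 443 from the browser's user agent, which is exactly what the trace in the question lacks.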