I have a Windows Server 2012 R2 instance on Azure. For a new website I have ordered a certificate by GlobalSign. After getting the certificates from them I have completed the certificate request in IIS and installed the root certifcate.
I moved the website to a new instance, so I have exported the certificate with its private key and imported it on the new instance.
That was my installation and it seemed to work pretty well.
Now I am getting a lot SChannel errors. They are:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960.
An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
It's the first time that I use SSL and to be honest, I have no idea what I am doing. For me it looks fine when I request the website (http://laola.biz).
I have already used the SSL Check by GlobalSign which gives me Grade C. https://sslcheck.globalsign.com/en_US/sslcheck?host=laola.biz#191.233.85.240-cert-ssl
Here a list of the certificates from mmc (my website is laola.biz):
Intermediate
Root
Personal
Any ideas what I could have done wrong here?
Best Answer
As different people (well meaning and otherwise) attempt to access your site from various devices running various browsers on various operating systems, depending on the protocol they choose to secure that communication, you will end up seen messages by the schannel source.
The following blog should help you understand some of the messages you see in your logs. http://blogs.msdn.com/b/kaushal/archive/2012/10/06/ssl-tls-alert-protocol-amp-the-alert-codes.aspx
The grade you got there is a little concerning. You wouldn't have SSL3 enabled if you published the site to Azure Websites directly.
You can disable SSL3 using guidance here http://blogs.msdn.com/b/kaushal/archive/2014/10/22/poodle-vulnerability-padding-oracle-on-downgraded-legacy-encryption.aspx
If you can move the site from a VM to an Azure Website itself that would be better. It will save you having to patch and secure the VM(s) used to host the web site. You instead rely on Azure PaaS to provide the platform to host the website. You take care of the web site code while Azure secures and maintains the IIS/platform.
The upcoming changes to the platform from TLS perspective are reflected in https://testsslclient.trafficmanager.net/. You can test this to see the grading your website can get if you were to migrate the site to an Azure website directly.