This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

schannel errors

I have a capture file of a network during the time Schannel alerts were generated on an Exchange server running Outlook Web Access. What should I be looking at in the capture file to determine what is causing these Schannel alerts? I marked down the times the Schannel alerts were generated and looked at the capture file, but can't seem to get much from this. Please see the posts on Stack Exchange below for additional information.

http://serverfault.com/questions/586530/schannel-ssl-3-0-error-owa-windows-server-2008-r2/592369#592369

http://serverfault.com/questions/592408/schannel-errors-fatal-20-and-40

asked 30 Apr '14, 15:33

studentofsec...

edited 01 May '14, 05:39


One Answer:

Schannel Error 36874 "An TLS 1.0 connection was received from a remote client application, but none of the cipher suites supported by the client are supported by the server. The SSL connection request has failed."

Schannel Error 36888 "The following fatal alert was generated: 40. The internal error state is 1204"

So, the first error is quite ‘normal’. You’ll sometimes have TLS clients with either very new ciphers/options or clients with outdated ciphers/options.

The second error is different. Maybe you are able to see something unusual in the TLS handshake with Wireshark.

Regards
Kurt

answered 01 May ‘14, 07:09

Kurt Knochner ♦
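As an added example (not part of the original answer), the Python sketch below shows what to pull out of the handshake for the two events quoted above: the cipher suites a client offers in its ClientHello, compared against the server's enabled set, and any plaintext alert record the server sends back. The byte strings are constructed sample data, and the `SERVER_SUITES` set and all function names are assumptions for illustration.

```python
import struct

# Suite IDs from the IANA TLS registry; which ones the server enables is an assumption.
SERVER_SUITES = {0x002F, 0x0035}   # TLS_RSA_WITH_AES_128/256_CBC_SHA

def parse_records(stream):
    """Yield (content_type, body) for each complete TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5: off + 5 + length]
        if len(body) < length:
            break                      # truncated capture, stop cleanly
        yield ctype, body
        off += 5 + length

def client_hello_suites(body):
    """Return the cipher suite IDs offered in a ClientHello, or None if not one."""
    if len(body) < 39 or body[0] != 1:     # handshake type 1 = ClientHello
        return None
    try:
        off = 4 + 2 + 32                   # handshake header, client_version, random
        off += 1 + body[off]               # skip session_id
        (n,) = struct.unpack_from("!H", body, off)
        return list(struct.unpack_from("!%dH" % (n // 2), body, off + 2))
    except struct.error:
        return None                        # malformed or cut-off hello

def diagnose(client_bytes, server_bytes, server_suites=SERVER_SUITES):
    """Summarise what the client offered and which plaintext alerts the server sent."""
    offered = []
    for ctype, body in parse_records(client_bytes):
        if ctype == 22:                    # handshake record
            offered = client_hello_suites(body) or offered
    alerts = [(b[0], b[1]) for t, b in parse_records(server_bytes)
              if t == 21 and len(b) == 2]  # alert record: (level, description)
    common = [s for s in offered if s in server_suites]
    return {"offered": offered, "common": common, "alerts": alerts}

def constructed_sample():
    """Constructed bytes: TLS 1.0 ClientHello offering only RC4 suites, then a fatal alert 40."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x04\x00\x04\x00\x05" + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    client = b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs
    return client, b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    print(diagnose(*constructed_sample()))
```

An empty `common` list corresponds to the condition event 36874 describes, and an alert of `(2, 40)` is a fatal handshake_failure, the code reported in event 36888.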