A recent Windows Update for Windows 7, 8, Server 2008R2 & 2012R2 (KB3161639) has broken SSL/HTTPS connectivity to certain Apache/Tomcat web servers (CUCM, UCCX). The issue is caused by the addition of two new cipher suites, TLS_DHE_RSA_WITH_AES_128_CBC_SHA and TLS_DHE_RSA_WITH_AES_256_CBC_SHA. See this link for more details on the error and the options for fixing it:
If possible, check for (and remove or replace) this optional update, then try again. (Note: KB3161608 contains KB3161639.) The following page provides more details:
Microsoft has also published a pair of new patches in its place: KB 3172605 for Windows 7 and KB 3172614 for Windows 8.1. Applying those patches should resolve the issue.
If you are still having issues, you can directly modify the cipher suites used by Windows by editing the local policy through the gpedit.msc Windows module. Navigate to Computer Configuration > Administrative Tools > Network > SSL Configuration Settings > SSL Cipher Suite Order.
If the suite order is set to Disabled or Not Configured, the default order is used and access to UCCX/Finesse is blocked. Instead, set it to Enabled and modify the cipher suite order to exclude the two ciphers mentioned above. Note that the cipher list cannot exceed 1023 characters in length. The following cipher list is known to work with UCM:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_CK_DES_192_EDE3_CBC_WITH_MD5
Note: The cipher suite list above must be entered as a single string on one line (no carriage returns).
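The following PowerShell helper is an added example, not part of the original article. It takes a cipher list pasted with line breaks, removes the two suites named above, joins the rest into one line and checks the 1023-character limit. The function name and the sample list are constructed for illustration.

```powershell
# Added example: the function name and the sample list are constructed.
$Excluded = @(
    'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_DHE_RSA_WITH_AES_256_CBC_SHA'
)
$MaxLength = 1023   # limit stated in the article

function ConvertTo-CipherSuiteOrder {
    param(
        [Parameter(Mandatory = $true)][string]$RawList,
        [string[]]$Exclude = $Excluded,
        [int]$Limit = $MaxLength
    )
    # Split on commas and any whitespace (including CR/LF); drop empty entries.
    $suites = $RawList -split '[,\s]+' | Where-Object { $_ -ne '' }

    # Exact-match removal, so suites such as ..._CBC_SHA256 are not caught by
    # accident. Duplicates are dropped while the original order is preserved.
    $seen = New-Object 'System.Collections.Generic.HashSet[string]'
    $kept = foreach ($s in $suites) {
        if ($Exclude -notcontains $s -and $seen.Add($s)) { $s }
    }

    # One row, comma-separated, no carriage returns.
    $line = @($kept) -join ','
    if ($line.Length -gt $Limit) {
        throw "Cipher list is $($line.Length) characters; the limit is $Limit."
    }
    return $line
}

# Constructed sample: a pasted list that still contains the two DHE_RSA suites.
$sample = @"
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA
"@

$order = ConvertTo-CipherSuiteOrder -RawList $sample
$order
"Length: $($order.Length) of $MaxLength characters"
```

The single-line output is the string to paste into the SSL Cipher Suite Order field.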
Comments
I found even with KB3172605 applied, PhoneView wasn't working. Removed identified ciphers per above (manually) as the stated list in the above article did not match my list identically. Also, had to perform a reboot after editing GPO to get things working again.