Asked by:
IIS Crypto best practices and ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY issue

Question
-
User1758580655 posted
On an ASP.NET Web api, I receive ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY issue after like every 2-3 months, which I resolve by going to IIS Crypto, clicking 'Best practices' and reboot.
I know that action disables all old protocols and ciphers, and best practices keep on changing in an effort to secure IIS. What I am after is a permanent solution to that problem. Will creating my own template selecting only a few cipher suites help?
Tuesday, September 15, 2020 7:17 AM
All replies
-
User690216013 posted
"What I am after is a permanent solution to that problem."

That's impossible. Browser vendors are evaluating security risks every day and pushing out new measures via frequent updates. So nobody can predict when a strong cipher today becomes weak and obsolete.

"Best practices keep on changing in an effort to secure IIS."

Accept that fact, and add extra steps in your server maintenance plan.
Tuesday, September 15, 2020 3:38 PM
User-2064283741 posted
"On an ASP.NET Web API, I receive ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY issue after like every 2-3 months, which I resolve by going to IIS Crypto, clicking 'Best practices' and reboot."
Is your error coming back again every 2-3 months and you have run IISCrypto again?
Wednesday, September 16, 2020 12:39 AM
User-848649084 posted
Hi,
IIS 10 turns on HTTP/2 by default and only falls back to the older HTTP/1.1 if the browser doesn't support HTTP/2. While HTTP/2 is generally good practice and most recent browsers support it, it also has stricter requirements than HTTP/1.1. The issue behind these browser errors is that IIS is trying to establish an HTTP/2 session with the browser, but the server is configured with some weaker SSL ciphers which aren't supported by HTTP/2.
You have the options below to resolve the issue:
1) Disable the weaker cipher suites, which is recommended for security purposes, and leave HTTP/2 enabled.
2) Disable HTTP/2 in IIS and only use the older HTTP/1.1 standard.
Set the registry key setting as shown below to disable HTTP/2:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"EnableHttp2Tls"=dword:00000000
"EnableHttp2Cleartext"=dword:00000000
After that you could capture some network traffic by using Network Monitor and check which cipher is causing the issue.
Disable HTTP/2 in the browser:
Chrome:
Run it with the below parameter:
chrome.exe --disable-http2
Firefox:
Type about:config in the address bar
Click on "I Accept The Risk"
Search for network.http.spdy.enabled.http2
Change the value to False
Restart your browser
Wednesday, September 16, 2020 6:22 AM
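Option 1 above hinges on which suites HTTP/2 actually allows. As an added example (not code from the thread or from IIS Crypto), this Python script classifies a server's cipher-suite order against the RFC 7540 section 9.2.2 rules and flags blacklisted suites that still outrank an acceptable one; it assumes suite names in the IANA form that Get-TlsCipherSuite prints, and the sample order is constructed.

```python
import re

# Added example, not from the thread or from IIS Crypto. It mirrors the HTTP/2
# TLS rules of RFC 7540 section 9.2.2: TLS 1.2+, ephemeral key exchange
# (ECDHE/DHE) and an AEAD cipher (GCM, CCM, ChaCha20-Poly1305). Static RSA or
# ECDH key exchange, CBC, 3DES, RC4 and NULL suites fall on the Appendix A
# blacklist, so Chrome aborts h2 with ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY.

TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}
EPHEMERAL_RE = re.compile(r"^TLS_(ECDHE|DHE)_")
AEAD_RE = re.compile(r"_(GCM|CHACHA20_POLY1305)_|_CCM(_8)?$")


def http2_ok(suite):
    """True if an h2 connection may negotiate this suite."""
    if suite in TLS13_SUITES:
        return True
    return bool(EPHEMERAL_RE.match(suite) and AEAD_RE.search(suite))


def parse_suite_list(text):
    """Extract suite names from pasted Get-TlsCipherSuite or IIS Crypto output."""
    return [tok for tok in re.split(r"[\s,]+", text) if tok.startswith("TLS_")]


def audit_cipher_order(order):
    """Audit a server cipher order (highest priority first).

    Schannel takes the highest-ranked suite the client also offers, so any
    blacklisted suite ranked above an acceptable one can still win an h2
    handshake; those are reported under 'shadowing'.
    """
    last_ok = max((i for i, s in enumerate(order) if http2_ok(s)), default=-1)
    return {
        "acceptable": [s for s in order if http2_ok(s)],
        "blacklisted": [s for s in order if not http2_ok(s)],
        "shadowing": [s for i, s in enumerate(order)
                      if not http2_ok(s) and i < last_ok],
    }


# Constructed sample order: a CBC suite was left ranked above the GCM suites.
SAMPLE_ORDER = parse_suite_list("""
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA
""")
REPORT = audit_cipher_order(SAMPLE_ORDER)
```

Anything listed under "shadowing" is what the browser can end up negotiating for h2 even though acceptable suites exist; removing the "blacklisted" entries entirely is what the IIS Crypto "Best Practices" template does.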
User1758580655 posted
Hi,
Thanks for suggesting such detailed solutions.
But I have a concern regarding option #1. If the strong ciphers become weak after some time, the whole purpose of disabling weak ciphers would be defeated, won't it? Or, do you think there are some ciphers that never become weak?
Wednesday, September 16, 2020 12:18 PM