If you’ve recently upgraded an IIS web server to Windows Server 2016, you may come across an NS_ERROR_NET_INADEQUATE_SECURITY error in Firefox or an ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY error in Google Chrome. There are a few reasons for this, and the main one is that IIS on Windows Server 2016 turns on HTTP/2 by default and only falls back to the older HTTP/1.1 if the browser doesn’t support HTTP/2. While HTTP/2 is generally a good thing and most recent browsers support it, it also has stricter requirements than HTTP/1.1. These browser errors appear when Windows Server 2016 tries to establish an HTTP/2 session with the browser but the server is configured with weaker SSL cipher suites that HTTP/2 doesn’t allow.
At the server level, there are a few options you have to resolve this issue. First, you can disable the weaker cipher suites, which is recommended for security purposes, and leave HTTP/2 enabled. The second option is to disable HTTP/2 in IIS and only use the older HTTP/1.1 standard. We’ll walk you through both options.
Disable Weak Cipher Suites
The easiest way to toggle cipher suites and SSL protocols is with a utility called IISCrypto, which you can download here. When you open IISCrypto, you can use the Best Practices button to automatically disable insecure protocols and weaker cipher suites. You’ll need to reboot for the changes to take effect. If you’re more advanced, you can also fine-tune these protocols and cipher suites manually in IISCrypto.
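As an added example (not from the article and not part of IISCrypto), the PowerShell below uses the built-in Get-TlsCipherSuite cmdlet to list which suites Schannel still offers that fail the HTTP/2 requirement of RFC 7540 section 9.2.2 (ephemeral key exchange plus an AEAD cipher). The name-pattern check is an assumption that mirrors the RFC's Appendix A blacklist, and the Disable-TlsCipherSuite call is left commented out so you can review the list before changing anything.

```powershell
# Added example: audit the enabled Schannel cipher suites against the HTTP/2
# rule in RFC 7540 section 9.2.2. A suite is acceptable to HTTP/2 only if it
# uses ephemeral key exchange (ECDHE/DHE) AND an AEAD cipher (GCM, CCM or
# CHACHA20-POLY1305); every CBC, static-RSA, 3DES, RC4 or NULL suite is on
# the Appendix A blacklist and triggers INADEQUATE_SECURITY in the browser.

function Test-Http2CipherSuite {
    param([Parameter(Mandatory)][string]$Name)
    # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) are always AEAD with (EC)DHE.
    if ($Name -match '^TLS_(AES_|CHACHA20_)') { return $true }
    $ephemeral = $Name -match '_(EC)?DHE_'
    $aead      = $Name -match '_(GCM|CCM|CHACHA20_POLY1305)'
    return ($ephemeral -and $aead)
}

function Get-Http2IncompatibleCipherSuite {
    # Get-TlsCipherSuite (TLS module, Windows Server 2012 R2 and later)
    # returns the suites in the current Schannel priority order.
    Get-TlsCipherSuite |
        Where-Object { -not (Test-Http2CipherSuite $_.Name) } |
        Select-Object -ExpandProperty Name
}

# Report the offending suites; the browser error only goes away once none of
# them can be selected during the TLS handshake.
$bad = @(Get-Http2IncompatibleCipherSuite)
if ($bad.Count -gt 0) {
    Write-Host "HTTP/2-incompatible suites still enabled ($($bad.Count)):"
    $bad | ForEach-Object { Write-Host "  $_" }
    # Uncomment to remove them (run elevated, then reboot to be sure it applies):
    # $bad | ForEach-Object { Disable-TlsCipherSuite -Name $_ }
} else {
    Write-Host "All enabled cipher suites satisfy RFC 7540 section 9.2.2."
}
```

Re-run the script after the reboot to confirm the list is empty before re-testing from the browser.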
Disable HTTP/2 in IIS on Windows Server 2016
If you decide to disable HTTP/2 in IIS on Windows Server 2016 and only use HTTP/1.1, you can do so by adding two DWORD registry keys. You can copy the text in the box below into an empty Notepad file and save it as a .reg file. Then double-click the file to import the registry keys and reboot.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"EnableHttp2Tls"=dword:00000000
"EnableHttp2Cleartext"=dword:00000000
If you decide to enable HTTP/2 at a later time, you can either delete the two registry keys or change their values to 1.
How to Disable HTTP/2 in Firefox
If you’re trying to browse to a website and you’re getting the error NS_ERROR_NET_INADEQUATE_SECURITY in Firefox and you’re not an administrator of the server, you can disable HTTP/2 in Firefox.
- Open Firefox and type about:config in the address bar
- Click on I Accept The Risk
- Search for network.http.spdy.enabled.http2
- Change the value to False
- Restart your browser
Nice info.
Thanks
HELP MAC USERS!!! Not sure what you’re saying or how to solve the error. Please use plain English. You are far too technical and I have no idea what a cipher is or where to find one. What does it do? What about Mac users? I’m a Mac user. How do I access a site with this error message?
If you’re the end user, scroll to the end of the article and follow the steps under “How to Disable HTTP/2 in Firefox”
Thank you sir, it worked. Not sure why this is happening so much as it never happened before. Nice of Firefox to not care about end users experiencing this problem or bothering to tell them about a fix. They just say you can’t visit the site.
Disabling the weaker cipher suites alone does not fix the problem. You can observe this with a Chrome or Firefox web browser and a Windows 2016 server with hardened TLS: use Wireshark or another network analyzer and observe the TLS version and cipher negotiation between the client and server. Even if the cipher is negotiated to a cipher not on the IETF list of insecure ciphers (https://tools.ietf.org/html/rfc7540#appendix-A), the error will persist in both Chrome and Firefox.
Here are the results with Chrome as the browser. Wireshark shows the following Client Hello portion of the TLS negotiation:
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 512
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 508
Version: TLS 1.2 (0x0303)
Random: 8c755b3f0487068d558135f5955d65979e29f835dcd53330…
Session ID Length: 32
Session ID: 923b00000f8e268999af3a409c9ae76648eb4f60d24edff9…
Cipher Suites Length: 34
Cipher Suites (17 suites)
Cipher Suite: Reserved (GREASE) (0x2a2a)
Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
And here is the Server Hello and Change Cipher Spec response
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 94
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 90
Version: TLS 1.2 (0x0303)
Random: 5db0ab4fb7f32b29de59ecb4a94409eb1c4c5a5905475eb0…
Session ID Length: 32
Session ID: 923b00000f8e268999af3a409c9ae76648eb4f60d24edff9…
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Compression Method: null (0)
Extensions Length: 18
Extension: application_layer_protocol_negotiation (len=5)
Extension: extended_master_secret (len=0)
Extension: renegotiation_info (len=1)
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.2 (0x0303)
Length: 1
Change Cipher Spec Message
[Expert Info (Note/Sequence): This session reuses previously negotiated keys (Session resumption)]
[This session reuses previously negotiated keys (Session resumption)]
[Severity level: Note]
[Group: Sequence]
If you can’t tell, the cipher negotiated is
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
which is not on the IETF list of insecure ciphers.
No Words
Just Thnx
The below order of Cipher Suites in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002
or in the Group Policy (Network\SSL Configuration Settings\SSL Cipher Suite Order\SSL Cipher Suites)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
Works fine with HTTP2