08-26-2016 08:46 AM
Has anyone noticed that the latest update of IE11 (11.545.10586.0) breaks https access to Finesse 10.5.1? I have only seen this version of IE11 on Windows 10 machines so far. I know the compatibility matrix for Finesse 10.5.1 only shows supporting IE11 under Windows 7 SP1.
Looks like IE11 (on Windows 10 machines at least) no longer supports TLS 1.0 which Finesse 10.5.1 tries to negotiate when IE initially tries with TLS 1.2. As a result it is unable to establish an https connection.
I know that Finesse 11.5 now supports TLS 1.2 but is there a workaround for older versions?
If this IE11 update eventually reaches Windows 7 machines I am guessing the same issue would occur.
08-26-2016 09:05 AM
Some additional information:
Even disabling TLS 1.2 and TLS 1.1 in IE does not work. It appears to attempt to negotiate TLS 1.0 and uses the following Cipher Suite but still no go. Fails with a Handshake Failure (40).
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Note this Cipher Suite is one of the 12 suites suggested by IE at the start of the handshake and Finesse responds selecting this one. But it then fails the handshake.
08-26-2016 10:12 AM
Hi,
I am not aware of this problem, but I will investigate to see if there is a workaround.
Thanx,
Denise
08-29-2016 02:09 PM
Hi,
I'm having some technical difficulties with my lab system, so it may take a little longer than I expected (trying to reproduce the issue and debug). Sorry for the delay.
Thanx,
Denise
08-30-2016 11:05 AM
Thanks Denise. Let me know what you find out. Here is some additional information I have been able to determine.
Note that I have also confirmed it happens with the IE11 version 11.0.9600.18426 update on Windows 7 Enterprise as well.
Looks like when the IE update is installed it breaks the TLS 1.0 negotiation within Windows itself. As stated above Finesse correctly selects one of the offered ciphers but then Windows appears to not continue with the negotiation (Key Exchange) causing Finesse to eventually respond with the Handshake Failure message.
Specifically prior to the latest IE11 update (using an older IE10 install), IE would offer a number of cipher candidates during the handshake including the following which Finesse would select. All would be happy.
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
After the IE11 update the following cipher is offered by Windows and is the one chosen by Finesse and that is when the failure occurs.
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Note that using Chrome works and it negotiates the following cipher suite and this works fine.
TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
So it looks like a possibly weak Diffie-Hellman SSL cipher is being mistakenly offered by Windows (with IE11 update) and then rejected/ignored when it is selected by Finesse.
08-30-2016 12:16 PM
Thank you for the additional information. My stubborn Windows 7 VM is refusing to install the IE11 upgrade (I am on 11.0.9600.17843). I will continue to work on this and will update as soon as I have information.
Thanx,
Denise
08-30-2016 12:37 PM
Hi,
Actually, because 10.5 supports Windows 7 with IE11, this is a product issue and therefore you should open a TAC case. They will be able to work with the Finesse team and provide a workaround.
Before doing so, I want to make sure that you are on Windows 7 SP1 because that is the supported OS version: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/finesse/finesse_1051/release/notes/CFIN_BK_R34A18D2_00_release-notes-for-cisco-finesse-1051/CFIN_BK_R34A18D2_00_release-notes-for-cisco-finesse_chapter_00.html#CFIN_RF_HCB...
I highly doubt that would make a difference, but I want to make sure that you are on the supported OS.
Thanks,
Denise
08-30-2016 12:59 PM
Regarding opening a TAC issue, the problem is not affecting us directly just yet, it is just something we have observed in our lab. It did affect one of our customers when they applied Windows updates but they saw that those updates also broke a bunch of their other secure stuff (seems to affect more than just IE) so they rolled back the updates. So was posting it here to see if anyone at Cisco has seen it yet (giving you a heads up). We can reproduce it but the workaround from our point of view is to not install the IE11 update at this point. And Windows 10 (with forced updates) is not supported by 10.5.1 so would not be supported anyway.
08-30-2016 01:27 PM
Hi,
Ok. I will let the Finesse team know. Thanks for all the information!
Thanx,
Denise
08-31-2016 10:58 AM
Denise I have some further information on this. Seems the issue is not specific to IE11 per se but rather to another KB update that also gets installed. This KB update is included in Microsoft's June and July Update Rollups so if they are installed the problem will also be seen. Found an interesting thread on a Microsoft forum that talks about it and specifically mentions Cisco Finesse and TLS issues (along with VOIP phones).
There is a workaround that involves removing the problematic ciphers. I have tested it and it appears to work for now. Not sure yet if there are other ramifications from removing the ciphers but Finesse is happy as well as applications that use the Finesse web APIs.
You can remove the following ciphers from the list contained in the registry key HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002.
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Here is the Microsoft forum thread.
PROBLEMS WITH KB 3161608 AND KB 3161639 - Microsoft Community
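The workaround in the post above, as an added PowerShell example that is not part of the original post: it reports whether the two DHE suites are in the list under that registry key and, only when run with `-Apply`, backs up the key and writes the list back without them. The value name `Functions` (the multi-string that holds the suite order under this key) and the `-Apply` switch are assumptions of this example and are not named in the thread.

```powershell
# Added example (not from the thread). Run from an elevated prompt.
# Without -Apply it only reports; with -Apply it backs up and rewrites the list.
param([switch]$Apply)

$subKey = 'SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$name   = 'Functions'   # assumed value name: REG_MULTI_SZ with the ordered suite list
$remove = @('TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA')

# Open read-only for a report, writable only when a change was requested.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, [bool]$Apply)
if ($null -eq $key) { throw "Registry key not found: HKLM\$subKey" }
try {
    $raw = $key.GetValue($name)
    if ($null -eq $raw) { throw "Value '$name' is missing under HKLM\$subKey" }
    $current = @($raw)

    $dropped = @($current | Where-Object { $remove -contains $_ })
    $kept    = @($current | Where-Object { $remove -notcontains $_ })

    "Suites currently listed: $($current.Count)"
    if ($dropped.Count -eq 0) { 'Neither DHE suite is listed; nothing to change.'; return }
    "Listed and targeted for removal: $($dropped -join ', ')"
    if (-not $Apply) { 'Report only. Re-run with -Apply to write the change.'; return }

    # Keep a restorable copy of the key before editing it.
    $backup = Join-Path $env:TEMP ('ssl-00010002-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export "HKLM\$subKey" $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; registry left unchanged.' }

    # Write back the same list, in the same order, minus the two DHE suites.
    $key.SetValue($name, [string[]]$kept, [Microsoft.Win32.RegistryValueKind]::MultiString)
    "Removed $($dropped.Count) suite(s). Backup: $backup"
    'Restart Windows so Schannel loads the new list.'
}
finally { $key.Close() }
```

Importing the exported `.reg` file restores the original suite list if other TLS clients on the machine turn out to depend on the removed entries.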
08-31-2016 11:02 AM
Thank you for all of this information. It is definitely helpful. I have let the Finesse team know and they will take a look at it.
08-30-2016 12:50 PM
Is the issue that you are having high cpu being taken by svchost (the one hosting the wuauclt.exe) and the windows update not proceeding? If so Microsoft has a separate fix that you can apply outside of windows update to fix it. Windows updates will then work properly afterwards.