IIS Crypto best practices and ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY issue

4 replies

Last post Sep 16, 2020 12:18 PM by Zed02

  • IIS Crypto best practices and ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY issue

    Sep 15, 2020 07:17 AM|Zed02|LINK

    On an ASP.NET Web API, I receive an ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY issue after like every 2-3 months, which I resolve by going to IIS Crypto, clicking 'Best practices' and rebooting.

    I know that action disables all old protocols and ciphers, and best practices keep on changing in an effort to secure IIS. What I am after is a permanent solution to that problem. Will creating my own template selecting only a few cipher suites help?

  • Re: IIS Crypto best practices and ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY issue

    Sep 15, 2020 03:38 PM|lextm|LINK

    Zed02

    What I am after is a permanent solution to that problem.

    That's impossible. Browser vendors are evaluating security risks every day and pushing out new measures via frequent updates. So nobody can predict when a strong cipher today becomes weak and obsolete.

    Zed02

    best practices keep on changing in an effort to secure IIS.

    Accept that fact, and add extra steps in your server maintenance plan.

    Lex Li
  • Re: IIS Crypto best practices and ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY issue

    Sep 16, 2020 12:39 AM|Rovastar|LINK

    Zed02

    On an ASP.NET Web API, I receive an ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY issue after like every 2-3 months, which I resolve by going to IIS Crypto, clicking 'Best practices' and rebooting.

    Is your error coming back again every 2-3 months and you have run IISCrypto again?

  • Re: IIS Crypto best practices and ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY issue

    Sep 16, 2020 06:22 AM|Jalpa Panchal|LINK

    Hi,

    IIS 10 turns on HTTP/2 by default and only falls back to the older HTTP/1.1 if the browser doesn't support HTTP/2. While HTTP/2 is generally good practice and most recent browsers support it, it also has stricter requirements than HTTP/1.1, and the issue with these browser errors is that IIS is trying to establish an HTTP/2 session with the browser but the server is configured with some weaker SSL ciphers which aren't supported by HTTP/2.

    You have the below options to resolve the issue:

    1) Disable the weaker cipher suites, which is recommended for security purposes, and leave HTTP/2 enabled

    2) Disable HTTP/2 in IIS and only use the older HTTP/1.1 standard

    Set the registry key setting as shown below to disable HTTP/2:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
    "EnableHttp2Tls"=dword:00000000
    "EnableHttp2Cleartext"=dword:00000000

    After that, you could capture some network traffic by using the network monitor and check which cipher is causing the issue.

    Disable HTTP/2 in the browser:

    Chrome-

    Run it with the below parameter

    chrome.exe --disable-http2

    Firefox-


    Type about:config in the address bar

    Click on I Accept The Risk

    Search for network.http.spdy.enabled.http2

    Change the value to False

    Restart your browser

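Added example, not part of the original thread or any poster's code: for option 1 in the reply above, this PowerShell check classifies an ordered cipher suite list by the rule behind the HTTP/2 cipher blacklist in RFC 7540 Appendix A (a suite needs an ephemeral key exchange and an AEAD cipher). The function names and the sample list are constructed for illustration, and the ranking column assumes the server prefers suites in list order.

```powershell
# Returns $true when a suite name meets the HTTP/2 criterion from RFC 7540
# Appendix A: ephemeral (EC)DHE key exchange AND an AEAD cipher.
function Test-Http2CipherSuite {
    param([Parameter(Mandatory)][string]$Name)
    # TLS 1.3 suite names carry no _WITH_; all of them are AEAD with ephemeral keys.
    if ($Name -notmatch '_WITH_' -and $Name -match '^TLS_(AES|CHACHA20)_') { return $true }
    $ephemeral = $Name -match '^TLS_(ECDHE|DHE)_'
    $aead      = $Name -match '_(GCM|CCM)(_|$)|CHACHA20_POLY1305'
    return ($ephemeral -and $aead)
}

# Walks the list in priority order and marks suites HTTP/2 rejects, plus those
# that are ranked above an acceptable suite (hypothetical helper name).
function Get-Http2CipherAudit {
    param([Parameter(Mandatory)][string[]]$OrderedNames)
    $rank = 0
    $rows = foreach ($n in $OrderedNames) {
        $rank++
        [pscustomobject]@{
            Rank    = $rank
            Name    = $n
            Http2Ok = (Test-Http2CipherSuite -Name $n)
        }
    }
    # Rank of the lowest-priority acceptable suite ($null if there is none).
    $lastOk = ($rows | Where-Object Http2Ok | Select-Object -Last 1).Rank
    foreach ($r in $rows) {
        $risky = (-not $r.Http2Ok) -and $lastOk -and ($r.Rank -lt $lastOk)
        $r | Add-Member -NotePropertyName OutranksOkSuite `
                        -NotePropertyValue ([bool]$risky) -PassThru
    }
}

# Constructed sample order. On the server itself, use the real ordered list:
#   $names = (Get-TlsCipherSuite).Name
$names = @(
    'TLS_RSA_WITH_AES_128_GCM_SHA256',        # AEAD, but static RSA key exchange
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',  # ephemeral, but CBC (not AEAD)
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',  # ephemeral + AEAD
    'TLS_AES_256_GCM_SHA384',                 # TLS 1.3
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'           # neither
)
Get-Http2CipherAudit -OrderedNames $names | Format-Table -AutoSize
```

Rows with `Http2Ok` false are the candidates to disable while leaving HTTP/2 enabled; rerunning the check after each OS or template change shows whether such suites have come back.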
  • Re: IIS Crypto best practices and ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY issue

    Sep 16, 2020 12:18 PM|Zed02|LINK

    Hi,

    Thanks for suggesting such detailed solutions.

    But I have a concern regarding option #1. If the strong ciphers become weak after some time, the whole purpose of disabling weak ciphers would be defeated, won't it? Or, do you think there are some ciphers that never become weak?