The TLS protocol defined fatal alert code is 70
I'm trying to access an SSL URL from a Windows browser to another machine running Tomcat and I am seeing error 36887 from Schannel in the System event log on the Windows machine with this description:
The TLS protocol defined fatal alert code is 70
According to MS documentation:
I've turned up Schannel logging (max=7) on the Windows machine and I can see that an SSL handshake was negotiated correctly, this from the event log:
An SSL server handshake completed successfully. The negotiated cryptographic parameters are as follows.
Protocol: TLS 1.2
CipherSuite: 0xC028
Exchange strength: 256
This seems to contradict the code 70 error.
Cipher suite 0xC028 is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384. I've checked on the Tomcat machine and can see that this is available, and TLS1.2 is also enabled on both machines so the successful handshake makes sense.
The process ID associated with the code 70 error belonged to lsass.exe - my Windows knowledge is quite limited so I have no idea what that does.
I can find nothing in the catalina.out log on the Tomcat machine, the code 70 seems to be happening before the request is actuall sent. I am certain that the certs are all configured correctly as I can access the URL successfully from other machines.
How can I progress from here?
The issue turned out to be that one of our client apps was using .NET 4.5.2 and defaulting to TLS1.1, which had been disabled at the server end by some patching. Ultimately a .NET update to 4.7.2 fixed the issue.
- Send HTTP_1_1_REQUIRED from ASP.NET Core controller
- Composer Curl error 60: SSL certificate problem: unable to get local issuer certificate
- openssl how to check server name indication (SNI)
- How to I deploy nextjs application in a production environment, using ssl?
- How can I create a TLS/SSL connection to a mongodb instance on AWS with a certificate made by certificate manager? Health check failed
- Is there a way to get the OpenSSL X509 certificate name that im sending to peer in C++?
- pip always fails ssl verification
- Trust Anchor not found for Android SSL Connection
- How to add self-signed generated certificate to trusted certificates from inside a Java keystore?
- How to force Laravel Project to use HTTPS for all routes?
- Using Keycloak behind a reverse proxy: Could not open Admin loginpage because mixed Content
- Python SSL default context not including TLS 1.1 or SSL 2 ciphers
- How do I switch Docker containers with .NET Blazor applications from HTTP to HTTPS?
- Creating self signed certificate for domain and subdomains - NET::ERR_CERT_COMMON_NAME_INVALID
- javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
- How to simulate non-SNI browsers (without SNI support)?
- How to access phpmyadmin on DDEV Windows 10 pro localhost with SSL record too long error
- cURL with SSL certificates fails: error 58 unable to set private key file
- Specifying Arduino WiFiClientSecure Certificates
- maxscale cannot find gtid_binlog_pos
- FreeSWITCH TLS error in 'Client Hello' Request
- ASP.NET Core Development Certificates - error exporting the HTTPS developer certificate
- Get certificate's public key in the PKCS8 format
- Why is Firefox not trusting my self-signed certificate?
- Difference between pem, crt, key files
- Is it a good idea to distribute docker image containing my selfsigned certificate?
- PKIX path building failed: unable to find valid certification path to requested target on chaincode commit on Hyperledger Fabric production network
- enable https jenkin server on ubuntu 24.04
- OkHTTP (v3.0.0-RC1) Post Request with Parameters
- SSL handshake error (CERTIFICATE_VERIFY_FAILED) in grpc++