Windows 8.1 Cipher issues when mapping a WebDav drive

I'll do my best to explain our issue with the limited amount of information that was given to me. Apologies in advance.

We use Alfresco for document collaboration. We have 3 environments (servers) used for this:
-All are Apache servers-

1: Dev - used for programmatic changes
2: UT - Changes made on Dev are promoted to User Test (UT)
3:Prod - This is the production server utilized by our end users.

We use the following ciphers for encryption:
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) AES256-SHA
TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) AES128-SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) -- used for fallback negotiation.

We use Checkpoint as a firewall and have tested with all 3 servers removed from the Checkpoint list. So we know it can't be caused by any of the rules. We did verify the rules are the same for all 3 servers as well.


I'm sure I am missing something else...

The problem:
Management decided they want to give the users the ability to utilize WebDav to map drives pointing to "Sites" they are members of. When testing, OS X and Windows 7 Enterprise (64-BIT) all successfully map to the 3 environments listed above using net use x: https://xxx.xxxxx.com/xxxx/webdav. However, when testing on a Windows 8.1 machine, we are only able to successfully map to Dev and UT. When we try to map to Prod we get the following error:
System error 67 has occurred.

The network name cannot be found.

There are no references in the Event Viewer so I can't provide any data there.

I ran Wireshark captures and when it fails it appears that it is trying to connect using SSL 2.0 which isn't even enabled on the Windows 8.1 client. I made sure the ssl.conf files are identical line by line on all 3 servers. I've researched this for days and have been unable to find anything. I've tested it on a basic Windows 8.1 install with nothing being touched to eliminate our platform image. This makes no sense to me at all.

We have been unable to find any difference when comparing the 3 servers. The ciphers listed above are the only ones we are using since they provide the best security. One other note, if we put "ALL" in the ssl.conf it will successfully map.

I'm at the point where I am ready to call Microsoft to see if they can assist, but I figured I would ask here first.

Again, I apologize for the lack of information. If you can think of any other information that will help please let me know. I will work with the admins to get whatever is needed.



SSLv2 and SSLv3 are insecure and disabled end of last year in any SSL-supporting product.
You must upgrade Alfresco (java under it?) to support at least TLS 1.0 (aka Java 7+)



SSLv2 and SSLv3 are insecure and disabled end of last year in any SSL-supporting product.
You must upgrade Alfresco (java under it?) to support at least TLS 1.0 (aka Java 7+)



Thanks for your reply, gheist. Each of the servers we use have all versions of SSL disabled in the conf file. I'm almost positive we are running the correct version of Java. I reached out to confirm. When I look at the Wireshark captures, it's the Windows 8.1 client that is requesting SSL 2.0 even though all versions of SSL are disabled on it.

Also, it maps successfully when testing on the Dev and UT server. Just not on Prod. As I stated above, we have checked and compared all 3 servers trying to find something, anything, that is configured differently but have been unsuccessful in doing so. There is obviously something different, but we can't find it.



With SSL disabled so well how comes you get SSLv2 anywhere?



All versions of SSL are disabled. It should be negotiating with a TLS Hello.



qualys browser check says my firefox sends SSLv2 hello

Share this

Related Posts

There was an error in this gadget