Cannot Connect to Web Sites That Require SSL 3.0 (318815)



The information in this article applies to:

  • Microsoft Internet Explorer 6.0, when used with:
    • Microsoft Windows 2000 Advanced Server
    • Microsoft Windows 2000 Datacenter Server
    • Microsoft Windows 2000 Professional

This article was previously published under Q318815

SYMPTOMS

When you use Internet Explorer on the operating systems listed at the beginning of this article, you cannot connect to some Web sites. For example, if you try to connect to https://www.microsoft.com, you may receive the following error message:
Page cannot be displayed
The bottom of the error page may display "Cannot find server or DNS error."

CAUSE

This problem may occur if the target Web site requires a Secure Sockets Layer (SSL) 3.0 connection. On a site that requires an SSL 3.0 connection, the Web site denies any connection attempt that does not meet the requirements of SSL 3.0.

MORE INFORMATION

When Internet Explorer initiates an SSL 3.0 connection, it sends a ClientHello message to the server. Part of the ClientHello message includes a section named RandomData. The SSL 3.0 specification requires that the first four bytes of the RandomData section sent by Internet Explorer contain the client time stamp in "Unix Time" format. In all versions of Internet Explorer on Windows versions before Microsoft Windows XP, the Schannel.dll file passes only random data instead of a time stamp.

To see SSL 3.0 and Transport Layer Security (TLS) protocol documentation, visit the following Netscape Web site:

The most recent Draft SSL 3.0 specification is an Internet Draft that is dated November 1996. It is a proprietary protocol and not an Internet draft or standard. TLS 1.0 was an IETF draft and is a Proposed Standard. To review information on the IETF's proposed timestamp standard, visit the following Web site and then locate section "7.4.1.2":

Review the information on "Client hello" and "gmt_unix_time." Gmt_unix_time is the current time and date in standard UNIX 32-bit format (seconds since the midnight starting January 1, 1970, GMT) according to the sender's internal clock. Clocks are NOT REQUIRED to be set correctly by the basic TLS Protocol; higher level or application protocols may define additional requirements.
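The following added example (not part of the original article and not Microsoft code) parses the RandomData field of a ClientHello record and tests whether its first four bytes are a plausible Unix time, the kind of check a strict server could apply. The sample records, the reference clock NOW, the one-day skew window, and the function names are constructed assumptions.

```python
import struct

HANDSHAKE, CLIENT_HELLO = 0x16, 0x01   # record content type, handshake type
NOW = 1017619200                        # constructed reference clock (Unix time)

def build_client_hello(random32, version=(3, 0)):
    """Constructed minimal SSL 3.0 ClientHello record for the demo."""
    body = bytes(version) + random32
    body += b"\x00"                 # empty session_id
    body += b"\x00\x02\x00\x0a"     # cipher_suites: a single suite
    body += b"\x01\x00"             # compression_methods: null only
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(version) + struct.pack(">H", len(hs)) + hs

def parse_client_hello_time(record):
    """Return ((major, minor), gmt_unix_time) from one ClientHello record."""
    if len(record) < 5 + 4 + 2 + 32:
        raise ValueError("too short to hold a ClientHello random")
    ctype, rec_len = record[0], struct.unpack(">H", record[3:5])[0]
    if ctype != HANDSHAKE or rec_len != len(record) - 5:
        raise ValueError("not one complete handshake record")
    if record[5] != CLIENT_HELLO:
        raise ValueError("handshake message is not a ClientHello")
    if int.from_bytes(record[6:9], "big") != rec_len - 4:
        raise ValueError("handshake length does not match record length")
    # client_version (2 bytes), then the 32-byte random: 4-byte time + 28 bytes
    (gmt_unix_time,) = struct.unpack(">I", record[11:15])
    return (record[9], record[10]), gmt_unix_time

def timestamp_plausible(gmt_unix_time, now=NOW, max_skew=86400):
    """True if the first four random bytes look like the sender's clock."""
    return abs(gmt_unix_time - now) <= max_skew

# Constructed samples: one client sends a time stamp, one sends only random data.
WITH_TIME = build_client_hello(struct.pack(">I", NOW - 5) + bytes(range(28)))
RANDOM_ONLY = build_client_hello(b"\xde\xad\xbe\xef" + bytes(range(28)))

if __name__ == "__main__":
    for name, rec in (("with time stamp", WITH_TIME), ("random only", RANDOM_ONLY)):
        version, ts = parse_client_hello_time(rec)
        print(name, version, ts, timestamp_plausible(ts))
```

Because the TLS text quoted above does not require clocks to be set correctly, a skew check like this one also rejects compliant clients whose clocks are wrong.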

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.

Modification Type: Minor
Last Reviewed: 9/30/2005
Keywords: kbHotfixServer kbQFE kbSecurity kbprb kbbug kbfix kbWin2000sp3fix KB318815