Connection closed - TLS - EMS
Problem
After the installation of the October 8, 2019—KB4517389 (OS Build 18362.418) update, all TLS encrypted data connections to the affected FTP servers fail.
Cause
KB4517389 addresses the following issue:
"Addresses an issue in security bulletin CVE-2019-1318 that may cause client or server computers that don’t support Extended Master Secret (EMS) RFC 7627 to have increased connection latency and CPU utilization. This issue occurs while performing full Transport Layer Security (TLS) handshakes from devices that don’t support EMS, especially on servers. EMS support has been available for all the supported versions of Windows since calendar year 2015 and is being incrementally enforced by the installation of the October 8, 2019 and later monthly updates."
From the description we can assume that Schannel, the Windows TLS implementation, enforces EMS as a security measure starting with the October 8, 2019 update. If the server runs a TLS stack that is not compatible with this change, the FTP data connection fails (the server closes the connection).
OpenSSL, which is used by most servers, has supported EMS since version 1.1.0 (released 25 August 2016).
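Whether a server supports EMS is visible in the handshake: a server that does echoes the extended_master_secret extension (type 23, RFC 7627) in its ServerHello when the client offers it. The following is an added example, not part of the original article, that parses a ServerHello record for that extension. The function names and sample records are constructed for illustration, and it assumes a TLS 1.2 ServerHello carried in a single record.

```python
import struct

EXT_EXTENDED_MASTER_SECRET = 0x0017  # extension type 23, RFC 7627

def _take(buf, pos, n):  # bounds-checked slice: returns (bytes, new position)
    if pos + n > len(buf):
        raise ValueError("truncated ServerHello")
    return buf[pos:pos + n], pos + n

def server_hello_extensions(record):
    """List the extension type codes carried in one ServerHello record."""
    hdr, pos = _take(record, 0, 5)
    ctype, _version, rlen = struct.unpack("!BHH", hdr)
    if ctype != 0x16:
        raise ValueError("not a TLS handshake record")
    body, _ = _take(record, pos, rlen)
    hs, pos = _take(body, 0, 4)
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    hello, _ = _take(body, pos, int.from_bytes(hs[1:], "big"))
    _, pos = _take(hello, 0, 2 + 32)             # server_version + random
    sid_len, pos = _take(hello, pos, 1)
    _, pos = _take(hello, pos, sid_len[0] + 3)   # session_id, cipher suite, compression
    if pos == len(hello):
        return []                                # server sent no extensions at all
    ext_len, pos = _take(hello, pos, 2)
    exts, _ = _take(hello, pos, int.from_bytes(ext_len, "big"))
    found, pos = [], 0
    while pos < len(exts):
        head, pos = _take(exts, pos, 4)
        ext_type, data_len = struct.unpack("!HH", head)
        _, pos = _take(exts, pos, data_len)      # skip the extension body
        found.append(ext_type)
    return found

def supports_ems(record):
    return EXT_EXTENDED_MASTER_SECRET in server_hello_extensions(record)

def build_server_hello(extensions):
    """Constructed sample data: a TLS 1.2 ServerHello with a zeroed random."""
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0303, len(hs)) + hs

WITH_EMS = build_server_hello([(0xFF01, b"\x00"), (0x0017, b"")])
WITHOUT_EMS = build_server_hello([(0xFF01, b"\x00")])  # a stack that predates EMS
```

A ServerHello captured from a real server only answers the question if the ClientHello offered the extension, since servers do not send it unsolicited.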
Affected Servers
- All FTP servers using OpenSSL older than version 1.1.0
- FileZilla Server prior to version 1.0. Upgrade to the latest FileZilla Server version.
Solution
Contact the server administrator, explain the situation, and request an upgrade of the FTP server software and of the installed OpenSSL version.
As a temporary workaround, KB4517389 can be uninstalled.
Important: Upvote the feedback in the Microsoft Feedback Hub
Disabling EMS by setting the DisableClientExtendedMasterSecret registry value as described by MS15-121 does not fix the issue.