I recently upgraded my machine to Windows 11. Prior to the upgrade, I could connect via IIS and IIS Express to localhost using SSL.
After the upgrade, I can connect to localhost over standard HTTP, but not HTTPS.
I have tried the following:
Nothing has worked so far. I keep getting:
The page cannot be reached. The connection was reset.
I opened up Chrome and the status is (failed)net::ERR_CONNECTION_RESET
I am at a total loss and cannot figure out what is going on. Any help is appreciated.
I figured out the issue.
Apparently, the certificates I'm using to support SSL for my site and in IIS Express do not conform to TLS 1.3.
I had suspicion it was TLS 1.3 but couldn't figure out how to turn it off for IIS Express and IIS.
If you go into IIS and edit the bindings you have for your site, there is an option "Disable TLS 1.3 over TCP"
Once I set this setting and accessed the website on IIS, I found it connected and I got prompted for my PKI client certificate.
With IIS Express, I had to take a different tack.
I first deleted out the binding for one of the test sites in IIS Express:
netsh http delete sslcert ipport=0.0.0.0:44325
I then added it back in using: netsh http add sslcert ipport=0.0.0.0:44325 certhash= appid={214124cd-d05b-4309-9af9-9caa44b2b74a} verifyclientcertrevocation=disable certstorename=My disabletls13=enable
The key is the disabletls13 setting.
A list of these settings is available at Windows Server 2019 disable legacy TLS in IIS via certificate binding is unavailable
I am posting them here again to guard against link rot:
Usage: add sslcert hostnameport=<name:port> | ipport=<ipaddr:port> | ccs=<port>
appid=<GUID>
[certhash=<string>]
[certstorename=<string>]
[verifyclientcertrevocation=enable|disable]
[verifyrevocationwithcachedclientcertonly=enable|disable]
[usagecheck=enable|disable]
[revocationfreshnesstime=<u-int>]
[urlretrievaltimeout=<u-int>]
[sslctlidentifier=<string>]
[sslctlstorename=<string>]
[dsmapperusage=enable|disable]
[clientcertnegotiation=enable|disable]
[reject=enable|disable]
[disablehttp2=enable|disable]
[disablequic=enable|disable]
[disablelegacytls=enable|disable]
[disabletls12=enable|disable]
[disabletls13=enable|disable]
[disableocspstapling=enable|disable]
EDIT - 02/03/2023:
I confirmed the issue is TLS 1.3.
I could reproduce the issue by turning the setting on/off in IIS. In IIS Express, apps for which I did not disable TLS 1.3 were not accessible and the single app for which I did disable TLS 1.3 was accessible.
Because I have a number of applications I test in Visual Studio and until I can find a solution for this issue, the most efficient way forward for me was to enable TLS 1.2 explicitly and disable TLS 1.3.
Here is a PowerShell script to disable TLS 1.3:
# SCHANNEL reads these keys at boot: Enabled=0 plus DisabledByDefault=1 turns a protocol off,
# Enabled=1 plus DisabledByDefault=0 turns it on. -Force lets the script be re-run safely.
foreach ($side in 'Server', 'Client') {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    New-Item "$base\TLS 1.2\$side" -Force | Out-Null
    New-Item "$base\TLS 1.3\$side" -Force | Out-Null
    # Enable TLS 1.2 explicitly
    New-ItemProperty -Path "$base\TLS 1.2\$side" -Name 'Enabled' -Value 1 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path "$base\TLS 1.2\$side" -Name 'DisabledByDefault' -Value 0 -PropertyType DWORD -Force | Out-Null
    # Disable TLS 1.3
    New-ItemProperty -Path "$base\TLS 1.3\$side" -Name 'Enabled' -Value 0 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path "$base\TLS 1.3\$side" -Name 'DisabledByDefault' -Value 1 -PropertyType DWORD -Force | Out-Null
}
Write-Host "TLS 1.2 enabled, TLS 1.3 disabled (reboot required for SCHANNEL to pick up the change)"
I am still hoping that someone might know what the cause of this issue is and how to resolve it. I hate this solution because it's not in line with best security practices of "always forward, never backward," but I don't know what else to do.
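Before changing bindings or the SCHANNEL registry, it helps to confirm that the reset really is tied to the protocol version. The script below is an added example, not part of the original post: it opens the local HTTPS port twice, once restricted to TLS 1.2 and once to TLS 1.3, reports which handshake succeeds, and then prints any SCHANNEL protocol overrides so the two can be read together. The host and port are assumptions (port 44325 is the IIS Express binding quoted above); adjust them to your own site.

```powershell
# Added example (not from the original post): probe one HTTPS binding with
# TLS 1.2 and TLS 1.3 separately so a "connection reset" can be pinned to a
# protocol version. TargetHost/Port are assumptions; change them as needed.
param(
    [string]$TargetHost = 'localhost',
    [int]$Port = 44325
)

function Test-TlsVersion {
    param(
        [string]$TargetHost,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($TargetHost, $Port)
        # Dev certificates are usually self-signed; accept any server cert here
        # because this is a diagnostic, not a trust decision.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        # No client certificate is offered; a server that requires one will
        # still complete the TLS handshake and reject at the HTTP layer.
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $false)
        $result = [pscustomobject]@{
            Requested  = $Protocol
            Negotiated = $ssl.SslProtocol
            Cipher     = $ssl.CipherAlgorithm
            Success    = $true
            Error      = $null
        }
        $ssl.Dispose()
        return $result
    } catch {
        return [pscustomobject]@{
            Requested  = $Protocol
            Negotiated = $null
            Cipher     = $null
            Success    = $false
            Error      = $_.Exception.GetBaseException().Message
        }
    } finally {
        $client.Dispose()
    }
}

# SslProtocols.Tls13 is 12288; the numeric cast also works on Windows
# PowerShell 5.1, where the named member may be missing.
$tls12 = [System.Security.Authentication.SslProtocols]::Tls12
$tls13 = [System.Security.Authentication.SslProtocols]12288

$results = @(
    Test-TlsVersion -TargetHost $TargetHost -Port $Port -Protocol $tls12
    Test-TlsVersion -TargetHost $TargetHost -Port $Port -Protocol $tls13
)
$results | Format-Table -AutoSize

# Show the SCHANNEL overrides (if any) so the probe can be read against them.
foreach ($v in 'TLS 1.2', 'TLS 1.3') {
    foreach ($side in 'Server', 'Client') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$v\$side"
        if (Test-Path $key) {
            $p = Get-ItemProperty $key
            "{0}\{1}: Enabled={2} DisabledByDefault={3}" -f $v, $side, $p.Enabled, $p.DisabledByDefault
        } else {
            "{0}\{1}: no override (OS default)" -f $v, $side
        }
    }
}
```

If the TLS 1.2 probe succeeds and the TLS 1.3 probe fails with a reset, the problem is on the binding or certificate side for that version and a per-binding disabletls13=enable is enough; if both fail, the certificate or the HTTP.sys binding itself is the more likely cause and disabling TLS 1.3 machine-wide will not help.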
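The netsh delete/add sequence above has to be repeated per binding, and the certhash has to be copied from the existing binding each time. The following is an added example, not part of the original post: it parses `netsh http show sslcert`, selects the bindings that belong to one application ID (the default is the IIS Express AppId quoted above), and re-creates each of them with disabletls13=enable. It assumes the standard English netsh output labels, handles ipport (not hostnameport) bindings only, and must run from an elevated session because netsh http edits HTTP.sys configuration.

```powershell
# Added example (not from the original post): re-create HTTP.sys SSL bindings
# for one AppId with disabletls13=enable, reading certhash and store name from
# the existing binding instead of typing them by hand. Assumes English netsh
# output and ipport-style bindings; run elevated.
function Get-SslCertBinding {
    # One object per "IP:port" block in `netsh http show sslcert`.
    $bindings = @()
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = [ordered]@{ IpPort = $Matches[1]; CertHash = $null; AppId = $null; StoreName = $null }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.CertHash = $Matches[1]
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
            $current.AppId = $Matches[1]
        } elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            $current.StoreName = $Matches[1]
        }
    }
    if ($current) { $bindings += $current }
    $bindings | ForEach-Object { [pscustomobject]$_ }
}

function Disable-Tls13OnBindings {
    param(
        # IIS Express application ID, as used in the post.
        [string]$AppId = '{214124cd-d05b-4309-9af9-9caa44b2b74a}',
        [switch]$WhatIf
    )
    foreach ($b in Get-SslCertBinding | Where-Object { $_.AppId -eq $AppId }) {
        # netsh prints "(null)" when no store name was recorded; fall back to My.
        $store = if ($b.StoreName -and $b.StoreName -ne '(null)') { $b.StoreName } else { 'My' }
        $addArgs = @(
            "ipport=$($b.IpPort)", "certhash=$($b.CertHash)", "appid=$AppId",
            "certstorename=$store", 'disabletls13=enable'
        )
        if ($WhatIf) {
            "WhatIf: netsh http delete sslcert ipport=$($b.IpPort)"
            "WhatIf: netsh http add sslcert $($addArgs -join ' ')"
            continue
        }
        # delete + add is the only way to change flags on an existing binding
        & netsh http delete sslcert "ipport=$($b.IpPort)" | Out-Null
        & netsh http add sslcert @addArgs
    }
}

# Preview first, then apply:
Disable-Tls13OnBindings -WhatIf
# Disable-Tls13OnBindings
```

Deleting and re-adding a binding resets every other option on it (clientcertnegotiation, verifyclientcertrevocation, and so on) to the defaults, so if a site depends on one of those, add it to `$addArgs` explicitly; the values in effect can be read from the same `netsh http show sslcert` output before running the function.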