Cannot connect to localhost over SSL after Windows 11 Upgrade

Time:02-03

I recently upgraded my machine to Windows 11. Prior to the upgrade, I could connect via IIS and IIS Express to localhost using SSL.

After the upgrade, I can connect to localhost over standard HTTP, but not HTTPS.

I have tried the following:

  • flushed the DNS
  • netsh int ip reset
  • netsh winsock reset
  • deleting the binding(s) and adding them back in
  • checked the protocols used in inetcpl.cpl (TLS 1.2 and TLS 1.3 are enabled)
  • turned off the Firewall
  • turned off MalwareBytes

Nothing has worked so far. I keep getting:

The page cannot be reached. The connection was reset.

I opened up Chrome and the status is (failed)net::ERR_CONNECTION_RESET

I am at a total loss and cannot figure out what is going on. Any help is appreciated.

CodePudding user response:

I figured out the issue.

Apparently, the certificates I'm using to support SSL for my site and in IIS Express do not conform to TLS 1.3.

I had a suspicion it was TLS 1.3 but couldn't figure out how to turn it off for IIS Express and IIS.

If you go into IIS and edit the bindings you have for your site, there is an option "Disable TLS 1.3 over TCP".

Once I set this setting and accessed the website on IIS, I found it connected and I got prompted for my PKI client certificate.

With IIS Express, I had to take a different tack.

I first deleted out the binding for one of the test sites in IIS Express:

netsh http delete sslcert ipport=0.0.0.0:44325

I then added it back in using:

netsh http add sslcert ipport=0.0.0.0:44325 certhash= appid={214124cd-d05b-4309-9af9-9caa44b2b74a} verifyclientcertrevocation=disable certstorename=My disabletls13=enable

The key is the disabletls13 setting.

A list of these settings is available at "Windows Server 2019 disable legacy TLS in IIS via certificate binding is unavailable".

I am posting them here again to guard against link rot:

Usage: add sslcert hostnameport=<name:port> | ipport=<ipaddr:port> | ccs=<port>
appid=<GUID>
[certhash=<string>]
[certstorename=<string>]
[verifyclientcertrevocation=enable|disable]
[verifyrevocationwithcachedclientcertonly=enable|disable]
[usagecheck=enable|disable]
[revocationfreshnesstime=<u-int>]
[urlretrievaltimeout=<u-int>]
[sslctlidentifier=<string>]
[sslctlstorename=<string>]
[dsmapperusage=enable|disable]
[clientcertnegotiation=enable|disable]
[reject=enable|disable]
[disablehttp2=enable|disable]
[disablequic=enable|disable]
[disablelegacytls=enable|disable]
[disabletls12=enable|disable]
[disabletls13=enable|disable]
[disableocspstapling=enable|disable]
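The delete-and-re-add procedure from this answer, scripted as an added example (not code from the original answer): it reads the certificate hash and application ID that HTTP.sys already reports for the port, checks the certificate really exists in the Personal store, then re-creates the binding with disabletls13=enable. The port 0.0.0.0:44325 is the one from the answer; the helper and its parameter name are assumptions, and the script must run in an elevated PowerShell session.

```powershell
# Added example: re-create an HTTP.sys SSL binding with TLS 1.3 disabled,
# reusing the thumbprint and appid already bound to the port.
param(
    [string]$IpPort = '0.0.0.0:44325'   # port used in the answer above
)

# Dump the current binding so the thumbprint does not have to be re-typed.
$show = (netsh http show sslcert "ipport=$IpPort") -join "`n"
if ($LASTEXITCODE -ne 0) { throw "No SSL binding found for $IpPort" }

if (-not ($show -match 'Certificate Hash\s*:\s*([0-9a-fA-F]+)')) {
    throw "Could not read Certificate Hash for $IpPort"
}
$certHash = $Matches[1]

if (-not ($show -match 'Application ID\s*:\s*(\{[0-9a-fA-F-]+\})')) {
    throw "Could not read Application ID for $IpPort"
}
$appId = $Matches[1]

# certstorename=My refers to the local machine's Personal store; make sure the
# certificate is still there and not expired before touching the binding.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $certHash }
if (-not $cert) { throw "Certificate $certHash not found in Cert:\LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $certHash has expired" }
Write-Host "Rebinding $IpPort to '$($cert.Subject)' (valid until $($cert.NotAfter))"

# Same two netsh calls as in the answer; disabletls13=enable is the key setting.
netsh http delete sslcert "ipport=$IpPort" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'netsh http delete sslcert failed' }

netsh http add sslcert "ipport=$IpPort" "certhash=$certHash" "appid=$appId" `
    certstorename=My verifyclientcertrevocation=disable disabletls13=enable
if ($LASTEXITCODE -ne 0) { throw 'netsh http add sslcert failed' }

# Print the new binding so the TLS settings can be verified by eye.
netsh http show sslcert "ipport=$IpPort"
```

Disabling TLS 1.3 here is a workaround for a certificate that HTTP.sys will not negotiate under 1.3; the cleaner long-term fix is to reissue the development certificate and drop the flag again.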

CodePudding user response:

You are running IIS on your Windows 11 machine?

Have you tried restarting the IIS Service?

How about your firewall, is that turned on? For a test, try disabling it and see if you are able to reach 443; it may be blocking HTTPS traffic for some reason.

You aren't using an SSL cert for the traffic? Is it installed and valid still?

Can you set up a temporary test to see if that works (blank page)?
