No communication between RES ONE Workspace Relay Server and RES ONE Workspace Agents after installing Security Updates mentioned in Microsoft Security Bulletin MS16-111 and MS17-010

Version 1

    Problem

    Consider the following scenario:
    • A RES ONE Workspace / RES Workspace Manager Agent is connecting to RES Relay Server installation version 2015 or lower.
    • The security updates mentioned in Microsoft Security Bulletin MS16-101, MS16-111, MS17-010, MS16-124 or MS16-126 are installed on a device with the RES ONE Workspace Agent installed, or the RES ONE Workspace Agent is installed on Microsoft Windows 10.
    • A GPO setting the priority of SSL Cipher Suites to be used for communication encryption is applied on the RES ONE Workspace Relay Server.
    In this scenario, the RES ONE Workspace Agent is displayed as "out of date" in the RES ONE Workspace Console (the last synchronization took place before the updates from the Microsoft Security Bulletin were applied).

    In the Windows System event log on the Agent, entries are generated for EventID 36888 – Source: Schannel, containing "The following fatal alert was generated: 40. The internal error state is 813."

    Tracing on the RES ONE Workspace Agent returns “clsRelayServer.mIPPortS_Connected; Host:<hostname.domain.local> / 276 - error during handshake[2]: 0x8009035d”.


     

    Cause

    RES ONE Workspace Relay Server version 2015 and earlier uses a certificate key length of 512 bits for securing communication between RES ONE Workspace Agent and RES ONE Workspace Relay Server.
    In this scenario, the RES ONE Workspace Agent does not accept certificate key lengths of less than 1024 bits.

    Therefore, the handshake between RES ONE Workspace Agent and RES ONE Workspace Relay Server cannot be completed and the RES ONE Workspace Agent cannot connect to the RES environment.


     

    Solution

    One of the following steps can be taken to resolve this issue:
    • Upgrade the RES ONE Workspace Relay Server to version RES ONE Workspace 2015 SR1 or above.
    • Set the following registry value on the RES ONE Workspace Relay Server:
    32-bit:

    Key: HKEY_LOCAL_MACHINE\SOFTWARE\RES\Workspace Manager\RelayServer
    Value: CertificateKeyLength
    Type: REG_DWORD
    Data (Decimal): 1024

    64-bit:

    Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\RES\Workspace Manager\RelayServer
    Value: CertificateKeyLength
    Type: REG_DWORD
    Data (Decimal): 1024

    This registry key is available from RES Workspace Manager Relay Server 2012 SR3.
    • As a last resort, the updates described in the KB articles could be uninstalled from the device on which the RES ONE Workspace Agent is installed.
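The registry option above can be applied and verified with the following PowerShell script. It is an added example, not code from RES or from the original article. It assumes an elevated session on the Relay Server and PowerShell 3.0 or later, and it opens the 32-bit registry view so that one path covers both locations listed above.

```powershell
# Added example, not vendor code. Run elevated on the RES ONE Workspace Relay Server.
$subKey    = 'SOFTWARE\RES\Workspace Manager\RelayServer'
$valueName = 'CertificateKeyLength'
$keyLength = 1024   # decimal, as stated in the article

# The 32-bit registry view resolves to HKLM\SOFTWARE\RES\... on 32-bit Windows
# and to HKLM\SOFTWARE\WOW6432Node\RES\... on 64-bit Windows, which are the
# two locations listed in the article.
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine,
    [Microsoft.Win32.RegistryView]::Registry32)
try {
    $key = $hklm.OpenSubKey($subKey, $true)   # $true = open for writing
    if ($null -eq $key) {
        # Do not create the key: its absence means this is not a Relay Server
        # (or the product is installed under a different path).
        throw "Key not found: HKLM\$subKey (32-bit view)."
    }
    try {
        $before = $key.GetValue($valueName, $null)   # $null if not set yet
        $key.SetValue($valueName, $keyLength,
            [Microsoft.Win32.RegistryValueKind]::DWord)

        # Read the value back and confirm both data and type (REG_DWORD).
        $after = $key.GetValue($valueName)
        $kind  = $key.GetValueKind($valueName)
        if ($after -ne $keyLength -or
            $kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            throw "Verification failed: $valueName = $after ($kind)"
        }
        [pscustomobject]@{
            Key    = $key.Name
            Value  = $valueName
            Before = $before
            After  = $after
            Type   = $kind
        }
    }
    finally { $key.Dispose() }
}
finally { $hklm.Dispose() }
```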