Known issues with this security update
After you install this security update, you may experience authentication failure or loss of connectivity to some HTTPS servers. This issue occurs because this security update changes the way that records are sent to HTTPS servers.
To temporarily disable or re-enable this security update, click the Fix it button or link under the Disable the security update or Re-enable the security update heading. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard.
Notes
- These wizards may be in English only. However, the automatic fixes also work for other language versions of Windows.
- If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or a CD, and then you can run it on the computer that has the problem.
The following table shows the values that are applied by these Fix it solutions to the SendExtraRecord registry DWORD entry:
Heading | Value applied to SendExtraRecord entry |
---|---|
Disable the security update | 2 |
Re-enable the security update | 0 |
Note The SendExtraRecord setting will be included in future releases of Windows.
Known issues and additional information about this security update
The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information. If this is the case, the known issue is listed below each article link:
- 2585542 MS12-006: Description of the security update for Webio, Winhttp, and schannel in Windows: January 10, 2012
- 2638806 MS12-006: Description of the security update for Winhttp in Windows Server 2003 and Windows XP Professional x64 Edition: January 10, 2012
Registry information
Not recommended We do not recommend that you use the following procedure to disable this security update. However, we provide this procedure for scenarios in which you may be using applications that are incompatible with this security update, which enables split SSL records for all applications.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
By default, this security update sets the Opt-in mode at the schannel level, because of application compatibility issues. To disable this security update for all applications system-wide, you must add a DWORD value that's named SendExtraRecord and that has a value of 2 to the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
To add this schannel registry entry, follow these steps:
- Click Start, click Run, type regedit in the Open box, and then click OK.
- Locate and then click the following subkey in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
- On the Edit menu, point to New, and then click DWORD Value.
- Type SendExtraRecord for the name of the DWORD value, and then press Enter.
- Right-click SendExtraRecord, and then click Modify.
- In the Value data box, type 2 to disable the split record in schannel, and then click OK.
- Exit Registry Editor.
This registry entry can have three values, and each value selects a different mode of operation:
Registry value | Description |
---|---|
0 | By default, schannel runs in "Opt-in Mode." This means that this security update works for all the callers that send the Secure flag to schannel. The security package does not create the "SendExtraRecord" schannel registry entry, so the absence of this entry means that the system is running in this mode. If someone creates this registry entry and sets the value to 0, schannel again runs in this mode. This setting has the same effect as not creating the registry entry at all. Applications that send a Secure flag to schannel during session initialization exercise only the fixed secure code path. For other applications, there is no change in schannel behavior. This security update also fixes the application layers that are involved in web browsing with Internet Explorer so that they send the Secure flag, in order to help secure the browser usage scenarios. |
1 | Setting the value to 1 means "enabled for all." Callers do not have to send the flag, and schannel splits all SSL records. With this value set, applications do not have to make any change. A customer who is very concerned about system security can help make the system safer by enabling this registry value. |
2 | Setting the value to 2 means "disabled for all." Schannel does not split the records for any encryption call that an application makes. This mode does not honor the Secure flag that an application sends. |
Note In Windows Server 2003, security update 2638806 must be installed to help secure HTTP client applications that use WinHTTP APIs. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 2638806 MS12-006: Description of the security update for Winhttp in Windows Server 2003 and Windows XP Professional x64 Edition: January 10, 2012
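As an added example that is not part of the original article, the following PowerShell reads the SendExtraRecord entry under the SCHANNEL subkey documented above and reports which of the three modes the local machine is in; the function names are my own, while the key path and the values 0, 1 and 2 are the ones the article describes. Restoring the default is done by deleting the entry, which the article states is equivalent to a value of 0.

```powershell
# Added example (not from the Microsoft article). Audits the schannel SendExtraRecord
# mode described in the table above and can restore the default opt-in mode.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SendExtraRecordMode {
    # Absence of the entry means the default opt-in mode (same as value 0).
    $item  = Get-ItemProperty -Path $SchannelKey -Name 'SendExtraRecord' -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { $null } else { [int]$item.SendExtraRecord }

    if ($null -eq $value) {
        $mode = 'Opt-in (default, no entry): records split only for callers that send the Secure flag'
    } elseif ($value -eq 0) {
        $mode = 'Opt-in (explicit 0): same effect as no entry'
    } elseif ($value -eq 1) {
        $mode = 'Enabled for all: every SSL record is split (application compatibility risk)'
    } elseif ($value -eq 2) {
        $mode = 'Disabled for all: record splitting off, Secure flag ignored'
    } else {
        $mode = "Unexpected value $value (not one of the documented modes)"
    }

    [pscustomobject]@{
        Value                  = $value
        Mode                   = $mode
        # The mitigation is active for at least Secure-flag callers unless the value is 2.
        MitigationActive       = ($value -ne 2)
        RecommendedRemediation = if ($value -eq 2) { 'Remove the entry or set it to 0' } else { 'None' }
    }
}

function Reset-SendExtraRecordMode {
    # Deleting the entry returns schannel to the default opt-in mode.
    Remove-ItemProperty -Path $SchannelKey -Name 'SendExtraRecord' -ErrorAction SilentlyContinue
}

# Example use (run from an elevated prompt): report the current mode.
Get-SendExtraRecordMode
```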
Based on internal testing, we found that you cannot feasibly set the registry value to 1 because it can break too many scenarios in an enterprise. Therefore, we discourage users from using it.
Known issues with enabling the SendExtraRecord registry entry
- Setting the SendExtraRecord registry value to 1 enforces record-splitting in every call to encrypt data in schannel. This occurs regardless of whether the caller sent the Secure flag during session initialization.
- Many applications that use schannel are written so that the receiver side assumes application data will be packed into a single packet. This occurs even though the application calls schannel for decryption. The applications ignore a flag that is set by schannel. The flag indicates to the application that there is more data to be decrypted and picked up by the receiver. This method does not follow the MSDN-prescribed method of using schannel. Because the security update enforces record-splitting, this breaks such applications.
- Broken applications include Microsoft products and in-box components. The following are examples of scenarios that may be broken when the SendExtraRecord registry value is set to 1:
  - All SQL products, and applications that are built onto SQL.
  - Terminal Servers that have Network Level Authentication (NLA) turned on. By default, NLA is enabled in Windows Vista and later versions of Windows.
  - Some Routing and Remote Access Service (RRAS) scenarios.
Setting the SendExtraRecord registry value to 1 enforces the secure record-splitting for all applications that use Windows TLS/SSL. However, this setting is likely to have application compatibility issues. Therefore, we recommend that customers configure TLS 1.1 and TLS 1.2 instead of using this registry setting. TLS 1.1 and TLS 1.2 are not vulnerable to this issue.
If a user intends to use this registry setting, we recommend that they perform extensive application compatibility testing before they implement it. Some common products that are known to be affected by this setting include Microsoft SQL products, Windows Terminal Server, and Windows Remote Access Server.