Can’t connect securely to this page. "site uses outdated or unsafe TLS security settings" "Your TLS security settings aren’t set to the defaults"

I have been asking the same question for over a month now. Neither Edge nor IE11 (I know! But I had to try) opens several HTTPS pages, including my institution's mailserver. The error message on Edge is the dreaded:

Can’t connect securely to this page

This might be because the site uses outdated or unsafe TLS security settings.

If this keeps happening, try contacting the website’s owner.
Your TLS security settings aren’t set to the defaults, which could also be causing this error

The error message on IE11 is slightly different, but points to pretty much the same end result.

Firefox (54.0.1 32-bit) and Chrome (59.0.3071.115 64-bit) both open these HTTPS pages just fine. 

I have tried all the options I found on the net. Clearing SSL cache, resetting internet options to default, re-registering dlls, enabling/disabling SSL 2, 3, and TLS 1 (TLS 1.1 and 1.2 are always enabled) - all to no avail.

My Windows version is 1703 (OS build 15063.483) 64-bit.

Not using any external antivirus other than Windows Defender in Windows 10. No external firewall either. I'm connected to the institutional network directly via LAN. No proxies.

Can someone please help? Does anyone have any answers, advice, opinions? Please share. Thanks in advance.

UPDATE 1: I have established that if TLS1.0 is checked, the "Your TLS security settings aren’t set to the defaults, which could also be causing this error" part of the error message goes away. The problem of not connecting to HTTPS sites remains though.

UPDATE 2: Additional weirdness. Within my institution's HTTPS websites, not all are unreachable from Edge/IE. One specific TLD, j***s.edu (which hosts the mailserver), seems to be giving the problem. Edge/IE11 is unable to get to:

either https://login.j***s.edu (which is the landing point for all the institutional resources via a SSO mechanism)

or https://mobile.j***s.edu (which is the path to the mailserver and Outlook Web Access)

If I ping either of these sites from my computer using a CMD prompt, the ping works quite well and I see the corresponding IP address, too. So this appears not to be a DNS-related issue. 

To reiterate, I can reach https://mobile.j***s.edu/owa from Chrome/Firefox, but not Edge/IE11. The mailserver path is correct, too, because this is the path used to configure Outlook 2016 on my Windows 10 Pro 64-bit Laptop as well as the iOS Outlook mail app. It only doesn't seem to work from my Desktop.

UPDATE 3: I reimaged Windows 10 Pro x64 (v1703 = same as mine) on a colleague's laptop, and installed Outlook 2016 and other Office programs via Office 365 institutional subscription (= same as mine). In that laptop, Edge can reach the same website https://mobile.j***s.edu/owa with NO ISSUE, and I could configure Outlook 2016 to reach the institutional mailserver via Exchange with NO ISSUE either. So, the problem may be peculiar to how my Desktop machine handled the Creator's Update.

UPDATE 4 (FINAL): I took the extreme step, and reset my Windows 10 installation with the 'Keep my files' option. The process re-installed Windows and everything in it, including Edge. It was painful, because I had to manually reinstall all my software programs, including Office 2016, but at the end of it, EVERYTHING WORKS now. Edge connects to all websites it was previously unable to, Microsoft Outlook has no problem connecting to my institution's Exchange Server, and even the LONG-STANDING issue of the Xbox app on Windows 10 not recognizing my login and password has been resolved.

 

Question Info


Last updated February 14, 2020 Views 95,198 Applies to:

Hello,


This error on Edge and Internet Explorer 11 may arise for several reasons. To address your concern, apart from all the helpful information that you provided, we'll need to know a few more things:

  • When did the issue start to occur?
  • Were there any changes made prior to encountering the issue such as updates, upgrades, or installations?
  • If the issue started after a Windows Update, have you already tried to go back to the previous version? If not, you may refer to the instructions here under "Go back to your previous version of Windows".

We're looking forward to your response.

3 people were helped by this reply

Please see inline.

When did the issue start to occur?

After the June 2017 Creator's Update

Were there any changes made prior to encountering the issue such as updates, upgrades, or installations?

Creator's Update

If the issue started after a Windows Update, have you already tried to go back to the previous version? If not, you may refer to the instructions here under "Go back to your previous version of Windows".

Using the Recovery tool to revert to the previous version seemed an extraordinary step for solving a problem with an update that has been affecting many users. Therefore, I didn't want to take that trouble in the hope that Microsoft will come out with a fix of some kind.

Thanks,

Suirauqa.

Please also see the following response that I wrote to Forum Moderator Maria Fab's reply in another thread started by someone else about the same/similar issue (See Page 4 of that thread).

Marina Fab wrote:

This might be an indication of an SSL Certificate issue. For further investigation and to let our support engineers know about this, we encourage that you submit your issue using the Feedback Hub. You can either vote on an existing submission, or submit a new issue. When you submit a feedback item, we gather additional details and information about your issue, that will help determine what's causing it and address it. The feedback items regularly receive Microsoft responses on the submissions in the Feedback app, so that you can see what we are doing about your feedback. Please revisit frequently to see the status of your feedback items.

In order to submit a new feedback, please follow these steps:

  1. On a Windows 10 device, search for Feedback Hub in Cortana search, and then launch the app.
  2. Navigate to Feedback in the left menu, and then press + Add new feedback.
  3. Select the Problem, share any details you think are relevant, and then choose an appropriate category and subcategory.
  4. Important: If possible, reproduce the problem(s) after clicking Begin monitoring (or Start capture) near the end of the form; Stop monitoring when you're done.
  5. Once you've completed the form and monitoring, click Submit.
  6. Click Continue using Feedback Hub.
  7. Click My Feedback at the top, and then find the item you submitted (it may take a while to appear).
  8. Open the item you submitted, and then click Share.
  9. Click Copy link, and then paste the link in your response (it will look like https://aka.ms/<unique link>).

My response:

Here is the link to the feedback: https://aka.ms/Nucd4u - hope it helps you solve this severe issue.

Another interesting observation: check the link to this New York Times story: https://nyti.ms/2voLo1p

This loads fine in Chrome, resolving the short URL correctly. In Edge, however, this link doesn't resolve and Edge returns an error message. However, if I change the https to http leaving the rest of the URL the same (i.e. http://nyti.ms/2voLo1p), Edge can immediately open it. 

 

4 people were helped by this reply

check the link to this New York Times story: https://nyti.ms/2voLo1p

https://www.nytimes.com/2017/07/15/opinion/sunday/please-prove-youre-not-a-robot.html 

Using  

PS>Get-Process *Edge*CP | Select -First 1 | ft FileVersion -HideTableHeaders
11.00.15063.483 (WinBuild.160101.0800)

Used PowerShell because nothing else was as accurate or capturable.

BTW here is a thread where another user is having inexplicable difficulties using Edge and IE.  It may give you some diagnostic ideas for your case.

https://answers.microsoft.com/en-us/ie/forum/ie11-iewindows_10/internet-explorer-and-edge-cant-find-this-page-for/59eb8ddb-34c0-47a7-ac1d-8c3e2b8d9422?page=6#LastReply 

 

FYI

Robert Aldwinckle
---

4 people were helped by this reply

Thank you for taking the time to reply, Robert, but unfortunately, I am not sure how this applies to my situation. A few observations:

  1. Using PowerShell Get-Process as you did, your Edge version is identical to mine.
  2. With Invoke-WebRequest, the shortened https URL for the NY Times story does show the expanded URL in the Links: section. 
  3. However, my default browser currently is set as Chrome (which has NONE of these issues). So, I am not sure if the WebRequest actually Invokes Edge or uses Chrome (or Chrome settings).
  4. Meanwhile, in Edge, the https URL continues to not work. 

Please note (as I mentioned earlier) that changing the typed URL from https to http makes this shortlink work in Edge with no issues. 

I tried the Invoke-WebRequest in PowerShell to see if it would load my institution's mailserver (my original issue, mentioned in the OP) - NO JOY.

PS C:\> Invoke-WebRequest -URI "https://mobile.j**s.edu/owa"
Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.

At least this tells me that the PowerShell is likely looking at Edge, and not Chrome/Firefox (thereby answering my point 3 above) - because the mailserver URL loads just fine in Chrome/Firefox. 

I tried the Invoke-WebRequest in PowerShell to see if it would load my institution's mailserver

Good idea!  However, in order to use it you need to create a credential for Invoke-WebRequest  -Credential  to use.

Ref

https://stackoverflow.com/questions/27951561/use-invoke-webrequest-with-a-username-and-password-for-basic-authentication-on-t 

(BING search for
    invoke-webrequest credential
)
<quote>

$cred = Get-Credential
Invoke-WebRequest -Uri 'https://whatever' -Credential $cred
</quote>

 

Good luck

Robert
---

I'm curious about this, Robert. Ordinarily, in a browser, using that mailserver URL in the address bar brings me to the  institutional SSO Login and Password page requesting user input.

Why should the PowerShell method be any different, and ask for the credentials beforehand? I welcome your thoughts on this.

-- S

Why should the PowerShell method be any different, and ask for the credentials beforehand

If you need protected content then it needs to be encrypted before being transmitted.  Now I'm wondering if you have a "man-in-the-middle" scenario that Edge would be protecting you from.

OMG.   What protocols are your other browsers allowing?

http://blog.trendmicro.com/trendlabs-security-intelligence/poodle-more-potent-now-affects-tls/ 

(BING search for
    TLS Man-in-the-middle poodle
)

<quote>

some transport layer security (TLS) implementations may be vulnerable to a variant of the same POODLE attack
</quote>

Perhaps you should try checking your problem host here

https://www.ssllabs.com/ssltest/ 

HTH

Robert
---

Three observations, Robert.

  1. According to the TrendMicro post (Thanks for sharing!), SSL3 is vulnerable to POODLE attacks. In my internet options, I have left the "Use SSL3.0" unchecked/disabled. Then why would Edge/IE11 try to use SSL3 (& then 'protect' my PC by refusing to connect)?
  2. More importantly, there are PCs and laptops in the same network, configured exactly in the same way, and with no problem in reaching the problem host HTTPS site. How is this possible?
  3. Why/how do Google and Firefox bypass this issue and correctly reach/load the HTTPS site in question?

Thoughts?

-- S

Thoughts?

I'm thinking Edge may be detecting something it doesn't like and telling you that.  Notice the option that Trend Micro would provide its users if a site was vulnerable?  "Too Many TLS Alert Messages In TLS Traffic"

So, perhaps the main difference with the other browsers is that they aren't doing such a detection step.

Have you tried the SSLTEST to see what it thinks about your problem host?

Otherwise, if you want to have more clues about what is happening I think you will need to trace your different cases and compare them.  That's something that is going on now in that other thread I pointed out.

BTW your description about upgrading other machines could include the possibility of them not yet having the same level of patching, in which case you may yet see them doing the same thing as yours.  Etc.

 

Good luck

Robert
---
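
Added example (not posted by anyone in this thread): one way to compare cases, as suggested above, is to list which protocols the Internet Options checkboxes currently enable and then attempt one handshake per TLS version through .NET's SslStream. On Windows, SslStream and Windows PowerShell's Invoke-WebRequest use the operating system's Schannel stack, whereas Chrome and Firefox ship their own TLS libraries. The host name `example.org` and the function names are placeholders chosen for this sketch.

```powershell
# Added diagnostic sketch; run in Windows PowerShell 5.1 on the affected PC.
# $TargetHost is a placeholder: substitute the host that fails in Edge/IE11.
$TargetHost = 'example.org'

# The Internet Options protocol checkboxes are stored as a bitmask.
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x8; 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800
}

function ConvertFrom-SecureProtocols([int]$Mask) {
    # Return the names of the protocols whose bit is set in $Mask.
    $ProtocolBits.GetEnumerator() |
        Where-Object { $Mask -band $_.Value } |
        ForEach-Object { $_.Key }
}

function Test-TlsVersion {
    param(
        [string]$HostName,
        [System.Security.Authentication.SslProtocols]$Protocol,
        [int]$Port = 443
    )
    # One handshake restricted to $Protocol; certificate errors also surface here.
    $r = [ordered]@{ Protocol = $Protocol; Ok = $false; Cipher = $null; Error = $null }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $r.Ok = $true
        $r.Cipher = "$($ssl.CipherAlgorithm)/$($ssl.HashAlgorithm)/$($ssl.KeyExchangeAlgorithm)"
    } catch {
        # Unwrap PowerShell's wrapper to show the underlying handshake error.
        $r.Error = $_.Exception.GetBaseException().Message
    } finally {
        $tcp.Close()
    }
    [pscustomobject]$r
}

# Per-user Internet Options value (absent if the checkboxes were never changed).
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$mask = (Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
if ($null -ne $mask) { "Internet Options enables: $((ConvertFrom-SecureProtocols $mask) -join ', ')" }

# Probe each TLS version separately and show which ones complete a handshake.
'Tls', 'Tls11', 'Tls12' | ForEach-Object { Test-TlsVersion $TargetHost $_ } | Format-Table -AutoSize
```

Running the same script on a machine that can reach the host and on the one that cannot gives a per-protocol comparison of the two.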
