PROBLEMS WITH KB 3161608 AND KB 3161639

After installing KB 3161608 which includes KB 3161639 we started having problems with some web applications not negotiating a TLS connection.  Uninstalling the update and running a trace we see that it used Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f), which is still in the list of approved Ciphers in KB 3161639.

Anyone else experienced an issue with this?  I just issued  a removal through WSUS, but would like to figure out why this happened and how to fix it.

 

Question Info


Last updated December 6, 2019 Views 32,831 Applies to:

* Please try a lower page number.

* Please enter only numbers.

* Please try a lower page number.

* Please enter only numbers.

I have problem with KB3161308 installed on Windows 7 SP1 x64.  Unlike yours with TLS, my system exhibits serious memory leakage due to unknown process or service in the background.  It could eventually suck all available memory and the machine would be failure to shutdown or restart.  Uninstall it and my only option.

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

We have had the same issue, all 500 of our machines use SoftPhones and all of them were unable to connect to the Telephony server via a TLS connection after this update we also experienced issues with our web sites and machines generally running slow. Usually these would be tested beforehand but unfortunately this one was issued in error and caused a major issue. Typical! Only option was to schedule removal of KB3161608.

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

I am also experiencing the same problem with KB3161308. I had to uninstall it.

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

We are seeing problems with this and our Cisco Finesse application.  Can't find a work around other than to uninstall it.  Has anyone tried a re-ordering of the cipher suites via GPO?

rich.

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

After installing KB 3161608 which includes KB 3161639 we started having problems with some web applications not negotiating a TLS connection...

@AaronMoore_IN => This is a Consumer-specific forum. You will find appropriate support for Win7 in the IT Pro-specific forums: https://social.technet.microsoft.com/Forums/windows/en-US/home?category=w7itpro

Note that KB3161608 is an Optional (vs. Recommended ) update rollup this month.

--
~Robear Dyer (PA Bear)
Microsoft MVP (Windows Client) since October 2002

2 people were helped by this reply

·

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

We had the same problem when using GE PACS Universal Viewer. My suggestions:

1 - Open Internet Explorer / Internet Options / Advanced tab; disable Use SSL 2.0; enable Use SSL 3.0; disable Use TLS 1.0; disable Use TLS 1.1; enable Use TLS 1.2.

2 - OR, Remove KB3161608 (target: Windows 7, Windows 7 64bit, Windows Server 2008 R2, Windows Server 2008 R2 64bit).

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

Did that work well for you?

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

Uninstalling works, will try the ie setting change to tld
Bill Bacoyiannis

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

I added the following reg entry to the client machines and it fixed our Cisco Finesse Web Application . Now runs OK in IE with patch KB3161608 installed on the client machines.  Connected to the minimum supported key length being changed by MS:- 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ClientMinKeyBitLength"=dword:00000200

111 people were helped by this reply

·

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

KB 3161608 broke all my Cisco VOIP products.  I had to remove the new cipher keys introduced with this update.

New cipher suites in this update: 

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

In my situation I took the default cipher order list in:

HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002

I removed the two new ciphers out of the cipher order and changed the cipher order in the following registry key:
HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002

Restart after registry changes.

IIS Crypto helped with locating the registry keys:

https://www.nartac.com/Blog/post/2013/04/19/IIS-Crypto-Explained.aspx


Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

* Please try a lower page number.

* Please enter only numbers.

* Please try a lower page number.

* Please enter only numbers.