Hi,

I am not aware of this problem, but I will investigate to see if there is a workaround.

Thanx,

Denise

Hi,

I'm having some technical difficulties with my lab system, so it may take a little longer than I expected (trying to reproduce the issue and debug). Sorry for the delay.

Thanx,

Denise

Thanks Denise. Let me know what you find out. Here is some additional information I have been able to determine.

Note that I have also confirmed it happens with the IE11 version 11.0.9600.18426 update on Windows 7 Enterprise as well.

Looks like when the IE update is installed it breaks the TLS 1.0 negotiation within Windows itself. As stated above Finesse correctly selects one of the offered ciphers but then Windows appears to not continue with the negotiation (Key Exchange) causing Finesse to eventually respond with the Handshake Failure message.

Specifically prior to the latest IE11 update (using an older IE10 install), IE would offer a number of cipher candidates during the handshake including the following which Finesse would select. All would be happy.

TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

After the IE11 update the following cipher is offered by Windows and is the one chosen by Finesse and that is when the failure occurs.

TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)

Note that using Chrome works and it negotiates the following cipher suite and this works fine.

TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

So it looks like a possibly weak Diffe-Helman SSL cipher is being mistakenly offered by Windows (with IE11 update) and then rejected/ignored when it is selected by Finesse.

Thank you for the additional information. My stubborn Windows 7 VM is refusing to install the IE11 upgrade (I am on 11.0.9600.17843). I will continue to work on this and will update as soon as I have information.

Thanx,

Denise

Hi,

Actually, because 10.5 supports Windows 7 with IE11, this is a product issue and therefore you should open a TAC case. They will be able to work with the Finesse team and provide a workaround.

Before doing so, I want to make sure that you are on Windows 7 SP1 because that is the supported OS version: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/finesse/finesse_1051/release/notes/CFIN_BK_R34A18D2_00_release-notes-for-cisco-finesse-1051/CFIN_BK_R34A18D2_00_release-notes-for-cisco-finesse_chapter_00.html#CFIN_RF_HCB...

I highly doubt that would make a difference, but I want to make sure that you are on the supported OS.

Thanks,

Denise

Regarding opening a TAC issue, the problem is not affecting us directly just yet, it is just something we have observed in our lab. It did affect one of our customers when then applied Windows updates but they saw that those updates also broke a bunch of their other secure stuff (seems to affect more than just IE) so they rolled back the updates. So was posting it here to see if anyone at Cisco has seen it yet (giving you a heads up). We can reproduce it but the work around from our point of view is to not install the IE11 update at this point. And Windows 10 (with forced updates) is not supported by 10.5.1 so would not be supported anyway.

Hi,

Ok. I will let the Finesse team know. Thanks for all the information!

Thanx,

Denise

Denise I have some further information on this. Seems the issue is not specific to IE11 per se but rather to another KB update that also gets installed. This KB update is included in Microsoft's June and July Update Rollups so if they are installed the problem will also be seen. Found an interesting thread on a Microsoft forum that talks about it and specifically mentions Cisco Finesse and TLS issues (along with VOIP phones).

There is a workaround that involves removing the problematic ciphers. I have tested it and it appears to work for now. Not sure yet if there are other ramifications from removing the ciphers but Finesse is happy as well as applications that use the Finesse web APIs.

You can remove the following ciphers from the list contained in the registry key HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002.

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Here is the Microsoft forum thread.

PROBLEMS WITH KB 3161608 AND KB 3161639 - Microsoft Community

Thank you for all of this information. It is definitely helpful. I have let the Finesse team know and they will take a look at it.

Is the issue that you are having high cpu being taken by svchost (the one hosting the wuauclt.exe) and the windows update not proceeding? If so Microsoft has a separate fix that you can apply outside of windows update to fix it. Windows updates will then work properly afterwards.