In my line of work, every now and then I run into these unique situations. A few weeks ago we needed to do an application upgrade on a few of our systems. Once we started, we got the following message:
“0x800b010e – The revocation process could not continue – the certificate(s) could not be checked.”
Okay, now what? It turns out that system hardening (or the .NET signature policy) combined with a system that has no Internet connectivity can trigger this error. The installer is Authenticode-signed, and because the hardening policy requires revocation checking, WinTrust verifies not only the certificate chain but also the revocation status of every certificate in it. On a hardened system that is expected behaviour. The software was digitally signed by Microsoft (signing is a good thing, btw!), so the revocation check tried to reach the public Microsoft CRL distribution points. Since the system is not allowed to go out and fetch the CRL, the lookup failed, and with revocation checking enforced a failed lookup is a hard failure: 0x800B010E is CERT_E_REVOCATION_FAILURE. Luckily it is a simple matter of flipping a registry value to turn the revocation check off and back on again. Since I can't remember registry keys (and I seem to forget these kinds of little tricks) I've written a PowerShell script to enable or disable the offline installation capabilities. Keep in mind that while the check is off, a signature made with a revoked certificate verifies just fine, so turn it back on as soon as the installation is done (or make the CRLs reachable on the isolated network instead). Just in case you want to check the value on your system, use the setreg.exe tool from the SDK. In case you're curious about the registry entry, look at:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State (REG_DWORD)
The default value of State is 0x23C00. Note that the entry lives under HKCU, so it is per user: set it in the hive of the account that actually runs the installer.
My script can be used with the following parameters:
Set-OfflineInstallationMode.ps1 [-On] [-Off] [-Force]
- On: Enables the offline installation of signed binary files.
- Off: Resets the system to the previous (or default) value.
- Force: Ignore the previous setting and execute anyway.
You can download the script here. Version 1.0
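To show what such a script has to do, here is an added example with the same -On/-Off/-Force interface. It is not the author's Set-OfflineInstallationMode.ps1, and it rests on two assumptions the post does not state: that bit 0x200 of the State value is the "Check the revocation list" switch that setreg.exe lists as option 3 (clear in the 0x23C00 default, set on a hardened system), and that the backup file location is this example's own choice.

```powershell
# Added example, not the author's Set-OfflineInstallationMode.ps1.
# Assumptions (not stated in the post): bit 0x200 of State is the "Check the
# revocation list" switch setreg.exe exposes as option 3; the backup file
# below is a hypothetical location chosen for this example.
$StatePath     = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$DefaultState  = 0x23C00   # default from the post; revocation bit clear
$RevocationBit = 0x200
$BackupFile    = Join-Path $env:LOCALAPPDATA 'WinTrustState.previous'   # hypothetical

function Get-WinTrustState {
    # Reads the current State DWORD; a missing value means WinTrust uses its default.
    $item = Get-ItemProperty -Path $StatePath -Name State -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $DefaultState }
    return [int]$item.State
}

function Test-RevocationCheckEnabled {
    return (((Get-WinTrustState) -band $RevocationBit) -ne 0)
}

function Set-OfflineInstallationMode {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$On, [switch]$Off, [switch]$Force)

    if ($On -eq $Off) { throw 'Specify exactly one of -On or -Off.' }
    $current = Get-WinTrustState

    if ($On) {
        # Offline mode: clear the revocation bit so an unreachable CRL no longer fails the check.
        if ((($current -band $RevocationBit) -eq 0) -and -not $Force) {
            Write-Warning ('Revocation checking is already off (State=0x{0:X}); nothing to do.' -f $current)
            return $current
        }
        # Remember what hardening had configured so -Off can restore it instead of guessing.
        Set-Content -Path $BackupFile -Value ('0x{0:X}' -f $current)
        $new = $current -band (-bnot $RevocationBit)
    }
    else {
        # Back to the saved value (unless -Force says to ignore it); otherwise just set the bit,
        # because writing the 0x23C00 default would leave revocation checking off.
        if ((Test-Path $BackupFile) -and -not $Force) {
            $new = [int](Get-Content -Path $BackupFile)
        }
        else {
            $new = $current -bor $RevocationBit
        }
        Remove-Item -Path $BackupFile -ErrorAction SilentlyContinue
    }

    if ($PSCmdlet.ShouldProcess($StatePath, ('State 0x{0:X} -> 0x{1:X}' -f $current, $new))) {
        if (-not (Test-Path $StatePath)) { New-Item -Path $StatePath -Force | Out-Null }
        Set-ItemProperty -Path $StatePath -Name State -Value $new -Type DWord
    }
    return $new
}

# Usage, in the account that performs the installation (the value is per-user):
#   Set-OfflineInstallationMode -On           # before the install
#   Set-OfflineInstallationMode -Off          # afterwards; restores the saved value
#   Set-OfflineInstallationMode -On -WhatIf   # show the change without writing it
#   Test-RevocationCheckEnabled               # $true on a hardened box
```

Because the example saves the value it found rather than assuming the default, -Off puts back whatever the hardening baseline had set (0x23E00 on a box where only the revocation bit was added), which is what you want before the next compliance scan runs.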
Set Registry Tool (Setreg.exe)
To enable Secure Channel (Schannel) logging, use the following guide.
Add the following registry key:
Set it to one of the following values, or to a sum of them:
0x0000 Do not log
0x0001 Log error messages
0x0002 Log warnings
0x0004 Log informational and success events
When troubleshooting I like to set it to 0x0007 (0x0001 + 0x0002 + 0x0004). Reboot your machine to start the logging process.
The data ends up in the “System” event log under the source name “Schannel”. Keep an eye out for event ID 36880, which records a successful handshake together with the negotiated parameters. It looks something like:
An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows.
Protocol: TLS 1.2
Exchange strength: 256
To translate the CipherSuite code into a suite name, use the following site:
In the example above this would translate to:
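As an added example (not part of the original post), the following PowerShell turns the logging on and parses the 36880 events it produces into objects you can filter, so the translation step does not have to be done by hand. The registry location is Microsoft's documented Schannel logging switch, which the text of the post dropped; writing it needs an elevated prompt and, as noted above, a reboot. The cipher-suite table is a short constructed list of common IANA codes, and the sample event is constructed in the shape of the message quoted above.

```powershell
# Added example, not from the original post. The registry key is the documented
# Schannel logging switch (the post's text lost it); run elevated and reboot.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Constructed, deliberately short table of IANA cipher-suite codes for the
# translation step. 'PFS' marks (EC)DHE key exchange, which plain RSA lacks.
$CipherSuites = @{
    0xC030 = 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (PFS, AEAD)'
    0xC02F = 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (PFS, AEAD)'
    0xC028 = 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (PFS, CBC)'
    0x009D = 'TLS_RSA_WITH_AES_256_GCM_SHA384 (no PFS)'
    0x0035 = 'TLS_RSA_WITH_AES_256_CBC_SHA (no PFS, CBC, SHA-1)'
    0x002F = 'TLS_RSA_WITH_AES_128_CBC_SHA (no PFS, CBC, SHA-1)'
}

function Enable-SchannelLogging {
    param([int]$Level = 0x7)   # 0x1 errors + 0x2 warnings + 0x4 informational, as used above
    if (-not (Test-Path $SchannelKey)) { New-Item -Path $SchannelKey -Force | Out-Null }
    Set-ItemProperty -Path $SchannelKey -Name EventLogging -Value $Level -Type DWord
    Write-Warning 'Reboot for the new logging level to take effect.'
}

function ConvertFrom-SchannelHandshake {
    # Picks Protocol, CipherSuite and Exchange strength out of a 36880 message body.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        $get = {
            param($Name)
            $pattern = '(?m)^\s*' + [regex]::Escape($Name) + ':\s*(?<v>\S.*?)\s*$'
            if ($Message -match $pattern) { $Matches['v'] } else { $null }
        }
        $suite = & $get 'CipherSuite'
        $name  = if ($suite) { $CipherSuites[[int]$suite] } else { $null }   # '0xC030' casts to 49200
        [pscustomobject]@{
            Protocol         = & $get 'Protocol'
            CipherSuite      = $suite
            CipherSuiteName  = if ($name) { $name } else { 'unknown; look it up in the IANA registry' }
            ExchangeStrength = & $get 'Exchange strength'
        }
    }
}

function Get-SchannelHandshake {
    # Reads successful handshakes (event 36880, source Schannel) from the System log.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36880 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $evt = $_
            $evt.Message | ConvertFrom-SchannelHandshake |
                Add-Member -NotePropertyName TimeCreated -NotePropertyValue $evt.TimeCreated -PassThru
        }
}

# Constructed sample in the shape of the event quoted above, so the parser can be tried offline.
$SampleEvent = @"
An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows.

   Protocol: TLS 1.2
   CipherSuite: 0xC030
   Exchange strength: 256
"@
$SampleEvent | ConvertFrom-SchannelHandshake
```

Once logging is on, `Get-SchannelHandshake | Where-Object Protocol -ne 'TLS 1.2'` shows which connections still negotiate older protocols, and sorting on CipherSuiteName is a quick way to spot non-PFS or CBC suites before you start restricting them with the guidance linked below.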
TLS/SSL Security Considerations
Cipher Suites in TLS/SSL (Schannel SSP)
Prioritizing Schannel Cipher Suites
How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
Update to add new cipher suites to Internet Explorer and Microsoft Edge in Windows