ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY error when accessing Archer website using modern browsers
All versions of Archer
When modern web browsers access the Archer website, the following error may be generated and the website does not load: ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY
The client Operating System negotiates an HTTPS connection with the server Operating System using ciphers that they both have in common.
Many of the ciphers shipped with older versions of Operating Systems are no longer suitable to use for security reasons and it is industry practice to disable ciphers when they are determined to be insecure.
There are certain situations where the client Operating System and the Windows Server operating system agree to establish an encrypted HTTPS connection. However, the web browser running on the user's PC determines the connection to be too insecure for use due to the cipher choice between the operating systems. In this situation, the web browser will return the following error to the user: ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY
Disable weak ciphers (Breach (CVE-2013-3587), Lucky13 (CVE-2013-0169), Null, RC2, RC4, DES, Triple DES 128, and all other Ciphers <128 bit length as per Archer Security Configuration Guide)
The below PowerShell script (also attached) needs to be run as a script file and will update the registry on a server to disable the known insecure ciphers. Be sure to test in a Dev environment before moving the changes to Production. The script needs to be run on all Archer servers.
The PowerShell script creates cipher disablement registry entries in the Windows Server Registry at path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\
Rollback option: To undo the disablement of these insecure ciphers, delete the cipher disablement registry keys created under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\
Note: As per Archer Security Configuration guide, CBC ciphers are also considered insecure and can be disabled in the same manner. However, CBC ciphers are currently (as of October 2021) allowed by all modern browsers for compatibility reasons and disabling these ciphers is outside the scope of this KB.
Note: If the server is enrolled in a group policy, the group policy may periodically overwrite the enablement/disablement of the ciphers with what is configured in the group policy. If these changes to the registry are being reverted, check whether a conflicting group policy controls which ciphers the server has disabled.
Note: For the latest recommendations on which HTTPS ciphers should be disabled, please see the Archer Security Configuration guide for the version of Archer that you are running.
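Added example (not the KB's attached script and not Archer's own code): a read-only PowerShell check to run after the change, or when a group policy is suspected of reverting it, that reports the Enabled value of each cipher subkey under the SCHANNEL\Ciphers path. The cipher subkey names are an assumption taken from Microsoft's documented SCHANNEL names and may differ from the list in the attached script.

```powershell
# Added example: read-only audit of SCHANNEL cipher disablement entries.
# Assumption: the subkey names below are Microsoft's documented SCHANNEL cipher
# names; the list used by the KB's attached script may differ.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$expectedDisabled = @(
    'NULL', 'DES 56/56',
    'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
    'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128',
    'Triple DES 168'
)

# Cipher names contain '/', which the PowerShell registry provider treats as a
# path separator, so open the subkeys by exact name through the .NET API.
$root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($base)
if ($null -eq $root) {
    Write-Warning "HKLM\$base does not exist; no cipher overrides are configured."
    return
}

# Report the expected ciphers first, then any other subkeys that are present.
$names = @($expectedDisabled) +
         @($root.GetSubKeyNames() | Where-Object { $_ -notin $expectedDisabled })

$report = foreach ($name in $names) {
    $key = $root.OpenSubKey($name)
    $enabled = if ($key) { $key.GetValue('Enabled', $null) } else { $null }
    if ($key) { $key.Close() }
    # Enabled = 0 disables the cipher; a missing value leaves the OS default.
    $state = if ($null -eq $enabled) { 'OS default (no Enabled value)' }
    elseif ($enabled -eq 0) { 'Disabled' }
    else { 'Enabled' }
    [pscustomobject]@{
        Cipher         = $name
        State          = $state
        NeedsAttention = ($name -in $expectedDisabled -and $state -ne 'Disabled')
    }
}
$root.Close()

$report | Format-Table -AutoSize
$bad = @($report | Where-Object { $_.NeedsAttention })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) cipher(s) are not disabled; check for a conflicting group policy."
}
```

Run it on each Archer server; repeating it after a group policy refresh shows whether the disablement entries persist.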