If you are an IT admin or a network admin who is running a server, your users might complain about the ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY error code. You might also see this error while visiting your own website. The error is presented with the message
“The webpage at *website address* might be temporarily down or it may have moved permanently to a new web address.”
This error will prevent you from accessing the website. It usually happens for Chrome users, but it might appear in Firefox as well. Internet Explorer and Microsoft Edge users won’t see this error.
This problem is caused by HTTP/2. The site started an HTTP/2 connection, but a blacklisted cipher suite was negotiated, so the browser blocked access to the website. The usual solution is to reorder the cipher suites so that they meet the requirements of HTTP/2.
Use SSL Labs to check the configuration of your server. The results from SSL Labs can help you tune the configuration further. Their official site has the server test and a lot of good articles on TLS and SSL.
Method 1: Use IIS Crypto 2
IIS Crypto is a tool designed for administrators. It helps in enabling and disabling different protocols, cipher suites and hashes on your servers. It is also suitable for reordering SSL/TLS cipher suites. Since the problem is with the ordering of the cipher suites in IIS, this tool can be used to solve the issue.
IIS Crypto 2 comes with a Best Practices option that helps in selecting suitable cipher suites. When you select this option, it will automatically include or exclude ciphers depending on the requirements of HTTP/2. Here are the steps for using IIS Crypto 2:
- Download the version of IIS Crypto suitable for you
- Once downloaded, install and open Crypto 2
- Simply click the Best Practices button
- Crypto 2 will automatically select and deselect the boxes from each column
- Once Crypto 2 has selected the appropriate Protocols, Hashes, Ciphers and Key Exchanges, click Apply
- Reboot and that is it. It should fix the issue for you.
Note: If your cipher suites aren’t showing up in Crypto 2, make sure you have the latest version of it. Older versions won’t be able to detect everything.
Method 2: Reorder the Cipher Suites
Check the requirements of HTTP/2 and make sure you aren’t using any cipher that is on the blacklist. The problem usually occurs because the server is negotiating a blacklisted cipher, so it’s simply a matter of using the appropriate protocols and ciphers. Reordering the cipher suites should also be done as per the requirements of HTTP/2.
Note: Don’t forget to reboot once you are done with the changes, e.g. enabling and disabling cipher suites.
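The following is an added example, not part of the original article or of IIS Crypto, that checks a cipher suite order against the HTTP/2 requirements before and after reordering. It uses a name-based heuristic for the RFC 7540 Appendix A blacklist (a TLS 1.2 suite passes only if it combines ephemeral DHE/ECDHE key exchange with an AEAD cipher). The function names and the sample order are constructed for illustration.

```powershell
# Heuristic: RFC 7540 Appendix A blacklists suites without ephemeral key
# exchange and suites using NULL, stream or block (CBC) ciphers.
function Test-Http2CipherSuite {
    param([Parameter(Mandatory)][string]$Name)
    $aead = $Name -match '_(GCM|CCM|CHACHA20_POLY1305)'
    # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) have no _WITH_ part.
    if ($Name -notmatch '_WITH_') { return $aead }
    return ($aead -and ($Name -match '^TLS_(EC)?DHE_'))
}

# Reports every blacklisted suite that is ordered ahead of an acceptable one.
# The server picks the first suite in its list that the client also offers,
# so these are the entries that can be negotiated on an HTTP/2 connection.
function Get-Http2CipherOrderIssue {
    param([Parameter(Mandatory)][string[]]$SuiteOrder)
    $lastOk = -1
    for ($i = 0; $i -lt $SuiteOrder.Count; $i++) {
        if (Test-Http2CipherSuite $SuiteOrder[$i]) { $lastOk = $i }
    }
    if ($lastOk -lt 0) {
        Write-Warning 'No HTTP/2-acceptable cipher suite is enabled.'
        return
    }
    for ($i = 0; $i -lt $lastOk; $i++) {
        if (-not (Test-Http2CipherSuite $SuiteOrder[$i])) {
            [pscustomobject]@{
                Position = $i + 1
                Suite    = $SuiteOrder[$i]
                Issue    = 'Blacklisted for HTTP/2 but ordered above an acceptable suite'
            }
        }
    }
}

# Constructed sample order (not taken from a real server).
$constructedOrder = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',  # ephemeral, but CBC
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',  # acceptable
    'TLS_RSA_WITH_AES_128_GCM_SHA256',        # AEAD, but static RSA
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',  # acceptable
    'TLS_RSA_WITH_AES_128_CBC_SHA'            # blacklisted, but last in order
)
Get-Http2CipherOrderIssue -SuiteOrder $constructedOrder | Format-Table -AutoSize
```

On a server that has the Get-TlsCipherSuite cmdlet (Windows Server 2016 and later), pass the live order with `Get-Http2CipherOrderIssue -SuiteOrder (Get-TlsCipherSuite).Name`. An empty result means no blacklisted suite sits above an acceptable one.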