Common Windows TLS/SSL Security Error Codes and Resolutions
Windows security error codes in the 0x800903xx range typically occur during TLS/SSL operations and are commonly related to protocol mismatches, certificate configuration, or system-level security restrictions. The sections below summarize frequent causes and practical resolutions for these errors.
Errors
- 80090302
- 8009030D
- 8009030E
- 80090304
- 80090308
- 80090325
- 80090326
- 80090327
- 80090331
- 8009035D
- 8009030F or 80090321
80090302
Occurs when the client and server do not share a compatible TLS version (e.g., TLS 1.0 vs TLS 1.2).
Resolution
Enable a protocol version that the server supports. This can be done on any of the components that support SSL by using the SSLEnabledProtocols configuration setting:
icharge1.Config("SSLEnabledProtocols=4032");
Please note that the linked documentation applies to current .NET editions; for other editions or older versions, refer to the help file included with the product.
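To see what a value such as 4032 enables and whether two endpoints share any version, the following added example (not part of the original article or the product) decodes the mask. It assumes SSLEnabledProtocols uses the Schannel SP_PROT_* flag values, which is consistent with 4032 = 192 + 768 + 3072; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Flag values are the Schannel SP_PROT_* client|server pairs;
# that SSLEnabledProtocols uses them is an assumption (4032 = 192+768+3072).
PROTO_FLAGS="12:SSL2 48:SSL3 192:TLS1.0 768:TLS1.1 3072:TLS1.2 12288:TLS1.3"

# Print the protocol names enabled in a mask, oldest first.
decode_protocols() {      # $1 = mask (decimal)
    out=""
    for pair in $PROTO_FLAGS; do
        if [ $(( $1 & ${pair%%:*} )) -ne 0 ]; then out="$out ${pair#*:}"; fi
    done
    echo "${out# }"
}

# Print the versions both sides enable. Empty output means no shared
# version, the situation the article associates with 80090302.
common_protocols() {      # $1 = client mask, $2 = server mask
    decode_protocols $(( $1 & $2 ))
}

# Print enabled protocols older than TLS 1.2 (12 + 48 + 192 + 768 = 1020).
legacy_protocols() {      # $1 = mask
    decode_protocols $(( $1 & 1020 ))
}

# Constructed scenario: a TLS 1.0-only client against a TLS 1.2-only server.
echo "4032 enables:          $(decode_protocols 4032)"
echo "client 192 vs 3072:    '$(common_protocols 192 3072)'"
echo "client 4032 vs 3072:   '$(common_protocols 4032 3072)'"
echo "legacy bits in 4032:   $(legacy_protocols 4032)"
```

If the server only needs TLS 1.2, a mask of 3072 resolves the mismatch without also enabling TLS 1.0 and 1.1.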
8009030D
Indicates invalid or unrecognized credentials, often when using PEM-based certificates.
Resolution
- Convert PEM to PFX:
openssl pkcs12 -export -passout pass:"" -in cert_key_pem.txt -out cert_key_out.pfx -name "My Certificate"
- Ensure private key access and proper permissions
- Enable Load User Profile in IIS if applicable
- Verify certificate is exportable
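Before importing the converted file, it helps to confirm that the PEM really holds a private key matching the certificate and that the PFX carries it. This is an added example, not part of the original article; the function names, the return codes and the throwaway self-signed certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a combined cert+key PEM, export it to PFX, then
# confirm the PFX really carries the private key.

# Build a constructed, throwaway self-signed cert+key PEM for the demo.
make_sample_pem() {   # $1 = output PEM path
    d=$(dirname "$1")
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.invalid" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null &&
        cat "$d/cert.pem" "$d/key.pem" > "$1"
}

# Returns 0 on success; 2 = no certificate, 3 = no private key,
# 4 = key does not match certificate, 5 = export failed, 6 = PFX lacks key.
pem_to_pfx() {        # $1 = PEM in, $2 = PFX out, $3 = export password
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 3
    # Identical public keys mean the private key belongs to this certificate.
    [ "$cert_pub" = "$key_pub" ] || return 4
    openssl pkcs12 -export -passout "pass:$3" -in "$1" -out "$2" \
        -name "My Certificate" 2>/dev/null || return 5
    # Read the PFX back; a certificate without its private key is a cause
    # the article lists for 8009030E.
    openssl pkcs12 -in "$2" -passin "pass:$3" -nocerts -nodes 2>/dev/null |
        grep -q "PRIVATE KEY" || return 6
}

# Demo on constructed input.
tmp=$(mktemp -d) && make_sample_pem "$tmp/cert_key_pem.txt" &&
    pem_to_pfx "$tmp/cert_key_pem.txt" "$tmp/cert_key_out.pfx" "example-pass" &&
    echo "PFX written and verified"
rm -rf "$tmp"
```

The article's command exports with an empty password (`pass:""`), so the key in the PFX is protected only by that empty password; openssl also accepts `env:VAR` or `file:path` for passphrase arguments, which keeps the password off the command line.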
8009030E
This error translates to "No credentials are available in the security package".
Resolution
- Ensure certificate includes private key
- Grant access to: C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
- Verify correct certificate store placement
80090304
This error translates to "The Local Security Authority cannot be contacted".
Resolution
- Refer to Microsoft KB 3061518 for details. In summary, set the ClientMinKeyBitLength DWORD value at HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman to 00000200 (hexadecimal, i.e. 512 bits). A restart is required after making this change.
- Additional causes and solutions are described in Microsoft KB 813550
80090308
This error translates to "The token supplied to the function is invalid".
Common Causes / Fixes
- The server may be using a certificate with an outdated signature algorithm. See this MSDN Article
- The server may not expect SSL over the current port; set SSLStartMode to sslExplicit if needed.
- Some FTP servers (e.g., FileZilla) require a PROT P command for data connections when using implicit SSL; set UseProtWhenImplicit to true.
- The server may return a large number of CA certificates during the handshake.
Also see: SSL: Error During Handshake: 80090308
80090325
This error translates to "The certificate chain was issued by an authority that is not trusted."
Resolution
- Ensure full certificate chain is available
- Configure CA directory (Linux) or proper Windows store
- Verify issuer certificates are accessible
80090326
This error translates to "The message received was unexpected or badly formatted.", often due to protocol or cipher mismatch.
Resolution
- This error may also happen if the server and client don't possess a common supported cipher suite. This can be the case if you're connecting from Windows XP to a site that has recent/strict security requirements. Here is a list of ciphers supported in XP. Setting UseInternalSecurityAPI to true may help with this error as it supports many newer protocols not supported on older systems.
- Ensure the correct protocols are enabled using SSLEnabledProtocols.
- Disable SSL session reuse if unsupported (ReuseSSLSession / ReuseSSLSessionInDI).
- Enable broader protocol support if needed:
component.Config("UseInternalSecurityAPI=true");
- Verify that client authentication is properly configured if required.
80090327
This error translates to "An unknown error occurred while processing the certificate."
Resolution
- Verify client certificate requirements
- Check SSLStatus event/logs for details
80090331
This error translates to "The client and server cannot communicate, because they do not possess a common algorithm".
Resolution
- This is commonly seen on older systems (e.g., Windows XP/Windows Server 2003) that do not support modern cipher suites required by the server.
- Refer to the list of ciphers supported in XP
8009035D
This error translates to "One or more of the parameters passed to the function was invalid."
Resolution
- This may be related to Windows rejecting weak security settings. Refer to Microsoft KB 3061518. In summary, set the ClientMinKeyBitLength DWORD value at HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman to 00000200 (hexadecimal, i.e. 512 bits), then restart the system.
- Some Windows updates have been associated with this issue (e.g., KB3172605, KB3175024, KB3177186, KB3184122, KB3185911).
- Additional causes and solutions are described in Microsoft KB 813550
8009030F or 80090321
Known issue on Windows 8.1 / Server 2012 R2 with specific DHE cipher suites.
Workarounds
- Use internal security API:
component.Config("UseInternalSecurityAPI=True");
- Disable affected cipher suites
- Disable TLS 1.2 (if acceptable)
- Upgrade Windows