HOWTO: 12204 SSL Port Specified Is Not Allowed

ID: Q184028


The information in this article applies to:

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY


SYMPTOMS

By default, the Web Proxy service on Microsoft Proxy Server versions 1.0 and 2.0 makes HTTPS connection requests on port 443 only. Connection requests for Web sites that contain a port number in the URL for ports other than port 443 will fail and produce the following error:

12204 SSL port specified is not allowed


CAUSE

For security reasons, only port 443 (HTTPS) and port 563 (SNEWS) are allowed to pass through the Web Proxy service by default.

Additional ports can be added to the registry; however, this is not recommended. Internet Web sites should always use port 443 for SSL (HTTPS) communications. Allowing additional ports through your Proxy Server may pose a security risk.

The following is an excerpt from Internet Draft: Tunneling SSL Through a WWW Proxy located at http://cgi.netscape.com/newsref/std/tunneling_ssl.html:

Security Considerations

CONNECT is really a lower-level function than the rest of the HTTP methods, kind of an escape mechanism for saying that the proxy should not interfere with the transaction, but merely forward the data. This is because the proxy should not need to know the entire URI that is being accessed (privacy, security), only the information that it explicitly needs (hostname and port number). Due to this fact, the proxy cannot verify that the protocol being spoken is really SSL, and so the proxy configuration should explicitly limit allowed connections to well-known SSL ports (such as 443 for HTTPS, 563 for SNEWS, as assigned by the Internet Assigned Numbers Authority).


WORKAROUND

To open additional ports for tunneling SSL on a computer running Microsoft Proxy Server, modify the following registry key using Regedt32.exe:

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it.


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters

Value Name: SSLPortListMembers

When you edit the SSLPortListMembers value, a dialog box appears containing the following default port information:

   443
   443
   563
   563

Append the desired new port to this list in duplicate form. For example, to add port 444:

   443
   443
   563
   563
   444
   444 
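
The following Python sketch is an added example, not code from Microsoft or from the Internet Draft. It models the port check described above: it reads a port list in the duplicated form shown for SSLPortListMembers, decides whether a CONNECT request line may be tunneled, and reports which ports have been opened beyond the defaults. The function names and the sample request lines are constructed for illustration, and the strict "each port appears twice" parsing is an assumption taken from the listings in this article.

```python
import re

DEFAULT_PORTS = {443, 563}  # defaults named in this article (HTTPS, SNEWS)

# Only "CONNECT host:port HTTP/x.y" is accepted; the proxy sees nothing else.
CONNECT_RE = re.compile(r"^CONNECT\s+([A-Za-z0-9.-]+):(\d{1,5})\s+HTTP/\d\.\d$")

def parse_port_list(entries):
    """Parse entries in the duplicated form shown for SSLPortListMembers."""
    ports = [int(e.strip()) for e in entries if e.strip()]
    if len(ports) % 2:
        raise ValueError("odd number of entries; each port must appear twice")
    allowed = set()
    for first, second in zip(ports[0::2], ports[1::2]):
        if first != second:
            raise ValueError(f"mismatched pair: {first}, {second}")
        if not 1 <= first <= 65535:
            raise ValueError(f"port out of range: {first}")
        allowed.add(first)
    return allowed

def check_connect(request_line, allowed):
    """Return (permitted, reason) for a single CONNECT request line."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return False, "malformed CONNECT request"
    if int(m.group(2)) not in allowed:
        return False, "12204 SSL port specified is not allowed"
    return True, "tunnel permitted"

def non_default_ports(allowed):
    """Ports opened beyond the defaults; each one widens what can be tunneled."""
    return sorted(allowed - DEFAULT_PORTS)

if __name__ == "__main__":
    # Constructed sample: the list from this article after adding port 444.
    allowed = parse_port_list(["443", "443", "563", "563", "444", "444"])
    for line in ("CONNECT www.example.com:443 HTTP/1.0",   # constructed
                 "CONNECT www.example.com:444 HTTP/1.0",   # constructed
                 "CONNECT mail.example.com:25 HTTP/1.0"):  # constructed
        print(line, "->", check_connect(line, allowed))
    print("review these additions:", non_default_ports(allowed))
```

Because the proxy cannot verify that the tunneled protocol is really SSL, every entry returned by `non_default_ports` is a port through which arbitrary traffic can be forwarded, so it should be justified and reviewed.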

Additional query words: ssl tunneling tunnel port fail


Keywords          : 
Version           : WINNT:1.0,2.0
Platform          : winnt 
Issue type        : kbhowto kbprb 

Last Reviewed: August 12, 1999