Thursday, February 28, 2013 4:36 PM
I am troubleshooting a non-working scenario in which we have successful client cert authentication from Win7, IE8 and TLS1.0 enabled - but as soon as TLS v1.2 is also selected in the Advanced tab of Internet Options, the communication is failing.
The client's machine has the client certificate installed, and the root CA is also installed in the Trusted Root store.
The process is as follows (with TLS 1.2 enabled):
1. Client connects to the SSL server - the initial handshake works fine, and in the ServerHello we can see the certificate request all right.
2. On the client side there is a pop-up with the list of client certs - the user selects his cert and confirms OK.
3. At this stage the user gets a "Page cannot be displayed" message in IE. At the same time, looking into the trace and the communication being done from the client, the very strange thing is that there is no "ClientHello" being sent by the client (10.4.103.130).
The initial TCP handshake looks OK, but then the client is finishing the connection instead of starting the SSL handshake by sending ClientHello....
62527 08:58:03.541 10.4.103.130 TCP 110 x.15.226.18 49984 > https [SYN] Seq=2509215337 Win=32768 Len=0 MSS=1460 WS=1 TSval=4016368077 TSecr=0 SACK_PERM=1
62528 08:58:03.541 x.15.226.18 TCP 92 10.4.103.130 https > 49984 [SYN, ACK] Seq=2329522121 Ack=2509215338 Win=8190 Len=0 MSS=1460
62529 08:58:03.541 10.4.103.130 TCP 86 x.15.226.18 49984 > https [ACK] Seq=2509215338 Ack=2329522122 Win=33580 Len=0
62530 08:58:03.541 10.4.103.130 TCP 86 x.15.226.18 49984 > https [FIN, ACK] Seq=2509215338 Ack=2329522122 Win=33580 Len=0
62531 08:58:03.541 x.15.226.18 TCP 92 10.4.103.130 https > 49984 [FIN, ACK] Seq=2329522122 Ack=2509215339 Win=35688 Len=0
62532 08:58:03.541 10.4.103.130 TCP 86 x.15.226.18 49984 > https [ACK] Seq=2509215339 Ack=2329522123 Win=33579 Len=0
* This has been checked with a known working user cert and the situation is the same....
Has anyone seen such behaviour?
What I am thinking is that TLS1.2 is not really enabled on the client machine.
Thanks for your input.
Friday, March 01, 2013 6:41 AM Moderator
Check the following article. Hope it helps.
http://blogs.msdn.com/b/ieinternals/archive/2011/03/25/misbehaving-https-servers-impair-tls-1.1-and-tls-1.2.aspx
TechNet Community Support
Friday, March 01, 2013 8:27 AM
The above article does not really give a solution, but the troubleshooting which can be done in order to find out why IE can't display the webpage.
I have done that already by listening to the traffic via Wireshark and can't see any errors from the SSL server - and in fact, one important thing I forgot to mention is that during that test the SSL server was not enabled for TLS at all, just for SSLv3 - so after enabling TLS 1.2 in IE (and having SSL3 and TLS1 enabled as well at the same time) the browser / client should fall back and retry the connection over a protocol they both support!
But in this scenario we can see that there is no ClientHello at all... (client 10.4.103.130)
Friday, March 01, 2013 11:15 AM
This has been solved now.
Combination of SSLv2 + SSLv3 + TLS1.0 + TLS1.1 - works OK
Combination of SSLv2 + SSLv3 + TLS1.0 + TLS1.1 + TLS1.2 - does NOT WORK
If you want to have TLS1.2 enabled you need to disable SSLv2.
It appears to be some sort of IE8 bug.....
Friday, March 01, 2013 11:30 AM
In addition to the above, from the Microsoft blogs:
If TLSv1.2 is enabled, even if you have manually enabled SSLv2 (it's been off-by-default since IE7), the SSLv3+ format handshake will be used.
This was not the case here! IE BUG?
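For anyone reading this thread later: the quoted blog says the SSLv3+ record format should be used for the hello whenever TLS1.2 is on, so the useful check in a capture is which hello format the client actually sent. The following is an added example, not code from any of the posters, that classifies the first record from the client as an SSLv2-compatible CLIENT-HELLO or an SSLv3+/TLS record-layer ClientHello and reports the highest version offered; the two byte strings are constructed samples, not bytes from the trace above.

```python
"""Classify the first record a client sends: SSLv2-compatible
CLIENT-HELLO vs. SSLv3+/TLS record-layer ClientHello."""
import struct

VERSIONS = {
    (2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS1.0",
    (3, 2): "TLS1.1", (3, 3): "TLS1.2", (3, 4): "TLS1.3",
}


def version_name(major: int, minor: int) -> str:
    return VERSIONS.get((major, minor), f"unknown({major}.{minor})")


def classify_client_hello(data: bytes) -> dict:
    """Return the hello format and the client version it advertises."""
    if len(data) < 5:
        raise ValueError("truncated record")
    # SSLv2 framing: 2-byte header with the high bit set, then msg type 0x01
    if data[0] & 0x80 and data[2] == 0x01:
        length = ((data[0] & 0x7F) << 8) | data[1]
        return {"format": "SSLv2", "record_len": length,
                "client_version": version_name(data[3], data[4])}
    # SSLv3+ framing: content type 0x16 (handshake), record version, length
    if data[0] == 0x16:
        rec_major, rec_minor, rec_len = struct.unpack("!BBH", data[1:5])
        body = data[5:5 + rec_len]
        if len(body) < 6 or body[0] != 0x01:
            raise ValueError("handshake record is not a ClientHello")
        return {"format": "SSLv3+",
                "record_version": version_name(rec_major, rec_minor),
                "client_version": version_name(body[4], body[5])}
    raise ValueError("not a ClientHello in either format")


# Constructed sample: SSLv2-format CLIENT-HELLO offering TLS1.0 (31-byte body,
# two cipher specs, empty session id, 16-byte challenge of zeros).
SSLV2_HELLO = (bytes([0x80, 0x1F, 0x01, 0x03, 0x01, 0x00, 0x06, 0x00, 0x00,
                      0x00, 0x10])
               + bytes([0x00, 0x00, 0x2F, 0x00, 0x00, 0x35]) + bytes(16))

# Constructed sample: TLS record (version 3.1) carrying a ClientHello that
# advertises TLS1.2, zero random, two cipher suites, null compression.
TLS12_HELLO = (bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B,
                      0x03, 0x03])
               + bytes(32)
               + bytes([0x00, 0x00, 0x04, 0x00, 0x2F, 0x00, 0x35, 0x01, 0x00]))

if __name__ == "__main__":
    for sample in (SSLV2_HELLO, TLS12_HELLO):
        print(classify_client_hello(sample))
```

Feed it the TCP payload of the first client-to-server segment after the three-way handshake; in the trace quoted in the first post there is no such payload at all, which is exactly the symptom being discussed.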