KeepSloanWeird
I have researched this one up and down and can't seem to get a 2012 R2 IIS server to respond with a TLS 1.2 handshake. I have run the NARTAC tool to verify all the right protocols and cipher suites are enabled. Using OpenSSL/TestSSL I can get TLS 1.0 and 1.1 to connect, just not 1.2.
Here's the Client Hello coming from the testing system:
Frame 136: 377 bytes on wire (3016 bits), 377 bytes captured (3016 bits) on interface 0
Ethernet II, Src: CiscoInc_07:be:7f (fc:5b:39:07:be:7f), Dst: Vmware_01:02:14 (00:50:56:01:02:14)
Internet Protocol Version 4, Src: 192.168.6.75, Dst: 10.22.163.219
Transmission Control Protocol, Src Port: 35836 (35836), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 311
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 306
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 302
Version: TLS 1.2 (0x0303)
Random
Session ID Length: 0
Cipher Suites Length: 176
Cipher Suites (88 suites)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 85
Extension: ec_point_formats
Extension: elliptic_curves
Extension: SessionTicket TLS
Extension: signature_algorithms
Extension: Heartbeat
Followed by the reset:
137 2.086290 10.22.163.219 192.168.6.75 TCP 54 443 → 35836 [RST, ACK] Seq=1 Ack=312 Win=0 Len=0
Frame 137: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: Vmware_01:02:14 (00:50:56:01:02:14), Dst: IETF-VRRP-VRID_19 (00:00:5e:00:01:19)
Internet Protocol Version 4, Src: 10.22.163.219, Dst: 192.168.6.75
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 35836 (35836), Seq: 1, Ack: 312, Len: 0
Source Port: 443
Destination Port: 35836
[Stream index: 3]
[TCP Segment Len: 0]
Sequence number: 1 (relative sequence number)
Acknowledgment number: 312 (relative ack number)
Header Length: 20 bytes
Flags: 0x014 (RST, ACK)
Window size value: 0
[Calculated window size: 0]
[Window size scaling factor: 256]
Checksum: 0x74ff [validation disabled]
Urgent pointer: 0
[SEQ/ACK analysis]
I've looked through all the theories on cipher mismatches but none of that appears to be the issue.
Thoughts?
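An added example, not part of the original post: a small Python parser for the Client Hello record shown above, run on a constructed sample that mirrors the capture's layout (record version 0x0301, handshake version 0x0303, 88 cipher suites, the same five extensions; the suite codes and extension bodies are placeholder values). It separates the record-layer version, which a client may legitimately leave at TLS 1.0 (0x0301) on its first Client Hello, from the handshake version the server actually negotiates against, so the two version fields in the capture are not a mismatch in themselves; and since the reply is a TCP RST rather than a TLS alert, the server closed the socket without answering at the TLS layer at all.

```python
import struct

# Extension type codes (IANA TLS ExtensionType registry) for the names shown in the capture.
EXT_NAMES = {0x000A: "elliptic_curves", 0x000B: "ec_point_formats", 0x000D: "signature_algorithms",
             0x000F: "Heartbeat", 0x0023: "SessionTicket TLS"}
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def build_sample_client_hello() -> bytes:
    """Constructed sample (not the captured bytes), laid out like the capture: record
    version 0x0301, handshake version 0x0303, 88 cipher suites, five extensions."""
    suites = b"".join(struct.pack("!H", 0xC000 + i) for i in range(88))  # 88 suites = 176 bytes
    ext_list = [(0x000B, b"\x01\x00"), (0x000A, b"\x00\x04\x00\x17\x00\x18"), (0x0023, b""),
                (0x000D, b"\x00\x04\x04\x01\x05\x01"), (0x000F, b"\x01")]
    exts = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in ext_list)
    body = (b"\x03\x03" + bytes(32) + b"\x00"                 # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                     # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = Client Hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record version 0x0301


def parse_client_hello(data: bytes) -> dict:
    """Parse one TLS record carrying a Client Hello; raises on malformed or truncated input."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = (data[1], data[2]), struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + record_len]
    if len(hs) != record_len or hs[:1] != b"\x01":
        raise ValueError("truncated record or not a Client Hello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    hello_version, p = (body[0], body[1]), 2 + 32               # skip the 32-byte random
    p += 1 + body[p]                                             # session id
    cs_len, p = struct.unpack("!H", body[p:p + 2])[0], p + 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + body[p]                                             # compression methods
    exts = []
    if p < len(body):                                            # extensions block is optional
        ext_end, p = p + 2 + struct.unpack("!H", body[p:p + 2])[0], p + 2
        while p < ext_end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            exts.append(EXT_NAMES.get(etype, f"unknown_0x{etype:04x}"))
            p += 4 + elen
    return {"record_version": TLS_VERSIONS.get(record_version, str(record_version)),
            "hello_version": TLS_VERSIONS.get(hello_version, str(hello_version)),
            "cipher_suites": suites, "extensions": exts}
```

Feed it the raw bytes of frame 136's TCP payload (exported from the capture) to get the same breakdown for the real Client Hello.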