This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Win7, IE 8, Client Cert Auth with TLSv1.2 enabled NOT WORKING


Hi All,

I am troubleshooting a not-working scenario: we have successful client cert authentication from Win7, IE8 with TLS 1.0 enabled, but as soon as TLS v1.2 is also selected in the Advanced tab of Internet Options the communication is failing.

The client's machine has the client certificate installed, and the root CA is also installed in the Trusted Root store.

The process is as follows (with TLS 1.2 enabled):

  1. Client connects to the SSL server - the initial handshake works fine, and in the ServerHello we can see the certificate request all right.

  2. On the client side there is a pop-up with the list of client certs - the user selects his cert and confirms OK.

  3. At this stage the user gets a "Page cannot be displayed" message in IE. At the same time, looking into the trace and the communication being done from the client, the very strange thing is that there is no "ClientHello" being sent by the client (10.4.103.130).

The initial TCP handshake looks OK, but then the client is finishing the connection instead of starting the SSL handshake by sending a ClientHello...

10.4.103.130    TCP 110     x.15.226.18   49984 > https [SYN] Seq=2509215337 Win=32768 Len=0 MSS=1460 WS=1 TSval=4016368077 TSecr=0 SACK_PERM=1
x.15.226.18     TCP 92      10.4.103.130   https > 49984 [SYN, ACK] Seq=2329522121 Ack=2509215338 Win=8190 Len=0 MSS=1460
10.4.103.130    TCP 86      x.15.226.18   49984 > https [ACK] Seq=2509215338 Ack=2329522122 Win=33580 Len=0
10.4.103.130    TCP 86      x.15.226.18   49984 > https [**FIN, ACK**] Seq=2509215338 Ack=2329522122 Win=33580 Len=0
x.15.226.18     TCP 92      10.4.103.130   https > 49984 [FIN, ACK] Seq=2329522122 Ack=2509215339 Win=35688 Len=0
10.4.103.130    TCP 86      x.15.226.18   49984 > https [ACK] Seq=2509215339 Ack=2329522123 Win=33579 Len=0
This has been checked with a known working user cert and the situation is the same...

Has anyone seen such a behaviour?

What I am thinking is that TLS1.2 is not really enabled on the client machine.

Would this still apply?: http://support.microsoft.com/kb/245030

http://derek858.blogspot.co.uk/2010/06/enable-tls-12-aes-256-and-sha-256-in.html

Thanks for your input.

Andrzej

asked 28 Feb '13, 08:52 by andrus

edited 28 Feb '13, 15:49 by Kurt Knochner ♦


One Answer:


This has been solved now.

Combination of SSLv2 + SSLv3 + TLS1.0 + TLS1.1 - works OK.

Combination of SSLv2 + SSLv3 + TLS1.0 + TLS1.1 + TLS1.2 - does NOT WORK.

If you want to have TLS1.2 enabled you need to disable SSLv2!

It appears to be some sort of IE8 bug...

answered 01 Mar '13, 03:15 by andrus

edited 01 Mar '13, 03:17
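The Advanced-tab checkboxes the answer is toggling are stored as one bitmask, the SecureProtocols DWORD under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings. The following script is an added example, not code from the original post or from the Wireshark project: it decodes that mask, flags the SSLv2 + TLS1.2 combination the answer reports as broken for IE8 client-cert auth, and computes the repaired value. The bit values (SSLv2 = 0x08, SSLv3 = 0x20, TLS1.0 = 0x80, TLS1.1 = 0x200, TLS1.2 = 0x800) are the documented IE SecureProtocols flags; the function names, the "working"/"broken" sample masks and the finding strings are this example's own constructions. Reading the live value uses winreg and only happens on Windows.

```python
"""Decode, check and repair the Internet Explorer SecureProtocols bitmask.

Added example; not from the original Q&A. Bit values are the documented IE
SecureProtocols flags, everything else (names, messages, samples) is ours.
"""
import sys

# Per-user location written by the Internet Options > Advanced checkboxes.
REG_PATH = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
REG_VALUE = "SecureProtocols"

# Documented flag bits of the SecureProtocols DWORD.
PROTOCOL_BITS = {
    "SSLv2": 0x008,
    "SSLv3": 0x020,
    "TLS1.0": 0x080,
    "TLS1.1": 0x200,
    "TLS1.2": 0x800,
}


def decode(mask: int) -> set:
    """Names of the protocols enabled in a SecureProtocols value."""
    return {name for name, bit in PROTOCOL_BITS.items() if mask & bit}


def encode(names) -> int:
    """SecureProtocols value for a collection of protocol names."""
    mask = 0
    for name in names:
        mask |= PROTOCOL_BITS[name]  # KeyError on an unknown name is intended
    return mask


def findings(mask: int) -> list:
    """Problems with a mask, as plain strings (empty list means none found).

    The SSLv2 + TLS1.2 conflict is the combination the answer above reports as
    breaking client-certificate authentication in IE8 on Windows 7.
    """
    enabled = decode(mask)
    problems = []
    if "SSLv2" in enabled and "TLS1.2" in enabled:
        problems.append("SSLv2 and TLS1.2 both enabled: IE8 client-cert auth "
                        "fails with this combination; clear SSLv2")
    if "SSLv2" in enabled:
        problems.append("SSLv2 enabled (prohibited by RFC 6176)")
    return problems


def repaired(mask: int) -> int:
    """Mask with SSLv2 cleared whenever TLS1.2 is enabled; otherwise unchanged."""
    if mask & PROTOCOL_BITS["TLS1.2"]:
        return mask & ~PROTOCOL_BITS["SSLv2"]
    return mask


def read_current_user_mask():
    """Live HKCU value on Windows; None when not on Windows or when the value
    is absent (absent means IE is running with its built-in defaults)."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_PATH) as key:
            value, _type = winreg.QueryValueEx(key, REG_VALUE)
            return int(value)
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # Constructed inputs: the two checkbox combinations from the answer.
    samples = {
        "working": encode({"SSLv2", "SSLv3", "TLS1.0", "TLS1.1"}),           # 0x2A8
        "broken": encode({"SSLv2", "SSLv3", "TLS1.0", "TLS1.1", "TLS1.2"}),  # 0xAA8
        "live": read_current_user_mask(),
    }
    for label, mask in samples.items():
        if mask is None:
            print(f"{label}: {REG_VALUE} not present (IE defaults in use)")
            continue
        print(f"{label}: 0x{mask:X} {sorted(decode(mask))}")
        for problem in findings(mask):
            print("  -", problem)
        if repaired(mask) != mask:
            print(f"  fix: set {REG_VALUE} to 0x{repaired(mask):X}")
```

Run it on the affected machine and compare the "live" line against the two sample masks; the fix it prints for the broken combination (0xAA8 to 0xAA0) is exactly the answer's "disable SSLv2" with TLS1.2 left on. Group Policy can also set the same value under HKLM, in which case the per-user value this script reads is not the effective one.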