IIS 5 & IIS 6
SSL Client hello reset
Last post Sep 12, 2019 12:29 PM by sarafidis
Jun 27, 2019 07:52 AM | sarafidis
I have an IoT device posting data to a web app hosted on IIS 6.2.
Posting with HTTP is working perfectly. When I change it to HTTPS I am getting a handshake error.
Here is the Wireshark communication
and here are the SSL protocols available on the server
I am also attaching a report from SSL Labs
Thanks in advance.
Jun 27, 2019 06:26 PM | lextm
You posted significantly more information in your Stack Overflow question, so don't expect someone here to guess that.
Jul 01, 2019 07:12 AM | sarafidis
Thank you for your research.
Was this significantly more information capable of finding a solution that might help me?
Jul 01, 2019 03:53 PM | Rovastar
I suspect it is your IoT device that doesn't like something with your valid setup.
But I suspect you knew that already.
It is possible that there are clues in the Windows Event log under Security.
Logging everything with the reg setting there might help. Hopefully something will be there. The internal error number should tell you more. Alarm bells ring out if it connects - at best! (How old is this device!!) - with RC4 and over TLS 1.2?! Maybe try running over TLS 1.0 to see if it works; you might get more clues about what works and what does not.
And what does SSLtest say for your IoT device client test?
Compare the server and client results.
It could be the IoT device cannot read the cert correctly or has something incompatible.
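The "reg setting" mentioned in the reply above is the Schannel EventLogging value. As an added example that is not part of the thread, this PowerShell turns on full Schannel logging and reads back the most recent Schannel events from the System log; it assumes an elevated session on the IIS host and that the failing HTTPS post is reproduced after the setting is applied.

```powershell
# Added example, not from the thread: enable full Schannel event logging and read back
# the most recent Schannel events. Run in an elevated PowerShell session on the IIS host.
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# EventLogging is a bit mask: 1 = errors, 2 = warnings, 4 = informational. 7 logs everything.
Set-ItemProperty -Path $schannelKey -Name 'EventLogging' -Value 7 -Type DWord

# Windows may need a reboot before the new logging level is fully applied. The events
# land in the System log under the "Schannel" source. Reproduce the failing HTTPS post
# from the device, then read the events: 36874 = no cipher suite match with the client,
# 36887 = a fatal alert was received from the peer (the alert code is in the message text).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel' } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

The event ID and the alert code in the message distinguish a cipher-suite mismatch from a certificate problem on the client side, which is the split the thread later resolves; once the investigation is over, lower EventLogging back to 1 so the System log is not flooded.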
Sep 12, 2019 12:29 PM | sarafidis
Thank you for your answer and for the late mark as answer, but I was looking at it.
I have enabled the full Schannel log and figured out that the problem is not the cipher suites that are supported by the device and the server. The device offers TLS 1.2 and a couple of suites in common with the server.
What I noticed is that the device works with the same application on Azure with the same SSL certificate and the same security settings, and not with our on-premise server. I also noticed in the SSL Labs report that Azure returns 2 certificates (our certificate and their default self-signed certificate). Our on-premise server returns only our certificate. I have replaced our certificate with a self-signed one from IIS and it worked.
Our certificate chain has an intermediate that requires SHA384, and both our and Azure's self-signed only require SHA1.
Thus I believe the problem is with the certificate chain.
In order to avoid a certificate reissue, I need to ask whether you know if it is possible to add 2 certificates for the same application in IIS 8.5, similar to an Azure web app?
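The post above narrows the failure to the certificate chain, specifically an intermediate signed with SHA-384. As an added example that is not from the thread or from the poster, this PowerShell walks the chain Windows builds for the certificate bound in IIS, prints each element's signature algorithm, and checks that every intermediate is present in the machine's Intermediate Certification Authorities store, since Schannel only sends intermediates it can find there. The thumbprint is a placeholder; run it in an elevated session on the IIS host.

```powershell
# Added example, not from the thread: inspect the chain Windows builds for the IIS server
# certificate and report each element's signature (hash) algorithm.
$thumbprint = '<THUMBPRINT-OF-THE-IIS-BINDING-CERTIFICATE>'   # placeholder, replace before running

$serverCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $serverCert) { throw "Certificate $thumbprint not found in LocalMachine\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Skip revocation so a blocked CRL/OCSP fetch does not mask a chain-building problem.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($serverCert)

# One row per chain element, leaf first. FriendlyName is e.g. sha384RSA, sha256RSA, sha1RSA;
# an old client TLS stack that lacks SHA-384 will reject a chain with a sha384RSA intermediate.
$chain.ChainElements | ForEach-Object {
    [pscustomobject]@{
        Subject      = $_.Certificate.Subject
        Issuer       = $_.Certificate.Issuer
        SignatureAlg = $_.Certificate.SignatureAlgorithm.FriendlyName
        NotAfter     = $_.Certificate.NotAfter
    }
} | Format-Table -AutoSize

if (-not $built) {
    'Chain did not build cleanly:'
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation)" }
}

# Intermediates must be in LocalMachine\CA for Schannel to include them in the handshake;
# a self-issued root (Subject equals Issuer) lives in Root instead and is not sent.
foreach ($element in ($chain.ChainElements | Select-Object -Skip 1)) {
    $c = $element.Certificate
    if ($c.Subject -eq $c.Issuer) { continue }
    $inCaStore = Get-ChildItem -Path Cert:\LocalMachine\CA |
        Where-Object { $_.Thumbprint -eq $c.Thumbprint }
    $state = if ($inCaStore) { 'FOUND  ' } else { 'MISSING' }
    "{0} intermediate '{1}' in LocalMachine\CA" -f $state, $c.Subject
}
```

Comparing this output with the SSL Labs report for the same host shows whether the chain the server actually sends matches the one Windows builds locally; a MISSING intermediate or a signature algorithm the device's TLS library does not implement are the two chain-side causes that fit the symptoms described in the thread.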