SSL Client hello reset [Answered]

4 replies

Last post Sep 12, 2019 12:29 PM by sarafidis

  • SSL Client hello reset

    Jun 27, 2019 07:52 AM|sarafidis

    Hi there,

    I have an IoT device posting data to a web app hosted on IIS 6.2.

    Posting with HTTP is working perfectly. When I change it to HTTPS I am getting a handshake error.

    Here is the Wireshark communication:

    [screenshot: Wireshark capture]

    and here are the SSL protocols available on the server:

    [screenshots: server SSL protocol settings]

    I am also attaching a report from SSL Labs:

    [screenshots: SSL Labs report]

    Any ideas?

    Thanks in advance.

  • Re: SSL Client hello reset

    Jun 27, 2019 06:26 PM|lextm

    You posted significantly more information in your Stack Overflow question, so don't expect that someone here can guess that.

    https://stackoverflow.com/questions/56789501/ssl-client-hello-reset

    Lex Li
    IIS Consulting Services at https://support.lextudio.com/services/consulting.html
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: SSL Client hello reset

    Jul 01, 2019 07:12 AM|sarafidis

    Thank you for your research.

    Was this significantly more information enough to find a solution that might help me?

  • Re: SSL Client hello reset

    Jul 01, 2019 03:53 PM|Rovastar (MVP, Moderator)

    I suspect it is your IoT device that doesn't like something with your valid setup.

    But I suspect you knew that already.

    It is possible that there are clues in the Windows Event log under security.

    https://blogs.technet.microsoft.com/kevinjustin/2017/11/08/schannel-event-logging/

    Logging everything with the reg setting there might help. Hopefully something will be there. The internal error number should tell you more. Alarm bells ring out if it connects - at best! (How old is this device!!) - with RC4 over TLS 1.2?! Maybe try running over TLS 1.0 to see if it works; you might get more clues about what works and what does not.

    And what does SSL test say for your IoT device client test?

    https://dev.ssllabs.com/ssltest/viewMyClient.html

    Compare the server and client results.

    It could be that the IoT device cannot read the cert correctly or has something incompatible.

    Troubleshoot IIS in style
    https://www.leansentry.com/
  • Re: SSL Client hello reset

    Sep 12, 2019 12:29 PM|sarafidis

    Hi Rovastar,

    Thank you for your answer, and sorry for the late mark as answer, but I was looking at it.

    I have enabled the full Schannel log and figured out that the problem is not the cipher suites that are supported by the device and the server. The device offers TLS 1.2 and a couple of suites in common with the server.

    What I noticed is that the device works with the same application on Azure, with the same SSL certificate and the same security settings, and not with our on-premise server. I also noticed in the SSL Labs report that Azure returns 2 certificates (our certificate and their default self-signed certificate). Our on-premise server returns only our certificate. I changed our certificate to a self-signed one from IIS and it worked.

    Our certificate chain has an intermediate that requires SHA384, and both our and Azure's self-signed certificates only require SHA1.

    Thus I believe the problem is with the certificate chain.

    In order to avoid a certificate reissue, I need to ask if you know whether it is possible to add 2 certificates for the same application in IIS 8.5, similar to an Azure web app?

    Thanks in advance.
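The diagnosis reached in the last post (an intermediate signed with SHA384, a device that gets a reset right after its ClientHello, and a self-signed certificate that works) plus Rovastar's remark about RC4 can both be checked from the capture itself. The Python below is an added example, not code from this thread or from IIS/Schannel: it builds a constructed TLS 1.2 ClientHello, parses out the version, the cipher suites and the signature_algorithms extension (RFC 5246 section 7.4.1.4.1), and reports which signature algorithms used in a server's chain the client never advertised. The hello bytes, the cipher suite list and the two chain descriptions are constructed assumptions, not the device's real handshake.

```python
import struct

# Names for the handful of codepoints this example uses (IANA TLS registries).
SIGALG_NAMES = {
    (0x02, 0x01): "rsa_pkcs1_sha1",
    (0x04, 0x01): "rsa_pkcs1_sha256",
    (0x05, 0x01): "rsa_pkcs1_sha384",
    (0x06, 0x01): "rsa_pkcs1_sha512",
    (0x04, 0x03): "ecdsa_secp256r1_sha256",
    (0x05, 0x03): "ecdsa_secp384r1_sha384",
}
CIPHER_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
EXT_SIGNATURE_ALGORITHMS = 0x000D


def build_client_hello(cipher_suites, sigalgs, version=(3, 3)):
    """Assemble a TLS record carrying a ClientHello (RFC 5246 7.4.1.2).
    Constructed for the example so the parser can run offline."""
    body = bytes(version) + b"\x11" * 32 + b"\x00"  # version, random, empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"  # one compression method: null
    sa = b"".join(bytes(pair) for pair in sigalgs)
    ext = struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(sa) + 2)
    ext += struct.pack("!H", len(sa)) + sa
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the fields a handshake-failure investigation cares about
    from a single TLS record holding a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4  # skip handshake type and 3-byte length
    version = (hs[p], hs[p + 1]); p += 2
    p += 32  # client random
    sid_len = hs[p]; p += 1 + sid_len
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    comp_len = hs[p]; p += 1 + comp_len
    sigalgs = []
    if p < len(hs):  # extensions are optional
        ext_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
        end = p + ext_len
        while p < end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
            if etype == EXT_SIGNATURE_ALGORITHMS:
                n = struct.unpack("!H", hs[p:p + 2])[0]
                data = hs[p + 2:p + 2 + n]
                sigalgs = [(data[i], data[i + 1]) for i in range(0, n, 2)]
            p += elen
    return {"version": version, "cipher_suites": suites, "sigalgs": sigalgs}


def chain_gaps(hello, chain_sigalgs):
    """Signature algorithms used in the server's chain that the client did not
    list in signature_algorithms. A TLS 1.2 server is expected to send only
    a chain the client can accept; an empty list means the chain is not the
    reason for a failure, a non-empty one names the offending signature."""
    offered = set(hello["sigalgs"])
    return [SIGALG_NAMES.get(a, str(a)) for a in chain_sigalgs if a not in offered]


def weak_suites(hello):
    """Cipher suites the client offers that a server should not accept (RC4)."""
    return [CIPHER_NAMES[s] for s in hello["cipher_suites"]
            if "RC4" in CIPHER_NAMES.get(s, "")]


# Constructed device hello: TLS 1.2, three suites including RC4, and only
# SHA256/SHA1 RSA signature algorithms (an assumption, not the real device).
DEVICE_HELLO = parse_client_hello(build_client_hello(
    [0xC02F, 0x002F, 0x0005], [(0x04, 0x01), (0x02, 0x01)]))
# Constructed chain descriptions: how each certificate in the chain is signed.
CA_CHAIN = [(0x04, 0x01), (0x05, 0x01)]   # leaf signed SHA256, intermediate SHA384
SELF_SIGNED_CHAIN = [(0x02, 0x01)]        # single self-signed cert, SHA1

if __name__ == "__main__":
    print("client version", DEVICE_HELLO["version"])
    print("weak suites", weak_suites(DEVICE_HELLO))
    print("CA chain gaps", chain_gaps(DEVICE_HELLO, CA_CHAIN))
    print("self-signed gaps", chain_gaps(DEVICE_HELLO, SELF_SIGNED_CHAIN))
```

To use it on the real capture, export the bytes of the ClientHello record from Wireshark and pass them to parse_client_hello in place of the constructed record. A result like ["rsa_pkcs1_sha384"] from chain_gaps means the chain's intermediate signature is one the device never advertised, which matches the pattern in the thread where the self-signed certificate worked and the CA-issued chain did not; an empty result points the investigation elsewhere (Schannel event log, cipher suite order, certificate size).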