

I am running some small websites which are served by Apache / Linux. Currently, I am trying to cut down the SSL configuration as far as possible to make it as secure as possible. I have configured Apache so that it only allows TLS 1.2 and only ciphers with DHE or ECDHE key exchange.

But Internet Explorer 11 (running under Windows 7 x64) in standard configuration is not able to connect to any of these websites. Firefox and Chrome in the newest versions (as of the time of this writing) connect perfectly to the websites on this server.

Wireshark captures show that IE in its first client hello tries TLS 1.2, shows its ciphers to the server and so on, and that the server's answer is correct, including the cipher chosen. Then, seemingly for no reason, IE restarts and sends a new client hello, this time using TLS 1.0, which of course fails and makes IE think that it can't connect to the website.

Could there be a bug in IE which makes it try the wrong protocol after the right protocol has already been successfully established? A bug which possibly only occurs if the server ONLY provides TLS 1.2 (which is probably quite uncommon)?

Check whether you are using an MD5 certificate or not, since Internet Explorer 9/10/11 and Edge abort the connection if the server provides a certificate chain which uses the MD5 algorithm, as mentioned at the end of this blog:

"If the server negotiates a TLS 1.2 connection with a Windows 7 or 8 schannel.dll-using client application, and it provides a certificate chain which uses the (weak) MD5 hash algorithm, the client will abort the connection (TCP/IP FIN) upon receipt of the certificate."

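The check the answer recommends can be done without a Wireshark capture by reading the signatureAlgorithm OID out of every certificate the server sends. The following is an added example written for this page, not code from the question, the answer, or the blog the answer cites. It walks the DER structure of an X.509 certificate with the standard library only (no `cryptography` package), classifies the signature OID, and reports whether any certificate in the chain is MD5-signed. The OID table is from RFC 3279 / 4055 / 5758. The "certificates" used for the self-test are constructed placeholders that carry only a valid outer structure and signatureAlgorithm; they are not real certificates and would not verify. `server_leaf_signature` fetches a live server's leaf certificate, which is all `ssl.get_server_certificate` returns, so the intermediates should be audited from the chain file Apache serves (the file named by `SSLCertificateChainFile`, or the extra certificates appended to `SSLCertificateFile`).

```python
import base64
import ssl

# Signature-algorithm OIDs (RFC 3279 / 4055 / 5758) -> (name, signs with MD5?)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}


def _read_tlv(buf, pos):
    # One DER tag-length-value at buf[pos] -> (tag, value bytes, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    # DER OID content -> dotted string; first byte packs two arcs, rest are base-128 groups.
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_oid(der_cert):
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, body, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)      # skip tbsCertificate
    _, alg, _ = _read_tlv(body, pos)    # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(oid)


def audit_chain(der_certs):
    # [(index, algorithm name, uses_md5)] for every certificate the server would send.
    out = []
    for i, der in enumerate(der_certs):
        oid = signature_oid(der)
        name, uses_md5 = SIGNATURE_OIDS.get(oid, (oid, False))
        out.append((i, name, uses_md5))
    return out


def chain_uses_md5(der_certs):
    # True if any certificate in the chain is MD5-signed: the condition that makes IE/Edge abort.
    return any(uses_md5 for _, _, uses_md5 in audit_chain(der_certs))


def pem_chain_to_der(pem_text):
    # Split a PEM bundle (e.g. the file behind Apache's SSLCertificateChainFile) into DER certs.
    ders, current = [], None
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            current = []
        elif line == "-----END CERTIFICATE-----" and current is not None:
            ders.append(base64.b64decode("".join(current)))
            current = None
        elif current is not None:
            current.append(line)
    return ders


def server_leaf_signature(host, port=443):
    # Live check of the leaf only (ssl.get_server_certificate returns just the leaf);
    # audit the intermediates from the chain file with pem_chain_to_der.
    pem = ssl.get_server_certificate((host, port))
    return audit_chain([ssl.PEM_cert_to_DER_cert(pem)])[0]


# Constructed test data, not real certificates: just enough DER to carry a signatureAlgorithm.
def _tlv(tag, content):
    assert len(content) < 0x80  # short-form length is enough for these tiny structures
    return bytes([tag, len(content)]) + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def constructed_cert(sig_oid):
    # Certificate-shaped DER with a dummy tbsCertificate; only signatureAlgorithm is meaningful.
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 17))
```

Usage against a real deployment: `chain_uses_md5(pem_chain_to_der(open("/etc/ssl/chain.pem").read()))` (path assumed) for the intermediates, and `server_leaf_signature("www.example.com")` for the leaf as the server actually presents it. Constructing `[constructed_cert("1.2.840.113549.1.1.11"), constructed_cert("1.2.840.113549.1.1.4")]` and passing it to `audit_chain` shows the failure mode from the answer: the leaf is fine, but an MD5-signed intermediate is enough to trip the abort, which is why only the leaf is not sufficient to check.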