X
Tap here to go to the mobile version of the site.

Support Forum

"Security Connection Failed" when connecting to IIS web server over HTTPS that only has TLS 1.2 enabled

Posted

Using Firefox 62.0.2 in Windows 10. Trying to connect to our IIS webserver that only has TLS 1.2 enabled but encounter the following error:

"Secure Connection Failed. The connection to the sever was reset while the page was loading"

If I enabled TLS 1.1, TLS 1.0 on the server, the connection via TLS 1.2 works fine. Chrome and IE browser don't have this issue and can connect when TLS 1.2 is exclusively enabled.

Our security group frowns on enabling TLS 1.1 / TLS 1.0. Please advise on how to get TLS 1.2 (exclusive) working with latest Firefox for Windows 10.

Using Firefox 62.0.2 in Windows 10. Trying to connect to our IIS webserver that only has TLS 1.2 enabled but encounter the following error: "Secure Connection Failed. The connection to the sever was reset while the page was loading" If I enabled TLS 1.1, TLS 1.0 on the server, the connection via TLS 1.2 works fine. Chrome and IE browser don't have this issue and can connect when TLS 1.2 is exclusively enabled. Our security group frowns on enabling TLS 1.1 / TLS 1.0. Please advise on how to get TLS 1.2 (exclusive) working with latest Firefox for Windows 10.

Additional System Details

Application

  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

More Information

AnnaSycamore 8 solutions 95 answers

Helpful Reply

What version of IIS server you use? It's TLS 1.2 enabled on your server? On the other side this error may occur due to a certificate issue. It's your certificate ok ? (configuration, validity, authority) You can verify it at: https://www.ssllabs.com/ Hope this help!

What version of IIS server you use? It's TLS 1.2 enabled on your server? On the other side this error may occur due to a certificate issue. It's your certificate ok ? (configuration, validity, authority) You can verify it at: https://www.ssllabs.com/ Hope this help!

Question owner

IIS 7.5

Cert is fine in Chrome / IE, not Firefox.

Attaching screen shot of TLS configuration on server that causes HTTPS connection error in Firefox.

IIS 7.5 Cert is fine in Chrome / IE, not Firefox. Attaching screen shot of TLS configuration on server that causes HTTPS connection error in Firefox.
AnnaSycamore 8 solutions 95 answers

Helpful Reply

Try this Firefox

1. In the address bar, type “about:config” and hit enter.

2. In the “Search” field, enter TLS. Find and double-click the entry for "security.tls.version.min"

3. Set the integer value to “2” to force a minimum protocol of TLS 1.1 (entering "3" would force TLS 1.2).

4. This configuration will now show the new value and will take effect immediately (don’t forget to clear your cache).

Hope this help! Let's me know if work!

Try this Firefox 1. In the address bar, type “about:config” and hit enter. 2. In the “Search” field, enter TLS. Find and double-click the entry for "security.tls.version.min" 3. Set the integer value to “2” to force a minimum protocol of TLS 1.1 (entering "3" would force TLS 1.2). 4. This configuration will now show the new value and will take effect immediately (don’t forget to clear your cache). Hope this help! Let's me know if work!

Question owner

old (Secure Connection Failed) security.tls.min = 1 security.tls.max = 4

new (Secure Connection Failed) security.tls.min = 3 security.tls.max = 4

old (Secure Connection Failed) security.tls.min = 1 security.tls.max = 4 new (Secure Connection Failed) security.tls.min = 3 security.tls.max = 4
AnnaSycamore 8 solutions 95 answers

But what happened if you maintain TLS 1.1 not 1.0? (change min to 2 check 1.1) just a suggestion Another idea: On windows search Internet Options Click advanced and disable TL1.0 1.1

But what happened if you maintain TLS 1.1 not 1.0? (change min to 2 check 1.1) just a suggestion Another idea: On windows search Internet Options Click advanced and disable TL1.0 1.1

Modified by AnnaSycamore

Question owner

Disabled TLS 1.0 / TLS 1.1 in Internet Options / Advanced. Still can't connect over HTTPS. Does Firefox have any advanced logging that will log the TLS handshake?

Disabled TLS 1.0 / TLS 1.1 in Internet Options / Advanced. Still can't connect over HTTPS. Does Firefox have any advanced logging that will log the TLS handshake?
jscher2000
  • Top 10 Contributor
8199 solutions 67058 answers

Wow, that Nartac software looks really interesting.

So if I set Firefox to use ONLY TLS 1.2 and then use the following test page --

https://www.ssllabs.com/ssltest/viewMyClient.html

-- I get the following list of ciphers. It's hard to match up with the Nartac screenshot. Some parts seem obvious, but other parts aren't (ECDH vs. ECDHE key exchange the same? the third part of the block cipher, CBC/GCM?).

Cipher Suites (in order of preference)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK

What would be helpful is if you could get IIS/Nartac to display a list of the acceptable ciphers with all the bits and pieces assembled in a similar format rather than with individual checkboxes, since some of those might not actually be compatible/combined with one another.

The https://www.ssllabs.com/ssltest/ tool does that, but it probably can't run against internal servers because it's a webapp.

As a point of reference, what cipher do other browsers use when connecting to the site?

Wow, that Nartac software looks really interesting. So if I set Firefox to use ONLY TLS 1.2 and then use the following test page -- https://www.ssllabs.com/ssltest/viewMyClient.html -- I get the following list of ciphers. It's hard to match up with the Nartac screenshot. Some parts seem obvious, but other parts aren't (ECDH vs. ECDHE key exchange the same? the third part of the block cipher, CBC/GCM?). <pre>Cipher Suites (in order of preference) TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) TLS_ECDHE_'''RSA_WITH_AES_128'''_GCM_'''SHA256''' (0xc02f) TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) TLS_ECDHE_'''RSA_WITH_AES_256'''_GCM_'''SHA384''' (0xc030) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) TLS_ECDHE_'''RSA_WITH_AES_128'''_CBC_'''SHA''' (0xc013) TLS_ECDHE_'''RSA_WITH_AES_256'''_CBC_'''SHA''' (0xc014) TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK </pre> What would be helpful is if you could get IIS/Nartac to display a list of the acceptable ciphers with all the bits and pieces assembled in a similar format rather than with individual checkboxes, since some of those might not actually be compatible/combined with one another. The https://www.ssllabs.com/ssltest/ tool does that, but it probably can't run against internal servers because it's a webapp. As a point of reference, what cipher do other browsers use when connecting to the site?
AnnaSycamore 8 solutions 95 answers

Try to disable MD5 and SHA Disable Null cipher if enabled

Try to disable MD5 and SHA Disable Null cipher if enabled

Question owner

Turned off MD5 and SHA on the server and tried again to connect via HTTPS on client : "Secure Connection Failed"

However, I did run fiddler this time and capture the following trace:

A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

Version: 3.3 (TLS/1.2) Random: 23 80 F2 C9 F9 B8 00 1F A3 2D B4 19 C5 6F 24 FC 20 75 55 23 6E 6B 6A E4 20 98 E6 8F 16 C0 C6 F0 "Time": 5/13/2077 1:28:51 AM SessionID: 7D FD EF B8 B1 69 69 88 2B 58 0C 25 EA 59 7D 79 99 0E 63 86 F4 5F C9 AD CD 65 4B DA F0 B0 76 66 Extensions: server_name devworkflowweb.foo.com extended_master_secret empty renegotiation_info 00 elliptic_curves unknown [0x1D), secp256r1 [0x17], secp384r1 [0x18], secp521r1 [0x19], unknown [0x100), unknown [0x101) ec_point_formats uncompressed [0x0] SessionTicket empty ALPN h2, http/1.1 status_request OCSP - Implicit Responder 0x0033 00 69 00 1D 00 20 F5 9D 57 58 8F 9E 6C BE 55 0D AC 40 AC A3 F2 BA 9B 0B BF A2 D4 77 7C 60 98 80 BD 98 0B 3E 13 63 00 17 00 41 04 CF 9E AB E7 70 C3 CE AB 08 7D E0 AA 6A B3 7F E9 32 14 E1 A1 EF 03 EC 4F 0E F9 72 8B D1 7E 28 3E BE 65 0D 7A 50 EF 27 C3 64 1E A6 3D 2E 0B 71 9C 00 59 0C 44 11 BD 2A 0B 32 81 CD 25 4E 70 92 A0 0x002b 04 7F 1C 03 03 signature_algs sha256_ecdsa, sha384_ecdsa, sha512_ecdsa, Unknown[0x8]_Unknown[0x4], Unknown[0x8]_Unknown[0x5], Unknown[0x8]_Unknown[0x6], sha256_rsa, sha384_rsa, sha512_rsa, sha1_ecdsa, sha1_rsa 0x002d 01 01 0x001c 40 01 padding 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Ciphers: [1301] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/ [1303] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/ [1302] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/ [C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 [C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [CCA9] TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 [CCA8] TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 [C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 [C030] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA [C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA [C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA [C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA [0033] TLS_DHE_RSA_WITH_AES_128_SHA [0039] TLS_DHE_RSA_WITH_AES_256_SHA [002F] TLS_RSA_AES_128_SHA [0035] TLS_RSA_AES_256_SHA [000A] SSL_RSA_WITH_3DES_EDE_SHA

Compression: [00] NO_COMPRESSION

Turned off MD5 and SHA on the server and tried again to connect via HTTPS on client : "Secure Connection Failed" However, I did run fiddler this time and capture the following trace: A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below. Version: 3.3 (TLS/1.2) Random: 23 80 F2 C9 F9 B8 00 1F A3 2D B4 19 C5 6F 24 FC 20 75 55 23 6E 6B 6A E4 20 98 E6 8F 16 C0 C6 F0 "Time": 5/13/2077 1:28:51 AM SessionID: 7D FD EF B8 B1 69 69 88 2B 58 0C 25 EA 59 7D 79 99 0E 63 86 F4 5F C9 AD CD 65 4B DA F0 B0 76 66 Extensions: server_name devworkflowweb.foo.com extended_master_secret empty renegotiation_info 00 elliptic_curves unknown [0x1D), secp256r1 [0x17], secp384r1 [0x18], secp521r1 [0x19], unknown [0x100), unknown [0x101) ec_point_formats uncompressed [0x0] SessionTicket empty ALPN h2, http/1.1 status_request OCSP - Implicit Responder 0x0033 00 69 00 1D 00 20 F5 9D 57 58 8F 9E 6C BE 55 0D AC 40 AC A3 F2 BA 9B 0B BF A2 D4 77 7C 60 98 80 BD 98 0B 3E 13 63 00 17 00 41 04 CF 9E AB E7 70 C3 CE AB 08 7D E0 AA 6A B3 7F E9 32 14 E1 A1 EF 03 EC 4F 0E F9 72 8B D1 7E 28 3E BE 65 0D 7A 50 EF 27 C3 64 1E A6 3D 2E 0B 71 9C 00 59 0C 44 11 BD 2A 0B 32 81 CD 25 4E 70 92 A0 0x002b 04 7F 1C 03 03 signature_algs sha256_ecdsa, sha384_ecdsa, sha512_ecdsa, Unknown[0x8]_Unknown[0x4], Unknown[0x8]_Unknown[0x5], Unknown[0x8]_Unknown[0x6], sha256_rsa, sha384_rsa, sha512_rsa, sha1_ecdsa, sha1_rsa 0x002d 01 01 0x001c 40 01 padding 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Ciphers: [1301] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/ [1303] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/ [1302] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/ [C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 [C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [CCA9] TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 [CCA8] TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 [C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 [C030] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA [C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA [C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA [C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA [0033] TLS_DHE_RSA_WITH_AES_128_SHA [0039] TLS_DHE_RSA_WITH_AES_256_SHA [002F] TLS_RSA_AES_128_SHA [0035] TLS_RSA_AES_256_SHA [000A] SSL_RSA_WITH_3DES_EDE_SHA Compression: [00] NO_COMPRESSION
AnnaSycamore 8 solutions 95 answers

signature_algs sha256_ecdsa, sha384_ecdsa, sha512_ecdsa, Unknown[0x8]_Unknown[0x4], Unknown[0x8]_Unknown[0x5], Unknown[0x8]_Unknown[0x6], sha256_rsa, sha384_rsa, sha512_rsa, sha1_ecdsa, sha1_rsa

you disabled md5 Is considered not secure But your certificate use md5 signature? If yes here could be the problem. you say Cert is fine in Chrome / IE, not Firefox. when you capture traffic of a successful connection what fiddler capture?

hope this help

signature_algs sha256_ecdsa, sha384_ecdsa, sha512_ecdsa, Unknown[0x8]_Unknown[0x4], Unknown[0x8]_Unknown[0x5], Unknown[0x8]_Unknown[0x6], sha256_rsa, sha384_rsa, sha512_rsa, sha1_ecdsa, sha1_rsa you disabled md5 Is considered not secure But your certificate use md5 signature? If yes here could be the problem. you say Cert is fine in Chrome / IE, not Firefox. when you capture traffic of a successful connection what fiddler capture? hope this help

Modified by AnnaSycamore

AnnaSycamore 8 solutions 95 answers

when you have a successful connection what fiddler capture? Try to compare

when you have a successful connection what fiddler capture? Try to compare

Modified by AnnaSycamore

jscher2000
  • Top 10 Contributor
8199 solutions 67058 answers

Does the server respond with its preferred set of ciphers? Maybe not with Firefox but with another browser...

Does the server respond with its preferred set of ciphers? Maybe not with Firefox but with another browser...

Question owner

Using HTTPS / TLS 1.2 exclusive, I connected to the same server with IE 11. Here is the fiddler dump:

A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

Version: 3.3 (TLS/1.2) Random: 5B B6 2F E9 08 9F F2 25 6E FC B0 76 16 F0 50 06 04 9C B8 BF 8C 8D 0B 80 C4 B1 C5 BF 65 EA CD 29 "Time": 12/21/2093 1:16:43 AM SessionID: empty Extensions: server_name devworkflowweb.foo.com status_request OCSP - Implicit Responder elliptic_curves unknown [0x1D), secp256r1 [0x17], secp384r1 [0x18] ec_point_formats uncompressed [0x0] signature_algs sha256_rsa, sha384_rsa, sha1_rsa, sha256_ecdsa, sha384_ecdsa, sha1_ecdsa, sha1_dsa, sha512_rsa, sha512_ecdsa SessionTicket empty ALPN h2, http/1.1 extended_master_secret empty 0x0018 00 10 03 02 01 00 renegotiation_info 00 Ciphers: [C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 [C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 [C030] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [C024] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 [C023] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 [C028] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 [C027] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 [C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA [C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA [C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA [C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA [009D] TLS_RSA_WITH_AES_256_GCM_SHA384 [009C] TLS_RSA_WITH_AES_128_GCM_SHA256 [003D] TLS_RSA_WITH_AES_256_CBC_SHA256 [003C] TLS_RSA_WITH_AES_128_CBC_SHA256 [0035] TLS_RSA_AES_256_SHA [002F] TLS_RSA_AES_128_SHA [000A] SSL_RSA_WITH_3DES_EDE_SHA

Compression: [00] NO_COMPRESSION

Using HTTPS / TLS 1.2 exclusive, I connected to the same server with IE 11. Here is the fiddler dump: A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below. Version: 3.3 (TLS/1.2) Random: 5B B6 2F E9 08 9F F2 25 6E FC B0 76 16 F0 50 06 04 9C B8 BF 8C 8D 0B 80 C4 B1 C5 BF 65 EA CD 29 "Time": 12/21/2093 1:16:43 AM SessionID: empty Extensions: server_name devworkflowweb.foo.com status_request OCSP - Implicit Responder elliptic_curves unknown [0x1D), secp256r1 [0x17], secp384r1 [0x18] ec_point_formats uncompressed [0x0] signature_algs sha256_rsa, sha384_rsa, sha1_rsa, sha256_ecdsa, sha384_ecdsa, sha1_ecdsa, sha1_dsa, sha512_rsa, sha512_ecdsa SessionTicket empty ALPN h2, http/1.1 extended_master_secret empty 0x0018 00 10 03 02 01 00 renegotiation_info 00 Ciphers: [C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 [C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 [C030] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [C024] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 [C023] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 [C028] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 [C027] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 [C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA [C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA [C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA [C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA [009D] TLS_RSA_WITH_AES_256_GCM_SHA384 [009C] TLS_RSA_WITH_AES_128_GCM_SHA256 [003D] TLS_RSA_WITH_AES_256_CBC_SHA256 [003C] TLS_RSA_WITH_AES_128_CBC_SHA256 [0035] TLS_RSA_AES_256_SHA [002F] TLS_RSA_AES_128_SHA [000A] SSL_RSA_WITH_3DES_EDE_SHA Compression: [00] NO_COMPRESSION
jscher2000
  • Top 10 Contributor
8199 solutions 67058 answers

The list of ciphers sent by IE is very different from Firefox's. Presumably the server connects to IE using one of the ciphers that isn't on Firefox's list. That's all I can say at this point.

The list of ciphers sent by IE is very different from Firefox's. Presumably the server connects to IE using one of the ciphers that isn't on Firefox's list. That's all I can say at this point.
AnnaSycamore 8 solutions 95 answers

Hello, Considering my last reply You can try to disable MD5 and re-enable SHA Let's me know if work !

Hello, Considering my last reply You can try to disable MD5 and re-enable SHA Let's me know if work !

Modified by AnnaSycamore

AnnaSycamore 8 solutions 95 answers

My last reply is wrong Sorry!

My last reply is wrong Sorry!

Question owner

Here is server hello from IE11 / Fiddler:

HTTP/1.0 200 Connection Established FiddlerGateway: Direct StartTime: 13:55:35.564 Connection: close

This is a CONNECT tunnel, through which encrypted HTTPS traffic flows. To view the encrypted sessions inside this tunnel, enable the Tools > Options > HTTPS > Decrypt HTTPS traffic option.

A SSLv3-compatible ServerHello handshake was found. Fiddler extracted the parameters below.

Version: 3.3 (TLS/1.2) SessionID: D3 31 00 00 A7 9B 1A 22 5F 00 30 20 63 12 08 46 FF CF 66 55 C2 25 23 B5 E0 99 FC C2 AE D3 F7 1D Random: 5B B6 62 27 18 8C AB 92 12 5F F4 43 7B 9D C8 91 59 4A 2B 0F E7 F1 95 F6 E5 75 29 84 77 A5 96 F9 Cipher: TLS_RSA_WITH_AES_256_GCM_SHA384 [0x009D] CompressionSuite: NO_COMPRESSION [0x00] Extensions: status_request (OCSP-stapling) empty extended_master_secret empty renegotiation_info 00

Here is server hello from IE11 / Fiddler: HTTP/1.0 200 Connection Established FiddlerGateway: Direct StartTime: 13:55:35.564 Connection: close This is a CONNECT tunnel, through which encrypted HTTPS traffic flows. To view the encrypted sessions inside this tunnel, enable the Tools > Options > HTTPS > Decrypt HTTPS traffic option. A SSLv3-compatible ServerHello handshake was found. Fiddler extracted the parameters below. Version: 3.3 (TLS/1.2) SessionID: D3 31 00 00 A7 9B 1A 22 5F 00 30 20 63 12 08 46 FF CF 66 55 C2 25 23 B5 E0 99 FC C2 AE D3 F7 1D Random: 5B B6 62 27 18 8C AB 92 12 5F F4 43 7B 9D C8 91 59 4A 2B 0F E7 F1 95 F6 E5 75 29 84 77 A5 96 F9 Cipher: TLS_RSA_WITH_AES_256_GCM_SHA384 [0x009D] CompressionSuite: NO_COMPRESSION [0x00] Extensions: status_request (OCSP-stapling) empty extended_master_secret empty renegotiation_info 00
jscher2000
  • Top 10 Contributor
8199 solutions 67058 answers

> Here is server hello from IE11 / Fiddler: ... > TLS_RSA_WITH_AES_256_GCM_SHA384

That's not one of the ones Firefox supports when I check on

https://www.ssllabs.com/ssltest/viewMyClient.html

Maybe this is a limitation of IIS or your version of Windows Server?

> Here is server hello from IE11 / Fiddler: ... > TLS_RSA_WITH_AES_256_GCM_SHA384 That's not one of the ones Firefox supports when I check on https://www.ssllabs.com/ssltest/viewMyClient.html Maybe this is a limitation of IIS or your version of Windows Server?

Question owner

How do you map the ssl labs cipher suites to Nartac Ciphers?

How do you map the ssl labs cipher suites to Nartac Ciphers?
jscher2000
  • Top 10 Contributor
8199 solutions 67058 answers

There must be a way to generate the ciphers in a list format similar to what you see in Client Hello. My knowledge of IIS and Windows Server is limited, however.

There must be a way to generate the ciphers in a list format similar to what you see in Client Hello. My knowledge of IIS and Windows Server is limited, however.