
I am facing the same problem as stated in "Server sends RST after receiving Client Hello when binding certain certificate" when I try to authenticate to an AD (Active Directory) server over TLSv1.2. The Wireshark capture is the same as the one posted in that question, and the 'Client Hello' uses the following signature algorithms.

Extension: signature_algorithms
Type: signature_algorithms (0x000d)
Length: 22
Signature Hash Algorithms Length: 20
Signature Hash Algorithms (10 algorithms)
    Signature Hash Algorithm: 0x0603
        Signature Hash Algorithm Hash: SHA512 (6)
        Signature Hash Algorithm Signature: ECDSA (3)
    Signature Hash Algorithm: 0x0601
        Signature Hash Algorithm Hash: SHA512 (6)
        Signature Hash Algorithm Signature: RSA (1)
    Signature Hash Algorithm: 0x0503
        Signature Hash Algorithm Hash: SHA384 (5)
        Signature Hash Algorithm Signature: ECDSA (3)
    Signature Hash Algorithm: 0x0501
        Signature Hash Algorithm Hash: SHA384 (5)
        Signature Hash Algorithm Signature: RSA (1)
    Signature Hash Algorithm: 0x0403
        Signature Hash Algorithm Hash: SHA256 (4)
        Signature Hash Algorithm Signature: ECDSA (3)
    Signature Hash Algorithm: 0x0401
        Signature Hash Algorithm Hash: SHA256 (4)
        Signature Hash Algorithm Signature: RSA (1)
    Signature Hash Algorithm: 0x0402
        Signature Hash Algorithm Hash: SHA256 (4)
        Signature Hash Algorithm Signature: DSA (2)
    Signature Hash Algorithm: 0x0203
        Signature Hash Algorithm Hash: SHA1 (2)
        Signature Hash Algorithm Signature: ECDSA (3)
    Signature Hash Algorithm: 0x0201
        Signature Hash Algorithm Hash: SHA1 (2)
        Signature Hash Algorithm Signature: RSA (1)
    Signature Hash Algorithm: 0x0202
        Signature Hash Algorithm Hash: SHA1 (2)
        Signature Hash Algorithm Signature: DSA (2)

How can I see the list of certificates available on the Active Directory server that AD could use for its TLSv1.2 'Server Hello'?

  • The supported TLS versions are not determined by the certificate. – Greg Askew May 11 '20 at 11:45
  • I agree, but where can I find the list of possible certificates that could be used by the AD server during the 'ServerHello'? – DIPESH DHAMELIYA May 11 '20 at 12:43
  • There should not be a list; usually there is only one certificate. It's in the same location as on any other Windows system: in the machine's Personal store in certlm.msc. – Greg Askew May 11 '20 at 12:49
  • So you are saying that the AD server only uses that one certificate? What if the Personal store is empty? Could that be the reason for the RST sent by AD? – DIPESH DHAMELIYA May 11 '20 at 12:57
  • Yes, it would. You can't have a secure connection without a certificate. – Greg Askew May 11 '20 at 13:01
  • Thanks for your reply. My next question may be silly, but there is no proper answer available for it. Does the AD server require a restart after adding a certificate to the Personal store? Is there any specific procedure for adding a certificate? – DIPESH DHAMELIYA May 11 '20 at 13:03
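
The comment thread points at the machine's Personal store in certlm.msc. The following PowerShell is an added example (it is not from the question or from either commenter) that enumerates, on the domain controller itself, every certificate Schannel could present for a TLS 1.2 server handshake on LDAPS and flags whether each one is actually usable: it has a private key, is not expired, carries the Server Authentication EKU (or no EKU at all), and names the DC. It assumes an elevated PowerShell session on the DC, a placeholder `$DcFqdn` that you replace with the real name clients connect to, and that the NTDS service certificate store is reachable through the .NET X509Store API under the store name `NTDS\MY` (the DC's NTDS service store, which Schannel on a DC consults before the machine Personal store). An empty "Usable" column explains a handshake that dies right after the Client Hello: the server has nothing to put in its Server Hello / Certificate message.

```powershell
# Added example, not from the question or comments: list certificates a domain
# controller's Schannel could pick for the TLS 1.2 ServerHello on LDAPS (636/3269).
# Assumptions: elevated PowerShell on the DC; $DcFqdn is a placeholder for the name
# clients connect to; the NTDS service store is opened as 'NTDS\MY' (LocalMachine).
$DcFqdn = 'dc01.corp.example'   # hypothetical, replace with the real DC FQDN

# OID for the Server Authentication extended key usage.
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'

function Get-CandidateServerCerts {
    param([Parameter(Mandatory)][string]$Fqdn)

    # Stores Schannel consults on a DC: the NTDS service store, then machine Personal.
    $stores = @(
        @{ Name = 'NTDS\MY'; Label = 'NTDS service store (NTDS\Personal)' },
        @{ Name = 'MY';      Label = 'Machine Personal store (certlm.msc)' }
    )

    foreach ($s in $stores) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($s.Name, 'LocalMachine')
        try {
            $store.Open('ReadOnly')
        } catch {
            # The NTDS store may not exist if no certificate was ever placed in it.
            Write-Warning "Cannot open $($s.Label): $_"
            continue
        }

        foreach ($cert in $store.Certificates) {
            # Collect EKU OIDs; a certificate with no EKU extension is allowed for any use.
            $ekus = @()
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
                }
            }
            $ekuOk = ($ekus.Count -eq 0) -or ($ekus -contains $ServerAuthEku)

            # Subject Alternative Name (OID 2.5.29.17), rendered as text for a name match.
            $sanText = ''
            $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
            if ($sanExt) { $sanText = $sanExt.Format($false) }
            $nameOk = ($cert.Subject -match [regex]::Escape($Fqdn)) -or ($sanText -match [regex]::Escape($Fqdn))

            $notExpired = $cert.NotAfter -gt (Get-Date)
            $usable = $cert.HasPrivateKey -and $notExpired -and $ekuOk -and $nameOk

            [pscustomobject]@{
                Store         = $s.Label
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                KeyAlgorithm  = $cert.PublicKey.Oid.FriendlyName      # RSA vs ECDSA matters for the cipher suite
                SigAlgorithm  = $cert.SignatureAlgorithm.FriendlyName
                ServerAuthEku = $ekuOk
                NameMatches   = $nameOk
                Usable        = $usable
            }
        }
        $store.Close()
    }
}

# Print the candidates; if no row shows Usable = True, Schannel has nothing to present.
Get-CandidateServerCerts -Fqdn $DcFqdn | Format-Table -AutoSize
```

Read the output with the question's Client Hello in mind: the offered signature_algorithms cover RSA, ECDSA and DSA with SHA-1 through SHA-512, so a certificate whose KeyAlgorithm is RSA or ECDSA is compatible on that axis; what makes a candidate unusable is the missing private key, an expired validity period, or an EKU that excludes Server Authentication. After the store is fixed, confirm from the client side with `openssl s_client -connect <dc>:636 -tls1_2`, which should now show a Server Hello and certificate chain instead of the connection being reset.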

0 Answers