I am working out a connection between our IIS server and a client server which is running Apache. I have set up two-way TLS (HTTPS required). When they try to connect to us, they get the following, and we just get error 500 in the IIS log.
E2E connection XX.XXX.XXX.XXX:XXXXX<->XX.XXX.XXX.XXX:XXXXX3 <==> XX.XXX.XXX.XXX:XXXXX<->XX.XXX.XXX.XXX:XXXXX established.
Using Cipher: ECDHE-RSA-AES256-SHA384 TLSv1.2 256
Connection error: ssl_hs_rxhelloreq:6290: renegotiation disallowed (40)
Client connection XX.XXX.XXX.XXX:XXXXX<->XX.XXX.XXX.XXX:XXX closed.
<SERVER_CLOSED>: 10.115.142.228:443 closed the connection
I'm fairly new to TLS / SSL troubleshooting, but from what I can read, renegotiation disallowed (40) seems to be the breaking point. Is this referring to (cipher) secure renegotiation? Is this something the client should be able to allow?
Using OpenSSL to connect to our server, everything seems to read fine. Is it normal to have renegotiate cipher all the time? And why do I see some lines twice even though it is a successful connection?
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
GET / HTTP/1.0
SSL_connect:SSL renegotiate ciphers
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 106
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
TechnicalId:
EventName:
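The OpenSSL state trace in the question contains two handshakes on one connection: the first has no certificate request, and the one that follows `GET / HTTP/1.0` does. The Python sketch below is an added example, not part of the original post; it splits such a trace into handshakes and reports which one carries the server's certificate request. The function names and the abbreviated sample trace are constructed for illustration.

```python
import re

# Constructed sample: the state lines from the question's trace, abbreviated.
SAMPLE_TRACE = """\
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 read finished A
GET / HTTP/1.0
SSL_connect:SSL renegotiate ciphers
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 read finished A
HTTP/1.1 200 OK
"""

# "SSL_connect:<protocol> <state> [A-D]", the line format shown in the question.
STATE_LINE = re.compile(r"^SSL_connect:(?:SSLv\S+|SSL) (.+?)(?: [A-D])?$")

def split_handshakes(trace):
    """Return one list of state names per handshake; each ClientHello opens one."""
    handshakes = []
    for line in trace.splitlines():
        m = STATE_LINE.match(line.strip())
        if not m:
            continue  # application data and other output
        if m.group(1) == "write client hello":
            handshakes.append([])
        if handshakes:
            handshakes[-1].append(m.group(1))
    return handshakes

def diagnose(trace):
    """Summarise where the server asked for a client certificate."""
    hs = split_handshakes(trace)
    asked = [i for i, h in enumerate(hs, 1) if "read server certificate request" in h]
    return {
        "handshakes": len(hs),
        "renegotiated": len(hs) > 1,
        "cert_request_in": asked,
        "client_cert_requested_via_renegotiation": bool(asked) and asked[0] > 1,
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```

When `client_cert_requested_via_renegotiation` is true, the client certificate is only asked for in a renegotiated handshake, which a peer that refuses renegotiation will not perform.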