WCF/SOAP client in .NET 4.6.1 and TLS 1.0 server: client hello missing

Question

I'm having really hard time to find solution for following scenario:

• we have legacy SOAP Service created in Java, for which we don't have any reasonable way to upgrade/modify. This legacy service is accessible using https endpoint and supports only TLS 1.0
• we have SCHANNEL configured in the registry to enable tls 1.0
• we do have also strong encription enabled in the registry however i guess it shouldn't harm, as it only disables SSL3?
• we are able to reach this endpoint correctly using web browser
• we are able to confirm that TLS 1.0 is enabled using following powershell script:

        $RetValue = New-Object psobject -Property @{
            Host = $HostName
            Port = $Port
            SSLv2 = $false
            SSLv3 = $false
            TLSv1_0 = $false
            TLSv1_1 = $false
            TLSv1_2 = $false
            KeyExhange = $null
            HashAlgorithm = $null
        }
        "ssl2", "ssl3", "tls", "tls11", "tls12" | %{
            $TcpClient = New-Object Net.Sockets.TcpClient
            $TcpClient.Connect($RetValue.Host, $RetValue.Port)
            $SslStream = New-Object Net.Security.SslStream $TcpClient.GetStream()
            $SslStream.ReadTimeout = 15000
            $SslStream.WriteTimeout = 15000
            try {
                $SslStream.AuthenticateAsClient($RetValue.Host,$null,$_,$false)
                $RetValue.KeyExhange = $SslStream.KeyExchangeAlgorithm
                $RetValue.HashAlgorithm = $SslStream.HashAlgorithm
                $status = $true
            } catch {
                $status = $false
            }
            switch ($_) {
                "ssl2" {$RetValue.SSLv2 = $status}
                "ssl3" {$RetValue.SSLv3 = $status}
                "tls" {$RetValue.TLSv1_0 = $status}
                "tls11" {$RetValue.TLSv1_1 = $status}
                "tls12" {$RetValue.TLSv1_2 = $status}
            }
        }

        $RetValue
        "From "+ $TcpClient.client.LocalEndPoint.address.IPAddressToString +" to $hostname "+ $TcpClient.client.RemoteEndPoint.address.IPAddressToString +':'+$TcpClient.client.RemoteEndPoint.port
        $SslStream | gm | ? {$_.MemberType -match 'Property'} | Select-Object Name | % {$_.Name +': '+ $sslStream.($_.name)}

we are not able however to connect to this endpoint using .NET 4.6.1 WCF Client application. When we checked the wireshark connection and it turned out, that for TLS 1.2 there is proper handshake protocol executed (and failing, which was expected), however there is no CLIENT HELLO for TLS 1.0 handshake. there is only empty TCP connection and next - connection reset.

We are using BasicHttpsBinding and forcing TLS client: ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12 ;

Can someone suggest, what i have missed in the code or server configuration that could potentially prevent WCF client from initiating this connection?

Answer 1

Ok, seems that the answer was very simple. Everything was fine with the code, the problem was on very old version of WebLogic, which not only didn't support tls higher than 1.0, but also - was not able to correctly handle higher TLS handshake. The only workaround was creating a reverse proxy, that was receiving traffic on higher TLS and forward it only on TLS 1.0 to target weblogic.