
My code requests only TLS 1.2 secure protocol use but for some reason the remote is receiving an SSL 3.0 handshake according to the wireshark trace. The remote host denies the connection because TLS 1.2 is required by the server.

#include <windows.h>
#include <winhttp.h>

// g_hSession is the HINTERNET session handle returned earlier by WinHttpOpen()
DWORD dwOption = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
if (!WinHttpSetOption(g_hSession, WINHTTP_OPTION_SECURE_PROTOCOLS, &dwOption, sizeof(dwOption))) {
    // handle error (GetLastError())
}

We have all the SCHANNEL settings in the registry set to only allow TLS 1.2 connections. What else can I look at?

jmucchiello
  • What Windows version is the code executed on? – Robert May 24 '22 at 16:52
  • Windows 10 I believe. It might be Windows Server 2016. – jmucchiello May 24 '22 at 19:17
  • Some years ago it was common to start the handshake with an SSLv3 handshake message for compatibility reasons. But nowadays the SSLv3 handshake is disabled by nearly all clients and servers. The error message you got sounds like an old client which uses an SSLv3 handshake message tries to connect to a server that has SSLv3 disabled. But that does not really match your description that the client is Win10. Maybe there is an older network middle box active in between which decrypts and inspects the TLS traffic? – Robert May 24 '22 at 20:20
  • @Robert+ I think you are remembering the practice in much of the noughties of using SSL**v2** format hello but negotiating up to SSLv3 _or_ TLS for the actual session; the _format_ for SSLv3 is unchanged through TLSv1.2 and mostly in TLSv1.3 as well. **OP:** are you certain you are checking the _offer_ version in the clienthello _message_ and _not_ the handshake _record_ version, which is basically meaningless and does not indicate the protocol version(s) used? – dave_thompson_085 May 24 '22 at 23:23
  • Problem is I don't know how to read the protocol in wireshark. I can only go by what I'm being told by the network folk. The remote system is rejecting the connection based on the handshake being "SSL3" instead of "TLS1.2". And yeah, for all I know the SSL3 part is a red herring and there is some other problem. But since I'm using the WinHttp library I don't have access to anything that happens inside the API black box. – jmucchiello May 25 '22 at 22:33
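The distinction dave_thompson_085 raises above, as an added example that is not part of the original question or comments: a small Python parser (assumed helper names build_client_hello, parse_client_hello and offered_versions) that takes a constructed ClientHello and reports the record-header version separately from the version(s) the client actually offers (the legacy client_version, or the supported_versions extension when present). The record header's version bytes can read as SSL 3.0 or TLS 1.0 while the hello itself offers TLS 1.2, which is the check to make before concluding the client is sending an SSLv3 handshake.

```python
import struct

VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                 (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 43  # extension type for supported_versions (RFC 8446)

def build_client_hello(record_version, client_version, supported=()):
    """Constructed sample ClientHello (not a real capture): one cipher suite, no session id."""
    body = bytes(client_version) + b"\x00" * 32          # client_version + 32-byte random
    body += b"\x00"                                      # session_id length 0
    body += b"\x00\x02\x13\x01"                          # cipher_suites: one suite
    body += b"\x01\x00"                                  # compression_methods: null only
    exts = b""
    if supported:
        vers = b"".join(bytes(v) for v in supported)
        ext = bytes([len(vers)]) + vers                  # length-prefixed version list
        exts = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext)) + ext
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(data):
    """Return (record_version, client_version, supported_versions), each version as (major, minor)."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = (data[1], data[2])                  # record-layer version: not the offer
    hs = data[5:5 + int.from_bytes(data[3:5], "big")]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = (body[0], body[1])                  # legacy offered version
    pos = 2 + 32                                         # skip client_version and random
    pos += 1 + body[pos]                                 # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + body[pos]                                 # compression_methods
    supported = []
    if pos + 2 <= len(body):                             # extensions block is optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            if etype == SUPPORTED_VERSIONS_EXT:          # TLS 1.3 style offer list
                supported = [(edata[i], edata[i + 1]) for i in range(1, 1 + edata[0], 2)]
            pos += 4 + elen
    return record_version, client_version, supported

def offered_versions(data):
    """Names of the versions actually offered; the record-layer version is ignored on purpose."""
    _, client_version, supported = parse_client_hello(data)
    return [VERSION_NAMES.get(v, str(v)) for v in (supported or [client_version])]
```

Feed parse_client_hello the raw bytes of the first record sent by the client (exported from the trace) and compare the first tuple against the other two: only the latter tell you what the client offered.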

0 Answers