TLS 1.2 connection problems
I am trying to establish a TLS 1.2 connection via a machine certificate. This works fine on one machine:
3.590109 ClientIp ServerIp TLSv1.2 221 Client Hello
3.617942 ServerIp ClientIp TLSv1.2 1514 Server Hello
3.618151 ServerIp ClientIp TLSv1.2 1143 Certificate, Server Key Exchange, Certificate Request, Server Hello Done
3.627569 ClientIp ServerIp TLSv1.2 3593 Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
3.660094 ServerIp ClientIp TLSv1.2 105 Change Cipher Spec, Encrypted Handshake Message
Connection established, data flowing. This machine does not use a proxy. The exact same client (a .NET program) on a different machine is not so lucky; I can see in Wireshark that the client just does not seem to answer the server's certificate request:
10.792079 ClientIp ProxyIp TLSv1.2 221 Client Hello
10.827628 ServerIp ClientIp TLSv1.2 1374 Server Hello
10.827753 ServerIp ClientIp TLSv1.2 1374 Certificate [TCP segment of a reassembled PDU]
10.827840 ServerIp ClientIp TLSv1.2 103 Server Key Exchange, Certificate Request, Server Hello Done
Then the client reports "The request was aborted: Could not create SSL/TLS secure channel".
The only hint I am seeing is the [TCP segment of a reassembled PDU] message, which I am only (and always) seeing on the machine where the client is not connecting. I read that this just means that Wireshark reassembled packets and that it may not point to any protocol errors, however, maybe it means something since it never appears with the client that can connect?
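As an added illustration (not code from the question or from the .NET client it describes), the script below takes the two Wireshark packet-list summaries quoted above, splits the Info column into TLS handshake messages, and checks the one thing the question is really asking: after the server's Certificate Request, did the client send Certificate and Certificate Verify? It also notes when the Client Hello was addressed to a host other than the one that answered with Server Hello, which is what the ProxyIp line shows. The bracketed "[TCP segment of a reassembled PDU]" text is stripped as Wireshark commentary, not a TLS message. The sample input is constructed from the capture lines in the question; the field layout is assumed to be time, source, destination, protocol, length, info.

```python
"""Check Wireshark TLS summary lines for an unanswered Certificate Request.

Added example, not code from the original question. Input lines follow the
packet-list layout quoted in the question: time, src, dst, protocol, length,
info. The info column is split into TLS handshake message names.
"""
import re

# Constructed sample input: the two captures quoted in the question.
WORKING = """\
3.590109 ClientIp ServerIp TLSv1.2 221 Client Hello
3.617942 ServerIp ClientIp TLSv1.2 1514 Server Hello
3.618151 ServerIp ClientIp TLSv1.2 1143 Certificate, Server Key Exchange, Certificate Request, Server Hello Done
3.627569 ClientIp ServerIp TLSv1.2 3593 Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
3.660094 ServerIp ClientIp TLSv1.2 105 Change Cipher Spec, Encrypted Handshake Message
"""

FAILING = """\
10.792079 ClientIp ProxyIp TLSv1.2 221 Client Hello
10.827628 ServerIp ClientIp TLSv1.2 1374 Server Hello
10.827753 ServerIp ClientIp TLSv1.2 1374 Certificate [TCP segment of a reassembled PDU]
10.827840 ServerIp ClientIp TLSv1.2 103 Server Key Exchange, Certificate Request, Server Hello Done
"""

LINE_RE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.+)$"
)


def parse_summary(text):
    """Turn packet-list lines into dicts with the TLS messages split out."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not packet summaries
        # Bracketed text such as "[TCP segment of a reassembled PDU]" is
        # Wireshark's reassembly note, not a handshake message: drop it.
        info = re.sub(r"\s*\[[^\]]*\]", "", m.group("info"))
        messages = [part.strip() for part in info.split(",") if part.strip()]
        records.append({
            "time": float(m.group("time")),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "length": int(m.group("len")),
            "messages": messages,
        })
    return records


def analyse_handshake(records):
    """Report whether the client answered a Certificate Request."""
    hello = next((r for r in records if "Client Hello" in r["messages"]), None)
    if hello is None:
        raise ValueError("no Client Hello in capture")
    client = hello["src"]
    server_hello = next((r for r in records if "Server Hello" in r["messages"]), None)
    server = server_hello["src"] if server_hello else None

    # Time of the server's Certificate Request, if it sent one.
    request_time = next(
        (r["time"] for r in records
         if r["src"] != client and "Certificate Request" in r["messages"]),
        None,
    )
    # Everything the client sent after that request.
    client_msgs = set()
    if request_time is not None:
        for r in records:
            if r["src"] == client and r["time"] > request_time:
                client_msgs.update(r["messages"])
    client_answered = {"Certificate", "Certificate Verify"}.issubset(client_msgs)
    # The server's own Change Cipher Spec + Finished means it accepted the client.
    server_finished = request_time is not None and any(
        r["src"] != client and r["time"] > request_time
        and "Change Cipher Spec" in r["messages"]
        for r in records
    )

    if request_time is None:
        verdict = "server did not request a client certificate"
    elif client_answered and server_finished:
        verdict = "client certificate sent and accepted; handshake completed"
    elif client_answered:
        verdict = "client sent Certificate/Certificate Verify but the server never finished"
    else:
        verdict = ("client sent nothing after the Certificate Request; it aborted locally, "
                   "so look at client-side certificate selection and private-key access")

    return {
        "client": client,
        "server": server,
        "hello_dst_differs": server is not None and hello["dst"] != server,
        "cert_requested": request_time is not None,
        "client_answered": client_answered,
        "server_finished": server_finished,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, text in (("working machine", WORKING), ("failing machine", FAILING)):
        result = analyse_handshake(parse_summary(text))
        proxy_note = " (Client Hello went to a different host than the one that answered)" \
            if result["hello_dst_differs"] else ""
        print(f"{name}: {result['verdict']}{proxy_note}")
```

The distinction the check relies on is a TLS 1.2 rule: a client that has no certificate matching the server's Certificate Request still sends an (empty) Certificate message and carries on without Certificate Verify. A client that sends nothing at all after Server Hello Done has torn the handshake down itself, which is consistent with the "Could not create SSL/TLS secure channel" error being raised before any client record reaches the wire, and is where the reassembly note turns out to be irrelevant.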
It's easier to analyze if you can share pcaps.

On what system (or part of the network) are the captures made? What is the system ProxyIp? Should the server be communicating back through the proxy?

Sorry, I would not know how to clean the pcaps (are they "anonymizable"?) and this is in my customer's network. I made the captures on one Windows 10 PC in the customer network (where it does not work) and on one Windows 10 PC at home (no problems there). But another W10 machine in the same customer network can connect with the exact same software / configuration (cannot provide Wireshark info for that before tomorrow). The customer is using a proxy (I made a mistake there and edited that now), so the proxy IP will show up in Wireshark. Yes, the server should communicate through the proxy.