SSL TLSv1 -vs- TLSv1.2

We're having some strange behavior, whereas, traffic from a particular building fails in HTTP or HTTPS.  All we can determine at this point is there are two different versions of TLS showing in the traces.  TLSv1 and TLSv1.2.  The TLSv1 transactions all seem to work fine, however, those with the insignia of TLSv1.2 all seem to fail.

Huge timeouts, Server fails to respond etc.  Can anyone shed some light on this situation for me and make it known if

1. are v1.1 and v1.2 compatible or interoperable?
2. is there a way to have the server accept both if there is a difference?
3. what other places might I look to identify a remedy to this problem.
David TaylorAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

gheistCommented:
You must enable SSL debug
For each SSL protocol there should be at least one matching cipher on both sides.

1. no, though most implementations implement both
2. that is the natural way of how it works.
3. Try qualys analyzer, it might explain more.
btanExec ConsultantCommented:
1. They are different and not compatible if we are strictly speaking in the SSL key exchanges btw client and server.
The exchange always goes for the best available cryptographic suite at both end to establish the final secure communication. TLS 1.1 and TLS1.2 can implement different cryptographic algorithm which TLS 1.2 is recommended for higher security posture. TLS 1.0 fares lower compared to them. See the brief summary from wiki https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0

2. Go for TLS 1.0.
Likely it is due to the client been harden to accept TLS1.2 only which the client even in TLS 1.0 or TLS 1.1 is not able to connect and once server set to a lower level like TLS 1.0, the connection is possible as client minimally can support TLS 1.0, selecting a viable crypto suite. There are instance where MS Exchange due to hardening to TLS1.2/1.1 has to move into TLS1.0 for business running with no interruption.

3. Look into the network packet and error log from the server end.
There should be application log ascertain the SSL exchanges failure or connection failure for TLS establishment. Or you can even have openssl to try to connect to the server's service (likely HTTPS) to isolate it is not the apps or browser lockdown.
E.g.  Force openssl s_client to use only TLS: "openssl s_client -connect example.com:443 -tls1"
-ssl3, -tls1, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2
these options disable the use of certain SSL or TLS protocols. By default the initial handshake uses a method which should be compatible with all servers and permit them to use SSL v3 or TLS as appropriate.

Unfortunately there are still ancient and broken servers in use which cannot handle this technique and will fail to connect. Some servers only work if TLS is turned off.
https://www.openssl.org/docs/apps/s_client.html

Or for Windows platform, can use iiscrypto tool to see existing crypto available https://www.nartac.com/Products/IISCrypto/Default.aspx

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
btanExec ConsultantCommented:
As per advice given
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SSL / HTTPS

From novice to tech pro — start learning today.