Question Windows 7 64-bit consistently fails TLS handshake ?

[Dajvo]

I've recently starting seeing a bunch of TLS handshake failures on my Windows 7 64-bit machine when trying to connect to various servers on the internet via ethernet cable. Please see screenshots below for my system information and Wireshark logs.

Now, I recently disabled a bunch of Windows services, which I thought may have been the culprit. But I then enabled all the services I could and it hasn't fixed things.

 

[Ralston18]

Excluding Wireshark are there any other error messages or pop-up windows when the handshakes fail?

If you type "Manage computer certificates " in the Run box does that open Certificates - Local Computer window?

Did you do any Registry editing?

My thought being that TLS has been disabled.

Perhaps:

https://windowsreport.com/enable-tls-1-2-windows-11/

Windows 7 is #3 on the left side index,

 

[bill001g]

The most common issue with this stuff tends to be date and time wrong on your machine.

Do you know if the server supports TLS 1.2. Most stuff I have seen uses 1.3. Not sure you can put 1.3 on window 7

 

[lantis3]

Not familiar with TLS things, but try my best.

Enabled TLS 1.2 on Windows 7 VM

IP 91.197.230.180 => hector.ldn.kualo.net

Run Curl command (download from https://curl.se/download.html)

C:\curl\bin>curl https://hector.ldn.kualo.net --verbose
* Host hector.ldn.kualo.net:443 was resolved.
* IPv6: (none)
* IPv4: 91.197.230.180
* Trying 91.197.230.180:443...
* Failed to set TCP_KEEPINTVL on fd 132: errno 10042
* Failed to set TCP_KEEPCNT on fd 132: errno 10042
* Connected to hector.ldn.kualo.net (91.197.230.180) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: C:\curl\bin\curl-ca-bundle.crt
* CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
* subject: CN=hector.ldn.kualo.net
* start date: Jun 27 12:54:42 2024 GMT
* expire date: Sep 25 12:54:41 2024 GMT
* subjectAltName: host "hector.ldn.kualo.net" matched cert's "hector.ldn.kualo.
net"
* issuer: C=US; O=Let's Encrypt; CN=R10
* SSL certificate verify ok.
* Certificate level 0: Public key type ? (2048/112 Bits/secBits), signed using
sha256WithRSAEncryption
* Certificate level 1: Public key type ? (2048/112 Bits/secBits), signed using
sha256WithRSAEncryption
* Certificate level 2: Public key type ? (4096/128 Bits/secBits), signed using
sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://hector.ldn.kualo.net/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: hector.ldn.kualo.net]
* [HTTP/2] [1] [😛ath: /]
* [HTTP/2] [1] [user-agent: curl/8.9.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: hector.ldn.kualo.net
> User-Agent: curl/8.9.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 200
< content-type: text/html
< last-modified: Sat, 10 Oct 2020 19:37:25 GMT
< accept-ranges: bytes
< content-length: 163
< date: Wed, 14 Aug 2024 18:29:13 GMT
< alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2
592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=
2592000; v="43,46"
<
<html><head><META HTTP-EQUIV="Cache-control" CONTENT="no-cache"><META HTTP-EQUIV
="refresh" CONTENT="0;URL=/cgi-sys/defaultwebpage.cgi"></head><body></body></htm
l>
* Connection #0 to host hector.ldn.kualo.net left intact

But on Windows 11

curl https://hector.ldn.kualo.net --verbose
* Host hector.ldn.kualo.net:443 was resolved.
* IPv6: (none)
* IPv4: 91.197.230.180
* Trying 91.197.230.180:443...
* Connected to hector.ldn.kualo.net (91.197.230.180) port 443
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.x
> GET / HTTP/1.1
> Host: hector.ldn.kualo.net
> User-Agent: curl/8.8.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Connection: Keep-Alive
< Keep-Alive: timeout=5, max=100
< content-type: text/html
< last-modified: Sat, 10 Oct 2020 19:37:25 GMT
< accept-ranges: bytes
< content-length: 163
< date: Wed, 14 Aug 2024 19:10:28 GMT
< alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
<
<html><head><META HTTP-EQUIV="Cache-control" CONTENT="no-cache"><META HTTP-EQUIV="refresh" CONTENT="0;URL=/cgi-sys/defaultwebpage.cgi"></head><body></body></html>
* Connection #0 to host hector.ldn.kualo.net left intact

==

So on Windows 7 browser or system tried to use TLS 1.3 yet Windows 11 uses TLS 1.1 ?

 

[lantis3]

Even Windows 10 does not' support TLS 1.3. Windows 7 supports 1.1 and 1.2 but you have to enable it.

Protocols in TLS/SSL (Schannel SSP) - Win32 apps

The schannel SSP implements versions of the TLS, DTLS and SSL protocols. Different Windows versions support different protocol versions.

learn.microsoft.com

 

[lantis3]

https://www.reddit.com/r/windows7/comments/xxvdej/missing_tls_13/

user tinspin said:

Right now Minecraft and Rockstar games are walled behind HTTPS servers that disabled TLS 1.2 even though there are many ciphers that are still considered secure.

don't know what he said was true. I don't play games,

 

[Dajvo]

Excluding Wireshark are there any other error messages or pop-up windows when the handshakes fail?

Whichever client program I'm using will tell me the connection attempt failed. Windows Event Viewer will then show Schannel Error Event ID 36887 errors with fatal alert codes 40 and 80.

If you type "Manage computer certificates " in the Run box does that open Certificates - Local Computer window?

If I type "certificates" it brings up "manage file encryption certificates", but that's probably not what we want. Typing "Manage computer certificates" doesn't get anything.

Did you do any Registry editing?

Yes. A while back I enabled TLS 1.2 by modifying the registry.

My thought being that TLS has been disabled.

SSL 2.0, SSL 3.0, TLS 1.0, TSL 1.1, and TLS 1.2 all show as enabled in the "Internet Properties -> Advanced" tab. I think the Wireshark logs show that my computer, as Client, is trying to initiate a TLS connection, so it would have to be enabled.

 

[Dajvo]

The most common issue with this stuff tends to be date and time wrong on your machine.

Do you know if the server supports TLS 1.2. Most stuff I have seen uses 1.3. Not sure you can put 1.3 on window 7

As far as I can tell, my time and date are correct... I mean, if I look at the Windows "clock" in the lower right-hand corner of the screen in the system tray, it's correct.

I don't know for sure if the server supports TLS 1.2. Do most servers not support 1.2? It's my understanding that 1.3 isn't enabled by default on Win 10, so I'd think they'd be making life difficult for a number of non-obsolete users by exluding 1.2.

 

[kanewolf]

As far as I can tell, my time and date are correct... I mean, if I look at the Windows "clock" in the lower right-hand corner of the screen in the system tray, it's correct.

I don't know for sure if the server supports TLS 1.2. Do most servers not support 1.2? It's my understanding that 1.3 isn't enabled by default on Win 10, so I'd think they'd be making life difficult for a number of non-obsolete users by exluding 1.2.

I remember something, from a long time ago.... There was issues with root certificates and Windows 7. -- https://help.gamemaker.io/hc/en-us/...dows-Update-package-to-fix-certificate-issues
You might google windows 7 and root certificates .... I am so far past Win 7 that I don't care to expend the energy....
https://docs.pexip.com/admin/certificate_management.htm

 

[Dajvo]

Not familiar with TLS things, but try my best.

Enabled TLS 1.2 on Windows 7 VM

<snip>

So on Windows 7 browser or system tried to use TLS 1.3 yet Windows 11 uses TLS 1.1 ?

This doesn't make sense to me. The choice to use TLS 1.3 was made by the client, right? I don't know what this log is showing.

 

[lantis3]

Probably because curl is not a built-in command for Win7 and default to v1.3 yet it's a built-in command for Win11 yet it defaults to v1.1?

 

[lantis3]

If you use browser to visit https://hector.ldn.kualo.net right now

there are no handshake errors in Wireshark logs, and it seems server only offers TLSv1.3

As @kanewolf suggested, I'm also way past Win7. Reason you still stick to it?

 

[Dajvo]

I remember something, from a long time ago.... There was issues with root certificates and Windows 7. -- https://help.gamemaker.io/hc/en-us/...dows-Update-package-to-fix-certificate-issues
You might google windows 7 and root certificates .... I am so far past Win 7 that I don't care to expend the energy....
https://docs.pexip.com/admin/certificate_management.htm

Thanks, I'll check these out.

 

[Dajvo]

If you use browser to visit https://hector.ldn.kualo.net right now

there are no handshake errors in Wireshark logs, and it seems server only offers TLSv1.3

Is there a way to tell using Wireshark, etc. whether a server fails handshake because it doesn't support the client's TLS version? I think that's what we'd want to know for my issue.

 

[lantis3]

Can't really help. I'm not a Wireshark expert.

I can count my numbers of Wireshark usage with all of my fingers in past 20 years.

 

[bill001g]

Wireshark just confirms what everything else says but you know it the server that has the issue.

If you understand the wireshark trace then the below is a repeat of what you know.

In the first one the server just blindly issues a reset message to the hello message. No way to tell why but in the first case it is the server rejecting the session.

The second one the client first tries 1.2 then 1.1 and finally 1. In all three cases it gets a response back from the server that says there is something wrong with the handshake. Wireshark did not decode the hello message on this screen but maybe if you open the packet. There are lots more bits inside.

Digging at this detail does not help because it still comes down to some setting on the win 7 pc that is creating the hello packet that the server does not like.

I know the OS is involved but I would bet it is the browser that is sending those messages so maybe it is a browser issue.

 

[Dajvo]

Thanks to everyone who provided assistance. Just wanted to let you know the issue is solved.

I was able to get this working using the info here:

Native Access...please come home! NA login issue in Windows 7 solved!

Hello everybody! I'm totally new here, but I've been perusing this blog for so many years that I almost feel I know you all... sort of! This is my very first post and my issue might seem easy to resolve for most of you, but I have all but given up scanning the web for answers to my...

vi-control.net

Apparently it's a matter of Windows 7 not supporting the TLS 1.2 ciphers required by the servers. Running the mitmproxy proxy server worked around the problem.