Question: Windows 7 64-bit consistently fails TLS handshake?

Aug 14, 2024
I've recently started seeing a bunch of TLS handshake failures on my Windows 7 64-bit machine when trying to connect to various servers on the internet via ethernet cable. Please see screenshots below for my system information and Wireshark logs.

[Screenshot: System-Description.jpg]

[Screenshot: Handshake-Errors-1.jpg]

[Screenshot: Handshake-Errors-2.jpg]

Now, I recently disabled a bunch of Windows services, which I thought may have been the culprit. But I then enabled all the services I could and it hasn't fixed things.
 

Ralston18

Excluding Wireshark are there any other error messages or pop-up windows when the handshakes fail?

If you type "Manage computer certificates" in the Run box, does that open the Certificates - Local Computer window?

Did you do any Registry editing?

My thought being that TLS has been disabled.

Perhaps:

https://windowsreport.com/enable-tls-1-2-windows-11/

Windows 7 is #3 on the left side index.
 
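A read-only way to check the "TLS has been disabled" theory from the post above, as an added example that is not part of the original thread: it reads the standard Schannel protocol keys under HKLM and reports whether each protocol has been switched off in the Registry. The function names `Get-Dword` and `Get-SchannelState` are made up for this example; the script changes nothing and is written to run on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: audit the Schannel protocol settings in the Registry (read-only).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-Dword($path, $name) {
    # Returns the DWORD value, or $null when the key or the value does not exist.
    if (-not (Test-Path $path)) { return $null }
    return (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
}

function Get-SchannelState($protocol, $role) {
    $path     = Join-Path (Join-Path $base $protocol) $role
    $enabled  = Get-Dword $path 'Enabled'
    $disabled = Get-Dword $path 'DisabledByDefault'

    if (($null -ne $enabled) -and ($enabled -eq 0)) {
        # Explicit kill switch: Schannel will not negotiate this protocol at all.
        $state = 'DISABLED (Enabled=0)'
    } elseif (($null -ne $disabled) -and ($disabled -ne 0)) {
        # Only used when an application explicitly requests this protocol.
        $state = 'off unless the application asks for it (DisabledByDefault set)'
    } elseif (($null -eq $enabled) -and ($null -eq $disabled)) {
        $state = 'not configured, OS default applies'
    } else {
        $state = 'enabled'
    }

    New-Object PSObject -Property @{
        Protocol = $protocol; Role = $role
        Enabled = $enabled; DisabledByDefault = $disabled; State = $state
    }
}

$rows = foreach ($p in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($r in 'Client', 'Server') { Get-SchannelState $p $r }
}
$rows | Select-Object Protocol, Role, Enabled, DisabledByDefault, State | Format-Table -AutoSize
```

These keys only govern software that uses Schannel, the Windows TLS stack; a program that bundles its own TLS library is not affected by them.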

lantis3

Not familiar with TLS things, but I'll try my best.

Enabled TLS 1.2 on Windows 7 VM

IP 91.197.230.180 => hector.ldn.kualo.net

Run Curl command (download from https://curl.se/download.html)

C:\curl\bin>curl https://hector.ldn.kualo.net --verbose
* Host hector.ldn.kualo.net:443 was resolved.
* IPv6: (none)
* IPv4: 91.197.230.180
* Trying 91.197.230.180:443...
* Failed to set TCP_KEEPINTVL on fd 132: errno 10042
* Failed to set TCP_KEEPCNT on fd 132: errno 10042
* Connected to hector.ldn.kualo.net (91.197.230.180) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: C:\curl\bin\curl-ca-bundle.crt
* CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
* subject: CN=hector.ldn.kualo.net
* start date: Jun 27 12:54:42 2024 GMT
* expire date: Sep 25 12:54:41 2024 GMT
* subjectAltName: host "hector.ldn.kualo.net" matched cert's "hector.ldn.kualo.net"
* issuer: C=US; O=Let's Encrypt; CN=R10
* SSL certificate verify ok.
* Certificate level 0: Public key type ? (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 1: Public key type ? (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 2: Public key type ? (4096/128 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://hector.ldn.kualo.net/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: hector.ldn.kualo.net]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.9.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: hector.ldn.kualo.net
> User-Agent: curl/8.9.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 200
< content-type: text/html
< last-modified: Sat, 10 Oct 2020 19:37:25 GMT
< accept-ranges: bytes
< content-length: 163
< date: Wed, 14 Aug 2024 18:29:13 GMT
< alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
<
<html><head><META HTTP-EQUIV="Cache-control" CONTENT="no-cache"><META HTTP-EQUIV="refresh" CONTENT="0;URL=/cgi-sys/defaultwebpage.cgi"></head><body></body></html>
* Connection #0 to host hector.ldn.kualo.net left intact

But on Windows 11

curl https://hector.ldn.kualo.net --verbose

* Host hector.ldn.kualo.net:443 was resolved.
* IPv6: (none)
* IPv4: 91.197.230.180
* Trying 91.197.230.180:443...
* Connected to hector.ldn.kualo.net (91.197.230.180) port 443
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.x
> GET / HTTP/1.1
> Host: hector.ldn.kualo.net
> User-Agent: curl/8.8.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Connection: Keep-Alive
< Keep-Alive: timeout=5, max=100
< content-type: text/html
< last-modified: Sat, 10 Oct 2020 19:37:25 GMT
< accept-ranges: bytes
< content-length: 163
< date: Wed, 14 Aug 2024 19:10:28 GMT
< alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
<
<html><head><META HTTP-EQUIV="Cache-control" CONTENT="no-cache"><META HTTP-EQUIV="refresh" CONTENT="0;URL=/cgi-sys/defaultwebpage.cgi"></head><body></body></html>
* Connection #0 to host hector.ldn.kualo.net left intact

==

So on Windows 7, the browser or system tried to use TLS 1.3, yet Windows 11 uses TLS 1.1?
 