Client cannot connect when Minimum TLS 1.2 is selected

What is the name of the domain?

api2 < dot > my own account.net

What is the issue you’re encountering

Client connections stop when using Minimum TLS 1.2

What steps have you taken to resolve the issue?

Our 4 corporate customers use our API which is fronted by HaProxy. I know one of them has a Fortinet and 2 others are on AWS. The 4th one was installed this year on a recent VM.

HaProxy has a valid Let’sEncrypt certificate and is configured to only accept TLS 1.2 and TLS 1.3. When using “openssl s_client -connect” from my PC, it reports among other things:


No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits

SSL handshake has read 2992 bytes and written 303 bytes
Verification: OK

New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
…etc…

Cloudflare is configured with “Minimum TLS 1.0” and “Full Encryption” mode, and I also can see successfull client log connections happening on HaProxy using TLSv1.3 TLS_AES_256_GCM_SHA384.

Now I am trying to set “Minimum TLS 1.2” on Cloudflare but as soon as I do so, all connections stops, this until I put “TLS 1.0” back. From my PC it works fine tbough.

I don`t even see the typical “SSL handshake failure” messages in the log, nothing is being logged.

I also have asked one client to test “openssl s_client -connect :443 -tls1_2” from their VM and I am waiting on their output.

Any suggestions on how to debug this further ? Does that ring any bell ? I am far from being an expert with these, so any hint will be appreciated.

Thanks a bunch !

Hello,

From our documentation here, it states that not all browser versions support TLS 1.2 and above.

Do you happen to know the browser versions of these users?

Hi,
The affected component is our API and the client is a software.
Do you have traces of the protocol/cyphers that were negociated for a specific timeframe and IP ?

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.