TLS1.2 protocol handshake error

We have a client connecting to our API. They can connect to other sites in the same domain: xxx.domain.com works, but for yyy.domain.com we don’t even show the connection in the WAF / Events.
We allowlisted their IP, confirmed it, and see it come in to the other sites. If we disable the proxy it works and connects via TLS 1.2.

Turning the proxy on, they get a protocol handshake error.

I am thinking this is something with the ciphers enabled/blocked in CF, but I am not 100% sure. The site works for other clients using the exact same URL. I have never seen ‘0 connections’ from an IP through CF before, so I’m not even sure where to start telling this client what to do.

What is the issue you’re encountering?

Even with the allowlisted IP the client is getting a protocol error, but it’s on the CF proxy side.

What steps have you taken to resolve the issue?

Removing the proxy, everything works.

What are the steps to reproduce the issue?

Enable the CF proxy.

What is the operating system the client is using to make the calls? I only ask because we recently had to set up a proxy server because a vendor disabled the following cipher suites, which were the last ones available for Win 2012 R2, and I’m wondering if it is the same use case. The TLS 1.2 cipher suites disabled were:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

The following TLS 1.2 cipher suites were still supported by the vendor but were not supported on our side (using Win 2012 R2):

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) ECDH secp256r1 (eq. 3072 bits RSA) FS 256P

Oh interesting. I know it’s a Java app running on Windows, Java 1.8, which is the latest on the JRE side, and I believe it was Windows when I pulled the logs. I will have to check with them. I was hoping to find what ciphers are supported. We are TLS 1.2 set for PCI, which disables several ciphers, but they can connect directly just fine.

I suspect Java 1.8 is still using Windows Schannel to make the call, but I don’t know. And if Windows 2012 R2 is the host, it may not work. If it were something like curl or another third-party app that works via something other than Windows Schannel (curl utilizes OpenVPN, I believe), this may not be the case, but I don’t know. Ask what they are running and go from there.

We are TLS 1.2 set for PCI, which disables several ciphers, but they can connect directly just fine.

Out of curiosity are you using IISCrypto to enable ciphers for PCI compliance on your side?

Yes we are, but they can connect to us directly if we disable the CF proxy. I added ciphers to the IIS logs to grab them; I didn’t look up the codes other than TLS 1.2. We initially thought for sure this was them not using TLS 1.2. But digging in, it seems more like ciphers. I’m going to look in the logs and figure out the hex codes for the ciphers to see.
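Added example, not code from this thread or from Cloudflare or IIS Crypto: a small Python model of how a TLS 1.2 server picks a cipher suite from a client's offered list, applied to the CBC-versus-AEAD gap described in the Win 2012 R2 reply above, plus a decoder for the hex codes the last post wants to pull out of the IIS logs. The client and edge lists are constructed for illustration; the suite names and codes are IANA registry values.

```python
# Added example, not code from the thread: model TLS 1.2 cipher-suite
# negotiation between what a client offers and what the edge allows, and
# decode the IANA hex codes that show up in handshake logs. Suite names and
# codes are IANA registry values; the client/edge lists are constructed.

IANA_SUITES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}
NAME_TO_CODE = {name: code for code, name in IANA_SUITES.items()}

def decode_suite(code):
    """Map a suite code from a log (int or '0xc030' string) to its IANA name."""
    if isinstance(code, str):
        code = int(code, 16)
    return IANA_SUITES.get(code, f"UNKNOWN_0x{code:04X}")

def negotiate(client_offered, server_allowed, server_preference=True):
    """Return the suite a TLS 1.2 server picks, or None for handshake_failure.
    With server_preference the server walks its own ordered list and takes the
    first suite the client also offered; otherwise the client's order wins."""
    if server_preference:
        first, second = server_allowed, set(client_offered)
    else:
        first, second = client_offered, set(server_allowed)
    return next((s for s in first if s in second), None)

# Constructed: a Schannel-style client offering only the CBC suites, and an
# edge that accepts only the AEAD suites (the mismatch described above).
LEGACY_CLIENT = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]
AEAD_ONLY_EDGE = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
]

if __name__ == "__main__":
    print(negotiate(LEGACY_CLIENT, AEAD_ONLY_EDGE))  # None: no common suite
    print(decode_suite("0xc030"))  # decode a code copied from a log line
```

An empty intersection is exactly the "protocol handshake error" the client sees, while the same client against an edge that still lists a CBC suite negotiates normally; `NAME_TO_CODE` gives the hex value to grep for once the suite is known.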
