janjust wrote: that's a common routing issue the easiest solution in your setup (windows server) is to add a route on your LAN router to state that the VPN traffic (10.8/x) needs to go back to the VPN server (the windows machine). REG_DWORD value of: DisabledByDefault with a value of 0ĬEM Clients receive connection error with TLS 1.1 or 1.2 but connect successfully with TLS 1. Re: VERIFY ERROR: depth1, errorself signed certificate in. HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server.To verify this you should reference the following registry key to make sure it exists: After rebooting the SMP, clients should be able to connect without error. A server restart is required after making this change.You could expand the cipher suites table in the capture and check if ECDHEECDSAWITHAES128GCMSHA256 is there or not.
Upon further testing, it seems like the DWORD value should be: DisabledByDefault with a decimal value of 0. Theres a problem with your capture : the ClientHello shows a 14 long cipher suites table but in your code you just add one and we expect to see 14 entries in your array. In a few circumstances this was found not to work.Create a new DWORD value of Enabled with a decimal value of 0.Create registry entry: HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server.Here’s an example: In this scenario, there is no mutually supported TLS protocol and the server likely isn’t supporting backwards versioning. While the article also references TLS 1.0, errors are not experienced when using 1.0.Īs per the linked Microsoft article, on your SMP, open the registry and do the following: If you’re getting the SSL/TLS handshake failed error as a result of a protocol mismatch, it means that the client and server do not have mutual support for the same TLS version. You will notice this article indicates that you need to create a registry key for TLS version 1.1 or/and 1.2 based upon your desired protocol. That peer is connecting on 10.0.0.1, not sure why I allowed other IP's there, but shouldn't affect anything. First in the console, check the communication profile which agent tries to connect and make sure the appropriate TLS options are enabled: EDIT: Here's the output, if you're curious: imgur link The super long time since the last handshake is just because I shut the client interface dowtn around that time.