I restricted the ciphers via GPO "Computer./Administrative./Network/SSL Configuration./SSL Cipher Suite Order" to be Next i tried to configure the Schannel Registry to support TLS 1.0, 1.1 and 1.2 viaĪnd so on for TLS1.1, but still only offers TLS1.0 on RDP port Openssl s_client still connects with TLS1.0 at its best. So I started with installing the Remote Desktop Packages Version 6.2+6.3 on my Server 2008R2 I am verifying this with an "openssl s_client" Connectionįor example, a Server 2012R2 offers TLS1.2, if I check against its RDP port. Initially my RDP Service (out of the box), allowed Connections no better than TLS1.0 If used like this, the output is very similar to the openssl_client output.I am currently struggeling to get the RDP Connections working with TLS1.2 on Server 2008R2 SP1 In this case, the connection fails because the client does not offer any TLS version above 1.1, but the server does not accept any version below 1.2. * error:141E70BF:SSL routines:tls_construct_client_hello:no protocols availableĬurl: (35) error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available * TLSv1.3 (OUT), TLS alert, internal error (592): To forbid that the server upgrades the TLS version use the -tls-max option: $ curl -Iiv -tlsv1.1 -tls-max 1.1 * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 * TLSv1.2 (IN), TLS handshake, Finished (20): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (OUT), TLS handshake, Client hello (1): * CAfile: /etc/ssl/certs/ca-certificates.crt * successfully set certificate verify locations: I like to use curl which can report a TLS version negotiation quite nicely.įor example, this tries to connect with TLS 1.1, which the server negotiates to upgrade to 1.2: $ curl -Iiv -tlsv1.1
0 kommentar(er)
