First, I know TLS 1.0 is bad, but I have no choice but to support it – we cannot control the client end, and if a large percentage of the clients are not supported, it would be a competitive disadvantage for us on this project.
I'm not an SSL / TLS / etc expert, but I think I have an idea of how it should work.
I have written a service that runs on a Windows 10 computer over HTTPS with a self-signed SSL certificate. This works fine if (of course) all clients explicitly trust this certificate or are configured not to validate the server certificate. Usually this will support TLS 1.1 and 1.2, but for the purposes of this test, I have limited it to only 1.0.
Some clients for this service are running Windows XP (the specific client I need to test with is Windows XP Embedded SP2, but I cannot specify that this will be used for all XP clients).
I used NetMon to capture a network trace.
I think it's a negotiation problem with the cipher suite.
As a test, I installed an old version of Firefox on the XP machine and established a connection with it. This works fine, but as I understand it, Firefox uses its own TLS stack, so obviously a cipher suite can be agreed on, but it at least excludes other network problems or problems with my service.
I use IIS Crypto to view / modify the related settings on my Windows 10 computer.
I used NetMon to capture traces and can see Client Hello messages from these older clients, but no Server Hello in response.
I can see that the client is sending a list of (older) cipher suites, the third of which is
TLS_RSA_WITH_3DES_EDE_CBC_SHA. That's one that I appear to have in my list.
I have used IIS Crypto to enable this cipher suite on my Windows 10 computer and rearranged the list so that it appears at the top. However, this has not made a difference. It is possible that I added this to the list with IIS Crypto, but I am not sure at this point (I have been studying this for several days).
When I create a TLS 1.0 client and run it locally on my computer, it works fine.
My best guess is that one of the components of the cipher is not properly set up / present … Can anyone suggest what I can change that can help?
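
One way to check a captured Client Hello against the suites enabled on the server, as an added example that is not part of the original post: it parses the raw bytes of the TLS record, lists the offered cipher suites in order, and returns the overlap with a server list. The function names, the constructed sample record and the server lists passed in are assumptions made for illustration.

```python
import struct

# Subset of IANA cipher suite code points; unknown values are shown as hex.
SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
          0x0009: "TLS_RSA_WITH_DES_CBC_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
          0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_client_hello(record: bytes) -> dict:
    """Return the versions and cipher suites offered in one raw TLS ClientHello record."""
    if len(record) < 9:
        raise ValueError("truncated record")
    if record[0] & 0x80:
        raise ValueError("SSLv2-compatible hello, not a TLS record")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if len(hello) != hs_len or hs_len + 4 > rec_len:
        raise ValueError("truncated or fragmented ClientHello")
    try:
        client_ver = struct.unpack("!H", hello[:2])[0]
        pos = 2 + 32                      # skip client_version and random
        pos += 1 + hello[pos]             # skip session_id
        n = struct.unpack("!H", hello[pos:pos + 2])[0]
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello body") from None
    raw = hello[pos + 2:pos + 2 + n]
    if len(raw) != n or n % 2:
        raise ValueError("bad cipher_suites length")
    ids = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]
    return {"record_version": VERSIONS.get(rec_ver, hex(rec_ver)),
            "client_version": VERSIONS.get(client_ver, hex(client_ver)),
            "offered": [SUITES.get(i, f"0x{i:04X}") for i in ids]}

def common_suites(hello: dict, server_enabled: list) -> list:
    """Suites both sides have, in the server's order; an empty list means no overlap."""
    return [s for s in server_enabled if s in hello["offered"]]

def build_sample() -> bytes:
    """Constructed TLS 1.0 ClientHello with four suites (not taken from a real capture)."""
    suites = b"".join(struct.pack("!H", s) for s in (0x0004, 0x0005, 0x000A, 0x0009))
    hello = (struct.pack("!H", 0x0301) + bytes(32) + b"\x00"
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs
```

An empty result from `common_suites` means the two lists share no suite; a non-empty result means the missing Server Hello has to be explained by something other than the suite list.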