So as part of a recent upgrade I was performing, I upgraded a couple of Netscaler Access Gateways from version 10.1 to version 10.5. The upgrade went very smoothly, no errors, no user calls… for a while.

The next day, we started receiving some calls regarding issues with launching apps via Storefront. Some users were receiving the “SSL Error 43: The proxy denied access to…” error with their STA ticket when clicking on their application icons on the web page. Tracking down the servers based on their STA ID in the ticket, I noticed that users only had issues when they were attempting to authenticate to Windows 2012 R2 delivery controllers. The Windows 2008 R2 delivery controllers were not denying the STA requests. Jumping on one of the Windows 2012 R2 delivery controllers, I noticed the System event log was flooded with Schannel errors for Event ID 36874 (An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.) and Event ID 36888 (A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.) Well, we obviously have an SSL issue, but these codes aren’t exactly pointing me anywhere. Looking up the error code on the RFC page for the TLS protocol ( ) I found that error code 40 is a handshake failure (you can find this in the A.3 part of the appendix in the Alert Messages section).

I can’t remember where exactly I found the enum definition for the Schannel 1205 code, but it basically means that a fatal error was sent to the endpoint and the connection was being forcibly terminated. At least I now knew there was an issue with the SSL handshake between the Netscalers and the Windows 2012 R2 delivery controllers. Time for some network tracing. Firing up Wireshark on the delivery controller, I could see that the connection was getting immediately reset by the server after the Client Hello from the Netscaler. Expanding the Client Hello packet in the capture, I could see a list of ciphers currently being offered by the Netscaler. (Note – for the sake of easier troubleshooting, I left the default grouping of ciphers in place as it was a large group of widely accepted ciphers until I identified the issue and then trimmed down the cipher list. You should limit the number of ciphers available on the virtual server of your Access Gateway to just what you need and leverage the more current stronger methods available such as AES 256 over RC4 and MD5, etc.) Next, I configured the SSL Cipher Suite Order on the Windows server to match what the Netscaler was presenting in the Client Hello packet, at least the top 10 or so.
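The comparison made by eye in Wireshark can be scripted. This is an added example, not code from the original post: it pulls the offered cipher suites out of a raw ClientHello record and checks them against a server's enabled list, where an empty overlap is the condition behind alert 40. The function names, the sample suite lists (IANA IDs, constructed) and the server-preference selection are assumptions of the example.

```python
import struct

def build_sample_hello(suites):
    """Constructed test input: minimal TLS 1.2 ClientHello, no extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += struct.pack(f"!{len(suites)}H", *suites)
    body += b"\x01\x00"                           # compression methods: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello_suites(record):
    """Return the cipher suite IDs offered in a raw TLS ClientHello record."""
    ctype, _version, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16 or len(record) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    if record[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    pos = 5 + 4                 # record header + handshake header
    pos += 2 + 32               # client_version + random
    pos += 1 + record[pos]      # session_id length byte + session_id
    (n,) = struct.unpack_from("!H", record, pos)
    pos += 2
    if n % 2 or pos + n > len(record):
        raise ValueError("bad cipher_suites length")
    return list(struct.unpack_from(f"!{n // 2}H", record, pos))

def negotiate(offered, server_enabled):
    """Pick by server preference (assumed); None means no overlap -> alert 40."""
    for suite in server_enabled:
        if suite in offered:
            return suite
    return None

if __name__ == "__main__":
    # Constructed lists, not the values from the capture in the post.
    client = [0xC030, 0xC028, 0x003D]   # ECDHE-RSA AES256 GCM/CBC-SHA384, RSA AES256-SHA256
    before = [0x0035, 0x002F, 0x0005]   # RSA AES256-SHA, RSA AES128-SHA, RSA RC4-SHA
    after = [0xC028, 0x0035]            # server order adjusted to include a client suite
    offered = parse_client_hello_suites(build_sample_hello(client))
    for label, enabled in (("before", before), ("after", after)):
        chosen = negotiate(offered, enabled)
        print(label, "handshake_failure (40)" if chosen is None else hex(chosen))
```

To run it against a real capture, export the ClientHello record bytes from the trace and pass them to `parse_client_hello_suites` in place of the constructed sample.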