Why did the SSL connection fail when enabling multiple SSL Client protocol versions?


Article ID: 168362


Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

In a reverse proxy deployment, there is a scenario where the backend server supports only certain SSL/TLS versions. In this case, the server supported only TLSv1.0; it did not support TLSv1.1 or TLSv1.2. The ProxySG appliance's SSL Client has an option to select which protocol versions the appliance uses when negotiating with the backend server. With all of the protocol versions selected, the connection failed.

When the ProxySG appliance sent a Client Hello, the server responded with a fatal alert instead of a Server Hello. The ProxySG appliance normally starts with the highest enabled version before falling back to a lower one. In this case, the appliance advertised TLSv1.2 in the Client Hello, but because the server did not support TLSv1.2, it responded with a fatal error, "Notify Close", and the connection was terminated.

A server that wants to use TLSv1.0 should respond with a Server Hello selecting that version. Because it did not receive a Server Hello, the ProxySG appliance was correct to close the connection rather than attempt to renegotiate with another version. This is expected behavior, by design, on the ProxySG appliance side.
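The following is an added model of the negotiation described above; it is not code from this article or from SGOS. It builds minimal TLS record bytes for a ServerHello and an Alert, contrasts a server that follows the RFC 5246 version-negotiation rule with one that aborts when the offered version is not exactly what it supports, and has the client close on anything other than a ServerHello, as the ProxySG does. Assumptions: the article's "Notify Close" is modelled as a fatal close_notify alert (description 0), and the ServerHello random field is constructed as zeros.

```python
from functools import partial

# TLS version bytes (major, minor) as carried in the handshake messages
VERSIONS = {"TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
NAMES = {v: k for k, v in VERSIONS.items()}
ALERT, HANDSHAKE = 21, 22          # TLS record content types
SERVER_HELLO = 2                   # handshake message type
FATAL = 2                          # alert level

def record(ctype, ver, payload):
    """Wrap a payload in a TLS record header: type(1) version(2) length(2)."""
    return bytes([ctype, *ver]) + len(payload).to_bytes(2, "big") + payload

def server_hello(ver):
    """Minimal ServerHello body: version, 32-byte random (constructed zeros),
    empty session id, one cipher suite, null compression."""
    body = bytes(ver) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    return record(HANDSHAKE, ver, bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body)

def alert(level, description, ver=(3, 1)):
    """Alert record: level(1) description(1)."""
    return record(ALERT, ver, bytes([level, description]))

def compliant_server(supported, client_version):
    """RFC 5246 Appendix E.1: answer with the highest supported version not above the client's,
    or a fatal protocol_version (70) alert if there is no overlap at all."""
    usable = [VERSIONS[v] for v in supported if VERSIONS[v] <= client_version]
    return server_hello(max(usable)) if usable else alert(FATAL, 70)

def strict_server(supported, client_version):
    """The server from the article: replies only if it supports exactly the offered version,
    otherwise aborts with a fatal alert (assumed here to be close_notify, description 0)."""
    if client_version in (VERSIONS[v] for v in supported):
        return server_hello(client_version)
    return alert(FATAL, 0)

def ssl_client(enabled, server):
    """Client side as the ProxySG behaves: offer the highest enabled version, accept a
    ServerHello at whatever version it selects, and close on anything else (no retry)."""
    rec = server(max(VERSIONS[v] for v in enabled))
    if rec[0] == HANDSHAKE and rec[5] == SERVER_HELLO:
        return "connected", NAMES[tuple(rec[9:11])]   # version sits right after the 4-byte handshake header
    if rec[0] == ALERT:
        return "closed", f"alert level={rec[5]} description={rec[6]}"
    return "closed", "unexpected record"

if __name__ == "__main__":
    all_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
    print(ssl_client(all_versions, partial(compliant_server, ["TLSv1.0"])))  # connected at TLSv1.0
    print(ssl_client(all_versions, partial(strict_server, ["TLSv1.0"])))     # closed by fatal alert
    print(ssl_client(["TLSv1.0"], partial(strict_server, ["TLSv1.0"])))      # connected at TLSv1.0
```

The second call reproduces the failure in the article: offering TLSv1.2 to a server that only answers an exact match yields a fatal alert, and the client closes instead of retrying with TLSv1.0.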