HoiFree
New Member
May 28, 2025
Question

FortiClient Added TLS1.1 in Client Hello from 7.2.5

  • May 28, 2025
  • 1 reply
  • 708 views

Hello,

Discovered that starting from FortiClient 7.2.5, the 1st 'Client Hello' packet added TLS 1.1 as a supported version, and this caused a problem in establishing the VPN connection with the proxy (it seems the proxy disallowed TLS 1.1 support).

This can be overcome by creating registry keys HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1 

DisableByDefault = 1

Enabled = 0

 

However, this has no effect in Windows 10, as the format of the 1st 'Client Hello' is different from that of Windows 11 and does not carry the 'supported_versions' information.

 

[Screenshots: 7_2_4_and_older.png, 7_2_5_and_newer.png]

Is there any method to make this work in a Windows 10 environment?

 

Thanks.

1 reply

pminarik
Staff
May 28, 2025

I would say that the proxy's behaviour should be fixed then.

The TLS version of a session is not established until both sides agree, so a middle-box blocking a session because it sees 1.1 mentioned in a ClientHello and interprets it as TLS 1.1 is factually wrong.
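An added example, not part of the thread and not FortiClient or proxy code: it parses the versions a ClientHello offers and shows which one a server would pick, for a hello that lists TLS 1.1 in 'supported_versions' and for one without the extension. The function names and the sample messages are constructed for illustration; they are not the captures from the screenshots.

```python
import struct

SUPPORTED_VERSIONS = 43  # extension type, RFC 8446
TLS11, TLS12, TLS13 = 0x0302, 0x0303, 0x0304

def build_client_hello(legacy_version, versions=None):
    """Constructed sample: minimal ClientHello handshake message (no record header)."""
    ext = b""
    if versions is not None:
        body = b"".join(struct.pack("!H", v) for v in versions)
        ext = struct.pack("!HHB", SUPPORTED_VERSIONS, len(body) + 1, len(body)) + body
    hello = (struct.pack("!H", legacy_version) + bytes(32)  # legacy_version + random
             + b"\x00"                                      # empty session_id
             + struct.pack("!HH", 2, 0x1301)                # one cipher suite
             + b"\x01\x00"                                  # null compression only
             + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(hello).to_bytes(3, "big") + hello

def offered_versions(msg):
    """Return (versions, explicit); explicit is True if supported_versions was present."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello")
    legacy = struct.unpack_from("!H", msg, 4)[0]
    pos = 4 + 2 + 32
    pos += 1 + msg[pos]                                 # skip session_id
    pos += 2 + struct.unpack_from("!H", msg, pos)[0]    # skip cipher_suites
    pos += 1 + msg[pos]                                 # skip compression_methods
    pos, end = pos + 2, pos + 2 + struct.unpack_from("!H", msg, pos)[0]
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", msg, pos)
        pos += 4
        if etype == SUPPORTED_VERSIONS:
            return [struct.unpack_from("!H", msg, pos + 1 + i)[0]
                    for i in range(0, msg[pos], 2)], True
        pos += elen
    return [legacy], False  # no extension: the field is only the client's maximum

def negotiate(msg, server_versions):
    """Version a server would select: highest one both sides support, or None."""
    offered, explicit = offered_versions(msg)
    if explicit:
        common = set(offered) & set(server_versions)
    else:
        common = {v for v in server_versions if v <= offered[0]}
    return max(common, default=None)

if __name__ == "__main__":
    with_ext = build_client_hello(TLS12, [TLS13, TLS12, TLS11])
    print(offered_versions(with_ext), hex(negotiate(with_ext, [TLS12, TLS13])))
```

A filter that wants to keep TLS 1.1 sessions out would check the version selected in the ServerHello, not the presence of 0x0302 in the client's list.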

HoiFree
Author
New Member
June 7, 2025

Thanks pminarik, agreed with your point.

However, altering the middle-box is not feasible at the moment. I just wonder what actually changed in FortiClient 7.2.5 and newer versions that created this symptom (the connection establishment stops at 10%).