FortiClient Added TLS1.1 in Client Hello from 7.2.5

HoiFree · ‎05-27-2025

Hello,

Discovered that starting from FortiClient 7.2.5, the 1st 'Client Hello' packet added TLS1.1 as supported version and caused problem in establishing VPN connection with proxy (seems the proxy disallowed the TLS 1.1 support).

This can be overcome by creating registry keys HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1

DisableByDefault = 1

Enabled = 0

However, this has no effect in Windows 10 as the format of the1st 'Client Hello' is different from that of Windows 11 which does not carry the 'supported_versions' information.

Is there any method to make this works in Windows 10 environment?

Thanks.

pminarik · ‎05-28-2025

I would say that the proxy's behaviour should be fixed then.

TLS version of a session is not established until both sides agree, so a middle-box blocking a session because it sees 1.1 mentioned in a ClientHello and interprets is as TLS 1.1 is factually wrong.

[ corrections always welcome ]

HoiFree · ‎06-06-2025

Thanks pminaril, agreed your point.

However, altering the middle-box is not feasible at the moment. Just wonder what actually changed from FortiClient 7.2.5 and newer version that created this symptom (the connection establishment stops at 10%).

FortiClient Added TLS1.1 in Client Hello from 7.2.5

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website