HoiFree
New Contributor II

FortiClient Added TLS1.1 in Client Hello from 7.2.5

Hello,

Discovered that starting from FortiClient 7.2.5, the 1st 'Client Hello' packet added TLS 1.1 as a supported version and caused a problem in establishing the VPN connection with a proxy (it seems the proxy disallowed the TLS 1.1 support).

This can be overcome by creating registry keys HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1 

DisableByDefault = 1

Enabled = 0

 

However, this has no effect in Windows 10 as the format of the 1st 'Client Hello' is different from that of Windows 11 which does not carry the 'supported_versions' information.

 

[Screenshots: 7_2_4_and_older.png, 7_2_5_and_newer.png]

Is there any method to make this work in a Windows 10 environment?

 

Thanks.

2 REPLIES
pminarik
Staff

I would say that the proxy's behaviour should be fixed then.

The TLS version of a session is not established until both sides agree, so a middle-box blocking a session because it sees 1.1 mentioned in a ClientHello and interprets it as TLS 1.1 is factually wrong.

[ corrections always welcome ]
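
An added example, not part of either post and not Fortinet code: a Python sketch that parses a ClientHello and reports which versions it offers, to show that a 1.1 entry in 'supported_versions' is one offer in a list and that a hello without the extension falls back to the legacy version field. The two sample messages are constructed here, and their version lists are assumptions, not captures of FortiClient traffic.

```python
import struct

NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS = 43  # extension type, RFC 8446

def build_client_hello(legacy_version, offered=None):
    """Constructed sample ClientHello handshake message (not a capture)."""
    ext = b""
    if offered is not None:
        body = bytes([2 * len(offered)]) + b"".join(struct.pack("!H", v) for v in offered)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS, len(body)) + body
    hello = (struct.pack("!H", legacy_version) + bytes(32)  # version + random
             + b"\x00"                                       # empty session_id
             + struct.pack("!HH", 2, 0x1301)                 # one cipher suite
             + b"\x01\x00"                                   # null compression
             + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(hello).to_bytes(3, "big") + hello

def offered_versions(msg):
    """Return (legacy_version, supported_versions list or None if absent)."""
    if len(msg) < 4 or msg[0] != 1:
        raise ValueError("not a ClientHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    legacy = struct.unpack_from("!H", body, 0)[0]
    pos = 34                                            # 2-byte version + 32-byte random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    if pos + 2 > len(body):
        return legacy, None                             # no extensions block at all
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + elen]
        if etype == SUPPORTED_VERSIONS:
            return legacy, [struct.unpack_from("!H", data, i)[0] for i in range(1, 1 + data[0], 2)]
        pos += 4 + elen
    return legacy, None

def highest_offer(msg):
    """Highest version the client offers; the server's reply selects the real one."""
    legacy, versions = offered_versions(msg)
    known = [v for v in (versions or [legacy]) if v in NAMES]  # skips GREASE values
    return NAMES[max(known)] if known else "unknown"
```

A policy check that wants to reject TLS 1.1 sessions has to look at the version selected in the ServerHello; the list returned by offered_versions() only says what the client is willing to accept.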
HoiFree
New Contributor II

Thanks pminarik, agreed with your point.

However, altering the middle-box is not feasible at the moment. Just wondering what actually changed in FortiClient 7.2.5 and newer versions that created this symptom (the connection establishment stops at 10%).
