We have a relatively old piece of hardware running a client application that has a requirement of making web service calls over TLS 1.0.
The server has many different clients, and so it supports TLS 1.0, 1.1, and 1.2. Therefore, when the server sends its certificate, it also sends a list of CAs alongside it. The server is set so that the client can optionally provide a certificate, but it is not required. The issue is that as soon as the client sees a list of CAs, it sends back a FIN/ACK (closing the connection).
This seems like incorrect behaviour. According to the TLS 1.0 RFC, https://www.rfc-editor.org/rfc/rfc2246#section-7.4.2:
Note that a client may send no certificates if it does not have an appropriate certificate to send in response to the server's authentication request.
Presumably, the client is seeing the list of CAs and assuming that it is required to present a certificate, and it fails outright because it does not have one. The client works when it is provided no CA list, which we can force by disabling TLS 1.1 and 1.2 on the server. Unfortunately, this is not an option in our production environment.
My question is whether the above conclusion is correct: should the client be responding with no certificate instead of closing the connection?
If so, I see a few options:
- Create a client certificate and install it on each client device
- Open a separate port on the server that only allows TLS 1.0, specifically for this client
- Open a support ticket with the vendor of the client device and hope they fix it or have a solution (doubtful)
We are leaning towards option 2, as it's the easiest solution for us to implement. If anyone has any other way for us to solve the problem, it would be much appreciated.