serverssl behavior in 11.4.x
The Deployment Guide for Exchange 2013 contains the following interesting note:
SSL ciphers used in the Server SSL profile in 11.4.x are not compatible with those in some versions of Microsoft Internet Information Server (IIS).
This seems to be a bug in only this version.
And yes, I also made an ssldump, but I don't have it available anymore (and can't reproduce it again). But I can remember that after the client hello the server immediately sends an RST (not a FIN). Right now, without TLS1.2, it looks like this:
```
New TCP connection 1: 10.71.65.97(43749) <-> 10.76.144.52(443)
1 1 0.0003 (0.0003) C>SV3.2(107) Handshake
    ClientHello
      Version 3.2
      random[32]=
        22 62 5d 20 0e 4d dd 89 b9 d0 25 d5 c1 fc cb 63
        62 d8 f7 ac 8f a6 bd ea d8 a0 25 85 70 6d a7 8d
      resume [32]=
        99 33 00 00 3d 97 b1 db b9 89 e9 b0 25 7f 8e aa
        51 35 35 d3 08 63 47 2a 04 3e 64 b1 21 d1 4a 81
      cipher suites
      TLS_RSA_WITH_RC4_128_SHA
      TLS_RSA_WITH_AES_128_CBC_SHA
      TLS_RSA_WITH_AES_256_CBC_SHA
      TLS_RSA_WITH_3DES_EDE_CBC_SHA
      Unknown value 0xc013
      Unknown value 0xc014
      Unknown value 0xc012
      Unknown value 0xff
      compression methods
        NULL
1 2 0.0009 (0.0005) S>CV3.2(81) Handshake
    ServerHello
      Version 3.2
      random[32]=
        56 0c df 67 99 9e 1b 83 f9 77 e2 27 24 8e 13 c1
        b0 a2 f1 7b 5b 65 88 fe e1 91 95 64 88 a1 08 c7
      session_id[32]=
        99 33 00 00 3d 97 b1 db b9 89 e9 b0 25 7f 8e aa
        51 35 35 d3 08 63 47 2a 04 3e 64 b1 21 d1 4a 81
      cipherSuite Unknown value 0xc014
      compressionMethod NULL
```
Looking at the above, I can also remember that with TLS 1.2 this "resume [32]=" line was not included.
Here is the sniffer output from the failure:
Ciao Stefan 🙂
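
An added example, not part of the original post and not ssldump's own code: a small Python parser for ssldump text that resolves the `Unknown value` cipher suite codes seen in the trace above to their IANA names and checks whether the ServerHello echoed the ClientHello's session ID, which means the server accepted session resumption. The function names are hypothetical, and `SAMPLE` is constructed by abridging the post's trace (random bytes and some suites omitted, session IDs shortened to 8 bytes).

```python
import re

# IANA code points the post's ssldump build printed as "Unknown value"
SUITES = {0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
          0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
          0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
          0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}  # signal, not a cipher
VERSIONS = {"3.1": "TLS 1.0", "3.2": "TLS 1.1", "3.3": "TLS 1.2"}

def suite_name(token):
    """Resolve 'Unknown value 0x....' to its IANA name; pass known names through."""
    m = re.search(r"Unknown value 0x([0-9a-fA-F]+)", token)
    return SUITES.get(int(m.group(1), 16), token.strip()) if m else token.strip()

def parse_hellos(text):
    """Collect version, session ID and cipher suites per hello message."""
    hellos, msg, field = {}, None, None
    for line in map(str.strip, text.splitlines()):
        hdr = re.match(r"(\w+)\s*\[\d+\]=$", line)  # e.g. "resume [32]="
        if line in ("ClientHello", "ServerHello"):
            msg, field = hellos.setdefault(line, {"suites": [], "id": ""}), None
        elif msg is None:
            continue
        elif line.startswith("Version "):
            msg["version"] = VERSIONS.get(line.split()[1], line)
        elif hdr or line in ("cipher suites", "compression methods"):
            field = hdr.group(1) if hdr else line
        elif line.startswith("cipherSuite "):
            msg["suites"].append(suite_name(line[len("cipherSuite "):]))
        elif field == "cipher suites":
            msg["suites"].append(suite_name(line))
        elif field in ("resume", "session_id") and re.fullmatch(r"[0-9a-f ]+", line):
            msg["id"] += line.replace(" ", "")
    return hellos

def summarize(text):
    c, s = (parse_hellos(text)[k] for k in ("ClientHello", "ServerHello"))
    # A server that echoes the client's session ID has accepted resumption.
    return {"version": s["version"], "offered": c["suites"],
            "selected": s["suites"][0], "resumed": bool(c["id"]) and c["id"] == s["id"]}

# Constructed sample, abridged from the trace in the post ("|" stands for a newline)
SAMPLE = ("ClientHello|Version 3.2|resume [32]=|99 33 00 00 3d 97 b1 db|cipher suites|"
          "TLS_RSA_WITH_AES_256_CBC_SHA|Unknown value 0xc014|Unknown value 0xff|"
          "compression methods|NULL|ServerHello|Version 3.2|session_id[32]=|"
          "99 33 00 00 3d 97 b1 db|cipherSuite Unknown value 0xc014").replace("|", "\n")

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against the trace in the post, this reports TLS 1.1, a resumed session, and `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` as the suite the server selected.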