UKC

TLS handshakes dropping out

This topic has been archived, and won't accept reply postings.
 Mr Lopez 10 May 2020

So it seems that, to go along with the spirit of social distancing, my ISP has since a few days ago been refusing to do TLS handshakes.

I use my phone for all my internet, so my connection is already shite at the best of times, but now the majority of websites, when I try to open them, get stuck at 'performing a TLS handshake' in FF or 'establishing a secure connection' in Chrome, and then time out.

Loads of waffle on the internet regarding secure connection problems, but even though I can get Google to load search results about once every 10 attempts, I can't open the pages hosting the actual search finds...

UKC works just fine, so if anyone has any ideas as to whether there is anything I can do to help pages load it'd be awesome, as among other things I really need to open my email to send some rather important ones. Not holding out much hope of it being an ISP issue, but worth a try.

 JR 10 May 2020
In reply to Mr Lopez:

Assuming this isn't a very old version of Chrome/FF or Windows XP etc.:

  • Is the time on your device correct?
  • Are you running an anti-virus (or indeed a virus!) that does some kind of MITM?
OP Mr Lopez 10 May 2020
In reply to JR:

> Assuming this isn't a very old version of Chrome/FF or Windows XP etc.:

Both fairly contemporary, as I'm running W10 and it updates whenever it pleases.

> Is the time on your device correct?

Think so. Both phone and laptop auto-sync the time online, so should be correct. Time matches the time signature in the 'posts' here, so should be good.

> Are you running an anti-virus (or indeed a virus!) that does some kind of MITM?

Light anti-virus, and I scan with Malwarebytes regularly for good measure. Nothing ever found. Got to say, the problem is there whether I use the laptop's browsers via tethering or the phone's own browsers (Dolphin and Chrome on the phone), so it's not device specific.

Thanks

Post edited at 10:37
 JR 10 May 2020
In reply to Mr Lopez:

  • Are you connecting via VPN?
  • Running a VPN profile on your phone?
  • Is the phone OS up to date?

It would also be useful to use curl to see what the headers say for one of the failing sites. In a command prompt or terminal, type:

curl -v https://example.com

You should get some more specific error messages about why the TLS connection fails.

 Luke90 10 May 2020
In reply to Mr Lopez:

Any anti-virus apps on the phone? (In the sense that they could be causing the problem.)

Or any other apps that you've installed recently? Might be worth trying to uninstall them.

OP Mr Lopez 10 May 2020
In reply to JR:

No VPNs. On 2 phones I get the same problem, and both are up to date. That's why I'm pretty sure it's the ISP rather than my devices: 2 phones with 2 browsers each and a laptop on the same connection, all with the same problem.

Curl returns:

C:\Users\SENOR>curl -v https://outlook.live.com
* Rebuilt URL to: https://outlook.live.com/
*   Trying 13.107.42.11...
* TCP_NODELAY set
* Connected to outlook.live.com (13.107.42.11) port 443 (#0)
* schannel: SSL/TLS connection with outlook.live.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 181 bytes...
* schannel: sent initial handshake data: sent 181 bytes
* schannel: SSL/TLS connection with outlook.live.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data

That's where it fails. All other sites are the same. (Nice nifty functionality, btw.)

OP Mr Lopez 10 May 2020
In reply to Luke90:

Tried running all devices in safe mode already to rule out any possible conflicts. Thanks

 Luke90 10 May 2020
In reply to Mr Lopez:

> No VPNs. On 2 phones I get the same problem, and both are up to date. That's why I'm pretty sure it's the ISP rather than my devices: 2 phones with 2 browsers each and a laptop on the same connection, all with the same problem.

I'm a little confused now. I thought you were making all the connections through a phone?

Is one phone tethered to the other phone? Or you have two separate data connections for the phones? Or all three devices are connecting to conventional broadband?

OP Mr Lopez 10 May 2020
In reply to Luke90:

Yeah, sorry. I've got 1 SIM card that lives in 1 phone, and I use that to connect to the internet and tether to the laptop. When all this started I put the SIM card in another phone I have to see if the problem was coming from phone 1 specifically, but the same issue remained.

Thanks for the help

Post edited at 11:19
 SouthernSteve 10 May 2020

There were meant to be some Microsoft TLS changes around now, but these have been postponed. However, an intermediary may have already acted to fit in with the proposed changes. As a client, I would have expected properly updated software to deal with this seamlessly, although VPNs may be stuck with older algorithms. I would check your date and time and your DNS settings, though.

> Updated April 22, 2020: To ensure the best possible experience for our customers during these unprecedented times we are postponing the retirement of TLS 1.0 and 1.1, which was scheduled to begin June 1, 2020. We will deliver a new Message center post when we are going to move forward with the retirement. Original messaging below for reference.

> As previously communicated (MC124104 in Oct 2017, MC126199 in Dec 2017 and MC128929 in Feb 2018), we are moving all of our online services to Transport Layer Security (TLS) 1.2+ to provide best-in-class encryption, and to ensure our service is more secure by default.

OP Mr Lopez 10 May 2020
In reply to SouthernSteve:

Uh, that's interesting. Could be my phone company trying to upgrade the systems and messing it up as they always do. They deny any issues other than 'the network is saturated', which is crap, as I stayed up till 3am last night hoping to catch the network 'unsaturated' but no change...

I did already flush and reset the DNS and TCP/IP settings, but it didn't work.

Post edited at 12:45
 JR 10 May 2020
In reply to Mr Lopez:

What ISP is it?

To force a TLS v1.2 connection (TLS 1.0 and 1.1 are soon to be deprecated, and should be already, but I'd be surprised if that's the issue with modern tech and a decent ISP), test using:

curl -vv --tlsv1.2 https://outlook.live.com

As an experiment, try installing and running your phone connection through https://1.1.1.1/

You should be able to get a small trial of the WARP+ feature too, which is more akin to a VPN than just a DoH resolver.

Test using:

curl -vv https://outlook.live.com

in all 3 states (without the forced 1.2 connection switch): normal, Warp and Warp+, and see what the output is.

Post edited at 13:34
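The two curl suggestions in this thread (plain `curl -v` earlier, and `curl -vv --tlsv1.2` just above) are really asking the same question: at which stage does the connection die? The schannel trace Mr Lopez posted already answers it for his case: the name resolved, TCP connected to 13.107.42.11:443, a 181-byte ClientHello went out, and then no ServerHello ever arrived. That pattern (TCP up, TLS silent) is different from what a wrong clock, a bad CA bundle or broken DNS would produce; those fail at resolution or at certificate verification, after the server has already answered. The script below is an added example, not code from the thread or from any of the posters. It runs the three stages separately with a timeout on each and reports the first one that fails, and its `minimum_version` argument is the equivalent of the `--tlsv1.2` switch. The stalled local server it starts is a constructed test double for the "need more data" behaviour; the hostnames in the `__main__` block are the ones used in the thread.

```python
"""Stage-by-stage TLS reachability probe (added example, not from the thread)."""
import socket
import ssl
import threading
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProbeResult:
    stage: str                      # "dns", "tcp_connect", "tls_handshake" or "ok"
    ok: bool
    detail: str
    tls_version: Optional[str] = None


def probe_tls(host: str, port: int = 443, timeout: float = 5.0,
              server_name: Optional[str] = None,
              minimum_version: Optional[ssl.TLSVersion] = None) -> ProbeResult:
    """Resolve, connect and handshake, stopping at the first stage that fails.

    server_name is the SNI sent in the ClientHello (defaults to host); give it a
    different value from the address you connect to if you suspect SNI-based
    filtering on the path. minimum_version mirrors curl --tlsv1.2.
    """
    # Stage 1: name resolution.
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        ip = infos[0][4][0]
    except socket.gaierror as exc:
        return ProbeResult("dns", False, f"cannot resolve {host}: {exc}")

    # Stage 2: TCP three-way handshake.
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except OSError as exc:
        return ProbeResult("tcp_connect", False, f"{ip}:{port}: {exc}")

    # Stage 3: TLS handshake. The socket timeout carries over to the TLS socket,
    # so a ClientHello that never gets a ServerHello surfaces as a timeout.
    ctx = ssl.create_default_context()
    if minimum_version is not None:
        ctx.minimum_version = minimum_version
    try:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return ProbeResult("ok", True,
                               f"negotiated {tls.version()} with {ip}:{port}",
                               tls.version())
    except socket.timeout:
        return ProbeResult("tls_handshake", False,
                           f"ClientHello sent, no ServerHello within {timeout}s "
                           "(TCP is up, TLS records are not getting through)")
    except ssl.SSLCertVerificationError as exc:
        return ProbeResult("tls_handshake", False,
                           f"certificate rejected: {exc.verify_message}")
    except ssl.SSLError as exc:
        return ProbeResult("tls_handshake", False, f"TLS error: {exc}")
    except OSError as exc:
        return ProbeResult("tls_handshake", False, f"connection error: {exc}")


def start_stalled_server(hold_seconds: float = 3.0) -> int:
    """Constructed test double: accepts TCP, reads the ClientHello, never replies."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        conn.settimeout(hold_seconds)
        try:
            conn.recv(4096)            # the ClientHello lands here ...
            time.sleep(hold_seconds)   # ... and is simply never answered
        except OSError:
            pass
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port() -> int:
    """Pick a local port nothing listens on (bind, read the number back, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Offline demo of the two failure shapes discussed in the thread.
    print(probe_tls("127.0.0.1", start_stalled_server(), timeout=1.0,
                    server_name="outlook.live.com"))   # stalls after ClientHello
    print(probe_tls("127.0.0.1", closed_port(), timeout=1.0))  # refused at TCP
    # Live use, the equivalent of `curl -vv --tlsv1.2 https://outlook.live.com`:
    print(probe_tls("outlook.live.com", minimum_version=ssl.TLSVersion.TLSv1_2))
```

Run it against a stalled path and the result is `stage="tls_handshake"` with a timeout message, which is the same information the schannel trace gave but without reading the verbose output; pair that with the same probe from a different network (the WARP experiment above, or a wifi hotspot) to confirm whether the drop is on the carrier's path or on the device.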
OP Mr Lopez 10 May 2020
In reply to JR:

Awesome stuff, albeit a total failure. Can't visit the website because it requires a TLS handshake... So I don't know if that would be to install the VPN on the laptop or not.

I downloaded and installed the app on the phone, and it stays disconnected, saying "your tunnel configuration is invalid". In the app's console it shows it's trying to connect every 3 seconds and says "unable to connect SSL timed out", and then a handful of errors with 'unable to connect' and 'dns timeout' before retrying. Also, while 1.1.1.1 is enabled, on the laptop's console I get 'could not resolve host' from the curl call.

Also tried the curl command to try and force 1.0 and 1.1 for a laugh, and got the same result as the one for 1.2.

Seems I'm gonna have to go for a walk with a wifi scanner app and see if I can find an unsecured wifi connection somewhere...

Cheers

 SouthernSteve 10 May 2020
In reply to Mr Lopez:

Just a thought. Does your internet provider (phone) have certificate updates independent of the OS? This could be called something like Contract WAP. You can then check the validity of the certificates associated with that.

Post edited at 14:20
OP Mr Lopez 10 May 2020
In reply to SouthernSteve:

That all sounds like Klingon to me. Ha, ha. Probably not. It's just a standard '3' pay monthly contract.

 SouthernSteve 10 May 2020
In reply to Mr Lopez:

On my phone I have one for Vodafone, and when the phone detects an update in the OS I sometimes get a text that invites me to update. I have never had the same thing with EE on the other work phone, though.

OP Mr Lopez 10 May 2020
In reply to SouthernSteve:

Oh right. Never noticed them to be separate. At least I'm sure I've never had to update them or anything. I think.

 JR 10 May 2020
In reply to Mr Lopez:

I did consider a CA bundle issue (as per SouthernSteve's suggestion).

Generally it seems like there is a DNS/CA settings issue, but it's odd that it is on both devices.

I would consider trying to reset the network settings:

http://support.three.co.uk/SRVS/CGI-BIN/WEBISAPI.DLL?Command=New,Kb=Mobile,...

Ironically this page isn't available via https...

Or, if you have a sufficient backup of your data, factory reset one device.

OP Mr Lopez 10 May 2020
In reply to Mr Lopez:

Hold your horses! Out of the blue now it's all working and connecting fine. Time to wade through the backlog of emails.

Thanks for all the replies folks

OP Mr Lopez 10 May 2020
In reply to JR:

Hey mate. It's now working somehow. Don't know if it was all the messing about or what, but I'm not about to complain. Thanks!

