Win7, IE 8, Client Cert Auth with TLSv1.2 enabled NOT WORKING

Hi All,

I am troubleshooting the not working scenario in which we have sucessful client cert authentication from Win7, IE8 and TLS1.0 enabled  - but as soon as in Advanced tab of Internet Options TLS v1.2 is also selected the communication if failing.

Client's machine has client certificate installed, and also the root CA is installed in Trusted Root store

The process is as follows (with TLS 1.2 enabled)

1. Client connects to the SSL server - the initial handshake works fine , and in the ServerHello we can see certificate request all right.

2. On the client side - there is a pop up with the list of client certs - user selects his cert and confirms OK

3. At this stage user getting "Page canot be displayed" message on IE . At the same time, looking into the trace and the communication being done from the client  - the very starange thing is that there is no "ClientHello" being sent by the client (10.4.103.130).

The initial TCP handshake looks ok, bu then client is finishing the connection, instead of staring SSL handshake by sending ClientHello....

62527 08:58:03.541 10.4.103.130 TCP 110 x.15.226.18   49984 > https [SYN] Seq=2509215337 Win=32768 Len=0 MSS=1460 WS=1 TSval=4016368077 TSecr=0 SACK_PERM=1
62528 08:58:03.541 x.15.226.18 TCP 92 10.4.103.130   https > 49984 [SYN, ACK] Seq=2329522121 Ack=2509215338 Win=8190 Len=0 MSS=1460
62529 08:58:03.541 10.4.103.130 TCP 86 x.15.226.18   49984 > https [ACK] Seq=2509215338 Ack=2329522122 Win=33580 Len=0
62530 08:58:03.541 10.4.103.130 TCP 86 x.15.226.18   49984 > https [FIN, ACK] Seq=2509215338 Ack=2329522122 Win=33580 Len=0
62531 08:58:03.541 x.15.226.18 TCP 92 10.4.103.130   https > 49984 [FIN, ACK] Seq=2329522122 Ack=2509215339 Win=35688 Len=0
62532 08:58:03.541 10.4.103.130 TCP 86 x.15.226.18   49984 > https [ACK] Seq=2509215339 Ack=2329522123 Win=33579 Len=0

* this has been checked on known working user cert and the situation is the same ....

HAve anyone seen such a behaviour ?

What I am thinkg of is that TLS1.2 is not really enabled on the client machine.

Thanks for your input.

Andrzej