Nazibra

Reputation: 17

Handshake failure 40 on incoming traffic from telegram to my server

My Telegram bot doesn't receive updates anymore, because of the last API update, which only works with TLS 1.2.

I tried listening with Wireshark to check; I found that the outgoing requests are sent over TLS 1.2 successfully, but the INCOMING ONES (updates, commands sent to my bot) fail due to HANDSHAKE FAILURE.

Transport Layer Security
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)

Knowing that, I tried:

  1. Enabling TLS 1.2 using Internet Options

  2. Added client and server keys to the SChannel entry in the registry (DisabledByDefault = 0; Enabled = 1)

  3. Installed this update: KB3140245

  4. Installed all the important updates on my Windows Server 2012

What should I do to solve this issue? Thanks for your time.

Upvotes: 0

Views: 2298

Answers (1)

Hallfaer

Reputation: 11

Note: This is an edited repost of my original answer, as it was deleted for being low-quality.

The issue is that, of the TLS 1.2 set of cipher suites, the Telegram API only accepts a limited set. Of those, only TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) and TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) are supported on Windows 2012. A secure channel for SSL / TLS could not be created on create new TelegramBotClient.

However, Microsoft has disabled their implementations of those ciphers on Windows 2012 already in 2014 as part of a remote code execution patch: MS14-066: Vulnerability in SChannel could allow remote code execution (November 11, 2014).

They are considered unsafe ciphers by, among others, Qualys SSL Labs and NARTAC.

Note that the Telegram API supports many other, more secure ciphers, even TLS 1.3, but none of those are supported by any version of Windows 2012. TLS 1.3 is not supported by any Windows version at the time of writing.

In summary, this explains why the problem occurs. The bad news is that there is no good solution on Windows Server 2012. The oldest Windows Server version that supports Telegram bots currently is Windows Server 2016. I'm moving my bot to an Ubuntu 19.10 server.

Upvotes: 1
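To triage a capture like the one in the question without reopening Wireshark, here is an added example (not part of the question or the answer) that parses raw TLS record bytes and lists the fatal alerts in the stream. The sample bytes are constructed to match the alert Wireshark showed (content type 21, version 0x0303, length 2, level 2, description 40), preceded by a constructed warning-level close_notify so the filter has something to skip.

```python
import struct

# TLS record content types and alert codes (RFC 5246, sections 6.2 and 7.2)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_records(data: bytes):
    """Split a raw TLS byte stream into (content_type, version, payload) records."""
    records, offset = [], 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) < length:
            break  # truncated record at the end of the capture: stop rather than misparse
        records.append((ctype, version, payload))
        offset += 5 + length
    return records

def describe_alert(record):
    """Return a readable dict for a plaintext alert record, or None if it is not one."""
    ctype, version, payload = record
    if ctype != 21 or len(payload) != 2:
        return None  # encrypted alerts carry MAC/tag bytes, so only a 2-byte body is decodable
    level, desc = payload
    return {
        "version": VERSIONS.get(version, hex(version)),
        "level": ALERT_LEVELS.get(level, str(level)),
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
        "code": desc,
    }

def fatal_alerts(data: bytes):
    """Collect every fatal alert in the stream: the first thing an analyst wants to see."""
    return [a for a in map(describe_alert, parse_records(data)) if a and a["level"] == "fatal"]

# Constructed sample stream: a warning close_notify (15 03 03 00 02 01 00) followed by the
# fatal handshake_failure record from the question (15 03 03 00 02 02 28).
SAMPLE = bytes.fromhex("15030300020100") + bytes.fromhex("15030300020228")

if __name__ == "__main__":
    for alert in fatal_alerts(SAMPLE):
        print(f"{alert['version']} fatal alert: {alert['description']} ({alert['code']})")
```

A handshake_failure alert sent right after the ClientHello, as in the capture above, is the server saying it found no cipher suite (or parameter) in common with the client, which is exactly the cipher-suite mismatch the answer describes.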
