Apple TLS Cyphers problem

Whilst prepping our WS1 lab environment for an upgrade, it was found that Android devices enrolled and was manged correctly but Apple devices had no APNs push, they would enrol and check in but not receive and profiles or apps.
After changing the APNs certificate for that LG, we still had the same issue, digging deeper and looking in to the DB with select * from dbo.APNsGenerationStatus showed the APNs certificate correct in the DB.
from both the Console Server and Device server ‘telnet 2195’ and’ telnet 2196’ connected.
Using Wireshark we found a TLS1.2 handshake error

This related to port 2195
TLSv1.2 Record Layer:Alert (Level Fatal, Description: Handshake failure)

On the console and device server only TLS1.2 was enabled and weak TLS_RSA_WITH_AES cyphers were disabled.
Qualys SSL Labs report gave the device server a grade A and the Console server a grade A+

enabling the following cyphers on the Console server cured the TLS hand shake errors:

TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128


The CBC ciphers are deemed to be weak and recommended to be disabled, however you will block APNs push if you do.

This article is very useful.

This refers to handshake errors and

An interesting exercise.