Advertisement
Interview Question
After tightening TLS settings, some clients fail during handshake. How do you triage and restore compatibility without weakening security?
Key Points to Cover
- Collect handshake errors and client JA3/JA4 fingerprints
- Compare enabled protocol/cipher suites vs client capabilities
- Introduce secure compatibility ciphers or TLS versions selectively
- Use ALPN/SNI routing to separate legacy clients
- Document policy and add compatibility tests in CI
Evaluation Rubric
Gathers handshake-level evidence30% weight
Matches cipher/protocol compat30% weight
Segments legacy traffic safely20% weight
Codifies policy/tests for regressions20% weight
Hints
- 💡Beware of TLS 1.0/1.1 deprecations on old clients.
Common Pitfalls to Avoid
- ⚠️Rolling back security settings globally without understanding the specific cause of the failure.
- ⚠️Re-enabling insecure or obsolete cipher suites or TLS versions indiscriminately.
- ⚠️Failing to collect or analyze JA3/JA4 fingerprints, leading to a guess-work approach.
- ⚠️Not documenting the changes made and the rationale behind them, hindering future troubleshooting.
- ⚠️Ignoring the opportunity to provide client-side remediation guidance, leaving the burden solely on the server administrator.
Potential Follow-up Questions
- ❓How to test with real client fingerprints?
- ❓When to require mTLS?
Advertisement
Related Questions
Questions that share similar topics with this one
TLS Handshake Basics
Intermediate📞 Phone Screen•2 min•Phone
SSL vs TLS
Beginner📞 Phone Screen•2 min•Phone
SSH Keys vs Password Authentication
Beginner📞 Phone Screen•1 min•Phone
Design a URL Shortener (TinyURL)
Advanced🏗️ System Design•45 min•System-Design
Design an API Gateway / Edge Layer
Advanced🏗️ System Design•45 min•System-Design