jddsantaella
Reputation: 3687
TLS Connection - Message unexpected
I am facing a problem during handshake with a client:
As you can see, client reveives an unexpected message so the communication ends. It looks like the server is trying to resume a session using ticket session strategy and the client doesn't like it. Taking a look to the documentation RFC 5077 the message from the server with the NewSessionTicket just should be sent when the client suports this functionalily (through SessionTicket extension) and sends the ticket.
The problem here is that the client is sending (in the Client hello message) an empty ticket session extension, with no ticket. Take a look to the "client hello" message:
There is no ticket. So, why server is responding with a new ticket? According with the doc:
When the client wishes to resume the session, it includes the ticket in the SessionTicket extension within the ClientHello messageThe server then decrypts the received ticket, verifies the ticket's validity, retrieves the session state from the contents of the ticket, and uses this state to resume the session
On the server side we have an Apache version 2.2.15 and both, Session resumption (caching) and Session resumption (tickets), are activated. Regarding the client side, I have not much information, I am trying to gather it.
More over, this situation does not happens always. In the same scenario, there are also cases where server responds correctly (full handshake) and cases where the client sends the ticket and the server responds with full handshake anyway.
I have the feeling that the error has something to do with the client, but at this point, it looks that the problems is in the server side, as a bug in Apache o something similar.
EDITED
Hello Client
No. Time Source Destination Protocol Length Info
1378 132.627955 XX.XXX.138.11 YY.YY.2.200 TLSv1 180 Client Hello
Frame 1378: 180 bytes on wire (1440 bits), 180 bytes captured (1440 bits)
Encapsulation type: Ethernet (1)
Arrival Time: May 6, 2015 11:13:51.817868000 Hora de verano romance
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1430903631.817868000 seconds
[Time delta from previous captured frame: 0.000212000 seconds]
[Time delta from previous displayed frame: 0.000212000 seconds]
[Time since reference or first frame: 132.627955000 seconds]
Frame Number: 1378
Frame Length: 180 bytes (1440 bits)
Capture Length: 180 bytes (1440 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:ssl]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Ethernet II, Src: 10:11:11:11:11:11 (10:11:11:11:11:11), Dst: F5Networ_6e:9f:c4 (00:23:e9:6e:9f:c4)
Destination: F5Networ_6e:9f:c4 (00:23:e9:6e:9f:c4)
Address: F5Networ_6e:9f:c4 (00:23:e9:6e:9f:c4)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 10:11:11:11:11:11 (10:11:11:11:11:11)
Address: 10:11:11:11:11:11 (10:11:11:11:11:11)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: XX.XXX.138.11 (XX.XXX.138.11), Dst: YY.YY.2.200 (YY.YY.2.200)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 166
Identification: 0x2af6 (10998)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 54
Protocol: TCP (6)
Header checksum: 0x77eb [validation disabled]
[Good: False]
[Bad: False]
Source: XX.XXX.138.11 (XX.XXX.138.11)
Destination: YY.YY.2.200 (YY.YY.2.200)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 35413 (35413), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 126
Source Port: 35413 (35413)
Destination Port: 443 (443)
[Stream index: 5]
[TCP Segment Len: 126]
Sequence number: 1 (relative sequence number)
[Next sequence number: 127 (relative sequence number)]
Acknowledgment number: 1 (relative ack number)
Header Length: 20 bytes
.... 0000 0001 1000 = Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
Window size value: 49680
[Calculated window size: 49680]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0x9d55 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Urgent pointer: 0
[SEQ/ACK analysis]
[iRTT: 0.010337000 seconds]
[Bytes in flight: 126]
Secure Sockets Layer
TLSv1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 121
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 117
Version: TLS 1.0 (0x0301)
Random
GMT Unix Time: May 6, 2015 11:13:53.000000000 Hora de verano romance
Random Bytes: 0a2aeead9ad4fcc71cedea83f57456f1383edd09f9ff3217...
Session ID Length: 32
Session ID: eb32d8d516eed625fa6b57d983bfb2f807db851a047093ac...
Cipher Suites Length: 40
Cipher Suites (20 suites)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 4
Extension: SessionTicket TLS
Type: SessionTicket TLS (0x0023)
Length: 0
Data (0 bytes)
Hello Server
No. Time Source Destination Protocol Length Info
1380 132.629663 YY.YY.2.200 XX.XXX.138.11 TLSv1 398 Server Hello, New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
Frame 1380: 398 bytes on wire (3184 bits), 398 bytes captured (3184 bits)
Encapsulation type: Ethernet (1)
Arrival Time: May 6, 2015 11:13:51.819576000 Hora de verano romance
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1430903631.819576000 seconds
[Time delta from previous captured frame: 0.001648000 seconds]
[Time delta from previous displayed frame: 0.001648000 seconds]
[Time since reference or first frame: 132.629663000 seconds]
Frame Number: 1380
Frame Length: 398 bytes (3184 bits)
Capture Length: 398 bytes (3184 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:ssl]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Ethernet II, Src: F5Networ_6e:9f:c4 (00:23:e9:6e:9f:c4), Dst: 10:11:11:11:11:11 (10:11:11:11:11:11)
Destination: 10:11:11:11:11:11 (10:11:11:11:11:11)
Address: 10:11:11:11:11:11 (10:11:11:11:11:11)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: F5Networ_6e:9f:c4 (00:23:e9:6e:9f:c4)
Address: F5Networ_6e:9f:c4 (00:23:e9:6e:9f:c4)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: YY.YY.2.200 (YY.YY.2.200), Dst: XX.XXX.138.11 (XX.XXX.138.11)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 384
Identification: 0xce71 (52849)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: TCP (6)
Header checksum: 0x0a95 [validation disabled]
[Good: False]
[Bad: False]
Source: YY.YY.2.200 (YY.YY.2.200)
Destination: XX.XXX.138.11 (XX.XXX.138.11)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 35413 (35413), Seq: 1, Ack: 127, Len: 344
Source Port: 443 (443)
Destination Port: 35413 (35413)
[Stream index: 5]
[TCP Segment Len: 344]
Sequence number: 1 (relative sequence number)
[Next sequence number: 345 (relative sequence number)]
Acknowledgment number: 127 (relative ack number)
Header Length: 20 bytes
.... 0000 0001 1000 = Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
Window size value: 4266
[Calculated window size: 4266]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0x4889 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Urgent pointer: 0
[SEQ/ACK analysis]
[iRTT: 0.010337000 seconds]
[Bytes in flight: 344]
Secure Sockets Layer
TLSv1 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 85
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 81
Version: TLS 1.0 (0x0301)
Random
GMT Unix Time: May 6, 2015 11:13:53.000000000 Hora de verano romance
Random Bytes: 8b392c52c3188f5a121594c0f176c09b579c2c4e4b7dedb5...
Session ID Length: 32
Session ID: eb32d8d516eed625fa6b57d983bfb2f807db851a047093ac...
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Compression Method: null (0)
Extensions Length: 9
Extension: renegotiation_info
Type: renegotiation_info (0xff01)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: SessionTicket TLS
Type: SessionTicket TLS (0x0023)
Length: 0
Data (0 bytes)
TLSv1 Record Layer: Handshake Protocol: New Session Ticket
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 202
Handshake Protocol: New Session Ticket
Handshake Type: New Session Ticket (4)
Length: 198
TLS Session Ticket
Session Ticket Lifetime Hint: 0
Session Ticket Length: 192
Session Ticket: 21425f8c986d7fe5fea84e7ef3e8c8739c4427455c5fad73...
TLSv1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.0 (0x0301)
Length: 1
Change Cipher Spec Message
TLSv1 Record Layer: Handshake Protocol: Encrypted Handshake Message
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 36
Handshake Protocol: Encrypted Handshake Message
Unexpected message
No. Time Source Destination Protocol Length Info
1382 132.638728 XX.XXX.138.11 YY.YY.2.200 TLSv1 61 Alert (Level: Fatal, Description: Unexpected Message)
Frame 1382: 61 bytes on wire (488 bits), 61 bytes captured (488 bits)
Encapsulation type: Ethernet (1)
Arrival Time: May 6, 2015 11:13:51.828641000 Hora de verano romance
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1430903631.828641000 seconds
[Time delta from previous captured frame: 0.000295000 seconds]
[Time delta from previous displayed frame: 0.000295000 seconds]
[Time since reference or first frame: 132.638728000 seconds]
Frame Number: 1382
Frame Length: 61 bytes (488 bits)
Capture Length: 61 bytes (488 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:ssl]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Ethernet II, Src: 10:11:11:11:11:11 (10:11:11:11:11:11), Dst: F5Networ_6e:9f:c4 (00:23:e9:6e:9f:c4)
Destination: F5Networ_6e:9f:c4 (00:23:e9:6e:9f:c4)
Address: F5Networ_6e:9f:c4 (00:23:e9:6e:9f:c4)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 10:11:11:11:11:11 (10:11:11:11:11:11)
Address: 10:11:11:11:11:11 (10:11:11:11:11:11)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: XX.XXX.138.11 (XX.XXX.138.11), Dst: YY.YY.2.200 (YY.YY.2.200)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 47
Identification: 0x2af8 (11000)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 54
Protocol: TCP (6)
Header checksum: 0x7860 [validation disabled]
[Good: False]
[Bad: False]
Source: XX.XXX.138.11 (XX.XXX.138.11)
Destination: YY.YY.2.200 (YY.YY.2.200)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 35413 (35413), Dst Port: 443 (443), Seq: 127, Ack: 345, Len: 7
Source Port: 35413 (35413)
Destination Port: 443 (443)
[Stream index: 5]
[TCP Segment Len: 7]
Sequence number: 127 (relative sequence number)
[Next sequence number: 134 (relative sequence number)]
Acknowledgment number: 345 (relative ack number)
Header Length: 20 bytes
.... 0000 0001 1000 = Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
Window size value: 49680
[Calculated window size: 49680]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0x5f13 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Urgent pointer: 0
[SEQ/ACK analysis]
[iRTT: 0.010337000 seconds]
[Bytes in flight: 7]
Secure Sockets Layer
TLSv1 Record Layer: Alert (Level: Fatal, Description: Unexpected Message)
Content Type: Alert (21)
Version: TLS 1.0 (0x0301)
Length: 2
Alert Message
Level: Fatal (2)
Description: Unexpected Message (10)
Thanks in advance.
Upvotes: 2
Views: 10059
Answers (1)
Steffen Ullrich
Reputation: 123270
This is very strange. Instead of sending certificate, key exchange and server hello done the server is sending some Encrypted Handshake Message. I would suggest to look at the servers log file for hints what might be wrong. But it might also be the bug described here which might be caused by a large certificate chain or list of accepted CA for client certificate and results in the server response spanning multiple SSL frames. Some clients might not be able to deal with this.
Upvotes: 2
Related Questions
- Apache SSL Configuration Error (SSL Connection Error)
- SSL HandShake exception
- How do I fix "ssl handshake failed" with ApacheBench?
- OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
- Java - Received fatal alert: handshake_failure
- SSL : Received fatal alert: handshake_failure
- SSL handshake failing with "sslv3 alert handshake failure:SSL alert number 40"
- SSL handshake issue with remote apache httpd server, works locally
- OpenSSL error - handshake failure
- SSL Cannot Make A Handshake