This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL Record Layer vs SSLv3 Record Layer

0

Hi,

I have two captures, one of an successful SSL handshake, and one of an unsuccessful SSL handshake (server never responded with server hello but instead sent a FIN,ACK).

The successful one displays in wireshark protocol column as SSLv3, and in the decoding window shows like so:

Secure Socket Layer
    SSLv3 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        Length: 117
        Handshake Protocol: Client Hello

The unsuccessful one shows in wireshark protocol column as merely SSL (not SSLv3), and in the decoding window as:

Secure Socket Layer
    SSL Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        Length: 117
        Handshake Protocol: Client Hello

Both have SSL3.0 in the version field, so what subtle difference is wireshark detecting that makes it display as SSL rather than SSLv3 ?

Thanks in advance for any help you can offer.

asked 21 Sep '12, 02:39

adrian777uk's gravatar image

adrian777uk
1111
accept rate: 0%

One Answer:

0

The subtle difference is (without looking at the actual trace, so I might be wrong) that in the unsuccesful case, the SSL record has version 2 and the SSL handshake message has version 3.0. Does your SSL record start with 0x80 or with 0x16?

In the transition from SSLv2 to SSLv3 backward compatibility was ensured by using a SSLv2 record layer header. But today most servers won't allow (the insecure) SSLv2 protocol, so if the client tries a SSLv2 compatible handshake, the server just denies the connection.

answered 21 Sep '12, 03:30

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Thanks. I think they both start with 22 (0x16) as they both have

    Content Type: Handshake (22)
    Version: SSL 3.0 (0x0300)

in the header. Here's a more comprehensive dump of the unsuccessful one:

No.     Time            Source                Destination           Protocol Info
    542 16:06:25.801354 172.16.0.15           10.185.116.11         SSL      Client Hello

Frame 542 (176 bytes on wire, 176 bytes captured)
Internet Protocol, Src: 172.16.0.15 (172.16.0.15), Dst: 10.185.116.11 (10.185.116.11)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
…. ..0. = ECN-Capable Transport (ECT): 0
…. …0 = ECN-CE: 0
Total Length: 162
Identification: 0xb641 (46657)
Flags: 0x02 (Don't Fragment)
0.. = Reserved bit: Not Set
.1. = Don't fragment: Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x5931 [correct]
[Good: True]
[Bad : False]
Source: 172.16.0.15 (172.16.0.15)
Destination: 10.185.116.11 (10.185.116.11)
Transmission Control Protocol, Src Port: 39767 (39767), Dst Port: https (443), Seq: 1, Ack: 1, Len: 122
Source port: 39767 (39767)
Destination port: https (443)
[Stream index: 2]
Sequence number: 1    (relative sequence number)
[Next sequence number: 123    (relative sequence number)]
Acknowledgement number: 1    (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0… …. = Congestion Window Reduced (CWR): Not set
.0.. …. = ECN-Echo: Not set
..0. …. = Urgent: Not set
…1 …. = Acknowledgement: Set
…. 1… = Push: Set
…. .0.. = Reset: Not set
…. ..0. = Syn: Not set
…. …0 = Fin: Not set
Window size: 5440
Checksum: 0x41dd [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
[SEQ/ACK analysis]
[Number of bytes in flight: 122]
Secure Socket Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: SSL 3.0 (0x0300)
Length: 117
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 113
Version: SSL 3.0 (0x0300)
Random
gmt_unix_time: Sep 10, 2012 16:06:25.000000000
random_bytes: BF21E5DA81585DA77701ED324B3A8C03938A4375A6EFB741…
Session ID Length: 32
Session ID: 37DFA6901134DA4015FD365E790211A85D98C05504D18347…
Cipher Suites Length: 42
Cipher Suites (21 suites)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)

and the successful one:

No.     Time                       Source                Destination           Protocol Info
401 2012-09-21 09:45:04.539900 172.16.100.10         10.185.116.11         SSLv3    Client Hello


Frame 401 (176 bytes on wire, 176 bytes captured)
Internet Protocol, Src: 172.16.100.10 (172.16.100.10), Dst: 10.185.116.11 (10.185.116.11)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
…. ..0. = ECN-Capable Transport (ECT): 0
…. …0 = ECN-CE: 0
Total Length: 162
Identification: 0x92ff (37631)
Flags: 0x02 (Don't Fragment)
0.. = Reserved bit: Not Set
.1. = Don't fragment: Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x1878 [correct]
Source: 172.16.100.10 (172.16.100.10)
Destination: 10.185.116.11 (10.185.116.11)
Transmission Control Protocol, Src Port: 33386 (33386), Dst Port: https (443), Seq: 1, Ack: 1, Len: 122
Source port: 33386 (33386)
Destination port: https (443)
[Stream index: 2]
Sequence number: 1    (relative sequence number)
[Next sequence number: 123    (relative sequence number)]
Acknowledgement number: 1    (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0… …. = Congestion Window Reduced (CWR): Not set
.0.. …. = ECN-Echo: Not set
..0. …. = Urgent: Not set
…1 …. = Acknowledgement: Set
…. 1… = Push: Set
…. .0.. = Reset: Not set
…. ..0. = Syn: Not set
…. …0 = Fin: Not set
Window size: 5840
Checksum: 0xb900 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
[SEQ/ACK analysis]
[Number of bytes in flight: 122]
Secure Socket Layer
SSLv3 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: SSL 3.0 (0x0300)
Length: 117
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 113
Version: SSL 3.0 (0x0300)
Random
gmt_unix_time: Sep 21, 2012 09:45:04.000000000
random_bytes: 6AEA044A8357E2C4599E20EAB712601A1C224D3B63C4F2B4…
Session ID Length: 32
Session ID: 1C2938C6CCE3EA7E117CAC9623B9B0DC17E13E480B166D26…
Cipher Suites Length: 42
Cipher Suites (21 suites)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
(21 Sep ‘12, 03:50) adrian777uk

OK, I just tested it myself, Wireshark will only set the info column to SSLv3 when it sees the ServerHello. I think this is due to the SSLv2, SSLv3 scenario I sketched in my first response. So in fact you have two (almost) identical ClientHello’s.

Then it is either the source IP which might not be allowed to connect or the server might limit the amount of connections? What kind of server are you running? Does the FIN come straight after the ClientHello or is there a delay between them?

(21 Sep ‘12, 04:09) SYN-bit ♦♦