
Hi,

I have two captures, one of a successful SSL handshake, and one of an unsuccessful SSL handshake (server never responded with server hello but instead sent a FIN,ACK).

The successful one displays in wireshark protocol column as SSLv3, and in the decoding window shows like so:

Secure Socket Layer
    SSLv3 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        Length: 117
        Handshake Protocol: Client Hello

The unsuccessful one shows in wireshark protocol column as merely SSL (not SSLv3), and in the decoding window as:

Secure Socket Layer
    SSL Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        Length: 117
        Handshake Protocol: Client Hello

Both have SSL3.0 in the version field, so what subtle difference is wireshark detecting that makes it display as SSL rather than SSLv3 ?

Thanks in advance for any help you can offer.

asked 21 Sep '12, 02:39


adrian777uk


The subtle difference is (without looking at the actual trace, so I might be wrong) that in the unsuccessful case, the SSL record has version 2 and the SSL handshake message has version 3.0. Does your SSL record start with 0x80 or with 0x16?

In the transition from SSLv2 to SSLv3 backward compatibility was ensured by using an SSLv2 record layer header. But today most servers won't allow (the insecure) SSLv2 protocol, so if the client tries an SSLv2-compatible handshake, the server just denies the connection.


answered 21 Sep '12, 03:30


SYN-bit ♦♦

Thanks. I think they both start with 22 (0x16) as they both have

    Content Type: Handshake (22)
    Version: SSL 3.0 (0x0300)

in the header. Here's a more comprehensive dump of the unsuccessful one:

No.     Time            Source                Destination           Protocol Info
    542 16:06:25.801354 172.16.0.15           10.185.116.11         SSL      Client Hello

Frame 542 (176 bytes on wire, 176 bytes captured)
Internet Protocol, Src: 172.16.0.15 (172.16.0.15), Dst: 10.185.116.11 (10.185.116.11)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 162
    Identification: 0xb641 (46657)
    Flags: 0x02 (Don't Fragment)
        0.. = Reserved bit: Not Set
        .1. = Don't fragment: Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x5931 [correct]
        [Good: True]
        [Bad : False]
    Source: 172.16.0.15 (172.16.0.15)
    Destination: 10.185.116.11 (10.185.116.11)
Transmission Control Protocol, Src Port: 39767 (39767), Dst Port: https (443), Seq: 1, Ack: 1, Len: 122
    Source port: 39767 (39767)
    Destination port: https (443)
    [Stream index: 2]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 123    (relative sequence number)]
    Acknowledgement number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x18 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgement: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 5440
    Checksum: 0x41dd [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [Number of bytes in flight: 122]
Secure Socket Layer
    SSL Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        Length: 117
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 113
            Version: SSL 3.0 (0x0300)
            Random
                gmt_unix_time: Sep 10, 2012 16:06:25.000000000
                random_bytes: BF21E5DA81585DA77701ED324B3A8C03938A4375A6EFB741...
            Session ID Length: 32
            Session ID: 37DFA6901134DA4015FD365E790211A85D98C05504D18347...
            Cipher Suites Length: 42
            Cipher Suites (21 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)

and the successful one:

No.     Time                       Source                Destination           Protocol Info
    401 2012-09-21 09:45:04.539900 172.16.100.10         10.185.116.11         SSLv3    Client Hello

Frame 401 (176 bytes on wire, 176 bytes captured)
Internet Protocol, Src: 172.16.100.10 (172.16.100.10), Dst: 10.185.116.11 (10.185.116.11)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 162
    Identification: 0x92ff (37631)
    Flags: 0x02 (Don't Fragment)
        0.. = Reserved bit: Not Set
        .1. = Don't fragment: Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x1878 [correct]
    Source: 172.16.100.10 (172.16.100.10)
    Destination: 10.185.116.11 (10.185.116.11)
Transmission Control Protocol, Src Port: 33386 (33386), Dst Port: https (443), Seq: 1, Ack: 1, Len: 122
    Source port: 33386 (33386)
    Destination port: https (443)
    [Stream index: 2]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 123    (relative sequence number)]
    Acknowledgement number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x18 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgement: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 5840
    Checksum: 0xb900 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [Number of bytes in flight: 122]
Secure Socket Layer
    SSLv3 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        Length: 117
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 113
            Version: SSL 3.0 (0x0300)
            Random
                gmt_unix_time: Sep 21, 2012 09:45:04.000000000
                random_bytes: 6AEA044A8357E2C4599E20EAB712601A1C224D3B63C4F2B4...
            Session ID Length: 32
            Session ID: 1C2938C6CCE3EA7E117CAC9623B9B0DC17E13E480B166D26...
            Cipher Suites Length: 42
            Cipher Suites (21 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
(21 Sep '12, 03:50) adrian777uk

OK, I just tested it myself, Wireshark will only set the info column to SSLv3 when it sees the ServerHello. I think this is due to the SSLv2, SSLv3 scenario I sketched in my first response. So in fact you have two (almost) identical ClientHellos.

Then it is either the source IP which might not be allowed to connect or the server might limit the number of connections? What kind of server are you running? Does the FIN come straight after the ClientHello or is there a delay between them?

(21 Sep '12, 04:09) SYN-bit ♦♦
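The two framings discussed in the answer (an SSLv2-compatible ClientHello whose first byte has the high bit set, versus an SSLv3/TLS record that starts with content type 0x16 followed by the record version) can be told apart from the first bytes of the record, and the version a dissector can label the conversation with only becomes known from the ServerHello. The following is an added example, not code from the thread or from Wireshark: a small stand-alone classifier that parses both ClientHello framings and a ServerHello from raw record bytes. All three sample records are constructed by hand (zeroed random/challenge fields, two cipher suites) and are not the packets from the captures above; the field layouts follow the SSL 2.0 draft and the SSL 3.0 / TLS record and handshake formats.

```python
import struct

# Added example (not from the original thread or Wireshark): classify the first bytes of a
# captured SSL/TLS handshake record. SSLv2 framing has a 2-byte header with the high bit set
# and no content-type byte; SSLv3/TLS framing has a content-type byte, a 2-byte record version
# and a 2-byte length. All sample records below are constructed by hand.

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
VERSIONS = {(2, 0): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def version_name(major, minor):
    return VERSIONS.get((major, minor), "unknown 0x%02x%02x" % (major, minor))


def parse_sslv2_client_hello(data):
    """Parse an SSLv2-framed CLIENT-HELLO: 2-byte header (15-bit length), then msg type 1."""
    if len(data) < 11:
        raise ValueError("truncated SSLv2 record")
    length = ((data[0] & 0x7F) << 8) | data[1]
    msg_type, major, minor, cs_len, sid_len, chal_len = struct.unpack("!BBBHHH", data[2:11])
    if msg_type != 1:
        raise ValueError("not a CLIENT-HELLO (msg type %d)" % msg_type)
    specs = data[11:11 + cs_len]
    # SSLv2 cipher specs are 3 bytes each; SSLv3 suites carried this way are 0x00 + 2-byte id.
    suites = [specs[i:i + 3].hex() for i in range(0, len(specs), 3)]
    return {"record_layer": "SSLv2-compatible", "record_length": length,
            "handshake": "ClientHello", "client_version": version_name(major, minor),
            "cipher_suites": suites, "session_id_length": sid_len, "challenge_length": chal_len}


def parse_sslv3_record(data):
    """Parse an SSLv3/TLS record header and, for a Handshake record, the Hello it carries."""
    if len(data) < 5:
        raise ValueError("truncated record")
    ctype, major, minor, rlen = struct.unpack("!BBBH", data[:5])
    info = {"record_layer": "SSLv3/TLS", "record_version": version_name(major, minor),
            "content_type": CONTENT_TYPES.get(ctype, "unknown %d" % ctype),
            "record_length": rlen}
    if ctype != 22:
        return info
    body = data[5:5 + rlen]
    if len(body) < 4:
        raise ValueError("truncated handshake header")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if hs_type == 1:
        info["handshake"] = "ClientHello"
        info["client_version"] = version_name(hello[0], hello[1])
        pos = 2 + 32                       # skip client_version and 32-byte random
        sid_len = hello[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        suites = hello[pos:pos + cs_len]
        info["cipher_suites"] = [suites[i:i + 2].hex() for i in range(0, cs_len, 2)]
    elif hs_type == 2:
        info["handshake"] = "ServerHello"
        # This is the version the server actually selected; a dissector can only label the
        # conversation with a definite protocol version once it has seen this message.
        info["negotiated_version"] = version_name(hello[0], hello[1])
        pos = 2 + 32
        sid_len = hello[pos]
        pos += 1 + sid_len
        info["cipher_suite"] = hello[pos:pos + 2].hex()
    return info


def classify(data):
    """Dispatch on the first byte: high bit set means SSLv2 framing, otherwise SSLv3/TLS."""
    if data[0] & 0x80:
        return parse_sslv2_client_hello(data)
    return parse_sslv3_record(data)


# Constructed SSLv3 ClientHello: two cipher suites (0x002f, 0x0035), empty session id.
SSLV3_CLIENT_HELLO = (b"\x16\x03\x00\x00\x2f"          # Handshake record, SSL 3.0, length 47
                      + b"\x01\x00\x00\x2b"             # ClientHello, length 43
                      + b"\x03\x00" + bytes(32)         # client version, random (zeroed)
                      + b"\x00"                         # session id length 0
                      + b"\x00\x04\x00\x2f\x00\x35"     # cipher suites
                      + b"\x01\x00")                    # one compression method: null

# Constructed SSLv2-compatible ClientHello advertising SSL 3.0 with the same two suites.
SSLV2_CLIENT_HELLO = (b"\x80\x1f"                      # high bit set, 15-bit length 31
                      + b"\x01\x03\x00"                 # CLIENT-HELLO, client version SSL 3.0
                      + b"\x00\x06\x00\x00\x00\x10"     # cipher specs 6, session id 0, challenge 16
                      + b"\x00\x00\x2f\x00\x00\x35"     # two 3-byte cipher specs
                      + bytes(16))                      # challenge (zeroed)

# Constructed SSLv3 ServerHello selecting SSL 3.0 and suite 0x002f.
SSLV3_SERVER_HELLO = (b"\x16\x03\x00\x00\x2a"          # Handshake record, length 42
                      + b"\x02\x00\x00\x26"             # ServerHello, length 38
                      + b"\x03\x00" + bytes(32)         # negotiated version, random (zeroed)
                      + b"\x00"                         # session id length 0
                      + b"\x00\x2f"                     # selected suite
                      + b"\x00")                        # compression null

if __name__ == "__main__":
    for name, rec in (("SSLv3 ClientHello", SSLV3_CLIENT_HELLO),
                      ("SSLv2-framed ClientHello", SSLV2_CLIENT_HELLO),
                      ("SSLv3 ServerHello", SSLV3_SERVER_HELLO)):
        print(name, classify(rec))
```

Feeding the raw payload of a captured ClientHello to `classify()` answers the question the answer poses (does the record start with 0x80 or 0x16?) without relying on how a particular dissector names its protocol column; the ServerHello branch shows why a definite version label is only available once the server has replied, which in the failed capture above it never does.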