This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello,

I have a question about SSL and the Record Layer. In establishing an SSL connection to a vendor site, I consistently get a failure on the first client hello message. But after 15 seconds a second client hello message is resent and I receive the corresponding server hello message.

The usual SYN, SYN-ACK, ACK process never changes. In the first client hello message, I see that the Record Layer is labeled as an SSL Record Layer: Handshake Protocol: Client Hello, Content Type Handshake (22), Version TLS 1.0 (0x0301) and a length of 123. The first Client Hello never receives the Server Hello message.

Approximately 15 seconds after the first Client Hello message, a second Client Hello message is sent. The difference this time is that it is labeled as a "TLS Record Layer: Handshake Protocol: Client Hello".

When I receive the Server Hello message, I see that it is responding back with TLSv1.0. In the Handshake Protocol from both Client Hello messages, TLS 1.2 is identified as the version. Since the typical SYN, SYN-ACK, ACK are occurring prior to both Client Hello messages, I am assuming that the server does not support TLS 1.2 or TLS 1.1 and that is the reason I don't receive the Server Hello message from the first Client Hello message. Is my assumption correct?

Also, is the fact that the second Client Hello message is labeled a "TLSv1" Record Label have anything to do with the server responding with its Server Hello message?

Any information or insight would be greatly appreciated. I've done quite a bit of reading on SSL/TLS and would like to know if I am understanding the protocols correctly.

Thank You,

M.R.

asked 03 Feb '14, 10:17

MRSoCal's gravatar image

MRSoCal
11111
accept rate: 0%


Both ClientHello messages have the same content. the difference in the labeling comes from the fact that in the first instance the negotiation doesn't complete, therefore wireshark labels both packets differently. If you delete all packets after the Client Hello in the succeeding case, the client Hello will change to SSL also - right?

"Also, is the fact that the second Client Hello message is labeled a "TLSv1" Record Label have anything to do with the server responding with its Server Hello message?" - No, it's the other way around, it is labelled as SSL because the Server does not enter TLS negotiation.

" Handshake Protocol: Client Hello, Content Type Handshake (22), Version TLS 1.0 (0x0301) and a length of 123. " vs. " In the Handshake Protocol from both Client Hello messages, TLS 1.2 is identified as the version." - "When I receive the Server Hello message, I see that it is responding back with TLSv1.0."

If the client sends a TLS Handshake 160301 record it requests TLS_V1.0 and the server needs to accept this proposal which it obviously does. Which other TLS versions are supported cannot be told from this connection as it is the client that suggests - only - TLS V1.0

Looking at this from a distance, I'd say the server didn't get your ClientHello at all or did not expect it (at this point in time). You might be talking to two different servers behind a Load_Balancer...

permanent link

answered 03 Feb '14, 22:40

mrEEde's gravatar image

mrEEde
3.9k152270
accept rate: 20%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×319
×75

question asked: 03 Feb '14, 10:17

question was seen: 14,786 times

last updated: 03 Feb '14, 22:40

p​o​w​e​r​e​d by O​S​Q​A