I am trying to debug an Encrypted Alert situation. I have captured and am showing some information below to describe the problem. Any insight would be very helpful. Thank you.

The client makes a hello request in frame 778.
The server responds with its certificate and then continued bytes from the server certificate.
The client then sends an "Encrypted handshake message".
The client then sends its certificate with Client Key exchange and also indicates a change of cipher spec.
In frame 917, we can see an encrypted alert!
Frame 773: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface 0
Ethernet II, Src: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d), Dst: Netgear_2b:72:26 (20:4e:7f:2b:72:26)
Internet Protocol Version 4, Src: 192.168.1.5 (192.168.1.5), Dst: 162.254.186.105 (162.254.186.105)
Transmission Control Protocol, Src Port: 2103 (2103), Dst Port: 443 (443), Seq: 0, Len: 0

No. Source Destination Info
774 162.254.186.105 192.168.1.5 443→2103 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1380 SACK_PERM=1
Frame 774: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface 0
Ethernet II, Src: Netgear_2b:72:26 (20:4e:7f:2b:72:26), Dst: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d)
Internet Protocol Version 4, Src: 162.254.186.105 (162.254.186.105), Dst: 192.168.1.5 (192.168.1.5)
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 2103 (2103), Seq: 0, Ack: 1, Len: 0

No. Source Destination Info
775 192.168.1.5 162.254.186.105 2103→443 [ACK] Seq=1 Ack=1 Win=16560 Len=0
Frame 775: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d), Dst: Netgear_2b:72:26 (20:4e:7f:2b:72:26)
Internet Protocol Version 4, Src: 192.168.1.5 (192.168.1.5), Dst: 162.254.186.105 (162.254.186.105)
Transmission Control Protocol, Src Port: 2103 (2103), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 0

No. Source Destination Info
776 192.168.1.5 162.254.186.105 Client Hello
Frame 776: 163 bytes on wire (1304 bits), 163 bytes captured (1304 bits) on interface 0
Ethernet II, Src: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d), Dst: Netgear_2b:72:26 (20:4e:7f:2b:72:26)
Internet Protocol Version 4, Src: 192.168.1.5 (192.168.1.5), Dst: 162.254.186.105 (162.254.186.105)
Transmission Control Protocol, Src Port: 2103 (2103), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 109
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 104
        Handshake Protocol: Client Hello

No. Source Destination Info
777 162.254.186.105 192.168.1.5 443→2103 [ACK] Seq=1 Ack=110 Win=14600 Len=0
Frame 777: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: Netgear_2b:72:26 (20:4e:7f:2b:72:26), Dst: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d)
Internet Protocol Version 4, Src: 162.254.186.105 (162.254.186.105), Dst: 192.168.1.5 (192.168.1.5)
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 2103 (2103), Seq: 1, Ack: 110, Len: 0

No. Source Destination Info
778 162.254.186.105 192.168.1.5 Server Hello
Frame 778: 1434 bytes on wire (11472 bits), 1434 bytes captured (11472 bits) on interface 0
Ethernet II, Src: Netgear_2b:72:26 (20:4e:7f:2b:72:26), Dst: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d)
Internet Protocol Version 4, Src: 162.254.186.105 (162.254.186.105), Dst: 192.168.1.5 (192.168.1.5)
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 2103 (2103), Seq: 1, Ack: 110, Len: 1380
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 81
        Handshake Protocol: Server Hello

No. Source Destination Info
779 162.254.186.105 192.168.1.5 Certificate
Frame 779: 1088 bytes on wire (8704 bits), 1088 bytes captured (8704 bits) on interface 0
Ethernet II, Src: Netgear_2b:72:26 (20:4e:7f:2b:72:26), Dst: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d)
Internet Protocol Version 4, Src: 162.254.186.105 (162.254.186.105), Dst: 192.168.1.5 (192.168.1.5)
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 2103 (2103), Seq: 1381, Ack: 110, Len: 1034
[2 Reassembled TCP Segments (2319 bytes): #778(1294), #779(1025)]
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 2314
        Handshake Protocol: Certificate
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Server Hello Done
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 4
        Handshake Protocol: Server Hello Done

No. Source Destination Info
780 192.168.1.5 162.254.186.105 2103→443 [ACK] Seq=110 Ack=2415 Win=16560 Len=0
Frame 780: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d), Dst: Netgear_2b:72:26 (20:4e:7f:2b:72:26)
Internet Protocol Version 4, Src: 192.168.1.5 (192.168.1.5), Dst: 162.254.186.105 (162.254.186.105)
Transmission Control Protocol, Src Port: 2103 (2103), Dst Port: 443 (443), Seq: 110, Ack: 2415, Len: 0

No. Source Destination Info
781 192.168.1.5 162.254.186.105 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
Frame 781: 368 bytes on wire (2944 bits), 368 bytes captured (2944 bits) on interface 0
Ethernet II, Src: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d), Dst: Netgear_2b:72:26 (20:4e:7f:2b:72:26)
Internet Protocol Version 4, Src: 192.168.1.5 (192.168.1.5), Dst: 162.254.186.105 (162.254.186.105)
Transmission Control Protocol, Src Port: 2103 (2103), Dst Port: 443 (443), Seq: 110, Ack: 2415, Len: 314
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Client Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 262
        Handshake Protocol: Client Key Exchange
    TLSv1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
        Content Type: Change Cipher Spec (20)
        Version: TLS 1.0 (0x0301)
        Length: 1
        Change Cipher Spec Message
    TLSv1 Record Layer: Handshake Protocol: Encrypted Handshake Message
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 36
        Handshake Protocol: Encrypted Handshake Message

No. Source Destination Info
782 162.254.186.105 192.168.1.5 Change Cipher Spec
Frame 782: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Netgear_2b:72:26 (20:4e:7f:2b:72:26), Dst: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d)
Internet Protocol Version 4, Src: 162.254.186.105 (162.254.186.105), Dst: 192.168.1.5 (192.168.1.5)
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 2103 (2103), Seq: 2415, Ack: 424, Len: 6
Secure Sockets Layer
    TLSv1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
        Content Type: Change Cipher Spec (20)
        Version: TLS 1.0 (0x0301)
        Length: 1
        Change Cipher Spec Message

No. Source Destination Info
783 162.254.186.105 192.168.1.5 Encrypted Handshake Message
Frame 783: 95 bytes on wire (760 bits), 95 bytes captured (760 bits) on interface 0
Ethernet II, Src: Netgear_2b:72:26 (20:4e:7f:2b:72:26), Dst: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d)
Internet Protocol Version 4, Src: 162.254.186.105 (162.254.186.105), Dst: 192.168.1.5 (192.168.1.5)
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 2103 (2103), Seq: 2421, Ack: 424, Len: 41
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Encrypted Handshake Message
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 36
        Handshake Protocol: Encrypted Handshake Message

No. Source Destination Info
784 192.168.1.5 162.254.186.105 2103→443 [ACK] Seq=424 Ack=2462 Win=16513 Len=0
Frame 784: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d), Dst: Netgear_2b:72:26 (20:4e:7f:2b:72:26)
Internet Protocol Version 4, Src: 192.168.1.5 (192.168.1.5), Dst: 162.254.186.105 (162.254.186.105)
Transmission Control Protocol, Src Port: 2103 (2103), Dst Port: 443 (443), Seq: 424, Ack: 2462, Len: 0

No. Source Destination Info
785 192.168.1.5 162.254.186.105 Application Data
Frame 785: 566 bytes on wire (4528 bits), 566 bytes captured (4528 bits) on interface 0
Ethernet II, Src: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d), Dst: Netgear_2b:72:26 (20:4e:7f:2b:72:26)
Internet Protocol Version 4, Src: 192.168.1.5 (192.168.1.5), Dst: 162.254.186.105 (162.254.186.105)
Transmission Control Protocol, Src Port: 2103 (2103), Dst Port: 443 (443), Seq: 424, Ack: 2462, Len: 512
Secure Sockets Layer
    TLSv1 Record Layer: Application Data Protocol: spdy
        Content Type: Application Data (23)
        Version: TLS 1.0 (0x0301)
        Length: 507
        Encrypted Application Data: 87007d8381aac59c4cdba9b53ed70cf29ac9928e3bcc078f...

No. Source Destination Info
786 192.168.1.5 162.254.186.105 [TCP segment of a reassembled PDU]
Frame 786: 1434 bytes on wire (11472 bits), 1434 bytes captured (11472 bits) on interface 0
Ethernet II, Src: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d), Dst: Netgear_2b:72:26 (20:4e:7f:2b:72:26)
Internet Protocol Version 4, Src: 192.168.1.5 (192.168.1.5), Dst: 162.254.186.105 (162.254.186.105)
Transmission Control Protocol, Src Port: 2103 (2103), Dst Port: 443 (443), Seq: 936, Ack: 2462, Len: 1380

No. Source Destination Info
787 192.168.1.5 162.254.186.105 Application Data
Frame 787: 1107 bytes on wire (8856 bits), 1107 bytes captured (8856 bits) on interface 0
Ethernet II, Src: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d), Dst: Netgear_2b:72:26 (20:4e:7f:2b:72:26)
Internet Protocol Version 4, Src: 192.168.1.5 (192.168.1.5), Dst: 162.254.186.105 (162.254.186.105)
Transmission Control Protocol, Src Port: 2103 (2103), Dst Port: 443 (443), Seq: 2316, Ack: 2462, Len: 1053
[2 Reassembled TCP Segments (2433 bytes): #786(1380), #787(1053)]
Secure Sockets Layer
    TLSv1 Record Layer: Application Data Protocol: spdy
        Content Type: Application Data (23)
        Version: TLS 1.0 (0x0301)
        Length: 2428
        Encrypted Application Data: 07ae91c9a77ff246f809b41c799fc7ade9d7fe090cc70da1...

No. Source Destination Info
827 162.254.186.105 192.168.1.5 443→2103 [ACK] Seq=2462 Ack=2316 Win=19320 Len=0
Frame 827: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: Netgear_2b:72:26 (20:4e:7f:2b:72:26), Dst: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d)
Internet Protocol Version 4, Src: 162.254.186.105 (162.254.186.105), Dst: 192.168.1.5 (192.168.1.5)
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 2103 (2103), Seq: 2462, Ack: 2316, Len: 0

No. Source Destination Info
828 162.254.186.105 192.168.1.5 443→2103 [ACK] Seq=2462 Ack=3369 Win=22080 Len=0
Frame 828: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: Netgear_2b:72:26 (20:4e:7f:2b:72:26), Dst: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d)
Internet Protocol Version 4, Src: 162.254.186.105 (162.254.186.105), Dst: 192.168.1.5 (192.168.1.5)
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 2103 (2103), Seq: 2462, Ack: 3369, Len: 0

No. Source Destination Info
917 162.254.186.105 192.168.1.5 Encrypted Alert
Frame 917: 81 bytes on wire (648 bits), 81 bytes captured (648 bits) on interface 0
Ethernet II, Src: Netgear_2b:72:26 (20:4e:7f:2b:72:26), Dst: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d)
Internet Protocol Version 4, Src: 162.254.186.105 (162.254.186.105), Dst: 192.168.1.5 (192.168.1.5)
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 2103 (2103), Seq: 2462, Ack: 3369, Len: 27
Secure Sockets Layer
    TLSv1 Record Layer: Encrypted Alert
        Content Type: Alert (21)
        Version: TLS 1.0 (0x0301)
        Length: 22
        Alert Message: Encrypted Alert

No. Source Destination Info
918 162.254.186.105 192.168.1.5 443→2103 [FIN, ACK] Seq=2489 Ack=3369 Win=22080 Len=0
Frame 918: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: Netgear_2b:72:26 (20:4e:7f:2b:72:26), Dst: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d)
Internet Protocol Version 4, Src: 162.254.186.105 (162.254.186.105), Dst: 192.168.1.5 (192.168.1.5)
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 2103 (2103), Seq: 2489, Ack: 3369, Len: 0

No. Source Destination Info
919 192.168.1.5 162.254.186.105 2103→443 [ACK] Seq=3369 Ack=2490 Win=16486 Len=0
Frame 919: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d), Dst: Netgear_2b:72:26 (20:4e:7f:2b:72:26)
Internet Protocol Version 4, Src: 192.168.1.5 (192.168.1.5), Dst: 162.254.186.105 (162.254.186.105)
Transmission Control Protocol, Src Port: 2103 (2103), Dst Port: 443 (443), Seq: 3369, Ack: 2490, Len: 0

No. Source Destination Info
920 192.168.1.5 162.254.186.105 2103→443 [FIN, ACK] Seq=3369 Ack=2490 Win=16486 Len=0
Frame 920: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d), Dst: Netgear_2b:72:26 (20:4e:7f:2b:72:26)
Internet Protocol Version 4, Src: 192.168.1.5 (192.168.1.5), Dst: 162.254.186.105 (162.254.186.105)
Transmission Control Protocol, Src Port: 2103 (2103), Dst Port: 443 (443), Seq: 3369, Ack: 2490, Len: 0

No. Source Destination Info
921 162.254.186.105 192.168.1.5 [TCP Out-Of-Order] Encrypted Alert
Frame 921: 81 bytes on wire (648 bits), 81 bytes captured (648 bits) on interface 0
Ethernet II, Src: Netgear_2b:72:26 (20:4e:7f:2b:72:26), Dst: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d)
Internet Protocol Version 4, Src: 162.254.186.105 (162.254.186.105), Dst: 192.168.1.5 (192.168.1.5)
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 2103 (2103), Seq: 2462, Ack: 3369, Len: 27
Secure Sockets Layer
    TLSv1 Record Layer: Encrypted Alert
        Content Type: Alert (21)
        Version: TLS 1.0 (0x0301)
        Length: 22
        Alert Message: Encrypted Alert

No. Source Destination Info
922 192.168.1.5 162.254.186.105 [TCP Dup ACK 920#1] 2103→443 [ACK] Seq=3370 Ack=2490 Win=16486 Len=0
Frame 922: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d), Dst: Netgear_2b:72:26 (20:4e:7f:2b:72:26)
Internet Protocol Version 4, Src: 192.168.1.5 (192.168.1.5), Dst: 162.254.186.105 (162.254.186.105)
Transmission Control Protocol, Src Port: 2103 (2103), Dst Port: 443 (443), Seq: 3370, Ack: 2490, Len: 0

No. Source Destination Info
923 162.254.186.105 192.168.1.5 443→2103 [ACK] Seq=2490 Ack=3370 Win=22080 Len=0
Frame 923: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: Netgear_2b:72:26 (20:4e:7f:2b:72:26), Dst: IntelCor_6b:4d:3d (00:19:d2:6b:4d:3d)
Internet Protocol Version 4, Src: 162.254.186.105 (162.254.186.105), Dst: 192.168.1.5 (192.168.1.5)
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 2103 (2103), Seq: 2490, Ack: 3370, Len: 0

Frame 917 Detail

No. Source Destination Info
917 162.254.186.105 192.168.1.5 Encrypted Alert
asked 21 Nov '14, 12:02 EricRobinson edited 21 Nov '14, 14:35 grahamb ♦ |
2 Answers:
The encrypted alert is the start of the orderly termination of the secured TCP connection. See https://www.openssl.org/docs/ssl/SSL_shutdown.html

Regards
Matthias

answered 24 Nov '14, 02:36 mrEEde
While the Matthias answer is probably correct in normal operation, we can not be sure. Since this is the top search hit for "Encrypted Alert", and other newbies may make the same wrong assumption I just did, I hope to save them some struggle:

If you look up "Alert 21", you might find this:

https://tools.ietf.org/html/rfc5246#page-29 (The Transport Layer Security (TLS) Protocol Version 1.2)

You might conclude your connection was killed by a decryption failure.

http://superuser.com/questions/1029094/tls-and-alert-21-after-handshake

21 is not the alert number, and this is not an "encryption alert". 21 is the record type of all alert records but the alert record is encrypted and Wireshark can't decrypt it so it displays "Encrypted Alert". It might be a normal close notify, but check the server logs to find out if it thinks there was an error and if so what. –

This is NOT AlertDescription 21. Instead this is ContentType 21.

What now? So we know that it IS an alert, but, okay what kind? An AlertDescription field is one byte wide. So which one is this? And, sadly, the answer is...

Alert Message: Encrypted Alert

...we just don't know. It's encrypted. So while it will usually be a normal close_notify, it might not be.

answered 16 Jan '17, 13:49 LorenAmelang
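The ContentType versus AlertDescription distinction from the answer above, as an added example that is not part of the original posts: a small TLS record parser run over constructed bytes whose record lengths (1, 36, 22) match frames 782, 783 and 917. The function names and the all-zero payloads are assumptions made for illustration.

```python
import struct

# Record-layer ContentType values and a subset of AlertDescription values.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# 21 is decryption_failed in TLS 1.0 (reserved in RFC 5246).
ALERT_DESCRIPTIONS = {0: "close_notify", 20: "bad_record_mac",
                      21: "decryption_failed", 40: "handshake_failure"}

def parse_records(stream):
    """Yield (content_type, version, fragment) for one direction's TLS bytes."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, offset)
        fragment = stream[offset + 5:offset + 5 + length]
        if len(fragment) < length:
            raise ValueError("truncated TLS record")
        yield ctype, version, fragment
        offset += 5 + length

def describe_alerts(stream):
    """Describe each alert record (hypothetical helper name).

    After ChangeCipherSpec every record from that sender is encrypted,
    so the level/description bytes are no longer readable on the wire.
    """
    encrypted = False
    results = []
    for ctype, _version, fragment in parse_records(stream):
        if ctype == 20:
            encrypted = True
        elif ctype == 21:
            if encrypted or len(fragment) != 2:
                results.append("Encrypted Alert (%d bytes, description unknown)"
                               % len(fragment))
            else:
                level, desc = fragment
                results.append("%s: %s (%d)" % (
                    ALERT_LEVELS.get(level, "unknown"),
                    ALERT_DESCRIPTIONS.get(desc, "unknown"), desc))
    return results

# Constructed server-side stream: CCS (len 1), Finished (len 36), alert (len 22).
SERVER_STREAM = (bytes.fromhex("140301000101")
                 + bytes.fromhex("1603010024") + bytes(36)
                 + bytes.fromhex("1503010016") + bytes(22))
# Constructed plaintext alert: ContentType 21 carrying AlertDescription 21.
PLAINTEXT_ALERT = bytes.fromhex("15030100020215")

if __name__ == "__main__":
    print(describe_alerts(SERVER_STREAM))
    print(describe_alerts(PLAINTEXT_ALERT))
```

A plaintext alert fragment is exactly two bytes; the 22-byte fragment in frame 917 is those two bytes plus MAC and padding under the negotiated cipher, which is why only the record type is visible.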
Debugging a wall of text isn't fun or very productive.
Can you share a capture in a publicly accessible spot, e.g. CloudShark, DropBox or Google Drive etc.?
Hello grahamb, thanks for the advice. I'll upload the Wireshark capture file on DropBox and then post a link to it. I am new here.

Regards,
ERIC