This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TLS handshake appears to fail after Encrypted Handshake Message.

-1

I have a customer who is trying to establish a TLS connection to my server. They have loaded my certificates and the certificate exchange appears to be working properly. However, their client does not send data after the server has ACKed the client's Encrypted Handshake Message.

Link to pcap added.

Anyone have any ideas why the client wouldn't be sending application data?

asked 13 Sep '16, 11:35

RFB

edited 14 Sep '16, 09:55

For better help you should include a packet capture file, not just a screenshot.

(13 Sep '16, 15:27) Lekensteyn

Added link to pcap in original post.

(14 Sep '16, 14:30) RFB

The pcap strengthens my analysis below; SSLv2 was killed a long time ago. Your client should not send an SSLv2-compatible hello message. Btw, the Certificate message contains the hostname of your server, which is not anonymized.

(16 Sep '16, 01:34) Lekensteyn

One Answer:

0

If you look at the source address of the TCP RST, you will notice that it matches the IP address of the server (based on the source of the Server Hello).

There are multiple strange things about your report:

  • SSLv2 is reported in the Client Hello.
  • Encrypted Handshake Message is reported by the client after the ChangeCipherSpec. I would expect a Finish message here.
  • The server did not have the chance to send a ServerHelloDone after the Certificate (see RFC 5246 for the expected flow for a full handshake).

Check:

  • Are you using the latest Wireshark version? Currently 2.0.6 or 2.2.0 are considered recent.
  • Check the access/error logs of your webserver.
  • Check for possible compatibility issues of your client. (Why is it using SSLv2 for example?)

answered 13 Sep '16, 15:26

Lekensteyn
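The checks listed in the answer above can be scripted for triage. The following is an added example, not code from the original thread or from Wireshark: it names the SSL/TLS messages in each direction of a stream and flags an SSLv2-compatible hello and a missing ServerHelloDone. It assumes each direction of the TCP stream has already been reassembled into a byte string; `parse_stream`, `review`, `rec` and `hs` are hypothetical names, and the sample bytes are constructed, not taken from the poster's capture.

```python
import struct

HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange",
             20: "Finished"}
RECORD = {20: "ChangeCipherSpec", 21: "Alert", 23: "Application Data"}

def parse_stream(data):
    """Name the SSL/TLS messages in one direction of a reassembled TCP stream."""
    names, pos, encrypted = [], 0, False
    # SSLv2 framing: 2-byte length with the top bit set, then msg type 1 (hello).
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 1:
        names.append("SSLv2 ClientHello")
        pos = 2 + (struct.unpack(">H", data[:2])[0] & 0x7FFF)
    while pos + 5 <= len(data):
        # TLS record header: content type, version, length.
        ctype, _version, length = struct.unpack(">BHH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + length]
        pos += 5 + length
        if ctype != 22:
            names.append(RECORD.get(ctype, f"Record({ctype})"))
            encrypted = encrypted or ctype == 20
        elif encrypted:
            # After ChangeCipherSpec the handshake body is ciphertext.
            names.append("Encrypted Handshake Message")
        else:
            off = 0
            while off + 4 <= len(body):  # several messages may share one record
                names.append(HANDSHAKE.get(body[off], f"Handshake({body[off]})"))
                off += 4 + int.from_bytes(body[off + 1:off + 4], "big")
    return names

def review(client, server):
    """Flag the anomalies listed in the answer above."""
    c, s, findings = parse_stream(client), parse_stream(server), []
    if c[:1] == ["SSLv2 ClientHello"]:
        findings.append("client used an SSLv2-compatible hello")
    if "ChangeCipherSpec" in c and "ServerHelloDone" not in s:
        findings.append("client sent ChangeCipherSpec but no ServerHelloDone was seen")
    return findings

# Constructed sample bytes (not taken from the poster's capture).
def rec(ctype, payload): return struct.pack(">BHH", ctype, 0x0301, len(payload)) + payload
def hs(mtype, body): return bytes([mtype]) + len(body).to_bytes(3, "big") + body

V2_HELLO = b"\x80\x1c\x01\x03\x01\x00\x03\x00\x00\x00\x10" + b"\x00\x00\x2f" + bytes(16)
CLIENT = V2_HELLO + rec(22, hs(16, bytes(4))) + rec(20, b"\x01") + rec(22, bytes(40))
SERVER = rec(22, hs(2, bytes(38)) + hs(11, bytes(10)))

if __name__ == "__main__":
    print(parse_stream(CLIENT), parse_stream(SERVER), review(CLIENT, SERVER), sep="\n")
```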