Reg issue in alert message

Reg issue in alert message

ramakrushna mishra
Hi,

I am facing an issue after an openssl upgrade to 1.1.1.
I have an ODBC client with maximum version support up to TLSv1.2 and my database is running with TLSv1.2, TLSv1.3.

The handshake is failing and I am getting the following contents in my BIO dump.
"15 03 03 00 02 02 56".
If I have understood correctly, this is an alert message, but I could not find any reference to an alert description at ( https://tools.ietf.org/id/draft-ietf-tls-tls13-25.html#alert-protocol ) corresponding to 56.

So, could you please help me figure out what this corresponds to?

Moreover, I have the following doubts.

-- If my TLSv1.2 client does not handle the "downgrade sentinel" present in the server hello (TLSv1.3), will it create any problem?
-- In the above example the client is receiving an error such as "SSL Handshake Failure reason [error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback]." Could you please give me a hint about how to debug this?

Thanks and Regards,
Ram Krushna

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: Reg issue in alert message

Matt Caswell-2


On 22/10/2018 14:56, ramakrushna mishra wrote:

> Hi,
>
> I am facing an issue after an openssl upgrade to 1.1.1.
> I have an ODBC client with maximum version support up to TLSv1.2 and my
> database is running with TLSv1.2, TLSv1.3.
>
> The handshake is failing and I am getting the following contents in my BIO dump.
> "15 03 03 00 02 02 56".
> If I have understood correctly, this is an alert message, but I could
> not find any reference to an alert description at (
> https://tools.ietf.org/id/draft-ietf-tls-tls13-25.html#alert-protocol )
> corresponding to 56.

56 hex == 86 decimal == inappropriate_fallback

i.e. this doesn't tell you any further information than you have below.

>
> So, could you please help me figure out what this corresponds to?
>
> Moreover, I have the following doubts.
>
> -- If my TLSv1.2 client does not handle the "downgrade sentinel"
> present in the server hello (TLSv1.3), will it create any problem?

No, this should not be a problem.

> -- In the above example the client is receiving an error such as "SSL Handshake
> Failure reason [error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
> alert inappropriate fallback]." Could you please give me a hint
> about how to debug this?

What version of OpenSSL are you using for the client?

Is it possible for you to send me a wireshark trace of the failing
handshake?

In particular I am interested to see if the TLS_FALLBACK_SCSV
ciphersuite is present in the ClientHello (RFC 7507). The
TLS_FALLBACK_SCSV is only supposed to be sent if the client has already
attempted an earlier handshake that failed, and it is now trying a
downgraded protocol version. So, does the wireshark trace reveal the
client attempting an initial handshake that is failing for some other
reason, followed by a second attempt that fails with the inappropriate
fallback error?


Matt
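
Added example (not part of the original thread, and not OpenSSL code): a Python decoder for the alert record in the BIO dump above, plus a check of a ClientHello's cipher suite list for TLS_FALLBACK_SCSV (0x5600, RFC 7507), which is what the reply asks to look for in the Wireshark trace. The function names and the constructed ClientHello are assumptions made for illustration.

```python
import struct

# Subset of alert descriptions (RFC 5246, RFC 7507); not the full registry.
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure",
                      70: "protocol_version", 86: "inappropriate_fallback"}
TLS_FALLBACK_SCSV = 0x5600  # signalling cipher suite value from RFC 7507


def decode_alert(hex_dump):
    """Decode one plaintext TLS alert record given as a hex string."""
    data = bytes.fromhex(hex_dump)
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype != 0x15:
        raise ValueError("not an alert record")
    if length != 2 or len(data) != 7:
        raise ValueError("plaintext alert body must be exactly 2 bytes")
    level, desc = data[5], data[6]
    return {"record_version": "%d.%d" % (version >> 8, version & 0xFF),
            "level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
            "description": ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc)}


def client_hello_cipher_suites(record):
    """Return the cipher suite values offered in a raw ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 5 + 4 + 2 + 32        # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]      # skip session_id
    (nbytes,) = struct.unpack_from("!H", record, pos)
    return list(struct.unpack_from("!%dH" % (nbytes // 2), record, pos + 2))


def offers_fallback_scsv(record):
    """True if the ClientHello signals a downgraded retry (RFC 7507)."""
    return TLS_FALLBACK_SCSV in client_hello_cipher_suites(record)


def sample_client_hello(suites):
    """Constructed minimal ClientHello (TLS 1.2, no extensions) for testing."""
    body = b"\x03\x03" + bytes(32) + b"\x00"   # version, random, empty session_id
    body += struct.pack("!H%dH" % len(suites), 2 * len(suites), *suites)
    body += b"\x01\x00"                        # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

To use it on a real capture, pass the raw bytes of the ClientHello record exported from the trace to `offers_fallback_scsv`.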