TLSv1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)


TLSv1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)

zyf01234@gmail.com
This time the client hello and server hello are done, but at the client key exchange the server replies with Alert (Level: Fatal, Description: Protocol Version). Shown below, what is wrong with this? And I know this alert means the client is not using the same protocol, but why are the client hello and server hello done?



Re: TLSv1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)

Jeffrey Walton-3



On Wed, Apr 30, 2014 at 3:04 AM, [hidden email] <[hidden email]> wrote:
This time the client hello and server hello are done, but at the client key exchange the server replies with Alert (Level: Fatal, Description: Protocol Version). Shown below, what is wrong with this? And I know this alert means the client is not using the same protocol, but why are the client hello and server hello done?

According to RFC 5246, section 7.2.2 (http://tools.ietf.org/html/rfc5246#section-7.2.2):

   protocol_version
      The protocol version the client has attempted to negotiate is
      recognized but not supported.  (For example, old protocol versions
      might be avoided for security reasons.)  This message is always
      fatal.

Try diagnosing further with:

    openssl s_client -ssl3 -connect server:port

And

    openssl s_client -tls1 -connect server:port -servername server

The docs on s_client can be found at https://www.openssl.org/docs/apps/s_client.html.

The server should be capable of TLS 1.0 in 2014. However, it might want TLS 1.2 too if it's taking a defensive posture or providing only TLS 1.2 cipher suites. You can test for TLS 1.2 with '-tls1_2'.

Jeff
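
An added example, not part of the original thread and not OpenSSL code: a small parser that decodes raw TLS record bytes into the summary line a packet capture shows for this alert, using the alert values from RFC 5246, section 7.2. The sample bytes are constructed (a ServerHelloDone record followed by the fatal alert), and the function names are hypothetical.

```python
import struct

# Values from RFC 5246 (record layer and section 7.2 alerts); subset only.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 47: "illegal_parameter", 50: "decode_error",
                      51: "decrypt_error", 70: "protocol_version", 80: "internal_error"}


def parse_records(data):
    """Split a byte stream into TLS records: (type name, version name, payload)."""
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        payload = data[offset + 5: offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        records.append((CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
                        VERSIONS.get((major, minor), "unknown(%d,%d)" % (major, minor)),
                        payload))
        offset += 5 + length
    return records


def describe_alerts(data):
    """Return one summary line per alert record found in the stream."""
    lines = []
    for ctype, version, payload in parse_records(data):
        if ctype != "alert":
            continue
        if len(payload) != 2:
            # An alert sent after ChangeCipherSpec is encrypted and longer than 2 bytes.
            lines.append("%s Record Layer: Encrypted Alert" % version)
            continue
        level, desc = payload  # two single-byte fields: AlertLevel, AlertDescription
        lines.append("%s Record Layer: Alert (Level: %s, Description: %s)" % (
            version, ALERT_LEVELS.get(level, str(level)).capitalize(),
            ALERT_DESCRIPTIONS.get(desc, str(desc)).replace("_", " ").title()))
    return lines


# Constructed sample: ServerHelloDone handshake record, then the fatal alert (2, 70).
SAMPLE = bytes.fromhex("16030100040e000000" "15030100020246")
if __name__ == "__main__":
    print("\n".join(describe_alerts(SAMPLE)))
```

The version printed at the start of the line is the record-layer version of the alert record itself, which is separate from the version the client offered in its hello.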


Re: Re: TLSv1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)

zyf01234@gmail.com
I have tried it, and it works well. So, what is wrong with my application?


 
Date: 2014-04-30 15:27
Subject: Re: TLSv1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)




Re: Re: TLSv1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)

zyf01234@gmail.com
I have debugged it and get a wrong version number during the client exchange.
 

 