[openssl-users] Reg issue in alert message

Matt Caswell matt at openssl.org
Mon Oct 22 14:10:55 UTC 2018

On 22/10/2018 14:56, ramakrushna mishra wrote:
> Hi,
> I am facing an issue after openssl upgrade to 1.1.1. 
> I have a odbc client with maximum version support up to TLSv1.2 and  my
> database is running with TLSv1.2,TLsv1.3. 
> The handhake is failing and I am getting following contents on my BIO dump. 
> "15 03 03 00 02 02 56" . 
> If i have understood correctly this is for alert message and But I could
> not find any reference to alert description at (
> https://tools.ietf.org/id/draft-ietf-tls-tls13-25.html#alert-protocol> corresponding to 56. 

56 hex == 86 decimal == inappropriate_fallback

i.e. this doesn't tell you any further information than you have below.

> So, Could you please help me figure out what does this correspond to ? 
> Moreover I have following doubt. 
> -- If my TLSv1.2 client does not handle the  "downgrade sentinel "
> present in server hello ( TLSv1.3 , will it create any problem ? 

No, this should not be a problem.

> -- In the above example client is receving error such as "SSL Handshake
> Failure reason [error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
> alert inappropriate fallback]." ? Could you please help me to hint me
> about how to debug this ?

What version of OpenSSL are you using for the client?

Is it possible for you to send me a wireshark trace of the failing

In particular I am interested to see if the TLS_FALLBACK_SCSV
ciphersuite is present in the ClientHello (RFC 7507). The
TLS_FALLBACK_SCSV is only supposed to be sent if the client has already
attempted an earlier handshake that failed, and it is now trying a
downgraded protocol version. So, does the wireshark trace reveal the
client attempting an initial handshake that is failing for some other
reason, followed by a second attempt that fails with the inappropriate
fallback error?


More information about the openssl-users mailing list