[openssl-users] Reg issue in alert message
Matt Caswell
matt at openssl.org
Mon Oct 22 14:10:55 UTC 2018
On 22/10/2018 14:56, ramakrushna mishra wrote:
> Hi,
>
> I am facing an issue after an OpenSSL upgrade to 1.1.1.
> I have an ODBC client with maximum version support up to TLSv1.2 and my
> database is running with TLSv1.2, TLSv1.3.
>
> The handshake is failing and I am getting the following contents on my BIO dump.
> "15 03 03 00 02 02 56".
> If I have understood correctly, this is an alert message, but I could
> not find any reference to an alert description at (
> https://tools.ietf.org/id/draft-ietf-tls-tls13-25.html#alert-protocol )
> corresponding to 56.

56 hex == 86 decimal == inappropriate_fallback

i.e. this doesn't tell you any further information than you have below.

>
> So, could you please help me figure out what this corresponds to?
>
> Moreover, I have the following doubt.
>
> -- If my TLSv1.2 client does not handle the "downgrade sentinel"
> present in the server hello (TLSv1.3), will it create any problem?

No, this should not be a problem.

> -- In the above example the client is receiving an error such as "SSL Handshake
> Failure reason [error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
> alert inappropriate fallback]." Could you please give me a hint
> about how to debug this?

What version of OpenSSL are you using for the client?

Is it possible for you to send me a Wireshark trace of the failing
handshake?

In particular I am interested to see if the TLS_FALLBACK_SCSV
ciphersuite is present in the ClientHello (RFC 7507). The
TLS_FALLBACK_SCSV is only supposed to be sent if the client has already
attempted an earlier handshake that failed, and it is now trying a
downgraded protocol version. So, does the Wireshark trace reveal the
client attempting an initial handshake that is failing for some other
reason, followed by a second attempt that fails with the inappropriate
fallback error?

Matt
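
Added example, not part of the original message and not OpenSSL code: a Python sketch that decodes the alert record from the BIO dump above and checks a ClientHello record for TLS_FALLBACK_SCSV (0x5600, RFC 7507). The function names and the sample ClientHello are constructed for illustration; the alert table is a subset.

```python
import struct

# Subset of TLS alert descriptions (RFC 5246, RFC 7507, RFC 8446).
ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
          40: "handshake_failure", 47: "illegal_parameter",
          70: "protocol_version", 80: "internal_error",
          86: "inappropriate_fallback"}
LEVELS = {1: "warning", 2: "fatal"}
TLS_FALLBACK_SCSV = 0x5600  # signalling cipher suite value, RFC 7507

def decode_alert(hexdump):
    """Decode a plaintext TLS alert record given as spaced hex bytes."""
    rec = bytes.fromhex(hexdump)
    if len(rec) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", rec[:5])
    if ctype != 0x15:
        raise ValueError("not an alert record (content type %#x)" % ctype)
    body = rec[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("alert body is not 2 plaintext bytes")
    level, desc = body
    return {"record_version": (major, minor), "code": desc,
            "level": LEVELS.get(level, "unknown(%d)" % level),
            "description": ALERTS.get(desc, "unknown(%d)" % desc)}

def client_hello_suites(rec):
    """Return the cipher suite values offered in a ClientHello record."""
    if len(rec) < 44 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 5 + 4 + 2 + 32        # record hdr, handshake hdr, version, random
    pos += 1 + rec[pos]         # skip session_id
    if pos + 2 > len(rec):
        raise ValueError("truncated before cipher_suites")
    (n,) = struct.unpack_from("!H", rec, pos)
    pos += 2
    if n % 2 or pos + n > len(rec):
        raise ValueError("bad cipher_suites length")
    return list(struct.unpack_from("!%dH" % (n // 2), rec, pos))

def sample_hello(suites):
    """Constructed minimal TLS 1.2 ClientHello (zero random, no extensions)."""
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(decode_alert("15 03 03 00 02 02 56"))
    hello = sample_hello([0xC02F, 0x009C, TLS_FALLBACK_SCSV])
    print("offers TLS_FALLBACK_SCSV:", TLS_FALLBACK_SCSV in client_hello_suites(hello))
```
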