Wireshark mailing list archives
Re: Analyzing TLS handshake packets
From: Peter Wu <peter () lekensteyn nl>
Date: Sat, 16 Dec 2017 10:42:35 +0000
Hi Manjesh,

Is it possible to attach a pcap with just the Client Hello message (and optionally the messages preceding it)?

This looks quite unusual, normally the compression methods length is 1 (for null compression). 97 in hex is 0x61, which is the ASCII 'a' character and only occurs in the codepoint of an obscure cipher (0xC0,0x61 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384).

(A lot of cipher suites precede your compression methods, so if the problem was LF -> CRLF conversion, then perhaps one of the ciphers shifted. That does not appear to be the case though.)

My guess is that an error message is somehow written to the same file descriptor as the socket. But without a pcap it is hard to tell.

Kind regards,
Peter
https://lekensteyn.nl
(pardon my brevity, top-posting and formatting, sent from my phone)

On 14 December 2017 10:51:11 GMT+00:00, Manjesh HS <manjesh29hs () gmail com> wrote:
Hi Wireshark User Community,

In my project, there is a LDAP client utility and a LDAP server utility running on different nodes in the TCP/IP network. There is a need to establish TLS (LDAPS) connection mode of communication between them in order to exchange some information. This functionality is broken recently.

A TCP dump file was generated on the problematic setup to analyze the TLS handshake mechanism. When it was analyzed through the Wireshark tool, it reported the "Client Hello" packet generated by the LDAPS client utility (the one that initiates the TLS handshake) as a malformed packet, with the error "compression methods length", incompatible as per the protocol specifications. We are suspecting that the TLS protocol specifications are violated during this TLS handshake. The screenshot of the same has been attached with this mail.

How can this issue happen? What are the factors that can lead to such an issue? Is it an issue with incompatible versions of openSSL/TLS/cipher suite between client and server?

Please share your suggestions/comments in order to investigate this issue further.

- Manjesh.
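The field check discussed in this thread, as an added example that is not part of the original messages and is not Wireshark's dissector code: it walks a ClientHello up to the compression methods, flags a length that cannot fit the message, and lists offered cipher suites that contain the same byte value (the shift idea raised in the reply). The function names, the sample records and the cipher list other than 0xC0,0x61 are constructed for illustration.

```python
import struct

def build_client_hello(suites, compression=b"\x00"):
    """Constructed TLS 1.2 ClientHello record without extensions (sample input only)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"      # client_version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([len(compression)]) + compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def check_client_hello(record):
    """Walk a ClientHello up to compression_methods; return (fields, problems)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return {}, ["not a handshake record carrying a ClientHello"]
    problems = []
    rec_len = struct.unpack_from("!H", record, 3)[0]
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if rec_len != hs_len + 4 or len(body) != hs_len:
        problems.append("record/handshake lengths disagree or capture is truncated")
    try:
        pos = 2 + 32                               # skip client_version and random
        pos += 1 + body[pos]                       # session_id length + session_id
        cs_len = struct.unpack_from("!H", body, pos)[0]
        raw = body[pos + 2:pos + 2 + cs_len]
        suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]
        pos += 2 + cs_len
        comp_len = body[pos]
    except (IndexError, struct.error):
        return {}, problems + ["message ends before compression_methods"]
    methods = body[pos + 1:pos + 1 + comp_len]
    if comp_len == 0 or len(methods) != comp_len:
        problems.append(f"compression methods length {comp_len} does not fit the message")
    elif any(m not in (0, 1) for m in methods):    # 0 = null, 1 = DEFLATE (RFC 3749)
        problems.append("unknown compression method value")
    # Shift hypothesis: does the odd length byte also occur in the offered cipher suites?
    shifted = [hex(s) for s in suites if comp_len in s.to_bytes(2, "big")]
    fields = {"cipher_suites": suites, "compression_length": comp_len,
              "suites_containing_length_byte": shifted}
    return fields, problems

# Constructed samples: a well-formed hello, and a copy whose length byte is 0x61 (97).
GOOD = build_client_hello([0xC02F, 0xC061, 0x009C])
BAD = GOOD[:-2] + b"\x61\x00"

if __name__ == "__main__":
    for name, rec in (("good", GOOD), ("bad", BAD)):
        print(name, *check_client_hello(rec), sep="\n  ")
```

To run it on a real capture, pass the raw bytes of the first TLS record from the client's TCP stream to `check_client_hello`.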