Wireshark mailing list archives

Re: Analyzing TLS handshake packets

From: Peter Wu <peter () lekensteyn nl>
Date: Sat, 16 Dec 2017 10:42:35 +0000

Hi Manjesh,

Is it possible to attach a pcap with just the Client Hello message (and optionally the messages preceding it)?

This looks quite unusual, normally the compression methods length is 1 (for null compression). 97 in hex is 0x61 which 
is the ASCII 'a' character and only occurs in the codepoint of an obscure cipher (0xC0,0x61      
TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384). (A lot of cipher suites precede your compression methods, so if the problem 
was LF -> CRLF conversion, then perhaps one of the cipher shifted. That does not appear to be the case though.)

My guess is that an error message is somehow written to the same file descriptor as the socket. But without pcap it is 
hard to tell.

Kind regards,
Peter
https://lekensteyn.nl
(pardon my brevity, top-posting and formatting, sent from my phone)


On 14 December 2017 10:51:11 GMT+00:00, Manjesh HS <manjesh29hs () gmail com> wrote:

Hi Wireshark User Community,
In my project, there is a LDAP client utility and a LDAP server utility
running on different nodes in the TCP/IP network. There is a need to
establish TLS (LDAPS) connection mode of communication between them in
order to exchange some information.

This functionality is broken recently. A TCP dump file was generated on
the
problematic setup to analyze the TLS handshake mechanism. When it was
analyzed through Wireshark tool, it is reporting that the "Client
Hello"
packet generated by LDAPS client utility (the one that initiates TLS
handshake), as a malformed packet by reporting an error as "compression
methods length", incompatible as per the protocol specifications. We
are
suspectingthat the TLS protocol specifications are violated during this
TLS
handshake.

The screenshot of the same has been attached with this mail.

How this issue can happen ? What are the factors that can lead to such
an
issue ? Is it an issue with incompatible versions of openSSL/TLS/cipher
suite between client and server ?

Please share your suggestions/comments in order to investigate this
issue
further.


- Manjesh.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

Current thread:

Analyzing TLS handshake packets Manjesh HS (Dec 15)
- Re: Analyzing TLS handshake packets Peter Wu (Dec 16)
- <Possible follow-ups>
- Re: Analyzing TLS handshake packets Andrew Hadenfeldt (Dec 17)