I have two queue manager servers running on two boxes. QM1 has a sender channel defined , and QM2 has a receiver channel with the same name.
I have created self signed certificate for each QM , extracted and added the public part of each certificate to the other QM's key db. Altered each channel to use CipherSpec TRIPLE_DES_SHA_US.
This setup works perfectly fine, if QM names don't contain any special character. If name of the sender QM is A_QM and the other one is B_QM , the sender channel never comes up and is in RETRYING state.
while creating self-signed certificate I am using label ibmwebspheremqa_qm
in case of A_QM and ibmwebspheremqqm1 when the queue manager is QM1. Similarly when adding the public part of the certificate I am preserving the other QM's label. This is the only difference in the whole setup.
Is there any restriction in defining QM names if I want to configure SSL or TLS ?
I had no trouble creating a pair of QMgrs and channels as described and getting them to run:
[mqm#rhel6base scripts]$ runmqsc A_QM
5724-H72 (C) Copyright IBM Corp. 1994, 2014.
Starting MQSC for queue manager A_QM.
dis chs(*) all
1 : dis chs(*) all
AMQ8417: Display Channel Status details.
CHANNEL(A_QM.B_QM) CHLTYPE(SDR)
BATCHES(0) BATCHSZ(50)
BUFSRCVD(1) BUFSSENT(1)
BYTSRCVD(268) BYTSSENT(268)
CHSTADA(2015-04-01) CHSTATI(10.57.43)
COMPHDR(NONE,NONE) COMPMSG(NONE,NONE)
COMPRATE(0,0) COMPTIME(0,0)
CONNAME(127.0.0.1(3115)) CURLUWID(0C031C5501020010)
CURMSGS(0) CURRENT
CURSEQNO(0) EXITTIME(0,0)
HBINT(300) INDOUBT(NO)
JOBNAME(0000130700000001) LOCLADDR(127.0.0.1(53145))
LONGRTS(999999999) LSTLUWID(0000000000000000)
LSTMSGDA( ) LSTMSGTI( )
LSTSEQNO(0) MCASTAT(RUNNING)
MONCHL(OFF) MSGS(0)
NETTIME(0,0) NPMSPEED(FAST)
RQMNAME(B_QM) SHORTRTS(10)
SSLCERTI(CN=rhel6base.ioptconsulting.com)
SSLKEYDA( ) SSLKEYTI( )
SSLPEER(SERIALNUMBER=55:1C:06:B2,CN=rhel6base.ioptconsulting.com)
SSLRKEYS(0) STATUS(RUNNING)
STOPREQ(NO) SUBSTATE(MQGET)
XBATCHSZ(0,0) XMITQ(B_QM)
XQTIME(0,0) RVERSION(08000001)
RPRODUCT(MQMM)
[mqm#rhel6base ssl]$ runmqakm -cert -list -db key.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! ibmwebspheremqb_qm
*- ibmwebspheremqa_qm
[mqm#rhel6base ssl]$ runmqakm -cert -list -db ../../B_QM/ssl/key.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! ibmwebspheremq_a_qm
*- ibmwebspheremqb_qm
[mqm#rhel6base ssl]$
REFRESH SECURITY TYPE(SSL)
The most likely cause for the behavior you are seeing is not issuing refresh security or restarting the QMgrs after updating their keystores. For example:
echo "REFRESH SECURITY TYPE(SSL)" | runmqsc A_QM
echo "REFRESH SECURITY TYPE(SSL)" | runmqsc B_QM
or
endmqm -i A_QM; strmqm A_QM
endmqm -i B_QM; strmqm B_QM
One aspect of security for the keystore is that there is only ever one version of it in memory at a time. If it were possible for one channel to have one version and another channel to have another version, it would become impossible to determine which was the "right" one in order to detect tampering. So when the KDB is updated, the refresh security command causes the QMgr to stop all running TLS channels, dump the KDB from memory, and reload the KDB when one of the channels starts.
(MQ doesn't use SSL, by the way, never has. It uses TLS with SSL ciphers and now that SSL itself is broken, best to get used to saying TLS because that will help to remember to use TLS ciphers exclusively going forward.)
So after updating the KDB if you did not run the refresh, it is likely that the refresh was not done and the QMgr doesn't yet know about the newly added certificate for the remote QMgr.
When SSLCAUTH(OPTIONAL) is not optional
Another common problem with TLS is a misunderstanding of SSLCAUTH(OPTIONAL). Many people believe that this always results in one-way authentication so they set SSLCAUTH(OPTIONAL) and then exchange certs in only one direction. For example, QM1 has TLS channels to QM2 so obviously has its own personal certificate. Then we try to connect A_QM to it. We import A_QM's personal cert to QM1's KDB, refresh security everywhere, DEF CHL(A_QM.QM1) ... SSLCAUTH(OPTIONAL) on both sides and try to start the channel.
The misunderstanding is that if the thing initiating the channel has a personal cert it will send it in all cases. To test with SSLCAUTH(OPTIONAL) requires removing any personal cert from the keystore on the side initiating the connection. Often people do not realize this and spend many hours (in some cases weeks) struggling to understand why this fails.
For your purposes always exchange the personal certs in both directions.
Incomplete cert exchange
The other common problem working with self-signed certs is when a cert is generated multiple times with the same label and/or CN value and there's a mismatch between the personal cert on one end versus the public portion on the other. This is easily checked by viewing the cert details and checking that the fingerprint and other details match like so:
[mqm#rhel6base ssl]$ runmqakm -cert -details -label ibmwebspheremqb_qm -db key.kdb -stashed
Label : ibmwebspheremqb_qm
Key Size : 1024
Version : X509 V3
Serial : 551c06b2
Issuer : CN=rhel6base.ioptconsulting.com
Subject : CN=rhel6base.ioptconsulting.com
Not Before : April 1, 2015 10:54:42 AM EDT
Not After : March 31, 2016 10:54:42 AM EDT
Public Key
30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01
05 00 03 81 8D 00 30 81 89 02 81 81 00 DF 0F 90
8C C2 CA D1 ED 16 E2 A8 DA E3 26 63 45 4B B2 29
37 04 65 A1 D3 30 23 2A 67 AB 61 06 75 E1 8B 87
D2 9A CD 38 4C 63 D6 CC AD 25 55 B3 8B BE 34 4E
32 CB EB FE E2 5D E0 49 2F 57 AC EC 5E 79 A2 52
F6 21 5A 5F 95 AB C4 70 C8 00 68 0B 22 32 8C 1F
4C DB 0C D9 85 B8 06 5A 7C DA 3A 3A BE 12 C8 C1
C0 92 5E FE 09 46 F7 E1 1F 3D 4A AA 63 F0 80 09
3D FE E7 A4 49 5D 86 09 4C B5 0E 1E 97 02 03 01
00 01
Public Key Type : RSA (1.2.840.113549.1.1.1)
Fingerprint : SHA1 :
55 FC 2C 7C 00 8E A7 27 78 0D 99 AD FF 84 58 57
BF 16 1C 62
Fingerprint : MD5 :
90 66 AD 5D 71 AF 75 E8 9A 4A A3 5A DB 15 CD 21
Fingerprint : SHA256 :
7E 43 75 25 31 ED E7 76 FA 40 87 37 F3 B2 9E 6F
2D 55 2D 3C CB 52 60 9C 85 B2 53 F3 1C C0 D2 3C
Extensions
AuthorityKeyIdentifier
keyIdentifier: 8D BC 64 AF D9 12 02 34
authorityIdentifier:
authorityCertSerialNumber:
SubjectKeyIdentifier
keyIdentifier: 8D BC 64 AF D9 12 02 34
Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)
Value
46 D4 8A D9 62 04 CF C4 0E 23 DB 4C F9 AD 25 9B
89 3B FD B9 4F 52 4C DE 36 96 15 92 0E 7B 03 05
E8 85 12 AD E7 40 DB E9 4D 77 8F B7 4B CC 43 1B
AD 6D 13 B1 2F 26 12 C8 1C 17 FE 51 A7 B7 7B EE
80 CA 82 37 98 E1 B4 17 3A B4 CC 20 E7 4E 53 42
C6 E1 C3 1C 54 BD DC 9A 14 86 9A 25 66 AC 11 2C
78 A0 B5 DC 22 FE 52 62 59 27 02 DA 82 07 64 42
38 99 8A A7 52 53 20 C3 B2 FF 8F 6D A6 A3 8F 72
Trust Status : Enabled
[mqm#rhel6base ssl]$ runmqakm -cert -details -label ibmwebspheremqb_qm -db ../../B_QM/ssl/key.kdb -stashed
Label : ibmwebspheremqb_qm
Key Size : 1024
Version : X509 V3
Serial : 551c06b2
Issuer : CN=rhel6base.ioptconsulting.com
Subject : CN=rhel6base.ioptconsulting.com
Not Before : April 1, 2015 10:54:42 AM EDT
Not After : March 31, 2016 10:54:42 AM EDT
Public Key
30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01
05 00 03 81 8D 00 30 81 89 02 81 81 00 DF 0F 90
8C C2 CA D1 ED 16 E2 A8 DA E3 26 63 45 4B B2 29
37 04 65 A1 D3 30 23 2A 67 AB 61 06 75 E1 8B 87
D2 9A CD 38 4C 63 D6 CC AD 25 55 B3 8B BE 34 4E
32 CB EB FE E2 5D E0 49 2F 57 AC EC 5E 79 A2 52
F6 21 5A 5F 95 AB C4 70 C8 00 68 0B 22 32 8C 1F
4C DB 0C D9 85 B8 06 5A 7C DA 3A 3A BE 12 C8 C1
C0 92 5E FE 09 46 F7 E1 1F 3D 4A AA 63 F0 80 09
3D FE E7 A4 49 5D 86 09 4C B5 0E 1E 97 02 03 01
00 01
Public Key Type : RSA (1.2.840.113549.1.1.1)
Fingerprint : SHA1 :
55 FC 2C 7C 00 8E A7 27 78 0D 99 AD FF 84 58 57
BF 16 1C 62
Fingerprint : MD5 :
90 66 AD 5D 71 AF 75 E8 9A 4A A3 5A DB 15 CD 21
Fingerprint : SHA256 :
7E 43 75 25 31 ED E7 76 FA 40 87 37 F3 B2 9E 6F
2D 55 2D 3C CB 52 60 9C 85 B2 53 F3 1C C0 D2 3C
Extensions
AuthorityKeyIdentifier
keyIdentifier: 8D BC 64 AF D9 12 02 34
authorityIdentifier:
authorityCertSerialNumber:
SubjectKeyIdentifier
keyIdentifier: 8D BC 64 AF D9 12 02 34
Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)
Value
46 D4 8A D9 62 04 CF C4 0E 23 DB 4C F9 AD 25 9B
89 3B FD B9 4F 52 4C DE 36 96 15 92 0E 7B 03 05
E8 85 12 AD E7 40 DB E9 4D 77 8F B7 4B CC 43 1B
AD 6D 13 B1 2F 26 12 C8 1C 17 FE 51 A7 B7 7B EE
80 CA 82 37 98 E1 B4 17 3A B4 CC 20 E7 4E 53 42
C6 E1 C3 1C 54 BD DC 9A 14 86 9A 25 66 AC 11 2C
78 A0 B5 DC 22 FE 52 62 59 27 02 DA 82 07 64 42
38 99 8A A7 52 53 20 C3 B2 FF 8F 6D A6 A3 8F 72
Trust Status : Enabled
Debugging
Check the error logs. In particular, it is good security design to give an attacker as little information as possible to always check the logs of the QMgr that is receiving the connection first. If it has detected the error it will have detailed logs and the sending side will have sparse logs like "the remote QMgr disconnected" which doesn't reveal much to an attacker.
If the error is actually on the sending side, then it will have most detailed error messages and the receiving side will have little or none. For example, if the sending side can't find its stash file the connection isn't ever attempted and the receiving side will have no record of the event.
Finally, there is always the possibility that you may discover a bug working with GSKit and MQ, or that you are trying to use features not relevant to version of MQ that you are working on. For this reason, it is always best to include a dspmqver -a in your question. If after all of this, you still can't get it to work, please update the question with the dspmqver -a output and the results of your further testing.
In summary
To sum up:
QMgr names like A_QM are perfectly valid.
First make sure that the QMgrs have picked up their new KDB files after changes by restarting the QMgrs or running REFRESH SECURITY TYPE(SSL).
Make sure to exchange certs in both directions every time.
Check the error logs on both sides starting with the side receiving the connection request.
Always include output from dspmqver -a when requesting help with GSKit, certs or TLS since the behavior varies by version and fix pack.
Related
Currently, I am attempting to generating a hash of a user password for PDF, given the encrypted PDF file and the plain password. I follow the instruction of this article. However, the hash I've computed is different from the hash stored in the PDF file.
The hashed user password (/U entry) is simply the 32-byte padding
string above, encrypted with RC4, using the 5-byte file key. Compliant
PDF viewers will check the password given by the user (by attempting
to decrypt the /U entry using the file key, and comparing it against
the padding string) and allow or refuse certain operations based on
the permission settings.
First, I padded my password "123456" using a hardcoded 32-byte string, which gives me
31 32 33 34 35 36 28 BF 4E 5E 4E 75 8A 41 64 00
4E 56 FF FA 01 08 2E 2E 00 B6 D0 68 3E 80 2F 0C
I tried to compute the hash with RC4 using the 5-byte file key as the key. According to the article:
The encryption key is generated as follows:
1. Pad the user password out to 32 bytes, using a hardcoded
32-byte string:
28 BF 4E 5E 4E 75 8A 41 64 00 4E 56 FF FA 01 08
2E 2E 00 B6 D0 68 3E 80 2F 0C A9 FE 64 53 69 7A
If the user password is null, just use the entire padding
string. (I.e., concatenate the user password and the padding
string and take the first 32 bytes.)
2. Append the hashed owner password (the /O entry above).
3. Append the permissions (the /P entry), treated as a four-byte
integer, LSB first.
4. Append the file identifier (the /ID entry from the trailer
dictionary). This is an arbitrary string of bytes; Adobe
recommends that it be generated by MD5 hashing various pieces
of information about the document.
5. MD5 hash this string; the first 5 bytes of output are the
encryption key. (This is a 40-bit key, presumably to meet US
export regulations.)
I appended the hashed owner key to the padded password, which gives me
31 32 33 34 35 36 28 BF 4E 5E 4E 75 8A 41 64 00
4E 56 FF FA 01 08 2E 2E 00 B6 D0 68 3E 80 2F 0C
C4 31 FA B9 CC 5E F7 B5 9C 24 4B 61 B7 45 F7 1A
C5 BA 42 7B 1B 91 02 DA 46 8E 77 12 7F 1E 69 D6
Then, I appended the /P entry (-4), treated as a four-byte integer, encoded with little endian, which gives me
31 32 33 34 35 36 28 BF 4E 5E 4E 75 8A 41 64 00
4E 56 FF FA 01 08 2E 2E 00 B6 D0 68 3E 80 2F 0C
C4 31 FA B9 CC 5E F7 B5 9C 24 4B 61 B7 45 F7 1A
C5 BA 42 7B 1B 91 02 DA 46 8E 77 12 7F 1E 69 D6
FC FF FF FF
Last, I appended the file identifier to it. The trailer of my PDF is:
trailer
<<
/Size 13
/Root 2 0 R
/Encrypt 1 0 R
/Info 4 0 R
/ID [<B5185D941CC0EA39ACA809F661EF36D4> <393BE725532F9158DC9E6E8EA97CFBF0>]
>>
and the result is
31 32 33 34 35 36 28 BF 4E 5E 4E 75 8A 41 64 00
4E 56 FF FA 01 08 2E 2E 00 B6 D0 68 3E 80 2F 0C
C4 31 FA B9 CC 5E F7 B5 9C 24 4B 61 B7 45 F7 1A
C5 BA 42 7B 1B 91 02 DA 46 8E 77 12 7F 1E 69 D6
FC FF FF FF B5 18 5D 94 1C C0 EA 39 AC A8 09 F6
61 EF 36 D4 39 3B E7 25 53 2F 91 58 DC 9E 6E 8E
A9 7C FB F0
MD5 hashing this block of data returns 942c5e7b2020ce57ce4408f531a65019. I RC4-ed the padded password with cryptii using the first 5 bytes of the MD5 hash as the key. However, it returns
90 e2 b5 21 2a 7d 53 05 70 d9 5d 26 95 c7 c2 05
6e 2a 28 40 63 e7 4a d4 e9 05 86 71 43 d1 39 d6
while the hash in PDF is
58 81 CA 74 65 DC 2E A7 5D D2 39 D4 43 9C 0D DE
28 BF 4E 5E 4E 75 8A 41 64 00 4E 56 FF FA 01 08
Which step am I doing wrong? I suspect that the problem happens because
I am appending the File Idenifier in a wrong format
I am using the wrong drop bytes with RC4.
The hash function is not for PDF 1.6
I make some mistake during those process
Or maybe the article is actually wrong
Files: Original PDF dummy.pdf, dummy-protected.pdf (Password: 123456)
Please help
There are two issues in your calculation:
The article to use refers to PDF encryption algorithms available for PDF-1.3 but your document is encrypted using an algorithm introduced with PDF-1.5.
You make an error when appending the file identifier - actually only the first entry of the ID array shall be appended, not both (which is not really clear from the article you use).
In a comment you asked accordingly
where can I find the password hashing detail for >V1.3 PDF?
I would propose using the PDF specification, ISO 32000.
As ISO specifications go, they are not free, but Adobe used to provide a version of ISO 32000-1 with merely the ISO header removed on their web site. Some days ago it has been removed (By design? By error? I don't know yet.) but you still find copies of it googl'ing for "PDF32000".
The relevant section in ISO 32000-1 is 7.6 Encryption and in particular 7.6.3 Standard Security Handler.
Following that information you should be able to correctly calculate the value in question.
(Alternatively you can also use old Adobe PDF references, the editions for PDF 1.5, 1.6, and 1.7 should also give you the information required for decrypting your document. But these references have been characterized as not normative in nature by prominent Adobe employees, so I would go for the ISO norm.)
Beware, though: After ISO 32000-1 had been published, Adobe introduced an AES-256 encryption scheme as an extension which obviously is not included in ISO 32000-1. You can find a specification in "Adobe Supplement to ISO 32000, base version 1.7, extension level 3".
Furthermore, with ISO 32000-2 that Adobe AES-256 encryption scheme and all older schemes became deprecated, the only encryption scheme to use with PDF-2.0 is a new AES-256 encryption scheme described in ISO 32000-2 which is based on the Adobe scheme but introduces some extra hashing iterations.
I am trying to debug the SSL connection of a client I do not have control over.
A possibility I discovered is to use openssl as a server to check whether the SSL connection is correctly initiated, and if not - why.
The basic connection ends with
root#elk:~# openssl s_server -key sonoff.key -cert sonoff.crt -accept 5555 -www
Using default temp DH parameters
ACCEPT
bad gethostbyaddr
140612029986456:error:140780E5:SSL routines:ssl23_read:ssl handshake failure:s23_lib.c:137:
What does this error actually mean?
The searches I did point to various bugs, but they all gravitate around "incorrect certificates". The certificates I use are correct, although self-signed. What in the message (or the -debug version below) could suggest this? Specifically: could this be an indication of the device checking the certificate and aborting on a self-signed?
root#elk:~# openssl s_server -key sonoff.key -cert sonoff.crt -accept 5555 -www -debug
Using default temp DH parameters
ACCEPT
bad gethostbyaddr
read from 0xb2ca20 [0xb32110] (11 bytes => 11 (0xB))
0000 - 16 03 01 00 4f 01 00 00-4b 03 03 ....O...K..
read from 0xb2ca20 [0xb3211e] (73 bytes => 73 (0x49))
0000 - 1b da e3 8f 9a d2 af 66-81 b5 62 95 7e 44 fc 3b .......f..b.~D.;
0010 - 75 48 90 da 51 03 f6 ad-33 81 ec 15 16 42 2b f2 uH..Q...3....B+.
0020 - 00 00 12 00 3d 00 35 00-3c 00 2f 00 b7 00 95 00 ....=.5.<./.....
0030 - b6 00 94 00 ff 01 00 00-10 00 0d 00 0c 00 0a 06 ................
0040 - 01 05 01 04 01 03 01 02-01 .........
write to 0xb2ca20 [0xb3bc00] (86 bytes => 86 (0x56))
0000 - 16 03 03 00 51 02 00 00-4d 03 03 2b ca 7c 43 47 ....Q...M..+.|CG
0010 - 06 ae 7e 1e b3 9c 71 7a-ca 5d 6d 98 54 4e 1c 5a ..~...qz.]m.TN.Z
0020 - b7 f9 38 2c 0d 3e de e0-62 a6 8a 20 2a 42 cf 9e ..8,.>..b.. *B..
0030 - ba 1e 8c a3 03 24 e1 34-9e 15 2e d8 90 77 73 74 .....$.4.....wst
0040 - 78 33 e6 45 83 34 ca 11-ae 97 4e 18 00 3d 00 00 x3.E.4....N..=..
0050 - 05 ff 01 00 01 .....
0056 - <SPACES/NULS>
write to 0xb2ca20 [0xb3bc00] (1298 bytes => 1298 (0x512))
0000 - 16 03 03 05 0d 0b 00 05-09 00 05 06 00 05 03 30 ...............0
0010 - 82 04 ff 30 82 02 e7 a0-03 02 01 02 02 09 00 df ...0............
0020 - 41 71 c6 48 ff eb 19 30-0d 06 09 2a 86 48 86 f7 Aq.H...0...*.H..
0030 - 0d 01 01 0b 05 00 30 16-31 14 30 12 06 03 55 04 ......0.1.0...U.
0040 - 03 0c 0b 65 78 61 6d 70-6c 65 2e 63 6f 6d 30 1e ...example.com0.
0050 - 17 0d 31 38 30 32 30 34-31 38 31 33 35 36 5a 17 ..180204181356Z.
0060 - 0d 32 38 30 32 30 32 31-38 31 33 35 36 5a 30 16 .280202181356Z0.
0070 - 31 14 30 12 06 03 55 04-03 0c 0b 65 78 61 6d 70 1.0...U....examp
0080 - 6c 65 2e 63 6f 6d 30 82-02 22 30 0d 06 09 2a 86 le.com0.."0...*.
0090 - 48 86 f7 0d 01 01 01 05-00 03 82 02 0f 00 30 82 H.............0.
00a0 - 02 0a 02 82 02 01 00 e0-22 b0 41 79 e5 60 92 2c ........".Ay.`.,
00b0 - c7 1c 97 84 f8 16 46 39-27 67 26 ad d7 c8 dc a4 ......F9'g&.....
00c0 - 18 2e 5a 1a aa f7 92 b0-71 8f f8 a5 e0 d9 52 d3 ..Z.....q.....R.
00d0 - 6a c9 e1 ae 7c ce f1 1c-92 99 dd 77 b7 f7 db b3 j...|......w....
00e0 - 2b f4 96 23 d4 d8 08 e8-e2 f2 15 7b 41 16 30 3d +..#.......{A.0=
00f0 - 21 cd 5f b0 3d 5a 0c ec-60 9b d8 78 99 32 c4 9f !._.=Z..`..x.2..
0100 - 3c 1b 50 d9 d4 cf f0 4b-58 ca c6 6f 56 f5 57 04 <.P....KX..oV.W.
0110 - c9 d5 60 56 d2 25 66 ee-fe f0 da 79 d6 f2 a5 67 ..`V.%f....y...g
0120 - 08 7a 19 e6 82 90 5c e0-a1 63 cf 4b a8 43 c6 d3 .z....\..c.K.C..
0130 - 08 a0 22 4a df be 42 22-8b c9 6f 81 d1 b0 d8 e0 .."J..B"..o.....
0140 - 24 79 b3 3a ad 10 af bd-7a 43 56 a6 87 ad d2 d4 $y.:....zCV.....
0150 - 96 cf 12 f9 9a 42 7a c7-63 07 f7 cc a9 a5 50 1e .....Bz.c.....P.
0160 - bf 4d 2d ae e3 74 b7 a7-66 ca ab 44 66 db f5 e2 .M-..t..f..Df...
0170 - 28 dd a8 6f 76 0a 5a d4-8d 42 c6 a0 16 c2 bd d9 (..ov.Z..B......
0180 - 25 38 74 dc bc d3 95 03-b9 13 39 c0 4a cd d9 c9 %8t.......9.J...
0190 - cb 34 bf 9e 48 1e e4 56-8f 47 9c 33 ed eb d6 db .4..H..V.G.3....
01a0 - 5e b7 46 85 d4 49 48 f3-24 ec 01 c3 98 74 50 f9 ^.F..IH.$....tP.
01b0 - 05 71 01 b5 96 f4 b5 bc-a3 57 78 3f c7 4f 10 1e .q.......Wx?.O..
01c0 - da 96 59 c0 6d c1 13 64-52 7b f8 d7 88 59 29 ba ..Y.m..dR{...Y).
01d0 - b7 5a ec a2 a7 1e 86 bb-ea 8b f8 03 e3 73 b3 6e .Z...........s.n
01e0 - 70 27 29 b6 92 31 4f 52-73 f0 62 91 3e 90 53 40 p')..1ORs.b.>.S#
01f0 - d0 00 e2 1d 80 5e 82 a9-5e fc 56 2f 76 d9 40 39 .....^..^.V/v.#9
0200 - 85 e3 4e 55 d2 a7 47 06-27 92 d9 ec dd 7e 7d c2 ..NU..G.'....~}.
0210 - 07 6d 73 9b 58 75 da ba-cd 65 e3 d9 3b da 78 4e .ms.Xu...e..;.xN
0220 - 96 81 c1 d1 2f f2 c0 65-e0 a2 12 33 1c eb 0c 2a ..../..e...3...*
0230 - 10 c6 ea 87 4c 7a a5 d7-c3 4c a8 45 06 8d ca a5 ....Lz...L.E....
0240 - 90 7d e0 57 be e5 17 f0-13 41 28 6e f6 f3 cb b3 .}.W.....A(n....
0250 - d4 9b fa b1 f9 30 a1 b4-2e a4 de 73 39 35 82 32 .....0.....s95.2
0260 - de 55 f9 70 ee ca 8a d2-62 64 fc fb d7 56 17 c7 .U.p....bd...V..
0270 - 9a 3c 4f 3d b1 4a 1d 37-fb ad 40 ef c4 14 cf 08 .<O=.J.7..#.....
0280 - 57 8e 68 5f 2b d4 3b cc-bb 23 9f 83 64 e3 22 39 W.h_+.;..#..d."9
0290 - 53 30 5c 4d 0f d8 4d 2a-5a 23 e6 ee 06 b6 38 5d S0\M..M*Z#....8]
02a0 - 83 ef 91 f8 25 a6 e3 02-03 01 00 01 a3 50 30 4e ....%........P0N
02b0 - 30 1d 06 03 55 1d 0e 04-16 04 14 bf 22 b8 2a ec 0...U.......".*.
02c0 - f6 61 a9 05 50 d8 6a f5-35 bd 32 3e 7c 9b d7 30 .a..P.j.5.2>|..0
02d0 - 1f 06 03 55 1d 23 04 18-30 16 80 14 bf 22 b8 2a ...U.#..0....".*
02e0 - ec f6 61 a9 05 50 d8 6a-f5 35 bd 32 3e 7c 9b d7 ..a..P.j.5.2>|..
02f0 - 30 0c 06 03 55 1d 13 04-05 30 03 01 01 ff 30 0d 0...U....0....0.
0300 - 06 09 2a 86 48 86 f7 0d-01 01 0b 05 00 03 82 02 ..*.H...........
0310 - 01 00 35 e5 1e a9 74 4f-78 59 c0 fd da a4 71 7a ..5...tOxY....qz
0320 - 4e 9d b7 13 42 5b d5 f3-95 1b 48 a6 91 c8 84 be N...B[....H.....
0330 - fc 67 ed 92 4e 2e f2 e5-6e 14 38 a5 af 51 7f 54 .g..N...n.8..Q.T
0340 - 11 5f ed 15 bd a6 d9 ef-9c ef ee db ed fb 39 45 ._............9E
0350 - e2 5e a9 53 66 73 40 98-27 38 4d a3 1d 5f eb d3 .^.Sfs#.'8M.._..
0360 - f8 33 01 3d ce 08 61 60-e1 ee 91 28 98 0a a2 17 .3.=..a`...(....
0370 - 28 17 39 c1 af 1e d2 f7-42 c6 5f ff a2 fa 77 2a (.9.....B._...w*
0380 - f0 4b ed 4f ea d4 55 b4-4d 02 63 4f 9f 12 ab 86 .K.O..U.M.cO....
0390 - 26 a6 24 26 7e 26 e2 55-89 6b 7d 52 3c 48 ad 4c &.$&~&.U.k}R<H.L
03a0 - 0c 76 64 7d a7 8f ff 9e-23 28 4c d5 79 85 ea 0c .vd}....#(L.y...
03b0 - ee 54 31 24 e2 66 53 4c-ae a6 a6 43 c5 e1 16 c7 .T1$.fSL...C....
03c0 - 48 b3 af 49 c9 f6 30 e6-4a da 2f 9b 1a 9d 5f 15 H..I..0.J./..._.
03d0 - ff ac 9e c7 d3 e4 85 55-1d d6 42 af 58 1e 57 d1 .......U..B.X.W.
03e0 - 84 4f 87 a7 43 10 e8 13-42 fd 49 fa c1 a2 ba 6a .O..C...B.I....j
03f0 - 30 a4 1e fb db be 99 16-a1 dc 1e 45 45 54 c3 89 0..........EET..
0400 - b8 b6 b8 74 90 2f 8b 8c-68 49 07 a2 7c 0d a6 d6 ...t./..hI..|...
0410 - 3c 80 e2 94 66 b0 83 1f-e3 29 02 4d 76 44 1e 65 <...f....).MvD.e
0420 - 57 7c 9e f2 01 0a 77 cd-c5 85 43 53 9e e7 56 21 W|....w...CS..V!
0430 - 4b 55 05 78 0e 6b 7a 14-44 69 d8 cb 06 de 65 9a KU.x.kz.Di....e.
0440 - 0a 8b 15 11 4e 21 c6 1d-be d4 6c 45 96 88 f2 04 ....N!....lE....
0450 - d5 ff 03 fd d3 24 7d 25-22 8b 22 37 99 4b 22 fa .....$}%"."7.K".
0460 - 8f 99 ec 71 88 58 8e 03-9f 76 19 a2 05 a6 3b bc ...q.X...v....;.
0470 - 87 d8 90 db c1 cc 98 f9-1f c5 00 96 e4 90 3d ad ..............=.
0480 - d0 fa a1 d5 b6 71 74 7d-0c a3 f2 79 5a e6 31 fb .....qt}...yZ.1.
0490 - de 65 41 46 39 78 bd d6-c1 b0 1a 44 16 a1 ed 27 .eAF9x.....D...'
04a0 - c6 e7 d6 ab f0 2f 0f 78-a6 78 01 2c ed 18 bb 47 ...../.x.x.,...G
04b0 - 34 54 ee 73 1b 99 83 ca-bf d7 07 65 40 03 f2 75 4T.s.......e#..u
04c0 - 98 d4 f3 22 6c 2f 77 1e-ec e7 1e bf 31 28 90 c4 ..."l/w.....1(..
04d0 - 0c 7a 37 cc 85 37 59 42-94 21 90 05 9e e0 60 51 .z7..7YB.!....`Q
04e0 - 0a 83 b8 29 45 37 06 5a-5e a3 b3 e0 08 cf 48 9b ...)E7.Z^.....H.
04f0 - 51 17 7b 4c fb 6d 06 e9-4f dd 45 42 42 83 c2 f6 Q.{L.m..O.EBB...
0500 - b3 70 29 86 08 c4 28 f7-b4 d6 1f a1 63 94 f7 75 .p)...(.....c..u
0510 - 8f ba ..
write to 0xb2ca20 [0xb3bc00] (9 bytes => 9 (0x9))
0000 - 16 03 03 00 04 0e ......
0009 - <SPACES/NULS>
read from 0xb2ca20 [0xb32113] (5 bytes => 0 (0x0))
140570414024344:error:140780E5:SSL routines:ssl23_read:ssl handshake failure:s23_lib.c:137:
EDIT: a K12 dump of the session:
+---------+---------------+----------+
18:19:07,529,418 ETHER
|0 |8a|4b|47|20|ce|e4|1e|33|c8|aa|1b|40|08|00|45|00|00|2c|05|fb|00|00|7f|06|16|28|0a|64|0a|71|0a|c8|00|0d|58|a7|15|b3|00|36|bf|c5|00|00|00|00|60|02|16|d0|33|57|00|00|02|04|05|b4|
+---------+---------------+----------+
18:19:07,529,450 ETHER
|0 |1e|33|c8|aa|1b|40|8a|4b|47|20|ce|e4|08|00|45|00|00|2c|00|00|40|00|40|06|1b|23|0a|c8|00|0d|0a|64|0a|71|15|b3|58|a7|62|61|d4|6d|00|36|bf|c6|60|12|72|10|1f|c8|00|00|02|04|05|b4|
+---------+---------------+----------+
18:19:07,668,343 ETHER
|0 |8a|4b|47|20|ce|e4|1e|33|c8|aa|1b|40|08|00|45|00|00|7c|05|fc|00|00|7f|06|15|d7|0a|64|0a|71|0a|c8|00|0d|58|a7|15|b3|00|36|bf|c6|62|61|d4|6e|50|18|16|d0|67|d0|00|00|16|03|01|00|4f|01|00|00|4b|03|03|6e|30|37|19|a3|c0|a4|d5|d1|3c|8b|ed|76|72|e2|9f|d5|5e|57|3e|9e|98|b7|33|a9|12|54|de|40|32|df|34|00|00|12|00|3d|00|35|00|3c|00|2f|00|b7|00|95|00|b6|00|94|00|ff|01|00|00|10|00|0d|00|0c|00|0a|06|01|05|01|04|01|03|01|02|01|
+---------+---------------+----------+
18:19:07,668,359 ETHER
|0 |1e|33|c8|aa|1b|40|8a|4b|47|20|ce|e4|08|00|45|00|00|28|39|19|40|00|40|06|e2|0d|0a|c8|00|0d|0a|64|0a|71|15|b3|58|a7|62|61|d4|6e|00|36|c0|1a|50|10|72|10|1f|c4|00|00|
+---------+---------------+----------+
18:19:07,668,617 ETHER
|0 |1e|33|c8|aa|1b|40|8a|4b|47|20|ce|e4|08|00|45|00|05|99|39|1a|40|00|40|06|dc|9b|0a|c8|00|0d|0a|64|0a|71|15|b3|58|a7|62|61|d4|6e|00|36|c0|1a|50|18|72|10|25|35|00|00|16|03|01|00|51|02|00|00|4d|03|01|e9|4e|66|d1|56|43|c2|f8|df|95|62|d2|a1|8f|99|85|39|d3|22|4e|92|64|85|75|47|8f|29|f5|15|11|8e|10|20|b7|07|bc|84|e7|15|1e|6b|53|ed|6c|d5|1c|f6|15|10|ab|03|94|db|15|19|47|b7|43|04|30|59|fb|f2|52|e5|00|35|00|00|05|ff|01|00|01|00|16|03|01|05|0d|0b|00|05|09|00|05|06|00|05|03|30|82|04|ff|30|82|02|e7|a0|03|02|01|02|02|09|00|df|41|71|c6|48|ff|eb|19|30|0d|06|09|2a|86|48|86|f7|0d|01|01|0b|05|00|30|16|31|14|30|12|06|03|55|04|03|0c|0b|65|78|61|6d|70|6c|65|2e|63|6f|6d|30|1e|17|0d|31|38|30|32|30|34|31|38|31|33|35|36|5a|17|0d|32|38|30|32|30|32|31|38|31|33|35|36|5a|30|16|31|14|30|12|06|03|55|04|03|0c|0b|65|78|61|6d|70|6c|65|2e|63|6f|6d|30|82|02|22|30|0d|06|09|2a|86|48|86|f7|0d|01|01|01|05|00|03|82|02|0f|00|30|82|02|0a|02|82|02|01|00|e0|22|b0|41|79|e5|60|92|2c|c7|1c|97|84|f8|16|46|39|27|67|26|ad|d7|c8|dc|a4|18|2e|5a|1a|aa|f7|92|b0|71|8f|f8|a5|e0|d9|52|d3|6a|c9|e1|ae|7c|ce|f1|1c|92|99|dd|77|b7|f7|db|b3|2b|f4|96|23|d4|d8|08|e8|e2|f2|15|7b|41|16|30|3d|21|cd|5f|b0|3d|5a|0c|ec|60|9b|d8|78|99|32|c4|9f|3c|1b|50|d9|d4|cf|f0|4b|58|ca|c6|6f|56|f5|57|04|c9|d5|60|56|d2|25|66|ee|fe|f0|da|79|d6|f2|a5|67|08|7a|19|e6|82|90|5c|e0|a1|63|cf|4b|a8|43|c6|d3|08|a0|22|4a|df|be|42|22|8b|c9|6f|81|d1|b0|d8|e0|24|79|b3|3a|ad|10|af|bd|7a|43|56|a6|87|ad|d2|d4|96|cf|12|f9|9a|42|7a|c7|63|07|f7|cc|a9|a5|50|1e|bf|4d|2d|ae|e3|74|b7|a7|66|ca|ab|44|66|db|f5|e2|28|dd|a8|6f|76|0a|5a|d4|8d|42|c6|a0|16|c2|bd|d9|25|38|74|dc|bc|d3|95|03|b9|13|39|c0|4a|cd|d9|c9|cb|34|bf|9e|48|1e|e4|56|8f|47|9c|33|ed|eb|d6|db|5e|b7|46|85|d4|49|48|f3|24|ec|01|c3|98|74|50|f9|05|71|01|b5|96|f4|b5|bc|a3|57|78|3f|c7|4f|10|1e|da|96|59|c0|6d|c1|13|64|52|7b|f8|d7|88|59|29|ba|b7|5a|ec|a2|a7|1e|86|bb|ea|8b|f8|03|e3|73|b3|6e|70|27|29|b6|92|31|4f|52|73|f0|62|91|3e|90|53|40|d0|00|e2|1d|80|5e|82|a9|5e|fc|56|2f|76|d9|40|39|85|e3|4e|55|d2|a7|47|06|27|92|d9|ec|dd|7e|7d|c2|07|6d|73|9b|58|75|da|ba|cd|65|e3|d9|3b|da|78|4e|96|81|c1|d1|2f|f2|c0|65|e0|a2|12|33|1c|eb|0c|2a|10|c6|ea|87|4c|7a|a5|d7|c3|4c|a8|45|06|8d|ca|a5|90|7d|e0|57|be|e5|17|f0|13|41|28|6e|f6|f3|cb|b3|d4|9b|fa|b1|f9|30|a1|b4|2e|a4|de|73|39|35|82|32|de|55|f9|70|ee|ca|8a|d2|62|64|fc|fb|d7|56|17|c7|9a|3c|4f|3d|b1|4a|1d|37|fb|ad|40|ef|c4|14|cf|08|57|8e|68|5f|2b|d4|3b|cc|bb|23|9f|83|64|e3|22|39|53|30|5c|4d|0f|d8|4d|2a|5a|23|e6|ee|06|b6|38|5d|83|ef|91|f8|25|a6|e3|02|03|01|00|01|a3|50|30|4e|30|1d|06|03|55|1d|0e|04|16|04|14|bf|22|b8|2a|ec|f6|61|a9|05|50|d8|6a|f5|35|bd|32|3e|7c|9b|d7|30|1f|06|03|55|1d|23|04|18|30|16|80|14|bf|22|b8|2a|ec|f6|61|a9|05|50|d8|6a|f5|35|bd|32|3e|7c|9b|d7|30|0c|06|03|55|1d|13|04|05|30|03|01|01|ff|30|0d|06|09|2a|86|48|86|f7|0d|01|01|0b|05|00|03|82|02|01|00|35|e5|1e|a9|74|4f|78|59|c0|fd|da|a4|71|7a|4e|9d|b7|13|42|5b|d5|f3|95|1b|48|a6|91|c8|84|be|fc|67|ed|92|4e|2e|f2|e5|6e|14|38|a5|af|51|7f|54|11|5f|ed|15|bd|a6|d9|ef|9c|ef|ee|db|ed|fb|39|45|e2|5e|a9|53|66|73|40|98|27|38|4d|a3|1d|5f|eb|d3|f8|33|01|3d|ce|08|61|60|e1|ee|91|28|98|0a|a2|17|28|17|39|c1|af|1e|d2|f7|42|c6|5f|ff|a2|fa|77|2a|f0|4b|ed|4f|ea|d4|55|b4|4d|02|63|4f|9f|12|ab|86|26|a6|24|26|7e|26|e2|55|89|6b|7d|52|3c|48|ad|4c|0c|76|64|7d|a7|8f|ff|9e|23|28|4c|d5|79|85|ea|0c|ee|54|31|24|e2|66|53|4c|ae|a6|a6|43|c5|e1|16|c7|48|b3|af|49|c9|f6|30|e6|4a|da|2f|9b|1a|9d|5f|15|ff|ac|9e|c7|d3|e4|85|55|1d|d6|42|af|58|1e|57|d1|84|4f|87|a7|43|10|e8|13|42|fd|49|fa|c1|a2|ba|6a|30|a4|1e|fb|db|be|99|16|a1|dc|1e|45|45|54|c3|89|b8|b6|b8|74|90|2f|8b|8c|68|49|07|a2|7c|0d|a6|d6|3c|80|e2|94|66|b0|83|1f|e3|29|02|4d|76|44|1e|65|57|7c|9e|f2|01|0a|77|cd|c5|85|43|53|9e|e7|56|21|4b|55|05|78|0e|6b|7a|14|44|69|d8|cb|06|de|65|9a|0a|8b|15|11|4e|21|c6|1d|be|d4|6c|45|96|88|f2|04|d5|ff|03|fd|d3|24|7d|25|22|8b|22|37|99|4b|22|fa|8f|99|ec|71|88|58|8e|03|9f|76|19|a2|05|a6|3b|bc|87|d8|90|db|c1|cc|98|f9|1f|c5|00|96|e4|90|3d|ad|d0|fa|a1|d5|b6|71|74|7d|0c|a3|f2|79|5a|e6|31|fb|de|65|41|46|39|78|bd|d6|c1|b0|1a|44|16|a1|ed|27|c6|e7|d6|ab|f0|2f|0f|78|a6|78|01|2c|ed|18|bb|47|34|54|ee|73|1b|99|83|ca|bf|d7|07|65|40|03|f2|75|98|d4|f3|22|6c|2f|77|1e|ec|e7|1e|bf|31|28|90|c4|0c|7a|37|cc|85|37|59|42|94|21|90|05|9e|e0|60|51|0a|83|b8|29|45|37|06|5a|5e|a3|b3|e0|08|cf|48|9b|51|17|7b|4c|fb|6d|06|e9|4f|dd|45|42|42|83|c2|f6|b3|70|29|86|08|c4|28|f7|b4|d6|1f|a1|63|94|f7|75|8f|ba|16|03|01|00|04|0e|00|00|00|
+---------+---------------+----------+
18:19:08,150,907 ETHER
|0 |1e|33|c8|aa|1b|40|8a|4b|47|20|ce|e4|08|00|45|00|05|99|39|1b|40|00|40|06|dc|9a|0a|c8|00|0d|0a|64|0a|71|15|b3|58|a7|62|61|d4|6e|00|36|c0|1a|50|18|72|10|25|35|00|00|16|03|01|00|51|02|00|00|4d|03|01|e9|4e|66|d1|56|43|c2|f8|df|95|62|d2|a1|8f|99|85|39|d3|22|4e|92|64|85|75|47|8f|29|f5|15|11|8e|10|20|b7|07|bc|84|e7|15|1e|6b|53|ed|6c|d5|1c|f6|15|10|ab|03|94|db|15|19|47|b7|43|04|30|59|fb|f2|52|e5|00|35|00|00|05|ff|01|00|01|00|16|03|01|05|0d|0b|00|05|09|00|05|06|00|05|03|30|82|04|ff|30|82|02|e7|a0|03|02|01|02|02|09|00|df|41|71|c6|48|ff|eb|19|30|0d|06|09|2a|86|48|86|f7|0d|01|01|0b|05|00|30|16|31|14|30|12|06|03|55|04|03|0c|0b|65|78|61|6d|70|6c|65|2e|63|6f|6d|30|1e|17|0d|31|38|30|32|30|34|31|38|31|33|35|36|5a|17|0d|32|38|30|32|30|32|31|38|31|33|35|36|5a|30|16|31|14|30|12|06|03|55|04|03|0c|0b|65|78|61|6d|70|6c|65|2e|63|6f|6d|30|82|02|22|30|0d|06|09|2a|86|48|86|f7|0d|01|01|01|05|00|03|82|02|0f|00|30|82|02|0a|02|82|02|01|00|e0|22|b0|41|79|e5|60|92|2c|c7|1c|97|84|f8|16|46|39|27|67|26|ad|d7|c8|dc|a4|18|2e|5a|1a|aa|f7|92|b0|71|8f|f8|a5|e0|d9|52|d3|6a|c9|e1|ae|7c|ce|f1|1c|92|99|dd|77|b7|f7|db|b3|2b|f4|96|23|d4|d8|08|e8|e2|f2|15|7b|41|16|30|3d|21|cd|5f|b0|3d|5a|0c|ec|60|9b|d8|78|99|32|c4|9f|3c|1b|50|d9|d4|cf|f0|4b|58|ca|c6|6f|56|f5|57|04|c9|d5|60|56|d2|25|66|ee|fe|f0|da|79|d6|f2|a5|67|08|7a|19|e6|82|90|5c|e0|a1|63|cf|4b|a8|43|c6|d3|08|a0|22|4a|df|be|42|22|8b|c9|6f|81|d1|b0|d8|e0|24|79|b3|3a|ad|10|af|bd|7a|43|56|a6|87|ad|d2|d4|96|cf|12|f9|9a|42|7a|c7|63|07|f7|cc|a9|a5|50|1e|bf|4d|2d|ae|e3|74|b7|a7|66|ca|ab|44|66|db|f5|e2|28|dd|a8|6f|76|0a|5a|d4|8d|42|c6|a0|16|c2|bd|d9|25|38|74|dc|bc|d3|95|03|b9|13|39|c0|4a|cd|d9|c9|cb|34|bf|9e|48|1e|e4|56|8f|47|9c|33|ed|eb|d6|db|5e|b7|46|85|d4|49|48|f3|24|ec|01|c3|98|74|50|f9|05|71|01|b5|96|f4|b5|bc|a3|57|78|3f|c7|4f|10|1e|da|96|59|c0|6d|c1|13|64|52|7b|f8|d7|88|59|29|ba|b7|5a|ec|a2|a7|1e|86|bb|ea|8b|f8|03|e3|73|b3|6e|70|27|29|b6|92|31|4f|52|73|f0|62|91|3e|90|53|40|d0|00|e2|1d|80|5e|82|a9|5e|fc|56|2f|76|d9|40|39|85|e3|4e|55|d2|a7|47|06|27|92|d9|ec|dd|7e|7d|c2|07|6d|73|9b|58|75|da|ba|cd|65|e3|d9|3b|da|78|4e|96|81|c1|d1|2f|f2|c0|65|e0|a2|12|33|1c|eb|0c|2a|10|c6|ea|87|4c|7a|a5|d7|c3|4c|a8|45|06|8d|ca|a5|90|7d|e0|57|be|e5|17|f0|13|41|28|6e|f6|f3|cb|b3|d4|9b|fa|b1|f9|30|a1|b4|2e|a4|de|73|39|35|82|32|de|55|f9|70|ee|ca|8a|d2|62|64|fc|fb|d7|56|17|c7|9a|3c|4f|3d|b1|4a|1d|37|fb|ad|40|ef|c4|14|cf|08|57|8e|68|5f|2b|d4|3b|cc|bb|23|9f|83|64|e3|22|39|53|30|5c|4d|0f|d8|4d|2a|5a|23|e6|ee|06|b6|38|5d|83|ef|91|f8|25|a6|e3|02|03|01|00|01|a3|50|30|4e|30|1d|06|03|55|1d|0e|04|16|04|14|bf|22|b8|2a|ec|f6|61|a9|05|50|d8|6a|f5|35|bd|32|3e|7c|9b|d7|30|1f|06|03|55|1d|23|04|18|30|16|80|14|bf|22|b8|2a|ec|f6|61|a9|05|50|d8|6a|f5|35|bd|32|3e|7c|9b|d7|30|0c|06|03|55|1d|13|04|05|30|03|01|01|ff|30|0d|06|09|2a|86|48|86|f7|0d|01|01|0b|05|00|03|82|02|01|00|35|e5|1e|a9|74|4f|78|59|c0|fd|da|a4|71|7a|4e|9d|b7|13|42|5b|d5|f3|95|1b|48|a6|91|c8|84|be|fc|67|ed|92|4e|2e|f2|e5|6e|14|38|a5|af|51|7f|54|11|5f|ed|15|bd|a6|d9|ef|9c|ef|ee|db|ed|fb|39|45|e2|5e|a9|53|66|73|40|98|27|38|4d|a3|1d|5f|eb|d3|f8|33|01|3d|ce|08|61|60|e1|ee|91|28|98|0a|a2|17|28|17|39|c1|af|1e|d2|f7|42|c6|5f|ff|a2|fa|77|2a|f0|4b|ed|4f|ea|d4|55|b4|4d|02|63|4f|9f|12|ab|86|26|a6|24|26|7e|26|e2|55|89|6b|7d|52|3c|48|ad|4c|0c|76|64|7d|a7|8f|ff|9e|23|28|4c|d5|79|85|ea|0c|ee|54|31|24|e2|66|53|4c|ae|a6|a6|43|c5|e1|16|c7|48|b3|af|49|c9|f6|30|e6|4a|da|2f|9b|1a|9d|5f|15|ff|ac|9e|c7|d3|e4|85|55|1d|d6|42|af|58|1e|57|d1|84|4f|87|a7|43|10|e8|13|42|fd|49|fa|c1|a2|ba|6a|30|a4|1e|fb|db|be|99|16|a1|dc|1e|45|45|54|c3|89|b8|b6|b8|74|90|2f|8b|8c|68|49|07|a2|7c|0d|a6|d6|3c|80|e2|94|66|b0|83|1f|e3|29|02|4d|76|44|1e|65|57|7c|9e|f2|01|0a|77|cd|c5|85|43|53|9e|e7|56|21|4b|55|05|78|0e|6b|7a|14|44|69|d8|cb|06|de|65|9a|0a|8b|15|11|4e|21|c6|1d|be|d4|6c|45|96|88|f2|04|d5|ff|03|fd|d3|24|7d|25|22|8b|22|37|99|4b|22|fa|8f|99|ec|71|88|58|8e|03|9f|76|19|a2|05|a6|3b|bc|87|d8|90|db|c1|cc|98|f9|1f|c5|00|96|e4|90|3d|ad|d0|fa|a1|d5|b6|71|74|7d|0c|a3|f2|79|5a|e6|31|fb|de|65|41|46|39|78|bd|d6|c1|b0|1a|44|16|a1|ed|27|c6|e7|d6|ab|f0|2f|0f|78|a6|78|01|2c|ed|18|bb|47|34|54|ee|73|1b|99|83|ca|bf|d7|07|65|40|03|f2|75|98|d4|f3|22|6c|2f|77|1e|ec|e7|1e|bf|31|28|90|c4|0c|7a|37|cc|85|37|59|42|94|21|90|05|9e|e0|60|51|0a|83|b8|29|45|37|06|5a|5e|a3|b3|e0|08|cf|48|9b|51|17|7b|4c|fb|6d|06|e9|4f|dd|45|42|42|83|c2|f6|b3|70|29|86|08|c4|28|f7|b4|d6|1f|a1|63|94|f7|75|8f|ba|16|03|01|00|04|0e|00|00|00|
+---------+---------------+----------+
18:19:08,556,603 ETHER
|0 |8a|4b|47|20|ce|e4|1e|33|c8|aa|1b|40|08|00|45|00|00|7c|05|fd|00|00|7f|06|15|d6|0a|64|0a|71|0a|c8|00|0d|58|a7|15|b3|00|36|bf|c6|62|61|d4|6e|50|18|16|d0|67|d0|00|00|16|03|01|00|4f|01|00|00|4b|03|03|6e|30|37|19|a3|c0|a4|d5|d1|3c|8b|ed|76|72|e2|9f|d5|5e|57|3e|9e|98|b7|33|a9|12|54|de|40|32|df|34|00|00|12|00|3d|00|35|00|3c|00|2f|00|b7|00|95|00|b6|00|94|00|ff|01|00|00|10|00|0d|00|0c|00|0a|06|01|05|01|04|01|03|01|02|01|
+---------+---------------+----------+
18:19:08,556,617 ETHER
|0 |1e|33|c8|aa|1b|40|8a|4b|47|20|ce|e4|08|00|45|00|00|28|39|1c|40|00|40|06|e2|0a|0a|c8|00|0d|0a|64|0a|71|15|b3|58|a7|62|61|d9|df|00|36|c0|1a|50|10|72|10|1f|c4|00|00|
+---------+---------------+----------+
18:19:08,683,863 ETHER
|0 |8a|4b|47|20|ce|e4|1e|33|c8|aa|1b|40|08|00|45|00|00|28|05|fe|00|00|7f|06|16|29|0a|64|0a|71|0a|c8|00|0d|58|a7|15|b3|00|36|c0|1a|62|61|d9|df|50|11|11|5f|13|df|00|00|
+---------+---------------+----------+
18:19:08,683,932 ETHER
|0 |1e|33|c8|aa|1b|40|8a|4b|47|20|ce|e4|08|00|45|00|00|28|39|1d|40|00|40|06|e2|09|0a|c8|00|0d|0a|64|0a|71|15|b3|58|a7|62|61|d9|df|00|36|c0|1b|50|11|72|10|1f|c4|00|00|
+---------+---------------+----------+
18:19:08,762,143 ETHER
|0 |8a|4b|47|20|ce|e4|1e|33|c8|aa|1b|40|08|00|45|00|00|28|05|ff|00|00|7f|06|16|28|0a|64|0a|71|0a|c8|00|0d|58|a7|15|b3|00|36|c0|1b|62|61|d9|e0|50|10|11|5e|13|df|00|00|
+---------+---------------+----------+
18:19:16,784,169 ETHER
|0 |8a|4b|47|20|ce|e4|1e|33|c8|aa|1b|40|08|00|45|00|00|2c|06|00|00|00|7f|06|16|23|0a|64|0a|71|0a|c8|00|0d|18|30|15|b3|00|36|e7|9f|00|00|00|00|60|02|16|d0|4b|f4|00|00|02|04|05|b4|
+---------+---------------+----------+
18:19:16,784,184 ETHER
|0 |1e|33|c8|aa|1b|40|8a|4b|47|20|ce|e4|08|00|45|00|00|2c|00|00|40|00|40|06|1b|23|0a|c8|00|0d|0a|64|0a|71|15|b3|18|30|98|bc|9a|61|00|36|e7|a0|60|12|72|10|1f|c8|00|00|02|04|05|b4|
+---------+---------------+----------+
18:19:16,886,424 ETHER
|0 |8a|4b|47|20|ce|e4|1e|33|c8|aa|1b|40|08|00|45|00|00|7c|06|01|00|00|7f|06|15|d2|0a|64|0a|71|0a|c8|00|0d|18|30|15|b3|00|36|e7|a0|98|bc|9a|62|50|18|16|d0|70|29|00|00|16|03|01|00|4f|01|00|00|4b|03|03|e5|7a|5a|74|be|6f|f0|54|cf|60|fd|45|d1|15|6e|25|28|82|23|11|ce|26|76|8f|3a|9b|db|bf|31|93|66|24|00|00|12|00|3d|00|35|00|3c|00|2f|00|b7|00|95|00|b6|00|94|00|ff|01|00|00|10|00|0d|00|0c|00|0a|06|01|05|01|04|01|03|01|02|01|
+---------+---------------+----------+
18:19:16,886,440 ETHER
|0 |1e|33|c8|aa|1b|40|8a|4b|47|20|ce|e4|08|00|45|00|00|28|6c|15|40|00|40|06|af|11|0a|c8|00|0d|0a|64|0a|71|15|b3|18|30|98|bc|9a|62|00|36|e7|f4|50|10|72|10|1f|c4|00|00|
+---------+---------------+----------+
18:19:16,886,658 ETHER
|0 |1e|33|c8|aa|1b|40|8a|4b|47|20|ce|e4|08|00|45|00|05|99|6c|16|40|00|40|06|a9|9f|0a|c8|00|0d|0a|64|0a|71|15|b3|18|30|98|bc|9a|62|00|36|e7|f4|50|18|72|10|25|35|00|00|16|03|01|00|51|02|00|00|4d|03|01|24|c5|4f|88|a2|2e|d6|95|40|f4|42|c1|97|78|b8|4a|33|43|32|94|d8|81|88|7f|09|44|df|3a|6c|79|d2|3a|20|1d|a7|32|d9|88|67|21|c6|69|f6|70|a7|20|28|0c|ac|a4|da|d0|95|3f|02|4f|51|68|78|7e|bf|1c|53|46|69|00|35|00|00|05|ff|01|00|01|00|16|03|01|05|0d|0b|00|05|09|00|05|06|00|05|03|30|82|04|ff|30|82|02|e7|a0|03|02|01|02|02|09|00|df|41|71|c6|48|ff|eb|19|30|0d|06|09|2a|86|48|86|f7|0d|01|01|0b|05|00|30|16|31|14|30|12|06|03|55|04|03|0c|0b|65|78|61|6d|70|6c|65|2e|63|6f|6d|30|1e|17|0d|31|38|30|32|30|34|31|38|31|33|35|36|5a|17|0d|32|38|30|32|30|32|31|38|31|33|35|36|5a|30|16|31|14|30|12|06|03|55|04|03|0c|0b|65|78|61|6d|70|6c|65|2e|63|6f|6d|30|82|02|22|30|0d|06|09|2a|86|48|86|f7|0d|01|01|01|05|00|03|82|02|0f|00|30|82|02|0a|02|82|02|01|00|e0|22|b0|41|79|e5|60|92|2c|c7|1c|97|84|f8|16|46|39|27|67|26|ad|d7|c8|dc|a4|18|2e|5a|1a|aa|f7|92|b0|71|8f|f8|a5|e0|d9|52|d3|6a|c9|e1|ae|7c|ce|f1|1c|92|99|dd|77|b7|f7|db|b3|2b|f4|96|23|d4|d8|08|e8|e2|f2|15|7b|41|16|30|3d|21|cd|5f|b0|3d|5a|0c|ec|60|9b|d8|78|99|32|c4|9f|3c|1b|50|d9|d4|cf|f0|4b|58|ca|c6|6f|56|f5|57|04|c9|d5|60|56|d2|25|66|ee|fe|f0|da|79|d6|f2|a5|67|08|7a|19|e6|82|90|5c|e0|a1|63|cf|4b|a8|43|c6|d3|08|a0|22|4a|df|be|42|22|8b|c9|6f|81|d1|b0|d8|e0|24|79|b3|3a|ad|10|af|bd|7a|43|56|a6|87|ad|d2|d4|96|cf|12|f9|9a|42|7a|c7|63|07|f7|cc|a9|a5|50|1e|bf|4d|2d|ae|e3|74|b7|a7|66|ca|ab|44|66|db|f5|e2|28|dd|a8|6f|76|0a|5a|d4|8d|42|c6|a0|16|c2|bd|d9|25|38|74|dc|bc|d3|95|03|b9|13|39|c0|4a|cd|d9|c9|cb|34|bf|9e|48|1e|e4|56|8f|47|9c|33|ed|eb|d6|db|5e|b7|46|85|d4|49|48|f3|24|ec|01|c3|98|74|50|f9|05|71|01|b5|96|f4|b5|bc|a3|57|78|3f|c7|4f|10|1e|da|96|59|c0|6d|c1|13|64|52|7b|f8|d7|88|59|29|ba|b7|5a|ec|a2|a7|1e|86|bb|ea|8b|f8|03|e3|73|b3|6e|70|27|29|b6|92|31|4f|52|73|f0|62|91|3e|90|53|40|d0|00|e2|1d|80|5e|82|a9|5e|fc|56|2f|76|d9|40|39|85|e3|4e|55|d2|a7|47|06|27|92|d9|ec|dd|7e|7d|c2|07|6d|73|9b|58|75|da|ba|cd|65|e3|d9|3b|da|78|4e|96|81|c1|d1|2f|f2|c0|65|e0|a2|12|33|1c|eb|0c|2a|10|c6|ea|87|4c|7a|a5|d7|c3|4c|a8|45|06|8d|ca|a5|90|7d|e0|57|be|e5|17|f0|13|41|28|6e|f6|f3|cb|b3|d4|9b|fa|b1|f9|30|a1|b4|2e|a4|de|73|39|35|82|32|de|55|f9|70|ee|ca|8a|d2|62|64|fc|fb|d7|56|17|c7|9a|3c|4f|3d|b1|4a|1d|37|fb|ad|40|ef|c4|14|cf|08|57|8e|68|5f|2b|d4|3b|cc|bb|23|9f|83|64|e3|22|39|53|30|5c|4d|0f|d8|4d|2a|5a|23|e6|ee|06|b6|38|5d|83|ef|91|f8|25|a6|e3|02|03|01|00|01|a3|50|30|4e|30|1d|06|03|55|1d|0e|04|16|04|14|bf|22|b8|2a|ec|f6|61|a9|05|50|d8|6a|f5|35|bd|32|3e|7c|9b|d7|30|1f|06|03|55|1d|23|04|18|30|16|80|14|bf|22|b8|2a|ec|f6|61|a9|05|50|d8|6a|f5|35|bd|32|3e|7c|9b|d7|30|0c|06|03|55|1d|13|04|05|30|03|01|01|ff|30|0d|06|09|2a|86|48|86|f7|0d|01|01|0b|05|00|03|82|02|01|00|35|e5|1e|a9|74|4f|78|59|c0|fd|da|a4|71|7a|4e|9d|b7|13|42|5b|d5|f3|95|1b|48|a6|91|c8|84|be|fc|67|ed|92|4e|2e|f2|e5|6e|14|38|a5|af|51|7f|54|11|5f|ed|15|bd|a6|d9|ef|9c|ef|ee|db|ed|fb|39|45|e2|5e|a9|53|66|73|40|98|27|38|4d|a3|1d|5f|eb|d3|f8|33|01|3d|ce|08|61|60|e1|ee|91|28|98|0a|a2|17|28|17|39|c1|af|1e|d2|f7|42|c6|5f|ff|a2|fa|77|2a|f0|4b|ed|4f|ea|d4|55|b4|4d|02|63|4f|9f|12|ab|86|26|a6|24|26|7e|26|e2|55|89|6b|7d|52|3c|48|ad|4c|0c|76|64|7d|a7|8f|ff|9e|23|28|4c|d5|79|85|ea|0c|ee|54|31|24|e2|66|53|4c|ae|a6|a6|43|c5|e1|16|c7|48|b3|af|49|c9|f6|30|e6|4a|da|2f|9b|1a|9d|5f|15|ff|ac|9e|c7|d3|e4|85|55|1d|d6|42|af|58|1e|57|d1|84|4f|87|a7|43|10|e8|13|42|fd|49|fa|c1|a2|ba|6a|30|a4|1e|fb|db|be|99|16|a1|dc|1e|45|45|54|c3|89|b8|b6|b8|74|90|2f|8b|8c|68|49|07|a2|7c|0d|a6|d6|3c|80|e2|94|66|b0|83|1f|e3|29|02|4d|76|44|1e|65|57|7c|9e|f2|01|0a|77|cd|c5|85|43|53|9e|e7|56|21|4b|55|05|78|0e|6b|7a|14|44|69|d8|cb|06|de|65|9a|0a|8b|15|11|4e|21|c6|1d|be|d4|6c|45|96|88|f2|04|d5|ff|03|fd|d3|24|7d|25|22|8b|22|37|99|4b|22|fa|8f|99|ec|71|88|58|8e|03|9f|76|19|a2|05|a6|3b|bc|87|d8|90|db|c1|cc|98|f9|1f|c5|00|96|e4|90|3d|ad|d0|fa|a1|d5|b6|71|74|7d|0c|a3|f2|79|5a|e6|31|fb|de|65|41|46|39|78|bd|d6|c1|b0|1a|44|16|a1|ed|27|c6|e7|d6|ab|f0|2f|0f|78|a6|78|01|2c|ed|18|bb|47|34|54|ee|73|1b|99|83|ca|bf|d7|07|65|40|03|f2|75|98|d4|f3|22|6c|2f|77|1e|ec|e7|1e|bf|31|28|90|c4|0c|7a|37|cc|85|37|59|42|94|21|90|05|9e|e0|60|51|0a|83|b8|29|45|37|06|5a|5e|a3|b3|e0|08|cf|48|9b|51|17|7b|4c|fb|6d|06|e9|4f|dd|45|42|42|83|c2|f6|b3|70|29|86|08|c4|28|f7|b4|d6|1f|a1|63|94|f7|75|8f|ba|16|03|01|00|04|0e|00|00|00|
+---------+---------------+----------+
18:19:16,933,784 ETHER
|0 |8a|4b|47|20|ce|e4|1e|33|c8|aa|1b|40|08|00|45|00|00|28|06|02|00|00|7f|06|16|25|0a|64|0a|71|0a|c8|00|0d|18|30|15|b3|00|36|e7|f4|98|bc|9f|d3|50|11|11|5f|30|2d|00|00|
+---------+---------------+----------+
18:19:16,933,874 ETHER
|0 |1e|33|c8|aa|1b|40|8a|4b|47|20|ce|e4|08|00|45|00|00|28|6c|17|40|00|40|06|af|0f|0a|c8|00|0d|0a|64|0a|71|15|b3|18|30|98|bc|9f|d3|00|36|e7|f5|50|11|72|10|1f|c4|00|00|
+---------+---------------+----------+
18:19:16,973,340 ETHER
|0 |8a|4b|47|20|ce|e4|1e|33|c8|aa|1b|40|08|00|45|00|00|28|06|03|00|00|7f|06|16|24|0a|64|0a|71|0a|c8|00|0d|18|30|15|b3|00|36|e7|f5|98|bc|9f|d4|50|10|11|5e|30|2d|00|00|
What does this error actually mean?
At the risk of stating the obvious it literally means "the handshake failed" and doesn't give you any more information than that. It could be caused by any number of possible issues. From your debug output we can see that:
The client issues a ClientHello to the server
The server responds with a ServerHello, a Certificate and a ServerHelloDone.
The server then attempts to read a response from the client but this read fails (most probably because the client has aborted - but without sending any kind of alert to indicate the cause of the problem).
Clearly something in the response that your server has sent back to the client has caused the client to just give up. The most likely culprit is the certificate, but its also possible that there is something about the ServerHello it doesn't like (e.g. the server didn't understand some extension that the client sent in its ClientHello, which it refuses to work without...although this is quite unlikely)
When looking in details to your debug log, it looks like a normal client/server handshake, in TLS 1.2. The last 9 bytes written mean the SERVER HELLO DONE is accomplished, and then the client (the last "read from") is sending 5 bytes that unfortunately we don't have. 5 bytes is a normal thing at this moment, these bytes are supposed to continue with the TLS exchange (Client key exchange,..) and they contain the "hello" byte, the protocol version (2 bytes), and the data length (2 bytes).
All this work would be easier for me if you provided a network capture. But OK, we have some information.
There is one reason to make openssl bug at this moment, when we receive 5 bytes instead of 11. This code will later generate the same handshake failure that you get :
* Request this many bytes in initial read.
* We can detect SSL 3.0/TLS 1.0 Client Hellos
* ('type == 3') correctly only when the following
* is in a single record, which is not guaranteed by
* the protocol specification:
* Byte Content
* 0 type \
* 1/2 version > record header
* 3/4 length /
* 5 msg_type \
* 6-8 length > Client Hello message
* 9/10 client_version /
*/
char buf_space[11];
But without any capture, it's almost impossible to say whether the client is sending a wrong Client key exchange, or if it's your openssl version which is faulty (more likely, it's the client).
Can you check what openssl version you are running ?
This appears to be a network or stack problem.
Assuming we are the server at 10.200.0.13 and the client is 10.100.10.113 your network dump decodes as follows:
18:19:07,529,418 receive connect request (SYN) from port 22695 to port 5555 with starting seq 0x0036bfc5
18:19:07,529,450 send accept (SYN ACK) with starting seq 0x6261d46d
18:19:07,668,343 receive segment containing ClientHello message with seq 0x0036bfc6 len 0x54
18:19:07,668,359 send ack (through 0x0036c01a)
18:19:07,668,617 send segment containing ServerHello, Certificate, ServerHelloDone with seq 0x6261d46e len 0x56+0x512+9=0x571
18:19:08,150,907 after no response ~0.5s, resend segment
18:19:08,556,603 receive resend of client 0x0036bfc6, which does NOT ack our data;
this implies client didn't get our data-ack and didn't get or accept (either copy of) our 0x6261d46e
18:19:08,556,617 send probe (ACK with no additional data)
18:19:08,683,863 receive probe from client, again neg-acking data but pos-acking SYN
18:19:08,683,932 after 2x neg-ack, send FIN (seq 0x6261d9df)
18:19:08,762,143 receive ACK of our FIN (and data?) (ack=0x6261d9e0)
18:19:16,784,169 receive new connect (SYN) from port 6192
...
This is screwy. If the client is any normal computer with an OS, usually those ack data at TCP level in the protocol stack even if their user program doesn't read (or accept) the data, at least up to some reasonable buffersize. The client is clearly getting at least some of our frames, since it correctly acks SYN and FIN, but it apparently refuses to ack our data.
If the client is something like a thermostat or an Arduino, where there is no actual OS but often instead a heap of code someone mashed together, often by copying from websites (including Stack?) without understanding it, so it doesn't work right. Or possibly the actual client is correct, but there is some broken middlebox like a firewall, IDS, 'smart' router, etc. in between.
Anyway if you can't get the TLS protocol messages, which are TCP data, delivered to the client at the TCP level, nothing else can work, so without any more useful info about or control over the client you're out of luck.
Sorry.
bad gethostbyaddr
A reverse DNS is not working well on your server. With your server IP, run these commands and check if they return anything (I suppose you're on Linux) :
dig -x XXX.XXX.XXX.XXX
host XXX.XXX.XXX.XXX
Check that your hosts file solves correctly your hostname. If you have to configure a DNS server (/etc/resolv.conf), do it.
My application is using SSL over SMTP.
But I faced a problem of extra byte at the end.
The packet which I recieved is as follows: (Hex dump of SSL Record packet)
17 03 01 01 00 9A 07 74 E3 4B E0 07 17 71 38 BF 29 7E 70
E9 14 CC B1 97 77 4C B9 AB A0 9F 88 7B D4 ED 14 8E 97 F2
5A BE 46 56 D4 12 BC 15 01 49 EE CE A1 ED 3F D3 6E 7F AA
DC 6B DF 41 11 74 7B 55 B8 D3 3E 8D EF 96 52 B0 BD 50 35
09 E7 2A FF 0E 39 58 C7 91 99 95 22 6F B0 73 57 28 B4 EA
C6 28 4C DC 5C DA 6C 31 FB 63 71 7D 08 F0 DD 78 C4 08 C5
27 90 04 C7 09 59 E4 83 F4 4D 9A 7B 65 E9 AF 38 44 B4 CD
9E 4D BE 80 0D 07 24 8D C3 79 99 DC 02 81 D7 97 21 16 0B
28 44 82 ED E4 5F E6 91 81 A5 28 C1 C8 92 60 36 4E DE 27
AF D0 2B EE FB 9D 12 9C 2B 4F 3F 29 F2 04 8F DC 21 39 4F
80 23 7E 78 3C A0 29 E0 67 E7 9F 90 B6 1F D4 08 63 3E CE
73 E1 17 72 8D B1 8C 3D A8 59 C0 0F 03 59 7A A6 5D F9 7A
40 57 D6 8D 94 48 93 BF D8 17 C6 70 79 36 13 D0 F1 D1 D2
69 D4 05 9D 67 86 6D E9 66 D0 83 4A D8 5E 20
The length of this packet as seen from SSL 3.1 protocol is 256 Bytes.
But there is one extra byte at the end (shown in bold at the end).
Due to this extra byte at the end, when next packet is being read, then this 20 is also read and causes error of SSL_R_WRONG_VERSION_NUMBER (I am using OpenSSL Library for SSL).
Next packet which I recieved is like (as per packet sniffer)
17 03 01 00 18 ...
But when next read is being done, OpenSSL reads packet as 20 17 03 01 .. which causes the error (since 17 03 is wrong version for 03 01)
I would like to know if this (extra byte at the end) is a part of SSL standard.
Please suggest me how to handle this case in OpenSSL. OpenSSL version is 1.0.0.
No. The extra byte is not as a part of SSL Standard.
As per SSL Standard (RFC 2246 for TLS 1.0, Latest is RFC 5246 for TLS 1.2) the record of SSL is as below:
struct {
ContentType type;
ProtocolVersion version;
uint16 length;
select (CipherSpec.cipher_type) {
case stream: GenericStreamCipher;
case block: GenericBlockCipher;
} fragment;
} TLSCiphertext;
The fragment will be exactly of the length as specified by uint16 length member. So, the 20 must be getting inserted either incorrectly by the Server Implementation, or some other software in the middle is inserting it when the data is in network.
Openssl reads exactly the number of bytes as specified by uint16 length member which is why it doesn't read 20.
Some of the points which you can focus on are:
1. Does this happen with the first application data packet which is transferred immediately after handshake? (From the content type I assumed this packet dump is for application data)
2. Is this a random occurance? Do all connections with that particular server exhibit the same behavior?
3. You can try to get the dump of the packet sent at the Server to see if 20 is present when the packet is being sent at the Server side itself or it is getting added during it's flight.
4. Could there be a Firewall related problem? (I don't know about Firewall, so didn't give more details here)
Hope this helps!
I was bashing my head with this one today; finally resorted to this:
_sslStream.Write(merged, 0, merged.Length - 1)
Problem solved, move along!
My Connection to my test application keeps terminating in the same place without any errors.
I think perhaps something is triggering the channel/connection to close, but I don't know what it could be. Where exactly it closes changes slightly if I change printouts in the code, so the timing appears to be on a different thread.
I've been working on this for four days now and list myself as officially stuck.
Here is my connection code:
final HttpQueryRequestImpl realRequest = (HttpQueryRequestImpl) getPredecessorQueryResolver().resolvePredecessorResults(getPredecessorResults(), getQueryRequest(), getId());
// Configure the client.
// TODO determine if this ClientBootstrap object can be reused. Indications in the doucmentation
// seem to say yes, with caveats. Reusing the pool would improve performance. Caveats must be investigated.
final ClientBootstrap bootstrap = new ClientBootstrap(
new NioClientSocketChannelFactory(
Executors.newCachedThreadPool(),
Executors.newCachedThreadPool()));
// Set up the event pipeline factory.
bootstrap.setPipelineFactory(new HttpSnoopClientPipelineFactory());
// TODO audit and timestamp logging
if (logger.isInfoEnabled()) {
logger.info("Starting connection to !" + realRequest.getUri());
}
// Start the connection attempt.
// ChannelFuture future = bootstrap.connect(new InetSocketAddress(realRequest.getHost(), realRequest.getPort()));
logger.info(realRequest.getHost() + " " + realRequest.getPort());
ChannelFuture future = bootstrap.connect(new InetSocketAddress("myname.organization.com", 8443));
// register some things to happen after the channel completes
future.addListener(new ChannelFutureListener() {
#Override
public void operationComplete(ChannelFuture future) throws Exception {
if (!future.isSuccess()) {
logger.error("Error connecting to " + realRequest.getHost() + ":" + realRequest.getPort() + " " + realRequest.getUri());
bootstrap.releaseExternalResources();
} else {
if (logger.isInfoEnabled()) {
logger.info("Connected to " + realRequest.getHost() + ":" + realRequest.getPort() + " " + realRequest.getUri());
}
// Send the HTTP request.
Channel channel = future.getChannel();
HttpRequest request = new DefaultHttpRequest(
HttpVersion.HTTP_1_1, HttpMethod.GET, "/factorial");
request.setHeader(HttpHeaders.Names.HOST, "myname.organization.com");
request.setHeader(HttpHeaders.Names.CONNECTION, HttpHeaders.Values.CLOSE);
request.setHeader(HttpHeaders.Names.ACCEPT_ENCODING, HttpHeaders.Values.GZIP);
ChannelFuture writeFuture = channel.write(request);
writeFuture.addListener(new ChannelFutureListener() {
#Override
public void operationComplete(ChannelFuture future) throws Exception {
logger.info("Wrote data complete");
// TODO once bootstrap is reused, get rid of this
// Shut down executor threads to exit.
// bootstrap.releaseExternalResources();
}
});
}
}
});
This is what my output looks like with SSL debugging enabled:
32 [main] INFO nettyliteserver.remotequeries.HttpsQuery - Starting connection to !https://myname.organization.com:8443/factorial
32 [main] INFO nettyliteserver.remotequeries.HttpsQuery - myname.organization.com 8443
***
found key for : myname.organization.com
chain [0] = [
[
Version: V1
Subject: CN=myname.organization.com, OU=myname.organization.com, O=myname.organization.com, L=myname.organization.com, ST=myname.organization.com, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 94642469145065852073118930371145672868332389407646565010478303790446281089121119363888463093443199472593726155607365724815252704927244864250811984977900576391208121343883948799873869280369621492901495505803717080952775289840654752626694613842653754724186814688913115288788127483906065658243886585022651573993
public exponent: 65537
Validity: [From: Fri Mar 09 13:29:22 EST 2012,
To: Sat Mar 09 13:29:22 EST 2013]
Issuer: C=US, CN=myname.organization.com, ST=myname.organization.com, L=myname.organization.com, EMAILADDRESS=myname.organization.com, OU=myname.organization.com, O=myname.organization.com
SerialNumber: [ 71c8]
]
Algorithm: [SHA1withRSA]
Signature:
0000: C5 55 9C 1D 76 CE 05 87 45 0D C3 15 9C DB 0B 3A .U..v...E......:
0010: 70 0E 50 0C DB DB B4 62 2F BA A3 30 48 C0 D2 E9 p.P....b/..0H...
0020: 45 9C 3C C0 4A 84 7B 21 51 78 93 F1 63 4C 61 37 E.<.J..!Qx..cLa7
0030: 21 97 E8 38 F9 62 C5 EA 02 53 28 4F F8 EC 01 F2 !..8.b...S(O....
0040: 08 70 DB 96 D5 1D 9E 0A 89 33 D3 1D C8 79 8B C1 .p.......3...y..
0050: 6E 07 C4 98 FA 55 85 80 D4 10 AF A7 E5 A7 94 FA n....U..........
0060: 45 CB DA 7C FA 66 C6 FC 69 A4 B2 05 01 C6 DC 8E E....f..i.......
0070: AC 15 7D A2 FC 25 DF FE 19 80 D4 27 07 EA D6 3F .....%.....'...?
0080: 5C 73 5F 63 0B 4E 02 FC 49 EA 76 69 FA 82 5B 1B \s_c.N..I.vi..[.
0090: 3B 45 6B 95 DC 8F C2 E8 A9 6C 10 CD 9B E0 59 D7 ;Ek......l....Y.
00A0: DC E6 69 2C F9 DB 99 F7 7F E3 76 81 13 CD B3 FE ..i,......v.....
00B0: 1D AD 32 7D 6F 74 A9 12 4B 06 E2 9F E9 1F EF 8A ..2.ot..K.......
00C0: 1F CA 1D B8 08 47 00 1D 19 53 87 0A E3 FA B4 B5 .....G...S......
00D0: 99 4F B9 97 5D D0 EE 0D DD 09 5F 3C 41 31 D6 18 .O..]....._<A1..
00E0: 5C 39 01 8E DA D9 27 85 FE 0F C5 EE 00 A3 27 44 \9....'.......'D
00F0: C0 A1 42 EA 13 5B 66 3B 64 E3 EA 9B 23 20 0B C6 ..B..[f;d...# ..
0100: 66 DB AB 79 77 97 3E 4A D0 C7 79 C4 D2 E7 BD 1A f..yw.>J..y.....
0110: F3 90 39 A2 A4 69 A9 A1 4E A3 0B 92 93 9F 8F 4F ..9..i..N......O
0120: C3 4F CE E7 20 D6 45 4D 9B E0 B2 58 EC 96 19 99 .O.. .EM...X....
0130: E0 F3 BB E4 EF 7E 1D C7 C3 48 8B D0 7D 2D 8C 3A .........H...-.:
0140: 1A AF 77 3A 83 F4 51 C9 D6 DE BE 24 3B 03 7C A9 ..w:..Q....$;...
0150: 4B 5C C4 6E 59 AB E2 02 63 73 CE 98 8A D0 45 D5 K\.nY...cs....E.
0160: 6C FE 23 79 93 69 D5 74 0D AF FE 23 AE BB 3F E4 l.#y.i.t...#..?.
0170: 9C 05 87 E1 2E 91 51 D6 44 55 7E 66 73 1D BB C2 ......Q.DU.fs...
0180: F3 E8 4D CA 50 D9 6D 2A AD 84 EF C7 70 4B 15 EA ..M.P.m*....pK..
0190: C4 E0 33 3E 44 89 A3 97 8C 32 17 FD B9 DD 22 FB ..3>D....2....".
01A0: 08 CF 1E 49 78 B7 2F 8E 60 66 58 3D 57 6F 21 72 ...Ix./.`fX=Wo!r
01B0: D3 87 38 9C DD EB 60 D8 BD 06 A8 04 FD 2D 59 EA ..8...`......-Y.
01C0: 82 A8 E8 E7 73 81 1E DE FD 51 33 0C F7 47 AE 34 ....s....Q3..G.4
01D0: 58 57 DD CE FD 12 68 A6 A8 2E 58 4F C7 6A 1E 27 XW....h...XO.j.'
01E0: 39 EF C7 BE 75 32 96 99 6B 1B E6 23 2A A5 0E 2F 9...u2..k..#*../
01F0: 35 0A 0C 0C FA 92 65 1D DC 17 56 57 C4 08 89 48 5.....e...VW...H
]
chain [1] = [
[
Version: V1
Subject: C=US, CN=myname.organization.com, ST=myname.organization.com, L=myname.organization.com, EMAILADDRESS=myname.organization.com, OU=myname.organization.com, O=myname.organization.com
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 4096 bits
modulus: 806866056348410276765741718640530245144236832502515305762072630647553277327953919063172921502880537921571234334570551528531888439605163701867371172813984927986527584575335107418628498623377289440387978453125866503947773575289298639780740830349842738718874502642354354786938153803982142709595698253667527748252780647208422256786989310056682111281793756866001585577762899819782647308899956239433307951381179494148030342543127196354965114705680137760255253494869690234155019595101679874833401305309080790668924554791611347641826073186513714032079267845800910995372117962695304732667441462587341743926848435668491205343373472147947564642450777593350053051331533112897445884090255314793988795654376385927964164743689070718825504556057816253883950563232708345137230621100544965407234099088514072120925433729718654307794068734283314839693884400349895261851764957828001331060077733384251643023885026867016629337741393451760864161087662305445338147618921663305526880031574988450298248773113067904762125722376437187045162922144483754266350990810318433387352520742359961188082219224300651116723774686748606066644650420169490565673256120050113505389581136874611045622641221693918773655462724374483166653830081719164259720121105179323613660081321
public exponent: 65537
Validity: [From: Fri Mar 09 13:29:15 EST 2012,
To: Sat Mar 09 13:29:15 EST 2013]
Issuer: C=US, CN=myname.organization.com, ST=myname.organization.com, L=myname.organization.com, EMAILADDRESS=myname.organization.com, OU=myname.organization.com, O=myname.organization.com
SerialNumber: [ c1e2c18c f327ad81]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 8A EB 65 0E 88 09 BE 9A BA 88 FB CA 9A D4 53 F4 ..e...........S.
0010: B0 5C 91 67 BD C9 35 67 2D 37 78 2D 5C E6 4B 26 .\.g..5g-7x-\.K&
0020: E9 8E 20 3D DE 92 9B 29 A7 CB CC 5F 4E E3 CD 1A .. =...)..._N...
0030: FA 5B EB 0D 42 DC 17 05 4E D6 34 72 43 46 6C 55 .[..B...N.4rCFlU
0040: 99 FF AC 00 2E BF 28 5D 4A 6A 21 DE 72 9E 6C 7A ......(]Jj!.r.lz
0050: A6 10 28 27 21 72 0F 69 09 04 D3 FB A7 83 DF 81 ..('!r.i........
0060: E2 78 BD 0B 4F D7 AA B4 CC E2 E4 3B A5 30 A3 14 .x..O......;.0..
0070: B4 83 75 DC E6 8C 01 9A B2 BA FF 0D 3F AA F1 30 ..u.........?..0
0080: A0 33 A9 CC 13 08 72 8F E2 75 1D 3B 30 B8 82 3C .3....r..u.;0..<
0090: 9A A0 A3 68 18 60 C0 1F E4 2E 06 D6 1B B8 46 6F ...h.`........Fo
00A0: AB D3 C9 AD 89 E6 E7 48 12 0F 90 A5 B8 A2 17 51 .......H.......Q
00B0: 41 AF 1E 62 6C D2 48 B2 41 C6 CE 1D 4E B1 F7 90 A..bl.H.A...N...
00C0: 34 26 E0 5D 95 7B BD 93 BA 4C D1 7A 08 A9 1E 57 4&.].....L.z...W
00D0: 03 EE F2 EC BD 8E 36 43 1D 4F 9E 39 56 A8 E4 B6 ......6C.O.9V...
00E0: 44 6C D5 D3 8C F0 FE 1F 87 87 67 2D E6 05 7E BA Dl........g-....
00F0: 18 FB 6C 0B D8 80 19 08 27 8F 60 09 A6 BA 68 55 ..l.....'.`...hU
0100: 05 13 A8 9C 04 06 F8 24 A1 52 DB 67 69 2E FE 12 .......$.R.gi...
0110: A5 23 D1 2E 56 EA 54 08 83 DD 91 43 45 8B F6 97 .#..V.T....CE...
0120: 01 65 CC 32 4C FA D6 89 81 83 B4 21 92 F4 EC 29 .e.2L......!...)
0130: 68 87 51 A0 FC B7 7D BD 90 F8 A1 F8 68 82 CF 03 h.Q.........h...
0140: 4E 9C C2 FA AF 4A D3 AD 0B AB AB 73 4B B4 95 B0 N....J.....sK...
0150: EC 64 6B 8E 2B D4 E1 41 96 19 EC E9 6B 92 51 8A .dk.+..A....k.Q.
0160: D8 C1 87 FC DB B4 12 BD 14 AB 5C 07 73 AA DE CE ..........\.s...
0170: E5 05 8F E9 CC 9F C4 2A B6 0F 5D 40 8E 7A 82 7E .......*..]#.z..
0180: CD 28 88 8F 01 3E 6C EF E7 01 58 2E C9 3F 0E 44 .(...>l...X..?.D
0190: 4D 1A 2B BB 0D 51 76 38 26 D4 89 5C 9B AB 63 FA M.+..Qv8&..\..c.
01A0: 4B 63 7C DC 0E 05 01 BB E4 97 73 03 4F 83 71 1E Kc........s.O.q.
01B0: B6 CB A6 62 F9 21 1B F2 24 D3 85 1D E6 31 87 E4 ...b.!..$....1..
01C0: D6 74 09 70 C3 D0 4C 35 7E F1 49 5A 60 B7 02 72 .t.p..L5..IZ`..r
01D0: 04 C9 83 AD 5E 63 1F 7B 97 4C 35 7F 15 88 D5 5D ....^c...L5....]
01E0: DA 3B F6 80 9B 07 E5 86 4B 67 F6 B2 66 DE 81 6C .;......Kg..f..l
01F0: FF B6 99 D1 06 EF 3A 27 68 8D F2 EE 72 C4 48 64 ......:'h...r.Hd
]
***
adding as trusted cert:
Subject: CN=myname.organization.com, OU=myname.organization.com, O=myname.organization.com, L=myname.organization.com, ST=myname.organization.com, C=US
Issuer: C=US, CN=myname.organization.com, ST=myname.organization.com, L=myname.organization.com, EMAILADDRESS=myname.organization.com, OU=myname.organization.com, O=myname.organization.com
Algorithm: RSA; Serial number: 0x71c8
Valid from Fri Mar 09 13:29:22 EST 2012 until Sat Mar 09 13:29:22 EST 2013
adding as trusted cert:
Subject: C=US, CN=myname.organization.com, ST=myname.organization.com, L=myname.organization.com, EMAILADDRESS=myname.organization.com, OU=myname.organization.com, O=myname.organization.com
Issuer: C=US, CN=myname.organization.com, ST=myname.organization.com, L=myname.organization.com, EMAILADDRESS=myname.organization.com, OU=myname.organization.com, O=myname.organization.com
Algorithm: RSA; Serial number: 0xc1e2c18cf327ad81
Valid from Fri Mar 09 13:29:15 EST 2012 until Sat Mar 09 13:29:15 EST 2013
trigger seeding of SecureRandom
done seeding SecureRandom
trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
985 [main] INFO nettyliteserver.ssl.FlexibleErrorSslHandler - handleDownstream
That's where it terminates. I've changed the printouts around a bit so that sometimes I also get one more line, the printout from logger.info("Connected to " + realRequest.getHost() + ":" + realRequest.getPort() + " " + realRequest.getUri()); but I really don't know what is causing it to shut down.
I tried overriding the netty SSLHandler and on all it's public operations added a printout, but the close(), channelConnected(), channelDisconnected(), etc methods are never being called. Neither is handshake().
My pipeline is set up to do a handshake:
public class HttpSnoopClientPipelineFactory implements ChannelPipelineFactory {
public ChannelPipeline getPipeline() throws Exception {
// Create a default pipeline implementation.
ChannelPipeline pipeline = pipeline();
// Enable HTTPS
SSLEngine engine =
SecureChatSslContextFactory.getClientContext().createSSLEngine();
engine.setUseClientMode(true);
System.out.println("HERE!!!!!!!!!!!!");
pipeline.addLast("ssl", new SslHandler(engine));
pipeline.addLast("codec", new HttpClientCodec());
// Remove the following line if you don't want automatic content decompression.
pipeline.addLast("inflater", new HttpContentDecompressor());
// Uncomment the following line if you don't want to handle HttpChunks.
//pipeline.addLast("aggregator", new HttpChunkAggregator(1048576));
pipeline.addLast("handler", new HttpSnoopClientHandler());
return pipeline;
}
}
My custom SSLHandler is really the same as the library's SslHandler, I just overrode the methods to add printouts before delegating to the super version.
It looks like the only thing being called on it is handleDownstream()
You need to call SslHandler.handshake() by yourself after the connect success.
Something like:
future.getChannel().getPipeline(SslHandler.class).handshake();
This needs to get done in your ChannelFuture that gets returned by the connect method or a SimpleChannelUpstreamHandler implementation that you add to the ChannelPipeline
Netty documentation states:
Handshake
If isIssueHandshake() is false (default) you will need to take care of
calling handshake() by your own. In most situations were SslHandler is
used in 'client mode' you want to issue a handshake once the
connection was established. if setIssueHandshake(boolean) is set to
true you don't need to worry about this as the SslHandler will take
care of it.
see javadoc
So, you should set isIssueHandshake on SslHandler before estamblishing the connection:
SslHandler sslHandler = new SslHandler(engine);
setIssueHandshake(boolean);
pipeline.addLast("ssl", sslHandler);
I capture packets sent/received by Win Xp machine when connecting to SQL Server 2005 Express using TLS encryption.
Server and Client exchange Hello messages
Server and Client send ChangeCipherSpec message
Then Server and Client server send strange message that is not described in TLS protocol
What is the message?
Server side capture:
16 **SSL Handshake**
03 01
00 4a
02 ServerHello
00 00 46
03 01
4b dd 68 59 GMT
33 13 37 98 10 5d 57 9d ff 71 70 dc d6 6f 9e 2c Random[00..13]
cb 96 c0 2e b3 2f 9b 74 67 05 cc 96 Random[14..27]
20 72 26 00 00 0f db 7f d9 b0 51 c2 4f cd 81 4c Session ID
3f e3 d2 d1 da 55 c0 fe 9b 56 b7 6f 70 86 fe bb Session ID
54 Session ID
00 04 Cipher Suite
00 Compression
14 03 01 00 01 01 **ChangeCipherSpec**
16 03 01 ???? Finished ???
00 20 d0 da cc c4 36 11 43 ff 22 25 8a e1 38 2b ???? ???
71 ce f3 59 9e 35 b0 be b2 4b 1d c5 21 21 ce 41 ???? ???
8e 24
16 03 01
00 20 d0 da cc c4 36 11 43 ff 22 25 8a e1 38 2b
71 ce f3 59 9e 35 b0 be b2 4b 1d c5 21 21 ce 41
8e 24
This message is already encrypted, therefore to see
14 03 01 00 00 0c
it needs to be decrypted first