SSL Failed Negotiation

sbaylis
Hello, I'm currently troubleshooting a failed SSL negotiation between a client (69.172.221.9) and a server. Wireshark traces are below.

This appears to happen randomly between a server with OpenSSL 0.9.8k (server) and 0.9.8g (client).

Can anyone help me understand why the connection is being reset/dropped by the client?

535      31.827473      69.172.221.9      172.16.1.200      TLSv1      Client Hello
536      31.827822      172.16.1.200      69.172.221.9      TLSv1      Server Hello, Change Cipher Spec, Encrypted Handshake Message
538      31.888521      69.172.221.9      172.16.1.200      TLSv1      Alert (Level: Fatal, Description: Bad Record MAC)

system administrator
Top Expert 2007
Commented:
http://en.wikipedia.org/wiki/Transport_Layer_Security#Alert_protocol

20       Bad record MAC       fatal       Possibly a bad SSL implementation, or payload has been tampered with. E.g., FTP firewall rule on FTPS server.


That means your packet has been modified. It may happen anywhere on its way to the server (even at the physical layer in your NIC or NIC driver). BTW, what are the NICs, drivers and driver versions?

You may also use the 'ssldump' tool to analyze decoded SSL traffic if you have the server's private key.
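
Added example, not part of the original thread: a small TLS record-layer parser that splits one direction of a captured stream into records and decodes plaintext alerts such as the fatal Bad Record MAC (level 2, description 20) seen here. The function names and the sample bytes are constructed for illustration; an alert is readable only while the sender has not yet sent its own Change Cipher Spec, which is why a 2-byte alert body can be decoded without any keys.

```python
import struct

# Record-layer content types and a few alert codes (TLS 1.0, RFC 2246).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      21: "decryption_failed", 40: "handshake_failure"}


def parse_records(stream: bytes):
    """Split a one-direction TCP payload into TLS records: (type, version, body)."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        body = stream[offset + 5: offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % offset)
        records.append((CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype), (major, minor), body))
        offset += 5 + length
    return records


def describe_alerts(stream: bytes):
    """Decode alerts; a body that is not exactly 2 bytes is encrypted and opaque."""
    out = []
    for name, _version, body in parse_records(stream):
        if name != "alert":
            continue
        if len(body) == 2:
            level, desc = body  # iterating bytes yields two integers
            out.append((ALERT_LEVELS.get(level, level), ALERT_DESCRIPTIONS.get(desc, desc)))
        else:
            out.append(("encrypted", None))
    return out


# Constructed sample input (not copied from a capture): a server flight with a
# stub ServerHello, a ChangeCipherSpec and a 48-byte encrypted Finished,
# followed by the client's plaintext 2-byte alert record.
SERVER_FLIGHT = (bytes.fromhex("160301000402000000") + bytes.fromhex("140301000101")
                 + bytes.fromhex("1603010030") + bytes(48))
CLIENT_ALERT = bytes.fromhex("15030100020214")

if __name__ == "__main__":
    print([r[0] for r in parse_records(SERVER_FLIGHT)])
    print(describe_alerts(CLIENT_ALERT))
```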
