PolarSSL is now part of ARM Official announcement and rebranded as mbed TLS.

Server Hello parsing failed


Sep 13, 2017 13:52
muralikrishna

Hi Support,

We are using MBED TLS for our application. We are getting error message while parsing the server Hello message saying "bad server hello message" with error code -7980.

Please find the MBED client and wireshark logs for the same.

  MBED Client logs :
 ***** SEND: mbedtls_ssl_send success *****
./mbed-os/features/mbedtls/src/ssl_tls.c:2850: <= write record
./mbed-os/features/mbedtls/src/ssl_cli.c:1049: <= write client hello
./mbed-os/features/mbedtls/src/ssl_cli.c:3284: client state: 2
 Client handshake----->>>>
 sendWncCmd
 ***** SEND: mbedtls_ssl_send success *****
 ./mbed-os/features/mbedtls/src/ssl_cli.c:1410: => parse server hello
 ***** RECV: mbedtls_ssl_recv success *****
 ./mbed-os/features/mbedtls/src/ssl_tls.c:3479: dumping 'input record header' (5 bytes)
 ./mbed-os/features/mbedtls/src/ssl_tls.c:3479: 0000:  16 03 03 00 3d                                   ....=
 ./mbed-os/features/mbedtls/src/ssl_tls.c:3488: input record: msgtype = 22, version = [3:3], msglen = 61
 ***** RECV: mbedtls_ssl_recv success *****
 ./mbed-os/features/mbedtls/src/ssl_tls.c:3089: handshake message: msglen = 61, type = 0, hslen = 4
 ===>> in_hslen = 4
 ./mbed-os/features/mbedtls/src/ssl_cli.c:1469: bad server hello message
 ./mbed-os/features/mbedtls/src/ssl_tls.c:4032: => send alert message
 ./mbed-os/features/mbedtls/src/ssl_tls.c:2701: => write record
 ./mbed-os/features/mbedtls/src/ssl_tls.c:2838: output record: msgtype = 21, version = [3:3], msglen = 2
 ./mbed-os/features/mbedtls/src/ssl_tls.c:2841: dumping 'output record sent to network' (7 bytes)
 ./mbed-os/features/mbedtls/src/ssl_tls.c:2841: 0000:  15 03 03 00 02 02 32                             ......2
 sendWncCmd
 ***** SEND: mbedtls_ssl_send success *****
 ./mbed-os/features/mbedtls/src/ssl_tls.c:2850: <= write record
 ret = -31104 mbedtls_ssl_handshake



 Wireshark Captures:-

      No.     Time                        Source                Destination           Protocol Length Info
     51 2017/256 18:28:48.775283919 172.16.20.140         172.16.20.110         TLSv1.2  256    Client Hello

     Frame 51: 256 bytes on wire (2048 bits), 256 bytes captured (2048 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: 172.16.20.140, Dst: 172.16.20.110
    Transmission Control Protocol
    Secure Sockets Layer
   TLSv1.2 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 183
    Handshake Protocol: Client Hello

   No.     Time                        Source                Destination           Protocol Length Info
    53 2017/256 18:28:48.792091439 172.16.20.110         172.16.20.140         TLSv1.2  1516   Server Hello

    Frame 53: 1516 bytes on wire (12128 bits), 1516 bytes captured (12128 bits) on interface 0
    Linux cooked capture
    Internet Protocol Version 4, Src: 172.16.20.110, Dst: 172.16.20.140
    Transmission Control Protocol
    Secure Sockets Layer
   TLSv1.2 Record Layer: Handshake Protocol: Server Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 61
    Handshake Protocol: Server Hello

      No.     Time                        Source                Destination           Protocol Length Info
     54 2017/256 18:28:48.792222148 172.16.20.110         172.16.20.140         TLSv1.2  895    Certificate

      Frame 54: 895 bytes on wire (7160 bits), 895 bytes captured (7160 bits) on interface 0
      Linux cooked capture
      Internet Protocol Version 4, Src: 172.16.20.110, Dst: 172.16.20.140
      Transmission Control Protocol
      [2 Reassembled TCP Segments (1862 bytes): #53(1382), #54(480)]
      Secure Sockets Layer
          TLSv1.2 Record Layer: Handshake Protocol: Certificate
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 1857
    Handshake Protocol: Certificate
      Secure Sockets Layer
          TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 333
    Handshake Protocol: Server Key Exchange
   TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 4
    Handshake Protocol: Server Hello Done

      No.     Time                        Source                Destination           Protocol Length Info
   57 2017/256 18:28:48.884288886 172.16.20.140         172.16.20.110         TLSv1.2  256    Client Hello

      Frame 57: 256 bytes on wire (2048 bits), 256 bytes captured (2048 bits) on interface 0
      Linux cooked capture
      Internet Protocol Version 4, Src: 172.16.20.140, Dst: 172.16.20.110
      Transmission Control Protocol
      Secure Sockets Layer
          TLSv1.2 Record Layer: Handshake Protocol: Client Hello
              Content Type: Handshake (22)
              Version: TLS 1.2 (0x0303)
              Length: 183
              Handshake Protocol: Client Hello

      No.     Time                        Source                Destination           Protocol Length Info
 58 2017/256 18:28:48.884380888 172.16.20.110         172.16.20.140         TLSv1.2  75     
       Alert (Level:      Fatal,         Description: Unexpected Message)

      Frame 58: 75 bytes on wire (600 bits), 75 bytes captured (600 bits) on interface 0
      Linux cooked capture
      Internet Protocol Version 4, Src: 172.16.20.110, Dst: 172.16.20.140
      Transmission Control Protocol
      Secure Sockets Layer
          TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unexpected Message)
              Content Type: Alert (21)
              Version: TLS 1.2 (0x0303)
              Length: 2
              Alert Message
         Level: Fatal (2)
        Description: Unexpected Message (10)

      No.     Time                        Source                Destination           Protocol Length Info
           62 2017/256 18:28:49.084167767 172.16.20.140         172.16.20.110         TLSv1.2  75     
      Alert (Level: Fatal, Description: Decode Error)

       Frame 62: 75 bytes on wire (600 bits), 75 bytes captured (600 bits) on interface 0
      Linux cooked capture
      Internet Protocol Version 4, Src: 172.16.20.140, Dst: 172.16.20.110
      Transmission Control Protocol
      Secure Sockets Layer
          TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Decode Error)
     Content Type: Alert (21)
    Version: TLS 1.2 (0x0303)
    Length: 2
    Alert Message
        Level: Fatal (2)
        Description: Decode Error (50)

Please let us what changes we need to make for the successful handshake.

Thanks & Regards, Murali.

 
Sep 15, 2017 04:40
muralikrishna

Hi team,

Can you please respond the above issue?? 
I got stuck in this issue.

Regards,
 Murali
 
Sep 17, 2017 10:03
Ron Eldor

Hi muralikrishna,
The wireshark capture does not correspond to the client logs.
The client log show that the server hello is not read correct by the client, so the client sends the FATAL Alert to the server.
According to the wireshark capture, which is not so clear in this text form, after a first successful Server Hello + Certificate+Server Hello Done messages are sent, there is a new client hello message sent by the client, and then the Server sends the Fatal Alert with unexpected message.
It is reasonable, because Client hello should not be sent after receiving Server Hello Done.
As I suggested in your previous post

You should look at full logs and wireshark capture to understand what message the server is sending, so you would analyze the problem better.

Please check full logs on both peers, from the beginning of the flow, so you could understand why your messages are sent out of order.
Regards,
Mbed TLS Team member
Ron