Mbed TLS is now part of TrustedFirmware.org.

shakehand failed and return MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE


May 11, 2017 07:57
vernon

Hello, I am connecting to the server by using mbedtls, but it return MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE when shaking hand with remote server. please what resason may cause that?

 
May 11, 2017 11:07
Ron Eldor

Hi Vernon,
MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE is returned when the other side (the server in your case) sends a FATAL Alert message.
According to RFC5246:

Upon transmission or receipt of a fatal alert message, both
 parties immediately close the connection.

You will need to check what caused the server to send the fatal alert message.
Regards,
mbed TLS Team member
Ron

 
May 12, 2017 03:20
vernon

Hello Ron,

Following is my connecting log, is it something missing define in config.h?

Performing the SSL/TLS handshake...ssl_tls.c:5952: => handshake

ssl_cli.c:2944: client state: 0

ssl_tls.c:2410: => flush output

ssl_tls.c:2422: <= flush output

ssl_cli.c:2944: client state: 1

ssl_tls.c:2410: => flush output

ssl_tls.c:2422: <= flush output

ssl_cli.c:0522: => write client hello

ssl_cli.c:0560: client hello, max version: [3:3]

ssl_cli.c:0569: dumping 'client hello, random bytes' (32 bytes)

ssl_cli.c:0569: 0000: ec 48 86 4c 8c 2a 0c be bd 3c c0 ae 47 0a 94 ca .H.L.*...<..G...

ssl_cli.c:0569: 0010: 3b 93 e3 c4 c1 fb 5f 7f f3 ce ec 58 5d 51 a9 38 ;....._....X]Q.8

ssl_cli.c:0622: client hello, session id len.: 0

ssl_cli.c:0623: dumping 'client hello, session id' (0 bytes)

ssl_cli.c:0684: client hello, add ciphersuite: 49196

ssl_cli.c:0684: client hello, add ciphersuite: 49195

ssl_cli.c:0717: client hello, got 3 ciphersuites

ssl_cli.c:0748: client hello, compress len.: 1

ssl_cli.c:0750: client hello, compress alg.: 0

ssl_cli.c:0163: client hello, adding signature_algorithms extension

ssl_cli.c:0228: client hello, adding supported_elliptic_curves extension

ssl_cli.c:0267: client hello, adding supported_point_formats extension

ssl_cli.c:0816: client hello, total extension length: 42

ssl_tls.c:2695: => write record

ssl_tls.c:2830: output record: msgtype = 22, version = [3:1], msglen = 93

ssl_tls.c:2833: dumping 'output record sent to network' (98 bytes)

ssl_tls.c:2833: 0000: 16 03 01 00 5d 01 00 00 59 03 03 ec 48 86 4c 8c ....]...Y...H.L.

ssl_tls.c:2833: 0010: 2a 0c be bd 3c c0 ae 47 0a 94 ca 3b 93 e3 c4 c1 *...<..G...;....

ssl_tls.c:2833: 0020: fb 5f 7f f3 ce ec 58 5d 51 a9 38 00 00 06 c0 2c ._....X]Q.8....,

ssl_tls.c:2833: 0030: c0 2b 00 ff 01 00 00 2a 00 0d 00 16 00 14 06 03 .+.....*........

ssl_tls.c:2833: 0040: 06 01 05 03 05 01 04 03 04 01 03 03 03 01 02 03 ................

ssl_tls.c:2833: 0050: 02 01 00 0a 00 06 00 04 00 18 00 17 00 0b 00 02 ................

ssl_tls.c:2833: 0060: 01 00 ..

ssl_tls.c:2410: => flush output

ssl_tls.c:2429: message length: 98, out_left: 98

ssl_tls.c:2435: ssl->f_send() returned 98 (-0xffffff9e)

ssl_tls.c:2454: <= flush output

ssl_tls.c:2842: <= write record

ssl_cli.c:0842: <= write client hello

ssl_cli.c:2944: client state: 2

ssl_tls.c:2410: => flush output

ssl_tls.c:2422: <= flush output

ssl_cli.c:1157: => parse server hello

ssl_tls.c:3493: => read record

ssl_tls.c:2202: => fetch input

ssl_tls.c:2360: in_left: 0, nb_want: 5

ssl_tls.c:2384: in_left: 0, nb_want: 5

ssl_tls.c:2385: ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)

ssl_tls.c:2397: <= fetch input

ssl_tls.c:3265: dumping 'input record header' (5 bytes)

ssl_tls.c:3265: 0000: 15 03 03 00 02 .....

ssl_tls.c:3274: input record: msgtype = 21, version = [3:3], msglen = 2

ssl_tls.c:2202: => fetch input

ssl_tls.c:2360: in_left: 5, nb_want: 7

ssl_tls.c:2384: in_left: 5, nb_want: 7

ssl_tls.c:2385: ssl->f_recv(_timeout)() returned 2 (-0xfffffffe)

ssl_tls.c:2397: <= fetch input

ssl_tls.c:3419: dumping 'input record from network' (7 bytes)

ssl_tls.c:3419: 0000: 15 03 03 00 02 02 28 ......(

ssl_tls.c:3673: got an alert message, type: [2:40]

ssl_tls.c:3681: is a fatal alert message (msg 40)

ssl_cli.c:1163: mbedtls_ssl_read_record() returned -30592 (-0x7780)

ssl_tls.c:5962: <= handshake

failed

Kind Regards,

 
May 14, 2017 08:06
Ron Eldor

Hi Vernon,
As you can see from the log, the server sends its FATAL ALERT message after it receives the ClientHello message. This is probably because the server can't handle this ClientHello. At the moment, I can think of the reason that the client sends ciphersuites that the server doesn't support. You can see from the log, that the client is sending only two supported cipher suites: MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 and MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
To verify this, please enable more ciphersuites.
Regards,
mbed TLS Team member
Ron