Hello,
I'm using the IneoQuest Inspector Live v1.0.0.21 connector. The TLS handshake is failing on some servers only. I have changed the client side to allow TLS 1.0, 1.1 and 1.2 but the failure occurs with all versions. As far as I can tell the server side does support TLS 1.2 and has the required ciphers. Any ideas what else to check?
Wireshark Capture:
Frame 1422: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits) on interface \Device\NPF_{A26B9439-7D62-47F3-A05A-E121F9BAD163}, id 0
Ethernet II, Src: VMware_a5:13:e6 (00:50:56:a5:13:e6), Dst: JuniperN_ff:10:01 (00:10:db:ff:10:01)
Internet Protocol Version 4, Src: 100.70.45.106, Dst: 100.126.23.160
Transmission Control Protocol, Src Port: 61368, Dst Port: 443, Seq: 1, Ack: 1, Len: 160
Transport Layer Security
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 155
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 151
            Version: TLS 1.2 (0x0303)
            Random: 619ec55dbee6234fd3c15ae419007cba4d560015bcd06b2e7f9145b7248a228b
            Session ID Length: 0
            Cipher Suites Length: 28
            Cipher Suites (14 suites)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 82
            Extension: status_request (len=5)
            Extension: supported_groups (len=8)
            Extension: ec_point_formats (len=2)
            Extension: signature_algorithms (len=20)
            Extension: session_ticket (len=0)
            Extension: application_layer_protocol_negotiation (len=14)
            Extension: extended_master_secret (len=0)
            Extension: renegotiation_info (len=1)

Frame 1424: 61 bytes on wire (488 bits), 61 bytes captured (488 bits) on interface \Device\NPF_{A26B9439-7D62-47F3-A05A-E121F9BAD163}, id 0
Ethernet II, Src: JuniperN_ff:10:01 (00:10:db:ff:10:01), Dst: VMware_a5:13:e6 (00:50:56:a5:13:e6)
Internet Protocol Version 4, Src: 100.126.23.160, Dst: 100.70.45.106
Transmission Control Protocol, Src Port: 443, Dst Port: 61368, Seq: 1, Ack: 161, Len: 7
Transport Layer Security
    TLSv1 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
        Content Type: Alert (21)
        Version: TLS 1.0 (0x0301)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)
I have a Wireshark capture that I could provide you. I don’t see a Server Hello message. The client (DMA) initiates the TLS hello and the server (iLive probe server) responds with a failure message. I don’t think the server side ever initiates the handshake.
Based on this I suspect the server may not allow some ciphers that the client is proposing. I’ll contact you offline so we can delve deeper into this.
Hi Richard,
Can you confirm you eventually found the solution together with Jens? Or is this still an ongoing issue?
If so, I would recommend sending an e-mail to techsupport@skyline.be for a more in-depth investigation.
Hi Richard, do you also have a capture of the Server Hello (from the TLS handshake)?
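
The cipher-mismatch suspicion raised in this thread can be checked offline once the server's enabled suites are known. The following is an added example, not part of the original posts or of any Skyline or IneoQuest tooling: it compares the 14 suites from the Client Hello above against a server's list and certificate key type. The three server profiles and the names `parse_suite` and `diagnose` are constructed for illustration.

```python
import re

# Suites offered in the Client Hello (frame 1422), copied from the capture on this page.
OFFERED = """
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
""".split()

# Constructed server profiles (assumptions, NOT taken from the iLive probe server).
LEGACY_RSA_ONLY = ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
ECDSA_SUITES_ONLY = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"]
MODERN_RSA = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"] + LEGACY_RSA_ONLY


def parse_suite(name):
    """Split a TLS 1.2 suite name into (key exchange, authentication, cipher)."""
    m = re.fullmatch(r"TLS_(?:(ECDHE|DHE)_)?(RSA|ECDSA|DSS)_WITH_(.+)", name)
    if not m:
        raise ValueError(f"unsupported suite name: {name}")
    # Names without a DHE/ECDHE prefix use static RSA key exchange.
    return m.group(1) or "RSA", m.group(2), m.group(3)


def diagnose(offered, server_enabled, server_cert):
    """Report whether a TLS 1.2 server with an "RSA" or "ECDSA" cert can pick a suite."""
    enabled = set(server_enabled)
    shared = [s for s in offered if s in enabled]
    # A suite is only selectable if its authentication matches the certificate.
    usable = [s for s in shared if parse_suite(s)[1] == server_cert]
    reason = "ok" if usable else "cert_mismatch" if shared else "no_shared_suite"
    return {"reason": reason, "usable": usable,
            "client_kx": sorted({parse_suite(s)[0] for s in offered}),
            "server_kx": sorted({parse_suite(s)[0] for s in server_enabled})}


if __name__ == "__main__":
    for label, suites, cert in [("legacy RSA-only", LEGACY_RSA_ONLY, "RSA"),
                                ("ECDSA suites, RSA cert", ECDSA_SUITES_ONLY, "RSA"),
                                ("modern RSA", MODERN_RSA, "RSA")]:
        print(label, diagnose(OFFERED, suites, cert))
```

Replace the constructed profiles with the server's real enabled-suite list and certificate key type. A result of `ok` means the suite list is not the cause and the remaining Client Hello parameters, such as the supported_groups and signature_algorithms extensions, are the next thing to compare.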