Wireshark-users: Re: [Wireshark-users] Analyzing TLS handshake packets
From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Sat, 16 Dec 2017 10:42:35 +0000
Hi Manjesh,

Is it possible to attach a pcap with just the Client Hello message (and optionally the messages preceding it)?

This looks quite unusual, normally the compression methods length is 1 (for null compression). 97 in hex is 0x61 which is the ASCII 'a' character and only occurs in the codepoint of an obscure cipher (0xC0,0x61 	TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384). (A lot of cipher suites precede your compression methods, so if the problem was LF -> CRLF conversion, then perhaps one of the cipher shifted. That does not appear to be the case though.)

My guess is that an error message is somehow written to the same file descriptor as the socket. But without pcap it is hard to tell.

Kind regards,
Peter
https://lekensteyn.nl
(pardon my brevity, top-posting and formatting, sent from my phone)


On 14 December 2017 10:51:11 GMT+00:00, Manjesh HS <manjesh29hs@xxxxxxxxx> wrote:
>Hi Wireshark User Community,
>In my project, there is a LDAP client utility and a LDAP server utility
>running on different nodes in the TCP/IP network. There is a need to
>establish TLS (LDAPS) connection mode of communication between them in
>order to exchange some information.
>
>This functionality is broken recently. A TCP dump file was generated on
>the
>problematic setup to analyze the TLS handshake mechanism. When it was
>analyzed through Wireshark tool, it is reporting that the "Client
>Hello"
>packet generated by LDAPS client utility (the one that initiates TLS
>handshake), as a malformed packet by reporting an error as "compression
>methods length", incompatible as per the protocol specifications. We
>are
>suspectingthat the TLS protocol specifications are violated during this
>TLS
>handshake.
>
>The screenshot of the same has been attached with this mail.
>
>How this issue can happen ? What are the factors that can lead to such
>an
>issue ? Is it an issue with incompatible versions of openSSL/TLS/cipher
>suite between client and server ?
>
>Please share your suggestions/comments in order to investigate this
>issue
>further.
>
>
>- Manjesh.