Ask Your Question
0

Client sends [RST,ACK] on client certificate authentication

asked 2023-06-21 06:25:22 +0000

mbc gravatar image

updated 2023-06-21 06:27:35 +0000

Hi.

I'm debugging an issue with a SSL client certificate authentication (RFC5246) that always fails with HTTP 400. In wireshark on client side I can see a [RST,ACK] (Reset connection) after encrypted handshake message. On a working connection both server and client are sending a [FIN,ACK]. Eventhough on the failing session using curl --trace I can see that the client starts sending content after the handshakes as usual, nothing to see about that Reset, then receiving the HTTP 400.

What could that be? I like to confirm that both handshakes for server certificate and client certificate are successful and the issue is based on the payload.

Here is what wireshark shows:

From client: Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
From server: Change Cipher Spec, Encrypted Handshake Message
Application data... Application data...
From server: Encrypted Alert
From client: Encrypted Alert
From server: [FIN, ACK]
From client: [RST, ACK]      <- There the client sends a reset.
From server: [RST]
edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2023-07-17 20:02:38 +0000

André gravatar image

Both "Encrypted Alert" after the "Application data" are most likely a "TLS Close Notify". If the server sends a "HTTP 400" on HTTP level, than it makes sense it also closes the TLS layer after that (Encrypted Alert), followed by closing the TCP connection (the FIN).

"Application data" (= HTTP request or response) is only possible after a successful TLS handshake.

The TCP Reset is just a unclean shutdown of the TCP connection by the client.

The --verbose option of curl will show the TLS and HTTP communication.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2023-06-21 06:25:22 +0000

Seen: 794 times

Last updated: Jul 17 '23

Related questions

ssl_client_cert header truncated

Looking for a detailed explanation on the SSL debug file

Help to read this trace

How to verify what protocol was used in an encrypted file transfer?

Application data isn't decrypted whether I choose spdy, data, http or tcp as protocol.

Is it possible that wireshark doesn't recognize protocol?

Step by step SSL decrypt with wireshark

SSL/TLS Handshake Immediately Fails

Decryted SSL tab not visible/not appearing

Can't see encrypted application data in SSL session

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2