TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Internal Error)

asked 2018-12-21 01:54:55 +0000 by net_tech, updated 2018-12-21 03:43:08 +0000


Nginx is running on CentOS as a reverse proxy with a public cert. When devices connect to the service they fail with the following errors.

RC:-500 MGMT_SSL:tera_mgmt_ssl_open_connection: SSL V3 cannot be set as min SSL protocol version. Ignoring.
RC:-500 MSS:(CERT_checkCertificateIssuer:1289) CERT_checkCertificateIssuerAux() failed: -7608
RC:-500 MSS:(CERT_validateCertificate:4038) CERT_checkCertificateIssuer() failed: -7608
RC:-7608 MGMT_SSL:tera_mgmt_ssl_open_connection: SSL_negotiateConnection() failed: Unknown Error
RC:-500 WEBSOCKET:tera_mgmt_ssl_open_connection failed (ssl_session_id: 4)

The software vendor was unable to help, so we turned to Wireshark.

Looks like we are breaking right at the certificate key exchange.

Google shows several posts with the same issue; however, no solution is offered. TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Internal Error)

Any suggestions on what to check are greatly appreciated.

Content Type: Alert (21)
Level: Fatal (2)
Description: Internal Error (80)

[capture screenshot not reproduced]


Client shows the following ciphers in the Hello:
[ClientHello screenshot not reproduced]

Server offers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

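The two things the comments below keep circling back to are "who sent the fatal alert" and "does the client actually offer the suite the server picked". Both can be read straight off the raw TLS records without a screenshot. The following script is an added example, not code from the poster, Teradici or the Wireshark project: it walks a list of (sender, raw bytes) messages, lists the cipher suites in the ClientHello, the suite chosen in the ServerHello, and decodes every Alert record with the side that sent it. The sample exchange at the bottom is constructed to mirror the question (client offers 0xc02f among others, server picks 0xc02f, client then sends a fatal internal_error); in practice you would feed it the per-direction bytes exported from a capture.

```python
"""Decode TLS records from both sides of a captured handshake: which cipher
suites the ClientHello offers, which one the ServerHello picks, and any
Alert records, each attributed to the side that sent it."""
import struct

ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {  # AlertDescription values from RFC 5246 section 7.2
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 110: "unsupported_extension",
}
CIPHER_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}
CONTENT_ALERT, CONTENT_HANDSHAKE = 21, 22
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2


def iter_records(data):
    """Split a raw TLS byte stream into (content_type, version, payload) records."""
    off = 0
    while off < len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        yield ctype, version, payload
        off += 5 + length


def parse_alert(payload):
    """Alert payload is two bytes: AlertLevel, AlertDescription."""
    level, desc = payload[0], payload[1]
    return {"level": ALERT_LEVELS.get(level, f"unknown({level})"),
            "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
            "code": desc}


def parse_hello(payload):
    """Return ("client", [offered suites]) or ("server", chosen suite)."""
    hs_type = payload[0]
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]  # skip 4-byte handshake header
    off = 2 + 32                 # protocol version + 32-byte random
    off += 1 + body[off]         # session id length byte + session id
    if hs_type == HS_CLIENT_HELLO:
        cs_len = int.from_bytes(body[off:off + 2], "big")
        off += 2
        return "client", [int.from_bytes(body[i:i + 2], "big")
                          for i in range(off, off + cs_len, 2)]
    if hs_type == HS_SERVER_HELLO:
        return "server", int.from_bytes(body[off:off + 2], "big")
    raise ValueError(f"not a Hello message: handshake type {hs_type}")


def analyze(messages):
    """messages: list of (sender, raw_bytes) in capture order."""
    summary = {"offered": [], "chosen": None, "alerts": []}
    for sender, raw in messages:
        for ctype, _version, payload in iter_records(raw):
            if ctype == CONTENT_ALERT:
                summary["alerts"].append((sender, parse_alert(payload)))
            elif ctype == CONTENT_HANDSHAKE and payload[0] in (HS_CLIENT_HELLO, HS_SERVER_HELLO):
                side, value = parse_hello(payload)
                summary["offered" if side == "client" else "chosen"] = value
    summary["chosen_was_offered"] = summary["chosen"] in summary["offered"]
    return summary


# --- constructed sample records (hypothetical, for demonstration only) ---
def build_hello(hs_type, suites_or_suite):
    body = b"\x03\x03" + bytes(32) + b"\x00"   # TLS 1.2, all-zero random, empty session id
    if hs_type == HS_CLIENT_HELLO:
        cs = b"".join(s.to_bytes(2, "big") for s in suites_or_suite)
        body += len(cs).to_bytes(2, "big") + cs + b"\x01\x00"  # suites + null compression
    else:
        body += suites_or_suite.to_bytes(2, "big") + b"\x00"    # chosen suite + null compression
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs


def build_alert(level, desc):
    return b"\x15\x03\x03\x00\x02" + bytes([level, desc])


SAMPLE = [
    ("client", build_hello(HS_CLIENT_HELLO, [0xC02F, 0xC030, 0x009C])),
    ("server", build_hello(HS_SERVER_HELLO, 0xC02F)),
    ("client", build_alert(2, 80)),   # fatal internal_error sent by the client
]

if __name__ == "__main__":
    r = analyze(SAMPLE)
    print("offered:", [CIPHER_SUITES.get(s, hex(s)) for s in r["offered"]])
    print("chosen :", CIPHER_SUITES.get(r["chosen"], hex(r["chosen"])),
          "(offered by client)" if r["chosen_was_offered"] else "(NOT offered by client)")
    for sender, alert in r["alerts"]:
        print(f"alert from {sender}: {alert['level']} {alert['description']} ({alert['code']})")
```

Reading the output: a fatal alert attributed to the client with the chosen suite present in its own offer rules out a cipher mismatch, and internal_error (80) is defined as a failure unrelated to the peer or the protocol, so the next place to look is the client's own TLS stack and its certificate validation logs rather than the server's cipher configuration.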


As is often the case, troubleshooting by screenshot of a few columns from a capture is a frustrating exercise. Can you please provide the capture?

If not, who is providing the Fatal alert, client or server? If the client I suspect there's something it doesn't like about the server certificate.

grahamb (2018-12-21 10:37:33 +0000)

Sorry, yes we tried to sanitize with TraceWrangler but the output file becomes useless after sanitizing.

The fatal alert is from the Client and we were capturing on the server side. Wildcard certificate from GoDaddy is being used.

net_tech (2018-12-21 11:40:12 +0000)

I think you'll have to debug the client; is it a browser? If so, have you tried another? Can you use openssl s_client ... to make a debuggable connection?

grahamb (2018-12-21 11:50:04 +0000)

No, the client is a Teradici zero trying to establish a connection to its management console over 5172.

If we try to access the URL in ANY browser, we aren't able to reproduce the fatal alert. Chrome browser offers 17 cipher suites and agrees to use TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) sent in the server Hello.

net_tech (2018-12-21 12:01:33 +0000)

Looks like an issue in the client then.

grahamb (2018-12-21 12:08:24 +0000)