On 22/10/2018 14:56, ramakrushna mishra wrote: > Hi, > > I am facing an issue after openssl upgrade to 1.1.1. > I have a odbc client with maximum version support up to TLSv1.2 and my > database is running with TLSv1.2,TLsv1.3. > > The handhake is failing and I am getting following contents on my BIO dump. > "15 03 03 00 02 02 56" . > If i have understood correctly this is for alert message and But I could > not find any reference to alert description at ( > https://tools.ietf.org/id/draft-ietf-tls-tls13-25.html#alert-protocol ) > corresponding to 56. 56 hex == 86 decimal == inappropriate_fallback i.e. this doesn't tell you any further information than you have below. > > So, Could you please help me figure out what does this correspond to ? > > Moreover I have following doubt. > > -- If my TLSv1.2 client does not handle the "downgrade sentinel " > present in server hello ( TLSv1.3 , will it create any problem ? No, this should not be a problem. > -- In the above example client is receving error such as "SSL Handshake > Failure reason [error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 > alert inappropriate fallback]." ? Could you please help me to hint me > about how to debug this ? What version of OpenSSL are you using for the client? Is it possible for you to send me a wireshark trace of the failing handshake? In particular I am interested to see if the TLS_FALLBACK_SCSV ciphersuite is present in the ClientHello (RFC 7507). The TLS_FALLBACK_SCSV is only supposed to be sent if the client has already attempted an earlier handshake that failed, and it is now trying a downgraded protocol version. So, does the wireshark trace reveal the client attempting an initial handshake that is failing for some other reason, followed by a second attempt that fails with the inappropriate fallback error? Matt -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
