Client Hello was initiated for TLS connection

After the TCP three-way handshake completed, the TLS connection was not initiated. The Client Hello was not visible in Wireshark, and there was no failure either.

Success case:

[Client][TCP][SYN] -> [Server][TCP][SYN, ACK] -> [Client][TCP][ACK] -> [Client][TLS][Client Hello] -> TLS established

Fail case 1: The failure case always started with an Encrypted Alert.

Client IP	49347	Server IP	5080	TLSv1.2	91	Encrypted Alert

-->> Unknown Encrypted Alert generated.
Transport Layer Security
    TLSv1.2 Record Layer: Encrypted Alert
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 26
        Alert Message: Encrypted Alert

Client IP	49347	Server IP	5080	TCP	60	49347 → 5080 [FIN, ACK] Seq=1651544 Ack=583068 Win=65535 Len=0
Server IP	5080	Client IP	49347	TCP	60	5080 → 49347 [ACK] Seq=583068 Ack=1651544 Win=65535 Len=0
Server IP	5080	Client IP	49347	TCP	60	5080 → 49347 [FIN, ACK] Seq=583068 Ack=1651544 Win=65535 Len=0
Server IP	5080	Client IP	49347	TCP	60	5080 → 49347 [ACK] Seq=583069 Ack=1651545 Win=65535 Len=0
Client IP	49347	Server IP	5080	TCP	60	[TCP Retransmission] 49347 → 5080 [FIN, ACK] Seq=1651544 Ack=583069 Win=65535 Len=0
Server IP	5080	Client IP	49347	TCP	60	[TCP Dup ACK 292970#1] 5080 → 49347 [ACK] Seq=583069 Ack=1651545 Win=65535 Len=0
Client IP	50201	Server IP	5080	TCP	84	50201 → 5080 [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1340 WS=64 TSval=1315484363 TSecr=0 SACK_PERM=1
Server IP	5080	Client IP	50201	TCP	68	5080 → 50201 [SYN, ACK, ECN] Seq=0 Ack=1 Win=21440 Len=0 MSS=1440 SACK_PERM=1
Client IP	50201	Server IP	5080	TCP	60	50201 → 5080 [ACK] Seq=1 Ack=1 Win=65535 Len=0

--->>> The client is not sending a Client Hello to set up the TLS connection.

Server IP	5080	Client IP	50201	TCP	60	5080 → 50201 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

Fail case 2: The failure case always started with an Encrypted Alert.

Client IP	50493	Server IP	5080	TLSv1.2	91	Encrypted Alert

-->> Unknown Encrypted Alert generated.
Transport Layer Security
    TLSv1.2 Record Layer: Encrypted Alert
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 26
        Alert Message: Encrypted Alert

Client IP	50493	Server IP	5080	TCP	60	50493 → 5080 [FIN, ACK] Seq=39328 Ack=38304 Win=65535 Len=0
Server IP	5080	Client IP	50493	TCP	60	5080 → 50493 [ACK] Seq=38304 Ack=39328 Win=59839 Len=0
Server IP	5080	Client IP	50493	TCP	60	5080 → 50493 [FIN, ACK] Seq=38304 Ack=39328 Win=59839 Len=0
Server IP	5080	Client IP	50493	TCP	60	5080 → 50493 [ACK] Seq=38305 Ack=39329 Win=59839 Len=0
Client IP	50493	Server IP	5080	TCP	60	[TCP Retransmission] 50493 → 5080 [FIN, ACK] Seq=39328 Ack=38305 Win=65535 Len=0
Server IP	5080	Client IP	50493	TCP	60	[TCP Dup ACK 183#1] 5080 → 50493 [ACK] Seq=38305 Ack=39329 Win=59839 Len=0
Client IP	50495	Server IP	5080	TCP	84	50495 → 5080 [SYN] Seq=0 Win=65535 Len=0 MSS=1282 WS=64 TSval=222259839 TSecr=0 SACK_PERM=1
Server IP	5080	Client IP	50495	TCP	68	5080 → 50495 [SYN, ACK] Seq=0 Ack=1 Win=20512 Len=0 MSS=1440 SACK_PERM=1
Client IP	50495	Server IP	5080	TCP	60	50495 → 5080 [ACK] Seq=1 Ack=1 Win=65535 Len=0

--->>> The client is not sending a Client Hello to set up the TLS connection.

Server IP	5080	Client IP	50495	TCP	60	5080 → 50495 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
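As an added example (not part of the original post or of the app being discussed): a small Python script that reads Wireshark packet-list lines in the tab-separated form shown above and classifies each TCP stream, flagging the ones that completed the three-way handshake but never carried a Client Hello before the server reset them. The sample lines are constructed here from the ports and flags in the capture above; the addresses are placeholders, and the SYN, Client Hello and Server Hello frames for port 49347 are assumed, since the post only shows the tail of that stream.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample modelled on the capture in the post: one stream that
# negotiated TLS and closed with an Encrypted Alert, then a new stream that
# completed the TCP handshake but never sent a Client Hello and was reset.
# Columns: src, sport, dst, dport, protocol, frame length, info.
SAMPLE = """\
Client IP\t49347\tServer IP\t5080\tTCP\t84\t49347 → 5080 [SYN] Seq=0 Win=65535 Len=0 MSS=1340
Server IP\t5080\tClient IP\t49347\tTCP\t68\t5080 → 49347 [SYN, ACK] Seq=0 Ack=1 Win=21440 Len=0
Client IP\t49347\tServer IP\t5080\tTCP\t60\t49347 → 5080 [ACK] Seq=1 Ack=1 Win=65535 Len=0
Client IP\t49347\tServer IP\t5080\tTLSv1.2\t571\tClient Hello
Server IP\t5080\tClient IP\t49347\tTLSv1.2\t1514\tServer Hello
Client IP\t49347\tServer IP\t5080\tTLSv1.2\t91\tEncrypted Alert
Client IP\t49347\tServer IP\t5080\tTCP\t60\t49347 → 5080 [FIN, ACK] Seq=1651544 Ack=583068 Win=65535 Len=0
Server IP\t5080\tClient IP\t49347\tTCP\t60\t5080 → 49347 [FIN, ACK] Seq=583068 Ack=1651544 Win=65535 Len=0
Client IP\t49347\tServer IP\t5080\tTCP\t60\t[TCP Retransmission] 49347 → 5080 [FIN, ACK] Seq=1651544 Ack=583069 Win=65535 Len=0
Client IP\t50201\tServer IP\t5080\tTCP\t84\t50201 → 5080 [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1340
Server IP\t5080\tClient IP\t50201\tTCP\t68\t5080 → 50201 [SYN, ACK, ECN] Seq=0 Ack=1 Win=21440 Len=0
Client IP\t50201\tServer IP\t5080\tTCP\t60\t50201 → 5080 [ACK] Seq=1 Ack=1 Win=65535 Len=0
Server IP\t5080\tClient IP\t50201\tTCP\t60\t5080 → 50201 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
"""

Endpoint = Tuple[str, str]  # (address, port)


@dataclass
class Stream:
    client: Endpoint            # the side that sent the bare SYN
    server: Endpoint
    syn_ack: bool = False
    handshake_done: bool = False
    client_tls: List[str] = field(default_factory=list)  # TLS info from client
    server_tls: List[str] = field(default_factory=list)  # TLS info from server
    server_rst: bool = False

    def verdict(self) -> str:
        if not self.handshake_done:
            return "incomplete-handshake"
        if any(i.startswith("Client Hello") for i in self.client_tls):
            return "client-hello-sent"
        return "no-client-hello-then-rst" if self.server_rst else "no-client-hello"


FLAGS_RE = re.compile(r"\[([^\]]+)\]")


def tcp_flags(info: str) -> Set[str]:
    # The flag list is the last bracketed group: analysis notes such as
    # "[TCP Retransmission]" come first, the flags themselves come last.
    groups = FLAGS_RE.findall(info)
    return {f.strip() for f in groups[-1].split(",")} if groups else set()


def parse_line(line: str):
    src, sport, dst, dport, proto, length, info = line.split("\t", 6)
    return (src, sport), (dst, dport), proto, int(length), info


def analyse(text: str) -> Dict[Tuple[Endpoint, Endpoint], Stream]:
    """Replay the packet list and track handshake and TLS state per stream."""
    streams: Dict[Tuple[Endpoint, Endpoint], Stream] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, _length, info = parse_line(line)
        key = tuple(sorted([src, dst]))
        st = streams.get(key)
        if proto == "TCP":
            flags = tcp_flags(info)
            if "SYN" in flags and "ACK" not in flags:
                streams[key] = Stream(client=src, server=dst)  # new stream, SYN sender is the client
                continue
            if st is None:
                continue  # stream started before the capture; nothing to judge
            if "SYN" in flags and "ACK" in flags and src == st.server:
                st.syn_ack = True
            elif "ACK" in flags and src == st.client and st.syn_ack and not st.handshake_done:
                st.handshake_done = True  # third packet of the handshake
            if "RST" in flags and src == st.server:
                st.server_rst = True
        elif proto.startswith("TLS") and st is not None:
            (st.client_tls if src == st.client else st.server_tls).append(info)
    return streams


def verdicts(text: str) -> Dict[str, str]:
    """Map each client port to its verdict so the failing streams stand out."""
    return {st.client[1]: st.verdict() for st in analyse(text).values()}


if __name__ == "__main__":
    for port, verdict in verdicts(SAMPLE).items():
        print(f"client port {port}: {verdict}")
```

Paste the tab-separated columns from the Wireshark packet list into `SAMPLE` (or read them from a file) to run it over a real capture. The script only sees what Wireshark labelled in the Info column, so an Encrypted Alert is just recorded as client-side TLS traffic; without the session keys it cannot tell a close_notify from a fatal alert, and the verdict for the following stream rests purely on the absence of a Client Hello between the handshake ACK and the server's RST.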

What software are you running on the client? Specifically:

  • What platform?

  • What version of that platform?

  • What app?

  • And if it’s your app, what API are you calling?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

What platform? -->> iOS 13 and later. The provided pcap is from iOS 15.2.

What version of that platform? -->> iOS 15.2

What app? -->> A PTT app, which uses the SIP protocol.

And if it’s your app, what API are you calling? -->> We are using the open source BSD Sockets API. Open source RESIP.

we are using open source [BSD] Sockets API. Open source RESIP.

BSD Sockets does not support TLS out of the box, which means you must have other code that implements the TLS side of this. Is that code using an Apple TLS stack? Or its own?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
