4

I am trying to debug a TLS related issue. TLS is setup between two application Client A & Server B. Both A & B have certificates exchanged and I have verified that certificates have the right extensions and is also verified successfully with its Root CA. The Root CA of the leaf certs are uploaded and is available to the applications trust store. During TLS in the wireshark , I see the following message flows : 

CLIENT : Client Hello 
SERVER : Server Hello , Certificate , Certificate request , Server Hello Done
CLIENT : Certificate , Client key exchange 
CLIENT : Certificate Verify , Change Cipher spec , Encrypted Handshake Message 
SERVER : Alert : Level Fatal, Description : Decrypt Error )

Also TLS logs shows : 

TLS protocol error(ssl reason
code=block type is not 01 [106]),lib=rsa routines
[4],fun=RSA_padding_check_PKCS1_type_1 [112], errno=12 for
192956|<CLID::StandAloneCluster><NID::xxx.xxx.xxx.xxx><CT::0,0,0,0.0><IP::>
192956|<DE
V::><LVL::Error><MASK::0800>

Any pointers what could be causing the Decrypt error by the server side ? The certificates during the exchange in TLS are fine and can be chained up to their Root certificate properly.

Any pointers will be of great help !

Thanks in advance!

user839917
  • 851
  • 5
  • 13
  • 20

2 Answers2

3

What is obviously happening is that the server is not able to decrypt the very first encrypted message addressed to him by the client ("Finished" after the Change Cipher spec) which should be encrypted and verified by the cipher suite specified in the client's "Change Cipher spec"-message.

This means that the server for example doesn't really possess the private key from the public key it provided to the client with the certificate or something like this.

Vic
  • 102
  • 7
-1

Try the following command: 

openssl s_client -connect mail.example.com:25 -starttls smtp
J0e3gan
  • 8,740
  • 10
  • 53
  • 80
Matt
  • 1