Decode error

[Smuul]

Description:

I am attempting to perform a TLS handshake using a PSK cipher (TLS_PSK_WITH_AES_256_CBC_SHA), and I’m encountering issues where the OpenSSL server sends a "Decode Error" alert at the end of the handshake. Additionally, when trying to decrypt the captured trace in Wireshark, only the "Finished" message from the OpenSSL server is being decrypted successfully.

Scenario:

TLS-Attacker Client Command:
java -jar apps/TLS-Client.jar -connect 127.0.0.1:4433 -version TLS12 -config client_config.xml -cipher TLS_PSK_WITH_AES_256_CBC_SHA -debug

OpenSSL Server Command:
openssl s_server -tls1_2 -accept 4433 -nocert -psk 316132623363346435653666 -psk_identity Client_Identity -cipher PSK-AES256-CBC-SHA -keylogfile /tmp/.ssl-key.log -no_ticket
client_config.xml

server_config.xml

Observations:

• The handshake is initiated successfully, but at the end, the OpenSSL server sends an Alert(Decode Error).

• When trying to decrypt the trace in Wireshark, it is only able to decrypt the "Finished" message sent by the OpenSSL server.

• Similar behavior is observed when using both TLS-Attacker’s client and server: despite not receiving the Decode Error, none of the Finished messages are decrypted in Wireshark.

In addition, in Wireshark it appears the Decrypted TLS tag and the packet seems to be fine:

Any guidance or support would be greatly appreciated. Thank you!

[mmaehren]

Hey,
according to your TLS-Attacker command, you are not defining a custom workflow trace. In this case, TLS-Client will only perform a handshake and immediately terminate the connection after receiving the server's Finished message. The decode error you are observing is likely the result of the improperly terminated TLS session.
To test if you can actually transmit application data you can use the following trace:

<workflowTrace>
    <Send>
        <configuredMessages>
            <ClientHello>
            <extensions>
                <ECPointFormat/>
                <EllipticCurves/>
                <SignatureAndHashAlgorithmsExtension/>
                <RenegotiationInfoExtension/>
                <ExtendedMasterSecretExtension/>
                <EncryptThenMacExtension/>
            </extensions>
            </ClientHello>
        </configuredMessages>
    </Send>
    <ReceiveTill>
        <ServerHelloDone/>
    </ReceiveTill>
    <SendDynamicClientKeyExchange/>
    <Send>
        <configuredMessages>
            <ChangeCipherSpec/>
            <Finished/>
        </configuredMessages>
    </Send>
    <ReceiveTill>
        <Finished/>
    </ReceiveTill>
    <Send>
        <configuredMessages>
            <Application>
                <dataConfig>0A0A546869732069732061206D6573736167652066726F6D20544C532D41747461636B65720A0A</dataConfig>
            </Application>
        </configuredMessages>
    </Send>
</workflowTrace>

You can pass this xml file to TLS-Client.jar with -workflow_input <path to xml>.
You should then see the text This is a message from TLS-Attacker in OpenSSL's CLI output. Note that the connection is still not properly closed. Hence, there should still be an error message below this line and OpenSSL should still issue a decode error alert.

[Smuul]

That wasn't my main problem.
I used your workflow adding a close connection alert

<workflowTrace>
    <Send>
        <configuredMessages>
            <ClientHello>
            <extensions>
                <ECPointFormat/>
                <EllipticCurves/>
                <SignatureAndHashAlgorithmsExtension/>
                <RenegotiationInfoExtension/>
                <ExtendedMasterSecretExtension/>
                <EncryptThenMacExtension/>
            </extensions>
            </ClientHello>
        </configuredMessages>
    </Send>
    <ReceiveTill>
        <ServerHelloDone/>
    </ReceiveTill>
    <SendDynamicClientKeyExchange/>
    <Send>
        <configuredMessages>
            <ChangeCipherSpec/>
            <Finished/>
        </configuredMessages>
    </Send>
    <ReceiveTill>
        <Finished/>
    </ReceiveTill>
    <Send>
        <configuredMessages>
            <Application>
                <dataConfig>0A0A546869732069732061206D6573736167652066726F6D20544C532D41747461636B65720A0A</dataConfig>
            </Application>
        </configuredMessages>
    </Send>
        <Send>
        <configuredMessages>
            <Alert>
                <level>warning</level>
                <description>close_notify</description>
            </Alert>
        </configuredMessages>
    </Send>
    <ReceiveTill>
        <Alert>
            <level>warning</level>
            <description>close_notify</description>
        </Alert>
    </ReceiveTill>
</workflowTrace>

And now i don't get the Decode Error, but I still only manage to properly decrypt one Finished Message

[mmaehren]

I assume this is an issue in Wireshark as OpenSSL is able to process our message correctly. Does it work if you use both OpenSSL s_client and s_server with PSK?

[Smuul]

Yes, it does.

OpenSSL Server Command:
openssl s_server -accept 4433 -nocert -psk 1a2b3c4d5e6f -cipher PSK-AES256-CBC-SHA -no_ticket

OpenSSL Client Command:
openssl s_client -connect 127.0.0.1:4433 -tls1_2 -psk 1a2b3c4d5e6f -cipher PSK-AES256-CBC-SHA

By using both sides with OpenSSL, I am able to visualize the Finished message.

It might be a bug with Wireshark, because as I mentioned earlier, the decrypted content seems to be fine. Additionally, as you mentioned, the OpenSSL side processes the TLS-Attacker correctly.

Furthermore, when I send Application Data, I can see the decrypted message.

I’m not sure why Wireshark isn’t interpreting it correctly.