none
[MS-PPSEC] TLS Handshake

    Question

  • Hi,

    even though I managed to create certificates with all properties as outlined in the documentation, the remote windows 7 closes the connection after the client certificate is sent.

    I'm using OpenSSL 1.0.1 for TLS, doing the Frame/Message headers myself.
    Framing/Messages seem to work, if I break it, I get disconnected before the certificate exchange.

    I can create certificates for any given key/validity/Classifier and record pcaps of the authentication/handshake.

    I suspect TLS fails for something other than the certificate, OpenSSL splits the handshake in 5 TlsRecordLayer, Windows splits in 3, embedding the Client Key Exchange and Certificate Verify in the first TlsRecordLayer, where OpenSSL makes seperate TlsRecordLayers for these.

    It might be easier if the service would provide the TLS alert or something, or log something in the eventlogs, but I was unable to find anything there.

    Let me know what you need to track this down, I'll take care.

    Thanks for your assistance.

    Tuesday, January 01, 2013 12:53 PM

Answers

  • Resolved - I failed encoding the PNRPID in the SubjectAltName:DNS field properly.

    Proper encoding the PNRPID as domain name - and my certificates get accepted.

    Thanks Tarun Chopra for digging.

    • Marked as answer by msosilover Tuesday, January 15, 2013 5:54 PM
    Tuesday, January 15, 2013 5:49 PM

All replies

  • Hi msosilover,

    Thank you for your question. A member of the protocol documentation support team will respond to you soon.

    Regards,
    Vilmos Foltenyi - MSFT

    Tuesday, January 01, 2013 7:35 PM
  • Hi Msosilover

    Thanks for contacting Microsoft support. I will be assisting you with this inquiry. Windows server expects final set of client-to-server TLS handshake messages (ClientKeyExchange, ChangeCipherSpec, and Finished, illustrated in [RFC2246] Figure 1), be sent together in a single frame.

    If you are not sending these 3 messages in single frame then kindly try it. Hopefully this should resolve the issue. If it doesn't kindly let us know.

    Regards


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Wednesday, January 02, 2013 6:12 AM
  • Hi,

    in case "frame" refers to the PPGRH frame used by PPSEC, this is slightly misleading as PPSEC relies on PPGRH Message::MessageSize which define message boundaries.

    FrameSize | MessageSize | TLS - handshake data

    I already do this - drain the TLS buffer completely, prefix with the Frame & MessageSize.

    Does not cause the problem.

    The difference I was referring to is the TlsRecordLayers.

    But anyway, this should show how I'm doing things:

    ** Message: connection 0x80dd2a0 state any/none -> out/allocated
    ** Message: connection 0x80dd2a0 state out/allocated -> out/connected

    (process:25767): test-WARNING **: Message
    (process:25767): test-WARNING **:  MessageSize -1
    (process:25767): test-WARNING **:  Version 0x10
    (process:25767): test-WARNING **:  MessageType 1
    (process:25767): test-WARNING **:   AUTH_INFO
    (process:25767): test-WARNING **:    ConnectionType 1
    (process:25767): test-WARNING **:    GraphID 23de5533af7e80f3bb693c05c399e2b2796f808e.HomeGroupPeerGroupClassifier5ddcc2f7229ed0e2d70dfaa5fdbe0e18ad32a160.HomeGroupClassifier_2 (off 0)
    (process:25767): test-WARNING **:    SourcePeerID 5ddcc2f7229ed0e2d70dfaa5fdbe0e18ad32a160.HomeGroupClassifier_2 (off 0)
    (process:25767): test-WARNING **:    DestinationPeerID (null) (off 0)

    buffer 0x80e35b0 size 149 offset 149 (95)dumping 149 bytes from 0x80e3670
           0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F    01234567 89ABCDEF
    0000:  00-93 00-00 00-93 10-01  00-00 01-00 00-10 00-55   ........ .......U
    0010:  00-93 32-33 64-65 35-35  33-33 61-66 37-65 38-30   ..23de55 33af7e80
    0020:  66-33 62-62 36-39 33-63  30-35 63-33 39-39 65-32   f3bb693c 05c399e2
    0030:  62-32 37-39 36-66 38-30  38-65 2E-48 6F-6D 65-47   b2796f80 8e.HomeG
    0040:  72-6F 75-70 50-65 65-72  47-72 6F-75 70-43 6C-61   roupPeer GroupCla
    0050:  73-73 69-66 69-65 72-35  64-64 63-63 32-66 37-32   ssifier5 ddcc2f72
    0060:  32-39 65-64 30-65 32-64  37-30 64-66 61-61 35-66   29ed0e2d 70dfaa5f
    0070:  64-62 65-30 65-31 38-61  64-33 32-61 31-36 30-2E   dbe0e18a d32a160.
    0080:  48-6F 6D-65 47-72 6F-75  70-43 6C-61 73-73 69-66   HomeGrou pClassif
    0090:  69-65 72-5F 32-     -      -     -     -     -     ier_2            

    ** (process:25767): WARNING **: send 0x80e3670 149
    dumping 149 bytes from 0x80e3670
           0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F    01234567 89ABCDEF
    0000:  00-93 00-00 00-93 10-01  00-00 01-00 00-10 00-55   ........ .......U
    0010:  00-93 32-33 64-65 35-35  33-33 61-66 37-65 38-30   ..23de55 33af7e80
    0020:  66-33 62-62 36-39 33-63  30-35 63-33 39-39 65-32   f3bb693c 05c399e2
    0030:  62-32 37-39 36-66 38-30  38-65 2E-48 6F-6D 65-47   b2796f80 8e.HomeG
    0040:  72-6F 75-70 50-65 65-72  47-72 6F-75 70-43 6C-61   roupPeer GroupCla
    0050:  73-73 69-66 69-65 72-35  64-64 63-63 32-66 37-32   ssifier5 ddcc2f72
    0060:  32-39 65-64 30-65 32-64  37-30 64-66 61-61 35-66   29ed0e2d 70dfaa5f
    0070:  64-62 65-30 65-31 38-61  64-33 32-61 31-36 30-2E   dbe0e18a d32a160.
    0080:  48-6F 6D-65 47-72 6F-75  70-43 6C-61 73-73 69-66   HomeGrou pClassif
    0090:  69-65 72-5F 32-     -      -     -     -     -     ier_2            
    ** Message: connection 0x80dd2a0 state out/connected -> out/sentauth

    ** (process:25767): WARNING **: ctx 0x80e4150 ssl 0x80e7d00
    ** (process:25767): WARNING **: SSL state before/connect initialization
    ** (process:25767): WARNING **: SSL state before/connect initialization
    ** (process:25767): WARNING **: SSL state SSLv3 write client hello A
    ** (process:25767): WARNING **: SSL state SSLv3 read server hello A
    ** (process:25767): WARNING **: read 145 from bio
    ** (process:25767): WARNING **: send 0x7fefffc80 6
    dumping 6 bytes from 0x7fefffc80
           0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F    01234567 89ABCDEF
    0000:  00-95 00-00 00-95   -      -     -     -     -     ......           

    ** (process:25767): WARNING **: send 0x7fefffbe0 145
    dumping 145 bytes from 0x7fefffbe0
           0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F    01234567 89ABCDEF
    0000:  16-03 01-00 8C-01 00-00  88-03 01-50 E4-39 01-C3   ........ ...P.9..
    0010:  AC-04 86-EF 3A-25 29-D0  58-1E 3B-6D EE-78 81-83   ....:%). X.;m.x..
    0020:  1C-E1 33-F5 96-D0 DA-F7  FB-AC D1-00 00-1A 00-2F   ..3..... ......./
    0030:  00-35 00-05 00-0A C0-13  C0-14 C0-09 C0-0A 00-13   .5...... ........
    0040:  00-32 00-38 00-04 00-FF  01-00 00-45 00-0B 00-04   .2.8.... ...E....
    0050:  03-00 01-02 00-0A 00-34  00-32 00-0E 00-0D 00-19   .......4 .2......
    0060:  00-0B 00-0C 00-18 00-09  00-0A 00-16 00-17 00-08   ........ ........
    0070:  00-06 00-07 00-14 00-15  00-04 00-05 00-12 00-13   ........ ........
    0080:  00-01 00-02 00-03 00-0F  00-10 00-11 00-0F 00-01   ........ ........
    0090:  01-     -     -     -      -     -     -     -     .                

    ** (process:25767): WARNING **: SSL_ERROR_WANT_READ
     
    ** (process:25767): WARNING **: recv() 2655 (Success)

    ** (process:25767): WARNING **: SSL state SSLv3 read server hello A
    ** (process:25767): WARNING **: SSL state SSLv3 read server certificate A
    ** (process:25767): WARNING **: SSL state SSLv3 read server certificate request A
    ** (process:25767): WARNING **: SSL state SSLv3 read server done A
    ** (process:25767): WARNING **: SSL state SSLv3 write client certificate A
    ** (process:25767): WARNING **: SSL state SSLv3 write client key exchange A
    ** (process:25767): WARNING **: SSL state SSLv3 write certificate verify A
    ** (process:25767): WARNING **: SSL state SSLv3 write change cipher spec A
    ** (process:25767): WARNING **: SSL state SSLv3 write finished A
    ** (process:25767): WARNING **: SSL state SSLv3 flush data
    ** (process:25767): WARNING **: SSL state SSLv3 read finished A
    ** (process:25767): WARNING **: read 1151 from bio

    ** (process:25767): WARNING **: send 0x7feffed30 6
    dumping 6 bytes from 0x7feffed30
           0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F    01234567 89ABCDEF
    0000:  04-83 00-00 04-83   -      -     -     -     -     ......           

    ** (process:25767): WARNING **: send 0x7feffe8a0 1151
    dumping 1151 bytes from 0x7feffe8a0
           0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F    01234567 89ABCDEF
    0000:  16-03 01-03 29-0B 00-03  25-00 03-22 00-03 1F-30   ....)... %.."...0
    0010:  82-03 1B-30 82-02 84-A0  03-02 01-02 02-10 79-59   ...0.... ......yY
    0020:  68-9F B4-F4 8E-FE A2-E9  83-CF C5-A6 13-73 30-0D   h....... .....s0.
    0030:  06-09 2A-86 48-86 F7-0D  01-01 05-05 00-30 35-31   ..*.H... .....051
    0040:  33-30 31-06 03-55 04-03  1E-2A 00-48 00-6F 00-6D   301..U.. .*.H.o.m
    0050:  00-65 00-47 00-72 00-6F  00-75 00-70 00-20 00-49   .e.G.r.o .u.p. .I
    0060:  00-64 00-65 00-6E 00-74  00-69 00-74 00-79 00-5F   .d.e.n.t .i.t.y._
    0070:  00-32 00-00 30-20 17-0D  31-33 30-31 30-31 31-33   .2..0 .. 13010113
    0080:  34-31 31-39 5A-18 0F-33  30-31 32-30 35-30 34-31   4119Z..3 01205041
    0090:  33-34 31-31 39-5A 30-35  31-33 30-31 06-03 55-04   34119Z05 1301..U.
    00a0:  03-1E 2A-00 48-00 6F-00  6D-00 65-00 47-00 72-00   ..*.H.o. m.e.G.r.
    00b0:  6F-00 75-00 70-00 20-00  49-00 64-00 65-00 6E-00   o.u.p. . I.d.e.n.
    00c0:  74-00 69-00 74-00 79-00  5F-00 32-00 00-30 81-9F   t.i.t.y. _.2..0..
    00d0:  30-0D 06-09 2A-86 48-86  F7-0D 01-01 01-05 00-03   0...*.H. ........
    00e0:  81-8D 00-30 81-89 02-81  81-00 C0-20 DC-70 85-A5   ...0.... ... .p..
    00f0:  05-AB 7A-BA 83-EC EB-B0  C0-75 2B-B4 E2-2E 87-48   ..z..... .u+....H
    0100:  F4-F6 D1-0F B7-B8 AC-AB  EA-64 F7-CF 94-99 34-98   ........ .d....4.
    0110:  20-73 2D-E5 F4-0C 65-AF  E9-8C E1-83 D6-77 2C-CA    s-...e. .....w,.
    0120:  18-2B 74-29 2D-77 A8-5D  A4-58 A0-11 AE-62 85-7A   .+t)-w.] .X...b.z
    0130:  3F-47 87-9E 7E-F9 DE-2F  46-02 95-F7 47-3A 85-22   ?G..~../ F...G:."
    0140:  03-7F 1E-1F 3A-34 8A-C1  12-F3 D8-0B 42-63 47-10   ....:4.. ....BcG.
    0150:  60-87 D0-7C AE-59 05-32  AC-47 6A-A7 8E-68 0B-20   `..|.Y.2 .Gj..h.
    0160:  78-5E 26-0D 08-CF 77-2F  D3-15 02-03 01-00 01-A3   x^&...w/ ........
    0170:  82-01 28-30 82-01 24-30  15-06 0A-2B 06-01 04-01   ..(0..$0 ...+....
    0180:  82-37 2C-00 04-01 01-FF  04-04 01-00 02-00 30-15   .7,..... ......0.
    0190:  06-0A 2B-06 01-04 01-82  37-2C 00-01 01-01 FF-04   ..+..... 7,......
    01a0:  04-03 00-00 00-30 5C-06  03-55 1D-07 01-01 FF-04   .....0\. .U......
    01b0:  52-30 50-A0 4E-06 0A-2B  06-01 04-01 82-37 2C-00   R0P.N..+ .....7,.
    01c0:  02-A0 40-0C 3E-35 64-64  63-63 32-66 37-32 32-39   ..@.>5dd cc2f7229
    01d0:  65-64 30-65 32-64 37-30  64-66 61-61 35-66 64-62   ed0e2d70 dfaa5fdb
    01e0:  65-30 65-31 38-61 64-33  32-61 31-36 30-2E 48-6F   e0e18ad3 2a160.Ho
    01f0:  6D-65 47-72 6F-75 70-43  6C-61 73-73 69-66 69-65   meGroupC lassifie
    0200:  72-5F 32-30 5B-06 03-55  1D-11 01-01 FF-04 51-30   r_20[..U ......Q0
    0210:  4F-82 4D-6F 6D-65 72-6F  75-70 6C-61 73-73 69-66   O.Momero uplassif
    0220:  69-65 72-32 2D-66 38-61  35-65 71-35 31-63 2E-35   ier2-f8a 5eq51c.5
    0230:  64-64 63-63 32-66 37-32  32-39 65-64 30-65 32-64   ddcc2f72 29ed0e2d
    0240:  37-30 64-66 61-61 35-66  64-62 65-30 65-31 38-61   70dfaa5f dbe0e18a
    0250:  64-33 32-61 31-36 30-2E  70-6E 72-70 2E-6E 65-74   d32a160. pnrp.net
    0260:  30-15 06-0A 2B-06 01-04  01-82 37-2C 02-02 01-01   0...+... ..7,....
    0270:  FF-04 04-00 00-00 00-30  22-06 03-55 1D-25 01-01   .......0 "..U.%..
    0280:  FF-04 18-30 16-06 0A-2B  06-01 04-01 82-37 2C-03   ...0...+ .....7,.
    0290:  04-06 08-2B 06-01 05-05  07-03 01-30 0D-06 09-2A   ...+.... ...0...*
    02a0:  86-48 86-F7 0D-01 01-05  05-00 03-81 81-00 6A-6F   .H...... ......jo
    02b0:  D6-9C 93-E5 F6-65 85-8C  7D-1D 3C-FB 67-22 50-7C   .....e.. }.<.g"P|
    02c0:  85-30 29-61 A3-BC EE-B0  9B-CF 9E-E4 E2-00 E1-09   .0)a.... ........
    02d0:  8B-96 4E-5B F3-76 4C-C9  8D-F4 80-5A 2F-0E B1-E3   ..N[.vL. ...Z/...
    02e0:  29-3E 5B-5B 87-3A 06-C6  60-39 99-CC DD-D4 CA-D5   )>[[.:.. `9......
    02f0:  44-70 CB-CF 29-24 3F-85  80-70 E7-BE 63-32 6F-57   Dp..)$?. .p..c2oW
    0300:  AB-AC CF-F0 A4-2A 37-72  86-86 AB-5E BE-F8 53-EC   .....*7r ...^..S.
    0310:  48-41 3C-E3 6F-DA 9A-80  7B-5E DF-79 31-E0 2B-D2   HA<.o... {^.y1.+.
    0320:  D5-41 0B-67 84-B6 40-B3  BF-D0 E0-50 73-51 16-03   .A.g..@. ...PsQ..
    0330:  01-00 86-10 00-00 82-00  80-7A 25-D2 9B-B5 ED-FB   ........ .z%.....
    0340:  AD-FF 71-E2 7F-DB 83-15  C8-DA C4-C7 DA-79 EA-B8   ..q..... .....y..
    0350:  95-37 CC-7E 69-AE 14-27  0F-09 4A-53 9E-18 4A-85   .7.~i..' ..JS..J.
    0360:  21-E1 F9-89 D0-BC EC-74  2F-D9 7C-DF 7F-BB B7-2A   !......t /.|....*
    0370:  31-FE D6-57 40-95 FD-67  29-0F E2-70 5C-38 85-E0   1..W@..g )..p\8..
    0380:  EA-20 6E-AF 09-B6 3B-C2  07-C6 A7-15 6A-51 46-79   . n...;. ....jQFy
    0390:  F7-E5 BD-7B C5-36 A5-04  91-57 81-75 63-59 E3-A2   ...{.6.. .W.ucY..
    03a0:  96-F0 D7-CC 3F-E9 C2-6D  27-40 37-E5 76-AC 9B-A1   ....?..m '@7.v...
    03b0:  DC-F0 78-5B 63-DD 93-41  35-16 03-01 00-86 0F-00   ..x[c..A 5.......
    03c0:  00-82 00-80 58-B0 B3-62  18-0D 49-2C 72-88 AF-5F   ....X..b ..I,r.._
    03d0:  55-28 12-22 6B-F4 50-07  63-D3 61-DF C0-A6 88-80   U(."k.P. c.a.....
    03e0:  99-2B 37-52 84-9F 89-77  E1-5D 0A-62 3A-25 CC-4F   .+7R...w .].b:%.O
    03f0:  40-62 72-A4 7A-74 8F-1B  D0-A9 43-FB D1-EC 08-4F   @br.zt.. ..C....O
    0400:  88-1D 00-B9 CA-A3 ED-94  A9-76 AE-3B D6-CA 1B-73   ........ .v.;...s
    0410:  7A-E9 40-FD 5F-F5 0F-B4  EC-D2 7D-F1 BC-AA 30-DD   z.@._... ..}...0.
    0420:  7A-DA CA-E5 E3-AF 2A-8A  39-C6 5F-75 73-0D D7-A6   z.....*. 9._us...
    0430:  47-81 E1-AB B6-B7 63-13  CA-39 07-10 FC-F7 13-8E   G.....c. .9......
    0440:  3A-E6 37-38 14-03 01-00  01-01 16-03 01-00 30-46   :.78.... ......0F
    0450:  F5-56 F8-48 16-85 E7-E6  CD-5D B4-1E 56-93 FC-37   .V.H.... .]..V..7
    0460:  5E-30 9D-FB D3-F6 D9-1F  2F-43 B0-5B C9-FD 73-6A   ^0...... /C.[..sj
    0470:  91-90 33-C3 B1-BE C8-DB  DC-B4 1F-6D 95-A1 13-     ..3..... ...m...

    ** (process:25767): WARNING **: SSL_ERROR_WANT_READ

    ** (process:25767): WARNING **: recv() 0 (Success)

    Wednesday, January 02, 2013 1:48 PM
  • Hi Msosilover

    Thanks for the details. I might be needing decrypted traces and have to share some tools to capture traces on win7 client to analyze the behaviour. Would it be Ok if we do follow up offline, i will drop you a note on your mail id ? Please confirm.

    I'll make sure to update this thread with final outcome so that others can benefit.

    Thanks.


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team


    Wednesday, January 02, 2013 3:54 PM
  • We'll proceed as you proposed.
    Wednesday, January 02, 2013 11:02 PM
  • Thanks Msosilover for confirmation. I have dropped you a note on your mail id.

    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Thursday, January 03, 2013 6:36 PM
  • Resolved - I failed encoding the PNRPID in the SubjectAltName:DNS field properly.

    Proper encoding the PNRPID as domain name - and my certificates get accepted.

    Thanks Tarun Chopra for digging.

    • Marked as answer by msosilover Tuesday, January 15, 2013 5:54 PM
    Tuesday, January 15, 2013 5:49 PM
  • Thanks Msosilover for the update. It was nice working with you.

    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Tuesday, January 15, 2013 5:54 PM