
SSL Content-type: Alert (21)

cisco_lite
Level 1

Hi,

During an HTTPS connection, after the handshake is successfully done, I am getting an 'Encrypted Alert' message in Wireshark/Ethereal on one of the webpages. The alert error code is 21.

Does anyone know what Alert 21 means? Or is there any list of alert protocol error codes and their descriptions?

2 Replies

Hi,

It looks like alert code 21 means that the message could not be unencrypted:

http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Alert_protocol

I've never experienced this problem, so I'm not sure how to proceed in troubleshooting it. Could the packets be corrupted during transportation?

Also, you mentioned "one of the webpages". Does this mean that you are only having this error when visiting a single page and all other pages are working? If so, you may want to look at the application side of things on the web server.

Hope that helps.

-Mike

Prab
Level 1

In a nutshell, TLS is all about different records. Different records serve different purposes. Records have a Content-Type field and a Message field (and some other fields too).

The Content-Type will state the Record Layer Protocol Type. Depending upon the Content-Type field's value, you know what the purpose of a particular record is. For example: Content-Type=21 means that this is an Alert protocol and Content-Type=22 means that this is a Handshake protocol.

The Message field will contain the actual message related to a particular Record Protocol type.

The Alert protocol further has a field called Description. This field contains the actual error information.

There are different Descriptions, the list could be found here: https://tools.ietf.org/html/rfc5246#page-29 

Each Description has a Code associated with it. A Description named decryption_failed_RESERVED has a Code of 21.

Now coming to Wireshark:

The 21 shown in the Wireshark capture is not a code but the value in the Content-Type field of the TLS record. In plain words, Wireshark is telling us that this is a TLS Alert protocol.

The Message field is encrypted. Wireshark is not able to look further into this Message field as it is encrypted. So, Wireshark doesn't show the actual Message.

There is a possibility to decrypt the captures in Wireshark: https://wiki.wireshark.org/SSL

Hope this helps.

Prab :)
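
The distinction drawn in the reply above, as an added example that is not part of either poster's message: a small parser for the 5-byte TLS record header that reports Content-Type 21 separately from the alert Description code, and flags an alert whose body cannot be read. The function name, the sample bytes and the "exactly 2 bytes means plaintext" heuristic are assumptions made for this illustration.

```python
import struct

# Record-layer content types and a subset of alert descriptions from RFC 5246.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 21: "decryption_failed_RESERVED",
                      40: "handshake_failure"}

def parse_records(stream: bytes) -> list:
    """Walk a byte stream of TLS records and classify each one."""
    records, offset = [], 0
    while offset + 5 <= len(stream):
        # 5-byte header: content type, version major/minor, fragment length
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        fragment = stream[offset + 5:offset + 5 + length]
        if len(fragment) < length:
            break  # truncated capture: stop rather than misparse
        rec = {"content_type": ctype,
               "type_name": CONTENT_TYPES.get(ctype, "unknown"),
               "version": (major, minor), "length": length, "alert": None}
        if ctype == 21:
            if length == 2 and fragment[0] in ALERT_LEVELS:
                # Plaintext alert: exactly level + description
                rec["alert"] = (ALERT_LEVELS[fragment[0]],
                                ALERT_DESCRIPTIONS.get(fragment[1], str(fragment[1])))
            else:
                # Longer fragment: ciphertext plus MAC/padding, so the
                # level and description cannot be read without keys.
                rec["alert"] = "encrypted"
        records.append(rec)
        offset += 5 + length
    return records

# Constructed sample: a plaintext fatal alert whose description is 21,
# followed by an alert record with a 26-byte stand-in for ciphertext.
SAMPLE = (bytes.fromhex("15030100020215")
          + bytes.fromhex("150303001a") + bytes(range(26)))

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r)
```

Both sample records carry Content-Type 21, but only the first exposes a Description; the second is what Wireshark labels "Encrypted Alert".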

 
