How can I tell if an SSL Alert of 21 is a real decode failure?

Document ID : KB000031712
Last Modified Date : 14/02/2018

Question:

Looking in a PCAP file, I see an SSL Alert of 21. How can I tell if this is a real decode failure?


Answer:

There are several reasons you may see an SSL Alert 21 (Decode Failure). These include the following:

1.  It may be the normal termination of the SSL conversation by either side. If this is the case, you will see FIN packets after the alert.

     This is the most typical cause and is not a real decode failure.

2.  Issues reading a private key in a certificate chain. Re-adding the private key so that it is not part of the certificate chain may resolve this.

3.  Other factors
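
The check in item 1 can be scripted. The following Python is an added example, not part of the original article or of any product tooling. It assumes the TCP stream has already been extracted from the PCAP as `(sender, tcp_flags, payload)` tuples, and the function names, sample streams and the rule "only a close_notify or encrypted alert followed by a FIN counts as a normal close" are choices made for this illustration.

```python
import struct

ALERT, FIN = 21, 0x01   # TLS record content type "alert"; TCP FIN flag bit
NAMES = {0: "close_notify", 21: "decryption_failed_RESERVED"}  # RFC 5246 A.3

def alerts_in(payload):
    """Return the names of the TLS alert records found in one TCP payload."""
    found, off = [], 0
    while off + 5 <= len(payload):
        ctype, version, length = struct.unpack_from("!BHH", payload, off)
        body = payload[off + 5:off + 5 + length]
        if version >> 8 != 3 or len(body) < length:
            break  # not a TLS record, or record spans segments (no reassembly)
        if ctype == ALERT and length == 2:      # plaintext: level, description
            found.append(NAMES.get(body[1], str(body[1])))
        elif ctype == ALERT:                    # body encrypted after handshake
            found.append("encrypted")
        off += 5 + length
    return found

def classify(packets):
    """packets: (sender, tcp_flags, payload) tuples in capture order."""
    results = []
    for i, (sender, _flags, payload) in enumerate(packets):
        # A FIN in this segment or any later one counts as "after the alert".
        fin_follows = any(flags & FIN for _s, flags, _p in packets[i:])
        for name in alerts_in(payload):
            if name in ("close_notify", "encrypted") and fin_follows:
                verdict = "normal close"   # alert, then FIN: orderly shutdown
            else:
                verdict = "investigate"    # readable error alert, or no FIN
            results.append((sender, name, verdict))
    return results

# Constructed sample streams (not taken from a real capture).
SAMPLE_CLOSE = [
    ("client", 0x18, b"\x17\x03\x03\x00\x04" + b"\xaa" * 4),    # app data
    ("server", 0x18, b"\x15\x03\x03\x00\x1a" + b"\xbb" * 26),   # encrypted alert
    ("server", 0x11, b""),                                      # FIN, ACK
    ("client", 0x11, b""),                                      # FIN, ACK
]
SAMPLE_ERROR = [
    ("server", 0x18, b"\x15\x03\x03\x00\x02\x02\x15"),          # fatal, desc 21
    ("server", 0x11, b""),                                      # FIN, ACK
]

if __name__ == "__main__":
    for stream in (SAMPLE_CLOSE, SAMPLE_ERROR):
        print(classify(stream))
```

An encrypted alert cannot be read without the session keys, so for those the FIN that follows is the only evidence of a normal close that the capture itself provides.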


Additional Information:

https://www.openssl.org/docs/manmaster/ssl/SSL_shutdown.html   -- More on SSL Shutdown

http://tools.ietf.org/html/rfc5246#appendix-A.3  -- List of SSL Alerts

https://wiki.apache.org/httpd/DebuggingSSLProblems  -- Reference on SSL Debugging

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec614161.aspx  -- TIM and SSL Certificate chains