Looking in a PCAP file, I see an SSL Alert of 21. How can I tell if this is a real decode failure?
There are several reasons to have an SSL Alert 21 (Decode Failure). These include the following:
1. It may be the normal termination of either side of the SSL Conversation. If this is the case, you will see FIN packets after the alert.
This is the most typical cause and is not a real decode failure.
2. Issues reading a private key in a certificate chain. Re-adding the private key as not a part of the certificate chain may resolve this.
3. Other factors
https://www.openssl.org/docs/manmaster/ssl/SSL_shutdown.html -- More on SSL Shutdown
http://tools.ietf.org/html/rfc5246#appendix-A.3 -- List of SSL Alerts
https://wiki.apache.org/httpd/DebuggingSSLProblems -- Reference on SSL Debugging
http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec614161.aspx -- TIM and SSL Certificate chains.