
Wireshark-users: [Wireshark-users] What does "Encrypted Alert" mean?



From: mailinglist <mailinglist@xxxxxxxxxxxxxxxxx>
Date: Fri, 07 Nov 2008 10:25:04 +0100

Hello all,

I have to debug a script which uses a full SSL handshake. Full means that it requires a client certificate, a server certificate and a keyfile. The script is written in PHP and uses Curl (it doesn't matter if I use PHP's Curl extension or Curl on the CLI - same error).
I also tried from my local machine and on the server.
The thing is that, as far as I can see, the handshake works, but then some error occurs which neither I nor the hoster can explain. So maybe it's a bug either on my side or on theirs. To come back to the topic, you find attached a Wireshark capture which shows one connection from my PC to the server. At the bottom Wireshark reports an "Encrypted Alert". "Encrypted Alert" is first sent from my PC to the server, followed by a TCP/IP [FIN, ACK], to which the server itself reacts with "Encrypted Alert" (the following RST packet then finally ends TCP/IP). From an internet search I learned that "Encrypted Alert" usually means that either one partner does not trust the other or an unclean shutdown of the SSL connection. However, I am very unsure about this. Can anybody help?

A second thing:
How do I decrypt this full SSL handshake with Wireshark? I only found out something about the keyfile....

Here is the curl command line I use, maybe this gives you a hint what I have to do:

c:\tools\curl\curl.exe https://some-url.com/ --header "Content-Type: text/xml" --basic --user "user" --data "<xml></xml>" --header "Content-Type: text/xml" --cacert C:\cacert.pem --cert C:\cert.pem --key C:\key.key --pass pass --show-error --verbose

P.S.: Sorry that I only provide a screenshot, but the capture file would include too much secret information.

Regards from Germany

Sebastian Kratz
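
Added example, not part of the original message and not Wireshark's code: a simplified model of TLS (1.2 and earlier) record framing, showing why an alert record sent after ChangeCipherSpec can only be labelled "Encrypted Alert", while one sent before it decodes to a level and description. The function names and byte streams are constructed for illustration.

```python
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure",
                      42: "bad_certificate", 48: "unknown_ca"}

def label_records(stream: bytes) -> list:
    """Label each TLS record in ONE direction of a connection."""
    labels, offset, encrypted = [], 0, False
    while offset + 5 <= len(stream):
        # Record header: content type (1 byte), version (2), length (2).
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        body = stream[offset + 5 : offset + 5 + length]
        if len(body) < length:
            labels.append("truncated record")
            break
        offset += 5 + length
        name = CONTENT_TYPES.get(ctype, f"unknown({ctype})")
        if ctype == 20:
            # Everything this side sends after ChangeCipherSpec is encrypted.
            encrypted = True
            labels.append(name)
        elif ctype == 21 and not encrypted and length == 2:
            # A plaintext alert is exactly two bytes: level, description.
            level = ALERT_LEVELS.get(body[0], f"level {body[0]}")
            desc = ALERT_DESCRIPTIONS.get(body[1], f"description {body[1]}")
            labels.append(f"Alert ({level}: {desc})")
        elif ctype == 21:
            # Ciphertext: level and description are unreadable without keys.
            labels.append("Encrypted Alert")
        else:
            labels.append(f"Encrypted {name}" if encrypted else name)
    return labels

def record(ctype: int, body: bytes, version: int = 0x0301) -> bytes:
    """Build one record for the constructed samples below."""
    return struct.pack("!BHH", ctype, version, len(body)) + body

# Constructed sample: client side of a handshake that completes, then an alert.
CLIENT_STREAM = (record(22, b"\x01" + bytes(3))   # placeholder handshake message
                 + record(20, b"\x01")            # ChangeCipherSpec
                 + record(22, bytes(48))          # encrypted Finished (dummy bytes)
                 + record(21, bytes(32)))         # alert sent after CCS (dummy bytes)
# Constructed sample: an alert sent before any ChangeCipherSpec.
PLAINTEXT_ALERT = record(21, b"\x02\x30")

if __name__ == "__main__":
    print(label_records(CLIENT_STREAM))
    print(label_records(PLAINTEXT_ALERT))
```

The label only says that an alert-type record was seen in ciphertext; which alert it was cannot be read from the capture without decrypting the session.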
