

SSL Inspection KEY_TYPE__UNKNOWN

Hi,

an application tried to decrypt an SSL/TLS connection but was getting an error "unknown ca(48)":

messageid="19018" log_type="Content Filtering" log_component="SSL" log_subtype="Error" severity="Information" user="<changed>" src_ip="<changed>" dst_ip="194.149.233.199" user_group="<changed>" src_country="R1" dst_country="ITA" src_port="57985" dst_port="3048" app_name="" category="IPAddress" con_id="3862505024" rule_id="2" profile_id="4" rule_name="<changed>" profile_name="<changed>" bitmask="Invalid issuer" key_type="KEY_TYPE__RSA" key_param="RSA 4096 bits" fingerprint="d2:ae:51:0e:ec:fe:5c:f7:32:81:0d:70:84:51:03:fe:22:48:30:3a" resumed="0" cert_chain_served="FALSE" cipher_suite="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" sni="194.149.233.199" tls_version="TLS1.2" reason="TLS handshake fatal alert: unknown CA(48)." exception="" message=""

I imported the certificate from the CA and now I get the following error: KEY_TYPE__UNKNOWN.

messageid="19017" log_type="Content Filtering" log_component="SSL" log_subtype="Error" severity="Information" user="<changed>" src_ip="<changed>" dst_ip="80.84.99.20" user_group="<changed>" src_country="R1" dst_country="ITA" src_port="58012" dst_port="3048" app_name="" category="IPAddress" con_id="282071680" rule_id="2" profile_id="4" rule_name="<changed>" profile_name="<changed>" bitmask="" key_type="KEY_TYPE__UNKNOWN" key_param="Unknown" fingerprint="" resumed="0" cert_chain_served="TRUE" cipher_suite="" sni="80.84.99.20" tls_version="Unknown" reason="TLS handshake fatal alert: unexpected message(10)." exception="" message=""

Can someone give me a hint what's wrong?



  • The KEY_TYPE__UNKNOWN value simply indicates that the key has not yet been negotiated completely by the time the connection ended. Similarly, you will see some other "unknown" values in that log message.  

    The actual reason for connection failure is that one of the endpoints (client or server) does not "understand" what the other one is sending it, and thus replies with the unexpected_message TLS alert. The firewall notices the alert, and logs it as part of the log message:  

     reason="TLS handshake fatal alert: unexpected message(10)."

    Per RFC 5246 (TLS 1.2 - since the connection did not reach TLS 1.3 negotiation before being aborted):

    unexpected_message

    An inappropriate message was received. This alert is always fatal
    and should never be observed in communication between proper
    implementations.

    Implementations MUST NOT send record types not defined in this
    document unless negotiated by some extension. If a TLS
    implementation receives an unexpected record type, it MUST send an
    unexpected_message alert.

    You can possibly view the traffic with Wireshark to try and understand the endpoint behavior better.

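As an added example (written for this page, not code from the thread or from Sophos), the following Python script parses the key="value" log lines quoted above, pulls the TLS alert code out of the reason field, maps it to its RFC 5246 name, and classifies the failure the way the answer does: an unknown_ca alert together with bitmask="Invalid issuer" is a trust problem with the server certificate, while unexpected_message with key_type="KEY_TYPE__UNKNOWN" means the handshake was aborted before any key or TLS version was negotiated, so the "Unknown" fields are a symptom and not the cause. The sample lines are constructed from the two entries in the question, with the redacted values kept as "<changed>" placeholders; the class names returned by triage() are this example's own.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample lines, modelled on the two log entries in the thread
# (values redacted there are kept as "<changed>" placeholders).
SAMPLE_LINES = [
    'messageid="19018" log_type="Content Filtering" log_component="SSL" '
    'log_subtype="Error" severity="Information" user="<changed>" '
    'src_ip="<changed>" dst_ip="194.149.233.199" dst_port="3048" '
    'bitmask="Invalid issuer" key_type="KEY_TYPE__RSA" key_param="RSA 4096 bits" '
    'cert_chain_served="FALSE" cipher_suite="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" '
    'sni="194.149.233.199" tls_version="TLS1.2" '
    'reason="TLS handshake fatal alert: unknown CA(48)." exception="" message=""',
    'messageid="19017" log_type="Content Filtering" log_component="SSL" '
    'log_subtype="Error" severity="Information" user="<changed>" '
    'src_ip="<changed>" dst_ip="80.84.99.20" dst_port="3048" '
    'bitmask="" key_type="KEY_TYPE__UNKNOWN" key_param="Unknown" '
    'cert_chain_served="TRUE" cipher_suite="" sni="80.84.99.20" '
    'tls_version="Unknown" '
    'reason="TLS handshake fatal alert: unexpected message(10)." exception="" message=""',
]

# key="value" pairs; values in this format never contain a double quote.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Matches e.g. 'TLS handshake fatal alert: unknown CA(48).' -> ('unknown CA', '48')
ALERT_RE = re.compile(r'alert:\s*([A-Za-z ]+?)\s*\((\d+)\)')

# AlertDescription values from RFC 5246 section 7.2 (subset).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation", 110: "unsupported_extension",
}


def parse_ssl_log(line: str) -> Dict[str, str]:
    """Split one SSL-inspection log line into its key/value fields."""
    return {k: v for k, v in KV_RE.findall(line)}


def tls_alert(record: Dict[str, str]) -> Optional[Tuple[int, str]]:
    """Return (code, rfc_name) for the alert named in the reason field, if any."""
    m = ALERT_RE.search(record.get("reason", ""))
    if not m:
        return None
    code = int(m.group(2))
    # Fall back to the firewall's own wording for codes not in the table.
    fallback = m.group(1).strip().lower().replace(" ", "_")
    return code, TLS_ALERTS.get(code, fallback)


def triage(record: Dict[str, str]) -> str:
    """Classify a failed inspected handshake (class names are this example's own)."""
    alert = tls_alert(record)
    if alert is None:
        return "no_alert"
    code, name = alert
    # Key type, key params and TLS version were never negotiated: the peer
    # aborted early with unexpected_message, so the "Unknown" fields are a
    # consequence of the abort, not a certificate problem.
    if record.get("key_type") == "KEY_TYPE__UNKNOWN" and code == 10:
        return "endpoint_incompatibility"
    # unknown_ca plus "Invalid issuer": the server certificate's issuer is not
    # trusted by the inspecting firewall.
    if code == 48 or "Invalid issuer" in record.get("bitmask", ""):
        return "untrusted_issuer"
    return name


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count failure classes across many lines, e.g. a tail of the SSL log."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_ssl_log(line)
        if rec.get("log_component") != "SSL":
            continue
        cls = triage(rec)
        counts[cls] = counts.get(cls, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_ssl_log(line)
        print(rec["dst_ip"], tls_alert(rec), triage(rec))
    print(summarize(SAMPLE_LINES))
```

Running it over a real log tail separates the two situations the thread mixes up: lines classed untrusted_issuer need the issuing CA trusted by the firewall, while endpoint_incompatibility lines will not be fixed by importing certificates and are the ones worth capturing with Wireshark as the answer suggests.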
