Got TLS error: HANDSHAKE_FAILURE , wireshark says Handshake failure (40)

Question

I am getting error Got TLS error: FATAL alert returned by server: HANDSHAKE_FAILURE while handshaking in the below code. what may be the issue ?

#!/usr/bin/env python
# -*- coding: utf-8 -*-

from __future__ import with_statement
from __future__ import print_function
try:
    # This import works from the project directory
    from scapy_ssl_tls.ssl_tls import *
except ImportError:
    # If you installed this package via pip, you just need to execute this
    from scapy.layers.ssl_tls import *

tls_version = TLSVersion.TLS_1_2
# ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_128_GCM_SHA256]
# ciphers = [TLSCipherSuite.ECDHE_RSA_WITH_AES_256_CBC_SHA384]
# ciphers = [TLSCipherSuite.RSA_WITH_AES_128_CBC_SHA]
# ciphers = [TLSCipherSuite.RSA_WITH_RC4_128_SHA]
# ciphers = [TLSCipherSuite.DHE_RSA_WITH_AES_128_CBC_SHA]
# ciphers = [TLSCipherSuite.DHE_DSS_WITH_AES_128_CBC_SHA]
ciphers = [TLSCipherSuite.ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
extensions = [TLSExtension() / TLSExtECPointsFormat(),
              TLSExtension() / TLSExtSupportedGroups()]


def tls_client(ip):
    with TLSSocket(client=True) as tls_socket:
        try:
            print("kooo")
            tls_socket.connect(ip)
            print("Connected to server: %s" % (ip,))
        except socket.timeout:
            print("Failed to open connection to server: %s" % (ip,), file=sys.stderr)
        else:
            try:
                server_hello, server_kex = tls_socket.do_handshake(tls_version, ciphers, extensions)
                server_hello.show()
                tls_socket.setsockopt(socket.SOL_IP, socket.IP_TTL, 20)
            except TLSProtocolError as tpe:
                print("Got TLS error: %s" % tpe, file=sys.stderr)
                tpe.response.show()
            else:
                resp = tls_socket.do_round_trip(TLSPlaintext(data="GET / HTTP/1.1\r\nHost: pirate.trade\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n"))
                print("Got response from server")
                resp.show()
            # finally:
            #     print(tls_socket.tls_ctx)


if __name__ == "__main__":
    if len(sys.argv) > 2:
        server = (sys.argv[1], int(sys.argv[2]))
    else:
        server = ("pirate.trade", 443)
tls_client(server)

The above code is taken this link. https://github.com/tintinweb/scapy-ssl_tls/blob/master/examplesfull_rsa_connection_with_application_data.py

Client Hello packet while getting error

Server Hello packet while getting error (getting error in this packet)

Most of the discussions are saying this error is due to not any common cipher. But I verified there is common cipher. See below wireshark result while opening website through browser.

Is this because of missing SNI extension? if yes, how can I add that here ?

Answer 1

As you mentionned, the issue is probably that you're not using the right cipher suites. There's a problem with your capture : the ClientHello shows a 14 long cipher suites table but in your code you just add one and we expect to see 14 entries in your array.. You could expand the cipher suites table in the capture and check if ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 is there or not.