Need to see if your shared folder is taking up space on your dropbox 👨‍💻? Find out how to check here.

Forum Discussion

sundares80's avatar
sundares80
Explorer | Level 3
2 years ago

OTA update fails in CC3200

Hi All,   We are using the Dropbox API to do an OTA upgrade. We have a webclient application running on the TI microcontroller CC3200. We are using the Drop Box API from 2017 onwards, and it is wor...
API
Здравко's avatar
Здравко
Legendary | Level 20
2 years ago
Greg-DB wrote:

..., TLS Alerts like this can be expected in standard use of the TLS protocol. For example, they can be used to close the connection after successfully sending data. ...

Definitely NO!

Such a message (code 21) means incorrect encryption! Yes, it's known that many servers misbehave and most SSL/TLS libraries are ignoring this error and treat such as a break (as you said - even more, it's something mandatory with such a code), but this is definitely not something that should be expected. This is rather known bug in many implementation, but definitely not something that should be treated as "expected". The connection should be canceled exactly because the state is unexpected! By the way, most present day web servers (and not only) have corrected this issue; servers like yours are rather exceptions at present.

Greg-DB's avatar
Greg-DB
Icon for Dropbox Community Moderator rankDropbox Community Moderator
2 years ago

Здравко Can you clarify where/how you're seeing code 21 exactly and what type that is? I initially thought I had reproduced an AlertDescription 21, but I believe what I saw was actually just a record ContentType 21, which just means "alert", not a specific alert. In that case, it wouldn't necessarily indicate incorrect encryption or not. The actual alert content was still encrypted.

 

I was able to configure curl with SSLKEYLOGFILE and point Wireshark at the file so that it could decrypt the alerts though, in which case when I performed a /2/files/get_temporary_link Dropbox API call, I only saw TLS records with Content Type 21 and Alert Description 0, which is just Close Notify. I did not observe any Alert Description 21.

  • Здравко's avatar
    Здравко
    Legendary | Level 20
    2 years ago

    Hi Greg-DB,

    Yes, I may got confused about the exact code. I tried to reproduce it right now - unsuccessful.

     

    There is other strange situation though. Dropbox server refuses to renegotiate! Despite this activity support is optional, it's highly recommended (according to RFC 5246). About Client Hello:

    When this message will be sent:

       When a client first connects to a server, it is required to send

       the ClientHello as its first message. The client can also send a

       ClientHello in response to a HelloRequest or on its own initiative

       in order to renegotiate the security parameters in an existing

       connection.

    About "TLS protocol issues":

    While renegotiation is an optional feature, supporting it is
    highly recommended.

    When some client tries renegotiation, Dropbox response is:

    Received Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = Alert (21)
  Length = 18
    Level=fatal(2), description=no renegotiation(100)

     Hm...🤔 According documentation, such a message should be warning, not fatal!  Again, RFC 5246 states:

    no_renegotiation

       Sent by the client in response to a hello request or by the server

       in response to a client hello after initial handshaking. Either

       of these would normally lead to renegotiation; when that is not

       appropriate, the recipient should respond with this alert. At

       that point, the original requester can decide whether to proceed

       with the connection. One case where this would be appropriate is

       where a server has spawned a process to satisfy a request; the

       process might receive security parameters (key length,

       authentication, etc.) at startup, and it might be difficult to

       communicate changes to these parameters after that point. This

      message is always a warning.

    This is a step aside from OP, but I just discovered it and that's why I'm mentioning. Such a message doesn't let a chance to client to decide whether to proceed further (without renegotiation) or not! This is not an issue in particular situation since there is no preceding handshake in the shared pcap, so that alert cannot be such a type (despite no way to be certain since encrypted).

     

    There is another thing that may be interesting in context of OP. As can be seen (if we assume the alert is "close notify"), it comes from server side, not from client side (as it usually does). Such thing is possible only when in the request is header "Connection: close" or I was not able to reproduce it in other situation at least. So to be possible confirmation or rejection of this supposing (inappropriate header), sundares80  should send plain request to pseudo-server (like netcat, for instance) and see if there is some unintentional header. I suppose wouldn't be possible SSLKEYLOGFILE usage since most probably the application doesn't support it.

  • Greg-DB's avatar
    Greg-DB
    Icon for Dropbox Community Moderator rankDropbox Community Moderator
    2 years ago

    Здравко Thanks for writing that up! I'll pass it along to the team.

About Dropbox API Support & Feedback

Node avatar for Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.

The Dropbox Community team is active from Monday to Friday. We try to respond to you as soon as we can, usually within 2 hours.

If you need more help you can view your support options (expected response time for an email or ticket is 24 hours), or contact us on X, Facebook or Instagram.

For more info on available support options for your Dropbox plan, see this article.

If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!