Topic: [SOLVED] err = -313, revcd alert fatal error

Hi,
   After I compiled wolfSSL v3.9.8 on my Linux computer, I started to learn this library from CyaSSL-Manual.pdf.
   But when I run the command below, I receive error -313. I don't know why, could you please give some help?
   ./examples/client/client -h xxx.yyy.com -p zzz -d

    Note:
    1) All compile settings are default, I haven't changed any settings.
    2) In the command line, the web address and port number are correct. I just can't disclose them here.....


Re: [SOLVED] err = -313, revcd alert fatal error

I get the same problem:

> ./client -h gmail.google.com -p 443 -d -g
err = -313, revcd alert fatal error
wolfSSL error: wolfSSL_connect failed


Re: [SOLVED] err = -313, revcd alert fatal error

Hi,

"-313" means that the server has sent back a Fatal Alert to the client.  If this happens after the ClientHello message is sent, this most likely means that the client is not broadcasting support for a cipher suite or extension that the server requires.

To more accurately suggest a fix for the issue, can you provide:

1. wolfSSL debug log.  You can enable debugging by compiling wolfSSL with "--enable-debug".

2. Is this a publicly available server?  If so, can you share the host:port where we can reproduce the issue?

Some common solutions to this problem may be:

- If using ECC, the server requires the Supported Curves Extension to be enabled.  Compile wolfSSL with "--enable-supportedcurves" to resolve.
- wolfSSL has static key cipher suites disabled by default for security.  Please see note at the top of the README for instructions on re-enabling static-key cipher suites if your server requires them.

Thanks,
Chris

4 (edited by cxdinter 2016-08-16 02:30:12)

Re: [SOLVED] err = -313, revcd alert fatal error

Hi,
thanks for your quick help.
I added debug information, and enabled some parameters as you suggested. But I still receive the same error.
Actually, I am using an agency to visit this server, and you can't visit this server without the agency.

configure:
./configure --enable-opensslextra --enable-ecc --enable-supportedcurves --enable-debug --enable-psk --enable-aesccm

Debug information:

Shrinking output buffer

connect state: CLIENT_HELLO_SENT
received record layer msg
got ALERT!
Got alert
wolfSSL error occurred, error = 40
wolfSSL error occurred, error = -313
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -313
wolfSSL Entering ERR_error_string
err = -313, revcd alert fatal error
wolfSSL error: wolfSSL_connect failed

Can I get more detailed information in the debug log for this error?
What does error 40 mean?


Re: [SOLVED] err = -313, revcd alert fatal error

Hi,

The "40" error is simply reflecting the Fatal Alert message being received by the client.

It would be helpful to try and find out what cipher suites your server supports.  My guess is that the cipher suites you have enabled in wolfSSL don't include ones that are enabled on the server.  Do you have a way to find out what cipher suites are supported by your server?

If you can access your server IP:port, you could use nmap to scan the server for supported cipher suites:

$ nmap --script ssl-enum-ciphers -p 443 <host>

A few other options which you can try enabling in wolfSSL:

1. AES-GCM support (--enable-aesgcm)

2. Static key RSA cipher suites (./configure <options> C_EXTRA_FLAGS="-DWOLFSSL_STATIC_RSA")

Best Regards,
Chris
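
What the "40" in the debug log refers to at the wire level, as an added example that is not part of the original post or of wolfSSL's code: in TLS (RFC 5246) alert description 40 is handshake_failure, and the code below decodes a plaintext alert record such as the one a server returns after a ClientHello it cannot satisfy. The function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded plaintext TLS alert (RFC 5246, section 7.2). */
struct tls_alert { uint8_t level; uint8_t desc; };

/* Subset of alert descriptions commonly seen when a handshake fails. */
static const char *alert_name(uint8_t desc) {
    switch (desc) {
    case 0:   return "close_notify";
    case 10:  return "unexpected_message";
    case 20:  return "bad_record_mac";
    case 40:  return "handshake_failure";
    case 42:  return "bad_certificate";
    case 47:  return "illegal_parameter";
    case 48:  return "unknown_ca";
    case 70:  return "protocol_version";
    case 71:  return "insufficient_security";
    case 80:  return "internal_error";
    case 112: return "unrecognized_name";
    default:  return "unknown";
    }
}

/* Record layout: type(1) version(2) length(2) level(1) description(1).
 * Returns 0 on success, -1 if truncated, -2 if not an alert record,
 * -3 if the body is not 2 bytes (for example an encrypted alert). */
static int parse_alert_record(const uint8_t *rec, size_t len, struct tls_alert *out) {
    if (len < 5) return -1;
    if (rec[0] != 21) return -2;               /* content type 21 = alert */
    size_t body = ((size_t)rec[3] << 8) | rec[4];
    if (body != 2) return -3;
    if (len < 5 + body) return -1;
    out->level = rec[5];                       /* 1 = warning, 2 = fatal */
    out->desc = rec[6];
    return 0;
}

int main(void) {
    /* Constructed sample: fatal(2) handshake_failure(40) in a TLS 1.2 record. */
    const uint8_t rec[] = { 0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28 };
    struct tls_alert a;
    if (parse_alert_record(rec, sizeof rec, &a) == 0)
        printf("%s alert %u (%s)\n", a.level == 2 ? "fatal" : "warning",
               (unsigned)a.desc, alert_name(a.desc));
    return 0;
}
```
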

Re: [SOLVED] err = -313, revcd alert fatal error

As an addition to my last email, it could be the SSL/TLS protocol version as well.  The wolfSSL example client uses the "-v" option to specify the protocol version, where:

-v 1 TLS 1.0
-v 2 TLS 1.1
-v 3 TLS 1.2

If you have access to the "openssl s_client" application, that might also be a helpful way to test what a different implementation connects to your server with regards to protocol version and cipher suite.  To use s_client, you can connect using:

$ openssl s_client -connect host:port

Best Regards,
Chris

Re: [SOLVED] err = -313, revcd alert fatal error

Hi Chris,
     After adding C_EXTRA_FLAGS="-DWOLFSSL_STATIC_RSA" to configure, the client test program works normally!
     It's magic, thank you very much.
     But I still have a little doubt: when I configured --enable-debug, I can still see some errors, but without debug information everything is OK. Could you please kindly explain the difference? Why does the debug log still have errors?

     With --enable-debug (below is the end part of the debug log):

wolfSSL Entering wolfSSL_read()
wolfSSL Entering wolfSSL_read_internal()
wolfSSL Entering ReceiveData()
Embed receive connection closed
wolfSSL error occurred, error = -308
Peer reset or closed, connection done
wolfSSL error occurred, error = -397
wolfSSL Leaving wolfSSL_read_internal(), return 0
wolfSSL Entering SSL_shutdown()
wolfSSL Leaving SSL_shutdown(), return -1
wolfSSL Entering SSL_free
CTX ref count not 0 yet, no free
wolfSSL Entering BIO_free
wolfSSL Leaving SSL_free, return 0
wolfSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Leaving SSL_CTX_free, return 0
wolfSSL Entering wolfSSL_Cleanup

Without debug information (everything is OK):

SSL version is TLSv1.2
SSL cipher suite is TLS_RSA_WITH_AES_128_GCM_SHA256
SSL connect ok, sending GET...
Server response: HTTP/1.1 403 Forbidden
Date: Wed, 17 Aug 2016 06:25:01 GMT
Content-Length: 28
2
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE
HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</tit
le>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /in
dex.html
on this server.</p>
<hr>
<address>IBM_HTTP_Server at jazz.visteon.com
Port 9443</address>
</body></html>

On the other hand, I also learned some skills from you.
Like "$ openssl s_client -connect host:port", part of the information is below:

-----END CERTIFICATE-----
subject=/C=GB/ST=UK/L=CTS Slough/O=Visteon/OU=EIT/CN=s619784shvl22.ukslou1.savvis.net
issuer=/DC=com/DC=visteon/DC=ad/DC=vistcorp/CN=Visteon Corp. CA
---
No client certificate CA names sent
---
SSL handshake has read 4202 bytes and written 635 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256
    Session-ID: 7542000030FF5E127E03F091B919A5297F29208258585858A1FEB357000000E6
    Session-ID-ctx:
    Master-Key: AFA4A2F6256DD4DB0DF0740CCDD1E4DD4C6566CD6A4D7878F7BE222583BD0FBDA56CA0F475773C629EE4DD1DAA44D4E9
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1471460100
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---


Re: [SOLVED] err = -313, revcd alert fatal error

The error you are seeing in the debug log is just showing that the peer closed the connection.  This isn't showing up in a non-debug log since the example client is not treating it as an error.

Glad you are getting the chance to learn about SSL/TLS!  What type of application are you working on?

Re: [SOLVED] err = -313, revcd alert fatal error

Hi,
    Now I am working on a project which has a secure communication feature through TLS (between a car radio and a mobile phone). Our architect chose the wolfSSL library to implement the secure communication.
    Before, I had experience with crypto algorithms (like SHA/HMAC/RSA/ECDSA), but I have no experience with the SSL/TLS protocol. I appreciate having the chance to learn more in this forum, thanks a lot.

    By the way, our project team and purchasing team have already started to contact your company about buying a commercial license. But I don't know the business details, I am just an engineer.


Re: [SOLVED] err = -313, revcd alert fatal error

Thanks for the info, and glad to help!