Topic: Which cipher is actually being used in connect process.

I do a wolfSSL_get_ciphers() to get a list of the cipher suite currently being supported given my user_settings.h.

I'm trying to see the difference in stack and heap usage based on the cipher suite used.

I am printing out your debug message and watching the process flow.

I have tried forcing a cipher by using wolfSSL_CTX_set_cipher_list() but I see no change in performance or memory usage so I have no idea if that function call is even changing anything.

How can I identify which suite from the list is being used in the connect?

Thanks.

Joe

Share

2 (edited by JHinkle 2017-03-27 11:10:13)

Re: Which cipher is actually being used in connect process.

Here is another tag-along question ...

I have the suite narrowed down to:

DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA256

I am using method wolfTLSv1_2_client_method();

Both of those cipher suites are supported on the server using TLS 1.2 but NOT Lower.

When I attempt to connect, the server returns an ALERT on the first handshake and the connection is aborted.

I may be analyzing this all wrong, but I'm thinking WolfSSL sees these OLD ciphers and attempts the connect at a TLS version less than 1.2 which would then fail at the server.

Is there a way to see what version of TLS the initial handshake is?

Thanks.

p.s. -- if I enable ECC -- server connects no problem.

Share

Re: Which cipher is actually being used in connect process.

Hi JHinkle,

" if I enable ECC -- server connects no problem."

It almost sounds like the client is sending ECC certificates ONLY so the server can only select an ECC cipher suite. What certificates are being loaded in the client when you attempt to force an RSA cipher suite?

Is there a way to see what version of TLS the initial handshake is?

Yes, Wireshark!

OR

wolfSSL provides a function "showPeer" which takes an "ssl" object pointer (WOLFSSL*) as input. This function is in the header <wolfssl/test.h> that will print out the Protocol version, cipher suite, and other helpful information.


Best Regards,

Kaleb

Re: Which cipher is actually being used in connect process.

Hi JHinkle,

I see you are trying to compare the various cipher suite stack/heap use in a handshake based on cipher suite selected.

Here is how I would do just that.

Step 1:

Configure wolfSSL as so:

./configure CFLAGS=-DHAVE_STACK_SIZE

Step 2:

Execute the example client and server with the -t option from two separate terminals:

./examples/client/client -t
./examples/server/server -t

Step 3:

observe output:

SERVER SIDE:

SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL curve name is SECP256R1
Client message: hello wolfssl!
total   Allocs =        78
total   Deallocs =        78
total   Bytes  =    102064
peak    Bytes  =     44386  <--- PEAK
current Bytes  =         0
stack used = 34016   <--- STACK

CLIENT SIDE:

SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL curve name is SECP256R1
Server response: I hear you fa shizzle!
total   Allocs =        83
total   Deallocs =        83
total   Bytes  =     92666
peak    Bytes  =     44807   <--- PEAK
current Bytes  =         0
stack used = 39136   <--- STACK

Then I would start optimizing things (See configure help output).

./configure -h

To try out specific cipher suites see how we do this by referencing the file: <wolfssl-root>/tests/test.conf

EXAMPLE:

To test the Server and client w/ TLSv1.2 and DHE-RSA-CHACHA20-POLY1305 you would use these commands:

./examples/server/server -l DHE-RSA-CHACHA20-POLY1305
./examples/client/client -l DHE-RSA-CHACHA20-POLY1305

To do ECC suites you'll need to load ECC certificates like so:

./examples/server/server -l ECDHE-ECDSA-CHACHA20-POLY1305 -c ./certs/server-ecc.pem -k ./certs/ecc-key.pem
./examples/client/client -l ECDHE-ECDSA-CHACHA20-POLY1305 -A ./certs/server-ecc.pem

Hope this all helps!

(Suggestion, try running an ECC cipher suite then modify your configuration to

./configure CFLAGS="-DHAVE_STACK_SIZE -DALT_ECC_SIZE"

what is the difference? Now try adding "-DECC_USER_CURVES" as well, how much difference now? This will give you an idea of just how configurable wolfSSL can be and that is not even the smallest yet. For more in-depth configurations please see our manual here: https://wolfssl.com/wolfSSL/Docs-wolfss … -toc.html)


Warm Regards,

Kaleb