Topic: [SOLVED] Unable to force a specific cipher suite to a server CTX

I'm working with the demo wolfssl_tcp_server on MPLAB Harmony on the PIC32MZ crypto board. I'm trying to force the "ADH-AES128-SHA" cipher suite to the wolfSSL_CTX by:

net_pres_wolfSSLInfoStreamServer0.context = wolfSSL_CTX_new(wolfSSLv23_server_method());
int ret = wolfSSL_CTX_set_cipher_list(net_pres_wolfSSLInfoStreamServer0.context, "ADH-AES128-SHA");

and while I try to connect to the server using the same cipher, I receive an error code 501 (Match_Suite_Error).

I have the trace file attached.

Can someone tell me if I'm missing something here?


Re: [SOLVED] Unable to force a specific cipher suite to a server CTX

Hi thivya_ashok,

What is the value of "ret" in:

int ret = wolfSSL_CTX_set_cipher_list(net_pres_wolfSSLInfoStreamServer0.context, "ADH-AES128-SHA");

Does ret == SSL_SUCCESS?

Also, the tracefile did not come through, could you re-send please?

- Kaleb

Re: [SOLVED] Unable to force a specific cipher suite to a server CTX

Hi Kaleb,
The ret had a value of 1 which is SSL_SUCCESS.

By working further on this issue, I found that wolfSSL v3.12.2 works with the specified cipher. I'm running MPLAB Harmony 4.0 which has wolfSSL v3.12.0 and it does not work with the above anonymous cipher.

I tried building the wolfSSL.X project under the mplabx folder in wolfssl 3.12.2 but I couldn't. It breaks throwing a whole bunch of errors.


Re: [SOLVED] Unable to force a specific cipher suite to a server CTX

Hi thivya,

One of our developers did some quick testing on the latest wolfSSL.X project and there was an error thrown about our file name change from:

<wolf-root>/src/io.c ---> <wolf-root>/src/wolfio.c
<wolf-root>/wolfssl/io.h ---> <wolf-root>/wolfssl/wolfio.h

Fixing those resolved the issues. You said a "whole bunch of errors", could you send us a copy of those errors that we might determine what is happening there?

thivya_ashok wrote:

I'm running MPLAB Harmony 4.0 which has wolfSSL v3.12.0 and it does not work with the above anonymous cipher.

It could be that the default configuration for MPLAB harmony just doesn't have the cipher suite configured.
Could you check if the configuration being used includes the define HAVE_ANON and does NOT have the define NO_DH?

Regards,

Kaleb

5 (edited by thivya_ashok 2018-01-09 10:03:39)

Re: [SOLVED] Unable to force a specific cipher suite to a server CTX

Hi Kaleb,

Kaleb J. Himes wrote:

It could be that the default configuration for MPLAB harmony just doesn't have the cipher suite configured.
Could you check if the configuration being used includes the define HAVE_ANON and does NOT have the define NO_DH?

I was able to resolve the build issue by including the header files that weren't referenced in the MPLAB IDE.
However, I still cannot get the anonymous cipher working. I tried forcing a different RSA cipher suite and it worked. So, I'm pretty sure it has something to do with the configuration. I have HAVE_ANON defined and NO_DH is NOT defined but still I couldn't get it working. When I tried building the wolfssl project on Linux with --enable-anon, the cipher suite works. I've attached the config file I use. Is there anything else I'm missing?


Re: [SOLVED] Unable to force a specific cipher suite to a server CTX

I'm attaching the log file showing the error, as well.


Re: [SOLVED] Unable to force a specific cipher suite to a server CTX

Hi thivya_ashok,

If not already doing so could you try calling this API before wolfSSL_CTX_set_cipher_list:

wolfSSL_CTX_allow_anon_cipher(ctx);

See an example here:
https://github.com/wolfSSL/wolfssl/blob … nt.c#L1542

Let me know your results.

Warm Regards,


Kaleb

8 (edited by thivya_ashok 2018-01-17 10:58:40)

Re: [SOLVED] Unable to force a specific cipher suite to a server CTX

Kaleb J. Himes wrote:

Hi thivya_ashok,

If not already doing so could you try calling this API before wolfSSL_CTX_set_cipher_list:

wolfSSL_CTX_allow_anon_cipher(ctx);

See an example here:
https://github.com/wolfSSL/wolfssl/blob … nt.c#L1542

Let me know your results.

Warm Regards,


Kaleb

Kaleb,
I had already included the API you had suggested but no luck. Here is the code snippet from net_pres_enc_glue.c, where the wolfssl CTX is created:

    if (_net_pres_wolfsslUsers == 0)
    {
        wolfSSL_Init();
        wolfSSL_SetLoggingCb(NET_PRES_EncProviderStreamServerLog0);
        wolfSSL_Debugging_ON();
        _net_pres_wolfsslUsers++;
    }
    net_pres_wolfSSLInfoStreamServer0.transObject = transObject;
    net_pres_wolfSSLInfoStreamServer0.context = wolfSSL_CTX_new(wolfSSLv23_server_method());
    if (net_pres_wolfSSLInfoStreamServer0.context == 0)
    {
        return false;
    }
    wolfSSL_CTX_allow_anon_cipher(net_pres_wolfSSLInfoStreamServer0.context);
    wolfSSL_CTX_set_cipher_list(net_pres_wolfSSLInfoStreamServer0.context, "ADH-AES128-SHA");
    wolfSSL_SetIORecv(net_pres_wolfSSLInfoStreamServer0.context, (CallbackIORecv)&NET_PRES_EncGlue_StreamServerReceiveCb0);
    wolfSSL_SetIOSend(net_pres_wolfSSLInfoStreamServer0.context, (CallbackIOSend)&NET_PRES_EncGlue_StreamServerSendCb0);
    if (wolfSSL_CTX_use_certificate_buffer(net_pres_wolfSSLInfoStreamServer0.context, serverCertPtr, serverCertLen, SSL_FILETYPE_ASN1) != SSL_SUCCESS)
    {
        wolfSSL_CTX_free(net_pres_wolfSSLInfoStreamServer0.context);
        return false;
    }

It's really weird that I'm able to use the cipher suite when I run the standalone wolfSSL on Linux but not the one integrated with MPLAB.

Is the cipher suite accessible in the MPLAB.X project at your end?


Re: [SOLVED] Unable to force a specific cipher suite to a server CTX

Kaleb,
I figured out that the haveDH byte was never set in the configuration despite not defining NO_DH. So, when I explicitly set the value of haveDH to 1 in the SSL context, I was able to get past a few more steps in the handshake process. At this point, by looking into the traces, I figured out that I had to set the DH parameters through a PEM file. When I tried enabling the filesystem (by removing the NO_FILESYSTEM macro), I ran into a different issue. Initially, the compilation failed saying it couldn't find the file <dirent.h>. Is this because I'm compiling it on a Windows 10 machine? Then I tried defining the USE_WINDOWS_API macro to fix this error, and now it can't find <winsock2.h>.

Can you help me with this?


Re: [SOLVED] Unable to force a specific cipher suite to a server CTX

OH! thivya,

Were you not setting the DH parameters?

Oh my goodness, I am so sorry I overlooked that!

In addition to your other setup, could you please use the dh_buffer API (like the certificate_buffer alternative to using the file system):

wolfSSL_CTX_SetTmpDH_buffer(ctx, dh_buffer, dh_buffer_size, [SSL_FILETYPE_PEM / SSL_FILETYPE_ASN1]);

Regards,

Kaleb
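
Added example (not part of any post in this thread, and not wolfSSL or Harmony code): the checks suggested above (HAVE_ANON defined, NO_DH not defined, wolfSSL_CTX_allow_anon_cipher called before wolfSSL_CTX_set_cipher_list, DH parameters set) collected into one static preflight over a config header and a glue source file. The function names and the two sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Static preflight for an ADH server build. It only greps text, so calls
# inside comments or disabled #if blocks are not distinguished.

# has_define FILE MACRO: succeeds if FILE has an uncommented "#define MACRO".
has_define() {
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+${2}([[:space:]]|\$)" "$1"
}

# first_call FILE FUNC: prints the line number of the first "FUNC(" in FILE.
first_call() {
    grep -n "${2}[[:space:]]*(" "$1" | head -n 1 | cut -d: -f1
}

# adh_preflight CONFIG_H SOURCE_C: prints one finding per line; returns 1 if any.
adh_preflight() {
    cfg=$1; src=$2; bad=0
    if ! has_define "$cfg" HAVE_ANON; then echo "config: HAVE_ANON not defined"; bad=1; fi
    if has_define "$cfg" NO_DH; then echo "config: NO_DH defined"; bad=1; fi
    allow=$(first_call "$src" wolfSSL_CTX_allow_anon_cipher)
    list=$(first_call "$src" wolfSSL_CTX_set_cipher_list)
    if [ -z "$allow" ]; then
        echo "source: wolfSSL_CTX_allow_anon_cipher never called"; bad=1
    elif [ -n "$list" ] && [ "$allow" -gt "$list" ]; then
        echo "source: allow_anon_cipher called after set_cipher_list"; bad=1
    fi
    # Matches wolfSSL_CTX_SetTmpDH, wolfSSL_CTX_SetTmpDH_buffer and per-session forms.
    if ! grep -Eq 'wolfSSL_(CTX_)?SetTmpDH' "$src"; then
        echo "source: no DH parameters set (SetTmpDH)"; bad=1
    fi
    return "$bad"
}

# write_samples DIR: constructed inputs modelled on the setup posted above.
write_samples() {
    printf '%s\n' '#define HAVE_ANON' '// #define NO_DH' '#define NO_FILESYSTEM' > "$1/config.h"
    printf '%s\n' \
        'ctx = wolfSSL_CTX_new(wolfSSLv23_server_method());' \
        'wolfSSL_CTX_allow_anon_cipher(ctx);' \
        'wolfSSL_CTX_set_cipher_list(ctx, "ADH-AES128-SHA");' > "$1/glue.c"
}

tmp=$(mktemp -d)
write_samples "$tmp"
adh_preflight "$tmp/config.h" "$tmp/glue.c" || echo "preflight failed"
```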

11 (edited by thivya_ashok 2018-01-23 17:55:59)

Re: [SOLVED] Unable to force a specific cipher suite to a server CTX

Kaleb,
I used the wolfSSL_CTX_SetTmpDH() directly and passed the values directly and got it to work. Thanks!

It works well with IPv4. I tried enabling IPv6 and I wasn't able to make a connection to the IPv6 server from an openssl s_client. I used the command openssl s_client -cipher ADH-AES128-SHA -connect [link local IPv6 address]:443. I received an error 19.

However, I'm able to access the server from a web browser (without forcing a specific cipher suite) when I try accessing https://[link local IPv6 address].

Why do you think I'm unable to access the server from openssl command line through the IPv6 address?

I'm running openssl 1.1.0f on Linux Mint 18.2.


12 (edited by JasinSwift 2018-01-24 02:08:58)

Re: [SOLVED] Unable to force a specific cipher suite to a server CTX

thivya_ashok wrote:

Kaleb,
I used the wolfSSL_CTX_SetTmpDH() directly and passed the values directly and got it to work. Thanks!

It works well with IPv4. I tried enabling IPv6 and I wasn't able to make a connection to the IPv6 server from an openssl s_client. I used the command openssl s_client -cipher ADH-AES128-SHA -connect [link local IPv6 address]:443. I received an error 19.

However, I'm able to access the server from a web browser (without forcing a specific cipher suite) when I try accessing https://[link local IPv6 address].

Why do you think I'm unable to access the server from openssl command line through the IPv6 address?

I'm running openssl 1.1.0f on Linux Mint 18.2.

Hey.
After the last update, I tried out IPv6, and it started to work. Definitely on my website.
Of course, IPv4 works fine. But check it, and try it.
Regards,
-Jasin