1 (edited by caseyf 2018-02-01 15:46:33)

Topic: [SOLVED] Can't get WolfSSL to connect to this host: error -313,

Hello!

I can't figure out what is causing this:

 ./examples/client/client  -h dreamwidth.org -p 443 -d -g
wolfSSL_connect error -313, revcd alert fatal error
wolfSSL error: wolfSSL_connect failed

This server is running on AWS cloudfront so it's nothing exotic?
https://www.ssllabs.com/ssltest/analyze … amp;latest

I compiled on amd64 with:

./configure C_EXTRA_FLAGS="-DWOLFSSL_STATIC_RSA" --prefix=/opt/wolfssl-3.13.0 --enable-ecc --enable-ecccustcurves --enable-aesgcm --enable-sni --enable-tls13


Re: [SOLVED] Can't get WolfSSL to connect to this host: error -313,

Here is the debug log:

wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
wolfSSL Entering WOLFSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_use_certificate_chain_file
Getting dynamic buffer
wolfSSL Entering PemToDer
Checking cert signature type
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Not ECDSA cert signature
wolfSSL Entering wolfSSL_CTX_use_PrivateKey_file
Getting dynamic buffer
wolfSSL Entering PemToDer
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Entering wolfSSL_CTX_set_verify
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Entering SSL_set_read_fd
wolfSSL Leaving SSL_set_read_fd, return 1
wolfSSL Entering SSL_set_write_fd
wolfSSL Leaving SSL_set_write_fd, return 1
wolfSSL Entering SSL_connect()
Adding signature algorithms extension
growing output buffer

Signature Algorithms extension to write
Point Formats extension to write
Elliptic Curves extension to write
Shrinking output buffer

connect state: CLIENT_HELLO_SENT
received record layer msg
got ALERT!
Got alert
wolfSSL error occurred, error = 40
wolfSSL error occurred, error = -313
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -313
wolfSSL Entering ERR_error_string
wolfSSL_connect error -313, revcd alert fatal error
wolfSSL Entering SSL_free
CTX ref count not 0 yet, no free
wolfSSL Leaving SSL_free, return 0
wolfSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Leaving SSL_CTX_free, return 0
wolfSSL error: wolfSSL_connect failed


Re: [SOLVED] Can't get WolfSSL to connect to this host: error -313,

Hi caseyf,

Thanks for using the wolfSSL forums. I'm looking into this now but must admit I'm a bit stumped. I have tried multiple tests against that server, I can tell it supports the following cipher suites:

|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C

I can connect to it with multiple browser clients.

I can see a successful connection in Google Chrome

Secure connection
The connection to this site is encrypted and authenticated using TLS 1.2 (a strong protocol), ECDHE_RSA with P-256 (a strong key exchange), and AES_128_GCM (a strong cipher)

But when I try to use the same cipher with wolfssl example client I get an immediate rejection from the server:

kalebhimes$ ./examples/client/client -h dreamwidth.org -p 443 -d -g -l ECDHE-RSA-AES128-GCM-SHA256
wolfSSL_connect error -313, revcd alert fatal error
wolfSSL error: wolfSSL_connect failed

I'll keep digging and let you know if I find the reason.


Warm Regards,

Kaleb

Re: [SOLVED] Can't get WolfSSL to connect to this host: error -313,

caseyf,

I suspect I may have found what is going on. If I ping that domain repeatedly

ping dreamwidth.org

I keep getting different IP addresses. This made me wonder if it required server name indication perhaps so I tried:

kalebhimes$ ./examples/client/client -h dreamwidth.org -p 443 -d -g -S "dreamwidth.org"
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL curve name is SECP256R1
SSL connect ok, sending GET...
HTTP/1.1 400 Bad Request
Server: CloudFront
Date: Fri, 02 Feb 2018 23:52:37 GMT
Content-Type: text/html
Content-Length: 551
Connection: close
X-Cache: E

The -S option tells our example client to send the Server Name extension. Could you try that and let me know your results?

I'm also attaching a wireshark trace of the successful connection when the server name indication extension is sent.

Warm Regards,

Kaleb

Post's attachments

dreamwidth_org_capture_KH.pcapng 9.22 kb, 1 downloads since 2018-02-02 
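The diagnosis above rests on one observable: whether the ClientHello carries a server_name (SNI) extension. The debug log earlier in the thread lists only "Signature Algorithms", "Point Formats" and "Elliptic Curves" as extensions being written, and a CloudFront front end that hosts many names behind one IP answers a name-less ClientHello with a fatal alert, which is exactly the -313 the client reports. The following is an added example, not code from the thread or from wolfSSL: it builds a minimal TLS 1.2 ClientHello with or without SNI and parses the extension list back out, so the same parser can be pointed at the raw bytes of a real ClientHello exported from a Wireshark capture (such as the one attached to the post above) to confirm what a client actually sent. The cipher suite, curve and signature algorithm values are constructed to mirror the negotiated parameters shown in the thread; the record built here is far simpler than what wolfSSL itself emits.

```python
import os
import struct

# TLS extension type numbers (RFC 6066, RFC 8422, RFC 5246).
EXT_SERVER_NAME = 0
EXT_SUPPORTED_GROUPS = 10      # shown as "Elliptic Curves" in the wolfSSL debug log
EXT_EC_POINT_FORMATS = 11      # "Point Formats"
EXT_SIGNATURE_ALGORITHMS = 13  # "Signature Algorithms"

EXT_NAMES = {
    EXT_SERVER_NAME: "server_name",
    EXT_SUPPORTED_GROUPS: "supported_groups",
    EXT_EC_POINT_FORMATS: "ec_point_formats",
    EXT_SIGNATURE_ALGORITHMS: "signature_algorithms",
}


def sni_extension(hostname: str) -> bytes:
    """RFC 6066 server_name extension carrying a single host_name entry."""
    name = hostname.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list


def build_client_hello(hostname=None, random_bytes=None) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello inside a TLS record.

    Offers one suite, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F), secp256r1
    and rsa_pkcs1_sha256, i.e. the parameters the successful connection in the
    thread negotiated. The server_name extension is added only when a hostname
    is given, mirroring the difference between running the client with and
    without -S.
    """
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    body = b"\x03\x03" + rnd + b"\x00"              # client_version, random, empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"      # cipher_suites
    body += b"\x01\x00"                              # compression_methods: null only
    exts = b""
    if hostname is not None:
        exts += sni_extension(hostname)
    exts += struct.pack("!HH", EXT_EC_POINT_FORMATS, 2) + b"\x01\x00"           # uncompressed
    exts += struct.pack("!HH", EXT_SUPPORTED_GROUPS, 4) + b"\x00\x02\x00\x17"   # secp256r1
    exts += struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, 4) + b"\x00\x02\x04\x01"  # rsa_pkcs1_sha256
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def parse_client_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: extension_body} for a ClientHello TLS record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                             # client_version + random
    pos += 1 + body[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    exts = {}
    if pos == len(body):
        return exts                                          # legacy hello, no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        exts[etype] = body[pos:pos + elen]
        pos += elen
    return exts


def sni_hostname(record: bytes):
    """Hostname from the server_name extension, or None when the ClientHello has no SNI."""
    ext = parse_client_hello_extensions(record).get(EXT_SERVER_NAME)
    if ext is None:
        return None
    # ext = list length (2) | name_type (1) | name length (2) | host_name
    name_len = struct.unpack("!H", ext[3:5])[0]
    return ext[5:5 + name_len].decode("idna")


if __name__ == "__main__":
    for host in (None, "dreamwidth.org"):
        rec = build_client_hello(host)
        names = [EXT_NAMES.get(t, t) for t in parse_client_hello_extensions(rec)]
        print(f"SNI={sni_hostname(rec)!r} extensions={names}")
```

To check a real client rather than the constructed hello, select the ClientHello record in Wireshark, copy it as a hex stream, and pass `bytes.fromhex(...)` to `sni_hostname`; a result of `None` on a multi-tenant front end like CloudFront is the condition that produces the fatal alert seen above. On the library side, the page's `-S` option corresponds to enabling SNI in the build (`--enable-sni`, already in the configure line in the first post) and then asking the context or session to send the name, which the example client does on the user's behalf.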

5 (edited by caseyf 2018-02-05 08:07:39)

Re: [SOLVED] Can't get WolfSSL to connect to this host: error -313,

oh! Thanks so much for chasing this down. I thought to try building with `--enable-sni` but I wasn't testing it correctly.

Yes, that works perfectly.


Re: [SOLVED] Can't get WolfSSL to connect to this host: error -313,

caseyf,

Great! Glad to hear that worked!

If you ever have any other questions feel free to send a note to support@wolfssl.com for quicker response times than the forums.

Thank you for using the wolfSSL forums and glad we were able to assist on this.

Warmest Regards,

Kaleb