Welcome to the wolfSSL Forums!

olle · 2018-01-23 09:02:15

olle
Member
Offline

Registered: 2018-01-23
Posts: 12

Topic: How to turn on TLS Extensions (from JNI)

Hi,

I am new to WolfSSL and trying to write a DTLS 1.0 client (using Java JNI) that communicates with an OpenSSL server (that I cannot change). And I cannot get it to work.

When I look at working communication with the server (using tcpdump) I see that they use the SessionTicket TLS and Heartbeat TLS Extensions, while the example WolfSSL JNI Client that I modified use the ExtendedMasterSecret Extension. I don't know if this difference is actually causing the problem, but wonder if I should turn on these Extensions (SessionTicket and Heartbeat) in the client session or something (and if so how do I do it)?

The support team from the server side said it fails due to that I send a second CLIENT_HELLO (with cookie?) after the first negotiation. When I try to read about DTLS it seems that there are multiple ways to do the handshaking and my client and the server does not agree on how to do it.

Debug logging gives this:

./client.sh -u -s -v 2 -p 41230 -h fd00:aaaa::3 -l PSK-AES256-CBC-SHA
wolfSSL Entering DTLSv1_client_method
wolfSSL Entering DTLSv1_client_method_ex
wolfSSL Entering WOLFSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering SSL_CTX_set_psk_client_callback
wolfSSL Entering wolfSSL_CTX_set_cipher_list
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering wolfSSL_set_jobject
wolfSSL Entering wolfSSL_EnableCRL
wolfSSL Entering wolfSSL_CertManagerEnableCRL
wolfSSL Entering InitCRL
wolfSSL Entering wolfSSL_LoadCRL
wolfSSL Entering wolfSSL_CertManagerLoadCRL
wolfSSL Entering LoadCRL
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
not .pem file, skipping
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
wolfSSL Entering wolfSSL_SetCRL_Cb
wolfSSL Entering wolfSSL_CertManagerSetCRL_Cb
Registered I/O callbacks
wolfSSL Entering SSL_connect()
Adding signature algorithms extension
growing output buffer

wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

wolfSSL Entering wolfSSL_get_jobject
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Entering VerifyClientSuite
Requires PSK
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
More records in input
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
No Cert required
No KeyExchange required
processing server hello done
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
connect state: HELLO_AGAIN
Adding signature algorithms extension
growing output buffer

wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer

connect state: HELLO_AGAIN_REPLY
connect state: FIRST_REPLY_DONE
connect state: FIRST_REPLY_FIRST
wolfSSL Entering SendClientKeyExchange
wolfSSL Entering wolfSSL_get_jobject
PSK Client Callback:64
 | PSK hint : ''
Arrays.toString(key) = [18, 52, 86, 120, -112, 18, 52, 86, 120, -112, 18, 52, 86, 120, -112, -86, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
growing output buffer

wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer

wolfSSL Leaving SendClientKeyExchange, return 0
sent: client key exchange
connect state: FIRST_REPLY_SECOND
connect state: FIRST_REPLY_THIRD
growing output buffer

sent: change cipher spec
connect state: FIRST_REPLY_FOURTH
growing output buffer

wolfSSL Entering BuildMessage
wolfSSL Leaving BuildMessage, return 0
wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer

sent: finished
connect state: FINISHED_DONE
wolfSSL Entering wolfSSL_get_jobject
received record layer msg
got ALERT!
Got alert
wolfSSL error occurred, error = 40 line:11575 file:src/internal.c
wolfSSL error occurred, error = 313 line:9003 file:src/ssl.c
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -313
wolfSSL Entering ERR_error_string
wolfSSL_connect failed. err = -313, revcd alert fatal error

I think the alert at the end is due to the server not accepting a second CLIENT_HELLO.

I could attach a tcpdump if that helps.

Any help appreciated
Thanks in advance
/Olle Sundblad
PS Full WolfSSL config here: ./configure --enable-jni --enable-dtls --enable-oldtls --enable-psk --enable-aesgcm --enable-opensslextra --enable-ecc --enable-supportedcurves --enable-sctp --enable-debug --enable-sniffer CFLAGS="-DWOLFSSL_STATIC_PSK" C_EXTRA_FLAGS="-g1 -feliminate-unused-debug-symbols -fdebug-types-section -DWOLFSSL_STATIC_RSA"

dgarske · 2018-01-25 13:55:47

dgarske
Moderator
Offline

Registered: 2015-10-07
Posts: 430

Re: How to turn on TLS Extensions (from JNI)

Hi olle,

The alert 40 is `handshake_failure`. That might indicate a PSK key error. What are you using for the server side? We'd like to setup a local test against the same DTLS server.

Have you seen our example PSK callback functions here?
https://github.com/wolfSSL/wolfssl/blob … st.h#L1082

Thanks,
David Garske, wolfSSL

olle · 2018-02-06 02:46:45

olle
Member
Offline

Registered: 2018-01-23
Posts: 12

Re: How to turn on TLS Extensions (from JNI)

Hi again,

Sorry for the late reply (was on vacation).

I use the JNI example and modified the MyPskClientCallback class (full code below) to use the following psk: 123456789012345678901234567890AA (yes the code it a bit weird but it generates the same byte array as the server uses).

I also have a wireshark dump of the communication if that helps?

I am a noob at DTLS but from reading about more about the Heartbeat extension I understood it shouldn't affect the handshake so I guess it is not relevant to our problem?

Thanks for the response
/Olle Sundblad

package com.wolfssl.example;

import com.wolfssl.WolfSSLPskClientCallback;
import com.wolfssl.WolfSSLSession;

import java.util.Arrays;

class MyPskClientCallback implements WolfSSLPskClientCallback {

    public long pskClientCallback(final WolfSSLSession ssl, final String hint,
                                  final StringBuffer identity, final long idMaxLen, final byte[] key,
                                  final long keyMaxLen) {

        System.out.println("PSK Client Callback:" + key.length);

        // we don't use hint here, just print out
        System.out.println(" | PSK hint : " + hint);

        // set the client identity
        if (identity.length() != 0) {
            System.out.println("identity StringBuffer is not empty!");
            return 0;
        }
        identity.append("Client_identity");

        // create key "123456789012345678901234567890AA"
        for (int i = 0; i < 32; i += 2) {
            final int hb = (i + 1) % 10;
            final int lb = (i + 2) % 10;
            key[i/2] = i < 30 ? (byte) ((hb << 4) + lb) : (byte) ((0xa << 4) + 0xa);
        }
        System.out.println("Arrays.toString(key) = " + Arrays.toString(key));

        // return size of key
        return 16;
    }
}

Post's attachments

dump.pcap 1.19 kb, 6 downloads since 2018-02-06

You don't have the permssions to download the attachments of this post.

olle · 2018-02-06 02:51:46

olle
Member
Offline

Registered: 2018-01-23
Posts: 12

Re: How to turn on TLS Extensions (from JNI)

I couldn't find a way to add a second attachment so here is dump of working communication (frame 20-25) using their client.

A question: Can the communication at frame 20 somehow depend on the previous communication with fd00:aaaa::3 ?

/Olle

Post's attachments

dump_working_full.pcap 7.07 kb, 6 downloads since 2018-02-06

You don't have the permssions to download the attachments of this post.

Kaleb J. Himes · 2018-02-06 17:01:05

Kaleb J. Himes
Moderator
Offline

From: Bozeman
Registered: 2014-05-09
Posts: 777

Re: How to turn on TLS Extensions (from JNI)

Hi olle,

Could you tell us about the project you're working on and interest in working with our JNI solution?

Is there a public server we can test against to reproduce this behavior on our end for testing?

Regards,

Kaleb

olle · 2018-02-07 02:41:02

olle
Member
Offline

Registered: 2018-01-23
Posts: 12

Re: How to turn on TLS Extensions (from JNI)

Hi,

Could you tell us about the project you're working on and interest in working with our JNI solution?

Of course. We are making a Smart Home system, i.e. controlling dimmers, smart plugs, measuring energy and water consumption among other things. (here is an add for the system https://www3.fortum.com/products-and-se … ter-living)

We support several communication standards, among them Z-Wave and their new Z/IP protocol. And here is where we ran into problems: Z/IP uses only PSK DTLS1 based on OpenSSL and that combined with that our "smart" part of the solution is written in Java I/we thought it wouldn't be such a problem, just use BC (Bouncy Castle) and be done with it. But BC had a known issue that they don't fully support the Hello protocol so we lost the first message in every DTLS session. So we had to find another solution, I couldn't find any other pure Java options I went for the second best a JNI solution again couldn't find any based on OpenSSL bud did find WolfSSL which seems actually better than OpenSSL in a lot of ways. And with WolfSSL we got PSK DTLS1 working but sadly not with the Z/IP server.

The problems:
- I cannot send you a working Z/IP server since we have a disclosure agreement with Sigma Designs, anyway the server does not work without the special Z/IP hardware chips from Sigma Designs.
- Sigma Design does not seem super interested in helping us since their Z/IP server works with their own C client (https://github.com/Z-WavePublic/libzwaveip).

Some motivation for you is that if we can get WolfSSL working with the Z/IP client (and decide to use it) we will buy the commercial license for it.

/Olle
PS We are working on other ways to communicate with the server one is writing our own JNI code to the working C code provided by Sigma Designs.

dgarske · 2018-02-08 11:41:48

dgarske
Moderator
Offline

Registered: 2015-10-07
Posts: 430

Re: How to turn on TLS Extensions (from JNI)

Hi olle,

We are looking into the DTLS 1.0 report. We see the CLIENT_HELLO retried even though the SERVER_HELLO is received. We believe this causes the DTLS sever to drop the connection since the second CLIENT_HELLO does not include the same packet information as the first request (its missing TLS extensions). We believe this may be a bug with our DTLS 1.0 code and we hope to have a fix available shortly. Thanks for your details report and we will provide you a followup soon.

Thanks,
David Garske, wolfSSL

john · 2018-02-08 16:18:21

john
Moderator
Offline

From: Seattle, WA
Registered: 2011-11-14
Posts: 148

Re: How to turn on TLS Extensions (from JNI)

Olle:

Which version of wolfSSL are you using? Is it v3.13.0?

Digging into your capture files a couple things catch my interest. In dump.pcap, you have two client hello messages. The second one isn't a retransmission. It is the second client hello. It should only come in response to a hello verify request from the server, which your server doesn't send, and should be longer than the initial hello. I'd like to know why the client is doing that. I'm going to look at that some more. But, I'm not quite seeing that behavior here. My second client hello comes through as expected.

In your case, the client should NOT send a second hello message as your server isn't sending the hello verify request message. The server alert is due to it receiving two separate client hello messages with separate handshake message sequence numbers, and not expecting the second one because it didn't send the hello verify request.

Do you know why the server isn't sending the hello verify request? Is that an option you disabled? I'm going to try to hack my server so it doesn't send the hello verify request message. The client should be able to handle not getting it. (The client is required to respond to the message, but the server is not required to send it.)

--John

olle · 2018-02-09 09:34:47

olle
Member
Offline

Registered: 2018-01-23
Posts: 12

Re: How to turn on TLS Extensions (from JNI)

Now I am a bit ashamed. When you asked what version I am using I realized that the dumps are probably not on an official release.

I started with 3.12.2 but we had some issues so I cloned the GitHub repo, and when I realized that the issues were our config parameters I forgot to switch back to 3.12.2 so the dumps are from a GitHub clone.

I am now trying to build the official 3.13.0 release but it is failing in the tests, and I want those to work (as they did before) before I try the JNI part again.

The current output is (and test-suite.log is attached) if you have any quick tip otherwise I will continue with it on monday (as it is Friday late afternoon here).

Do you know why the server isn't sending the hello verify request? Is that an option you disabled? I'm going to try to hack my server so it doesn't send the hello verify request message. The client should be able to handle not getting it. (The client is required to respond to the message, but the server is not required to send it.)

No I looked through their CMakeList.txt and can't find any parameters/config to OpenSSL. I will try to find out if they do anything in the C code Monday.

Thanks for the help
/Olle

tingco@thomedev08tomas:~/dev/olle/wolfssl-3.13.0$ make test
make -j3  check-am
make[1]: Entering directory `/home/tingco/dev/olle/wolfssl-3.13.0'
make -j3   testsuite/testsuite.test tests/unit.test  scripts/sniffer-testsuite.test scripts/resume.test scripts/tls-cert-fail.test scripts/crl-revoked.test scripts/ocsp.test   scripts/psk.test    
make[2]: Entering directory `/home/tingco/dev/olle/wolfssl-3.13.0'
make[2]: warning: -jN forced in submake: disabling jobserver mode.
make[2]: Nothing to be done for `scripts/sniffer-testsuite.test'.
make[2]: Nothing to be done for `scripts/resume.test'.
make[2]: Nothing to be done for `scripts/tls-cert-fail.test'.
make[2]: Nothing to be done for `scripts/crl-revoked.test'.
make[2]: Nothing to be done for `scripts/ocsp.test'.
make[2]: Nothing to be done for `scripts/psk.test'.
make[2]: `tests/unit.test' is up to date.
make[2]: Leaving directory `/home/tingco/dev/olle/wolfssl-3.13.0'
make -j3  check-TESTS
make[2]: Entering directory `/home/tingco/dev/olle/wolfssl-3.13.0'
make[2]: warning: -jN forced in submake: disabling jobserver mode.
make[3]: Entering directory `/home/tingco/dev/olle/wolfssl-3.13.0'
make[3]: warning: -jN forced in submake: disabling jobserver mode.
PASS: scripts/tls-cert-fail.test
PASS: scripts/sniffer-testsuite.test
PASS: scripts/psk.test
PASS: scripts/ocsp.test
PASS: scripts/resume.test
PASS: scripts/crl-revoked.test
PASS: testsuite/testsuite.test
./build-aux/test-driver: line 107: 23910 Aborted                 (core dumped) "$@" > $log_file 2>&1
FAIL: tests/unit.test
============================================================================
Testsuite summary for wolfssl 3.13.0
============================================================================
# TOTAL: 8
# PASS:  7
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0
============================================================================
See ./test-suite.log
Please report to https://github.com/wolfssl/wolfssl/issues
============================================================================
make[3]: *** [test-suite.log] Error 1
make[3]: Leaving directory `/home/tingco/dev/olle/wolfssl-3.13.0'
make[2]: *** [check-TESTS] Error 2
make[2]: Leaving directory `/home/tingco/dev/olle/wolfssl-3.13.0'
make[1]: *** [check-am] Error 2
make[1]: Leaving directory `/home/tingco/dev/olle/wolfssl-3.13.0'
make: *** [check] Error 2

Post's attachments

test-suite.log 610.6 kb, 1 downloads since 2018-02-09

You don't have the permssions to download the attachments of this post.

olle · 2018-02-12 06:30:26

olle
Member
Offline

Registered: 2018-01-23
Posts: 12

Re: How to turn on TLS Extensions (from JNI)

Another question (should it be a new topic?) when I run the tests for WolfSSL on out Arm box I get different results on:

./testsuite/testsuite.test

gives: All tests passed! while

make test

fails: Total 8, Pass 7, Fail 1 (see post above). On my MacBook all 8 Pass with both calls.

/Olle

olle · 2018-02-12 06:39:56

olle
Member
Offline

Registered: 2018-01-23
Posts: 12

Re: How to turn on TLS Extensions (from JNI)

After getting the wolfssl and jni-3.13.0 release running (minus the failing test, see above) I get the same error as before:

> tshark -r tcpdump.pcap
  1   0.000000      0.0.0.0 -> 255.255.255.255 DHCP 301 DHCP Discover - Transaction ID 0xb1c2b360
  2   3.038098 fd00:aaaa::8f94:6639:35b5:a7 -> fd00:bbbb::d DTLSv1.0 135 Client Hello
  3   3.038662 fd00:bbbb::d -> fd00:aaaa::8f94:6639:35b5:a7 DTLSv1.0 182 Server Hello, Server Hello Done
  4   3.041331 fd00:aaaa::8f94:6639:35b5:a7 -> fd00:bbbb::d DTLSv1.0 129 Client Hello
  5   3.041764 fd00:bbbb::d -> fd00:aaaa::8f94:6639:35b5:a7 DTLSv1.0 77 Alert (Level: Fatal, Description: Handshake Failure)
  6   3.046269 fd00:aaaa::8f94:6639:35b5:a7 -> fd00:bbbb::d DTLSv1.0 104 Client Key Exchange
  7   3.049022 fd00:aaaa::8f94:6639:35b5:a7 -> fd00:bbbb::d DTLSv1.0 153 Change Cipher Spec, Encrypted Handshake Message
  8   4.000737      0.0.0.0 -> 255.255.255.255 DHCP 301 DHCP Discover - Transaction ID 0xb1c2b360

john · 2018-02-12 17:01:59

john
Moderator
Offline

From: Seattle, WA
Registered: 2011-11-14
Posts: 148

Re: How to turn on TLS Extensions (from JNI)

The testsuite.test works on your Mac (along with the other test utilities). That's good to hear. I'm using a Mac as well.

You say the testsuite.test fails on your Arm board. I looked at the log you attached and there is an failure where we generate a date, covert it to a string, and compare it to an expected value. In file tests/api.c line 10685, could you output the value of the string "date_str"?

In your first post you listed your wolfSSL configure command. Is that what you are using on the ARM board or on your Mac? Is the ARM you are using 32-bit or 64-bit?

john · 2018-02-13 16:27:13

john
Moderator
Offline

From: Seattle, WA
Registered: 2011-11-14
Posts: 148

Re: How to turn on TLS Extensions (from JNI)

There is an issue with time on platforms without 64-bit values. We added the guard TIME_T_NOT_LONG to work around that. On the configure command line add CPPFLAGS=-DTIME_T_NOT_LONG or #define it in your settings file.

olle · 2018-02-14 03:12:07

olle
Member
Offline

Registered: 2018-01-23
Posts: 12

Re: How to turn on TLS Extensions (from JNI)

We have a 32-bit (armv7l) board.

We are currently trying things out with the CPPFLAGS=-DTIME_T_NOT_LONG and then all tests pass (using make test), we get:

======================================
   wolfssl 3.13.0: ./test-suite.log
======================================

# TOTAL: 11
# PASS:  11
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

Also added a printf (tests/api.c line 10685) but it never passed that line (seems like the "#if !defined(TIME_T_NOT_LONG) && !defined(NO_64BIT)" is not true). The double negation makes it kind of hard to know if we should run the code in 32-bit mode or not.

To be sure we added printf:s for dateStr at 10700 and 10706 and those are fine (as asserted in the code).

So I guess the test work fine now, thanks for the flag tip!

But it seems that we are now back to the "not accepted extra CLIENT_HELLO" in the JNI-client.

john · 2018-02-14 10:50:18

john
Moderator
Offline

From: Seattle, WA
Registered: 2011-11-14
Posts: 148

Re: How to turn on TLS Extensions (from JNI)

Can you connect to the server using the wolfSSL example client? What I usually do for interop testing is:

Shell 1:

~/Code/wolfssl$ openssl s_server -accept 11111 -cert ./certs/server-ecc.pem -key ./certs/ecc-key.pem -dtls1

Shell 2:

~/Code/wolfssl$ ./examples/client/client -u -A ./certs/ca-ecc-cert.pem -v2

The server will show "hello wolfssl!" in shell 1. If you type something and press enter that text will show up on the client in shell 2.

Tomas · 2018-02-14 14:26:32

Tomas
Member
Offline

Registered: 2018-02-14
Posts: 2

Re: How to turn on TLS Extensions (from JNI)

Hi John,
Olle an I is doing this together. Here is the result:

Shell1:

wolfssl-3.13.0$ openssl s_server -accept 11111 -cert ./certs/server-ecc.pem -key ./certs/ecc-key.pem -dtls1
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
ERROR
1996461264:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1389:
shutting down SSL
CONNECTION CLOSED
ACCEPT

Shell 2:

wolfssl-3.13.0$ ./examples/client/client -u -A ./certs/ca-ecc-cert.pem -v2
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering DTLSv1_client_method_ex
wolfSSL Entering WOLFSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering SSL_CTX_set_default_passwd_cb
wolfSSL Entering wolfSSL_CTX_set_cipher_list
wolfSSL Entering wolfSSL_CTX_use_certificate_chain_file
Getting dynamic buffer
wolfSSL Entering PemToDer
Checking cert signature type
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Not ECDSA cert signature
wolfSSL Entering wolfSSL_CTX_use_PrivateKey_file
Getting dynamic buffer
wolfSSL Entering PemToDer
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
        Parsed new CA
        Freeing Parsed CA
        Freeing der CA
                OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
        Parsed new CA
        Freeing Parsed CA
        Freeing der CA
                OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Entering SSL_set_read_fd
wolfSSL Leaving SSL_set_read_fd, return 1
wolfSSL Entering SSL_set_write_fd
wolfSSL Leaving SSL_set_write_fd, return 1
wolfSSL Entering wolfSSL_EnableCRL
wolfSSL Entering wolfSSL_CertManagerEnableCRL
wolfSSL Entering InitCRL
wolfSSL Entering wolfSSL_LoadCRL
wolfSSL Entering wolfSSL_CertManagerLoadCRL
wolfSSL Entering LoadCRL
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Found CRL issuer CA
wolfSSL Entering ConfirmSignature
wolfSSL Leaving ConfirmSignature, return 0
wolfSSL Entering AddCRL
wolfSSL Entering InitCRL_Entry
FreeDecodedCRL
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Found CRL issuer CA
wolfSSL Entering ConfirmSignature
wolfSSL Leaving ConfirmSignature, return -155
CRL Confirm signature failed
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Found CRL issuer CA
CA cannot sign CRLs
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
not .pem file, skipping
not .pem file, skipping
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetRevoked
wolfSSL Entering GetSerialNumber
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetRevoked
wolfSSL Entering GetSerialNumber
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
wolfSSL Entering wolfSSL_SetCRL_Cb
wolfSSL Entering wolfSSL_CertManagerSetCRL_Cb
wolfSSL Entering SSL_connect()
Adding signature algorithms extension
growing output buffer

Signature Algorithms extension to write
Session Ticket extension to write
wolfSSL Entering EmbedSendTo()
Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

wolfSSL Entering EmbedReceiveFrom()
wolfSSL Entering wolfSSL_get_using_nonblock
wolfSSL Leaving wolfSSL_get_using_nonblock, return 0
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing hello verify request
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
connect state: HELLO_AGAIN
Adding signature algorithms extension
growing output buffer

Signature Algorithms extension to write
Session Ticket extension to write
wolfSSL Entering EmbedSendTo()
Shrinking output buffer

connect state: HELLO_AGAIN_REPLY
wolfSSL Entering EmbedReceiveFrom()
wolfSSL Entering wolfSSL_get_using_nonblock
wolfSSL Leaving wolfSSL_get_using_nonblock, return 0
received record layer msg
got ALERT!
Got alert
wolfSSL error occurred, error = 40 line:11559 file:src/internal.c
wolfSSL error occurred, error = 313 line:8907 file:src/ssl.c
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -313
wolfSSL Entering ERR_error_string
wolfSSL_connect error -313, revcd alert fatal error
wolfSSL Entering SSL_free
CTX ref count not 0 yet, no free
Shrinking input buffer

wolfSSL Entering wolfSSL_BIO_free
wolfSSL Leaving SSL_free, return 0
wolfSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Entering FreeCRL
wolfSSL Entering FreeCRL_Entry
wolfSSL Leaving SSL_CTX_free, return 0
wolfSSL error: wolfSSL_connect failed

-Tomas

john · 2018-02-14 15:33:50

john
Moderator
Offline

From: Seattle, WA
Registered: 2011-11-14
Posts: 148

Re: How to turn on TLS Extensions (from JNI)

Remove "--enable-sniffer" from your configure and this command line test should work. (Also remove "--enable-sctp", it is only needed if you are using DTLS over SCTP.) The sniffer allows you to build an application that provides packet decoding in a fashion similar to Wireshark. It only works if you are using RSA key exchange.

Tomas · 2018-02-14 21:52:07

Tomas
Member
Offline

Registered: 2018-02-14
Posts: 2

Re: How to turn on TLS Extensions (from JNI)

This looks better.
Logging the output

Shell 1:

wolfssl-3.13.0$ openssl s_server -accept 11111 -cert ./certs/server-ecc.pem -key ./certs/ecc-key.pem -dtls1
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MFYCAQECAwD+/wQCwAoEAAQwS0DYMK5/ueEgWnmDQgtFW+/hr7uavPc5RqXjeOkO
RC8iBRRejRNZTs5t/q789LTDoQYCBFqFEF6iBAICHCCkBgQEAQAAAA==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
CIPHER is ECDHE-ECDSA-AES256-SHA
Secure Renegotiation IS NOT supported
hello wolfssl!Echo

Shell 2:

wolfssl-3.13.0$ ./examples/client/client -u -A ./certs/ca-ecc-cert.pem -v2
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering DTLSv1_client_method_ex
wolfSSL Entering WOLFSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering SSL_CTX_set_default_passwd_cb
wolfSSL Entering wolfSSL_CTX_use_certificate_chain_file
Getting dynamic buffer
wolfSSL Entering PemToDer
Checking cert signature type
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Not ECDSA cert signature
wolfSSL Entering wolfSSL_CTX_use_PrivateKey_file
Getting dynamic buffer
wolfSSL Entering PemToDer
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
        Parsed new CA
        Freeing Parsed CA
        Freeing der CA
                OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
        Parsed new CA
        Freeing Parsed CA
        Freeing der CA
                OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Entering SSL_set_read_fd
wolfSSL Leaving SSL_set_read_fd, return 1
wolfSSL Entering SSL_set_write_fd
wolfSSL Leaving SSL_set_write_fd, return 1
wolfSSL Entering wolfSSL_EnableCRL
wolfSSL Entering wolfSSL_CertManagerEnableCRL
wolfSSL Entering InitCRL
wolfSSL Entering wolfSSL_LoadCRL
wolfSSL Entering wolfSSL_CertManagerLoadCRL
wolfSSL Entering LoadCRL
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Found CRL issuer CA
wolfSSL Entering ConfirmSignature
wolfSSL Leaving ConfirmSignature, return 0
wolfSSL Entering AddCRL
wolfSSL Entering InitCRL_Entry
FreeDecodedCRL
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Found CRL issuer CA
wolfSSL Entering ConfirmSignature
wolfSSL Leaving ConfirmSignature, return -155
CRL Confirm signature failed
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Found CRL issuer CA
CA cannot sign CRLs
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
not .pem file, skipping
not .pem file, skipping
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetRevoked
wolfSSL Entering GetSerialNumber
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetRevoked
wolfSSL Entering GetSerialNumber
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
wolfSSL Entering wolfSSL_SetCRL_Cb
wolfSSL Entering wolfSSL_CertManagerSetCRL_Cb
wolfSSL Entering SSL_connect()
Adding signature algorithms extension
growing output buffer

Signature Algorithms extension to write
Point Formats extension to write
Elliptic Curves extension to write
Session Ticket extension to write
wolfSSL Entering EmbedSendTo()
Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

wolfSSL Entering EmbedReceiveFrom()
wolfSSL Entering wolfSSL_get_using_nonblock
wolfSSL Leaving wolfSSL_get_using_nonblock, return 0
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing hello verify request
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
connect state: HELLO_AGAIN
Adding signature algorithms extension
growing output buffer

Signature Algorithms extension to write
Point Formats extension to write
Elliptic Curves extension to write
Session Ticket extension to write
wolfSSL Entering EmbedSendTo()
Shrinking output buffer

connect state: HELLO_AGAIN_REPLY
wolfSSL Entering EmbedReceiveFrom()
wolfSSL Entering wolfSSL_get_using_nonblock
wolfSSL Leaving wolfSSL_get_using_nonblock, return 0
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
Session Ticket extension received
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
More records in input
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
wolfSSL Entering ProcessPeerCerts
Loading peer's cert chain
        Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Verifying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
wolfSSL Entering ConfirmSignature
wolfSSL Leaving ConfirmSignature, return 0
Verified Peer's cert
Doing Leaf CRL check
wolfSSL Entering CheckCertCRL
Found CRL Entry on list
Checking next date validity
wolfSSL Leaving ProcessPeerCerts, return 0
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
More records in input
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server key exchange
wolfSSL Entering DoServerKeyExchange
wolfSSL Entering EccVerify
wolfSSL Leaving EccVerify, return 0
wolfSSL Leaving DoServerKeyExchange, return 0
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
More records in input
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello done
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
connect state: FIRST_REPLY_DONE
connect state: FIRST_REPLY_FIRST
wolfSSL Entering SendClientKeyExchange
wolfSSL Entering EccMakeKey
wolfSSL Leaving EccMakeKey, return 0
wolfSSL Entering EccSharedSecret
wolfSSL Leaving EccSharedSecret, return 0
growing output buffer

wolfSSL Entering EmbedSendTo()
Shrinking output buffer

wolfSSL Leaving SendClientKeyExchange, return 0
sent: client key exchange
connect state: FIRST_REPLY_SECOND
connect state: FIRST_REPLY_THIRD
growing output buffer

sent: change cipher spec
connect state: FIRST_REPLY_FOURTH
growing output buffer

wolfSSL Entering BuildMessage
wolfSSL Leaving BuildMessage, return 0
wolfSSL Entering EmbedSendTo()
Shrinking output buffer

sent: finished
connect state: FINISHED_DONE
wolfSSL Entering EmbedReceiveFrom()
wolfSSL Entering wolfSSL_get_using_nonblock
wolfSSL Leaving wolfSSL_get_using_nonblock, return 0
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing session ticket
Session Ticket CB: ticketSz = 160, ctx = initial session
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
More records in input
received record layer msg
got CHANGE CIPHER SPEC
More records in input
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing finished
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
connect state: SECOND_REPLY_DONE
wolfSSL Leaving SSL_connect(), return 1
wolfSSL Entering SSL_get_peer_certificate
wolfSSL Entering X509_get_issuer_name
wolfSSL Entering wolfSSL_X509_NAME_oneline
wolfSSL Entering wolfSSL_X509_get_subject_name
wolfSSL Entering wolfSSL_X509_NAME_oneline
peer's cert info:
 issuer : /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
 subject: /C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
wolfSSL Entering wolfSSL_X509_get_next_altname
wolfSSL Entering wolfSSL_X509_get_serial_number
 serial number:10:00
wolfSSL Entering wolfSSL_FreeX509
wolfSSL Entering ExternalFreeX509
free called on non dynamic object, not freeing
wolfSSL Entering SSL_get_version
SSL version is DTLS
wolfSSL Entering SSL_get_current_cipher
wolfSSL Entering SSL_CIPHER_get_name
wolfSSL Entering wolfSSL_get_cipher_name_from_suite
SSL cipher suite is TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
SSL curve name is SECP256R1
Client Random : 2C6E0C8E2DF2ADA3690A985D41A37AE458E0AC35B037597D22FF3170259898FF
wolfSSL Entering SSL_write()
growing output buffer

wolfSSL Entering BuildMessage
wolfSSL Leaving BuildMessage, return 0
wolfSSL Entering EmbedSendTo()
Shrinking output buffer

wolfSSL Leaving SSL_write(), return 14
wolfSSL Entering wolfSSL_read()
wolfSSL Entering wolfSSL_read_internal()
wolfSSL Entering ReceiveData()
wolfSSL Entering EmbedReceiveFrom()
wolfSSL Entering wolfSSL_get_using_nonblock
wolfSSL Leaving wolfSSL_get_using_nonblock, return 0
received record layer msg
got app DATA
Shrinking input buffer

wolfSSL Leaving ReceiveData(), return 5
wolfSSL Leaving wolfSSL_read_internal(), return 5
Echo

wolfSSL Entering SSL_free
CTX ref count not 0 yet, no free
wolfSSL Entering wolfSSL_BIO_free
wolfSSL Leaving SSL_free, return 0
wolfSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Entering FreeCRL
wolfSSL Entering FreeCRL_Entry
wolfSSL Leaving SSL_CTX_free, return 0
wolfSSL Entering wolfSSL_Cleanup
wolfSSL Entering wolfCrypt_Cleanup

olle · 2018-02-15 07:40:00

olle
Member
Offline

Registered: 2018-01-23
Posts: 12

Re: How to turn on TLS Extensions (from JNI)

Hi, again

We have trying different combinations of servers clients

The following client/server combination works (DTLS1 and PSK):

s> openssl s_server -accept 11111 -cert ./certs/server-ecc.pem -key ./certs/ecc-key.pem -psk 1A2B3C4D -dtls1
c> ./examples/client/client -u -l PSK-AES256-CBC-SHA -s -v 2

but when we use our (wolfssl) jni client we get:

wolfSSL Entering DTLSv1_client_method
wolfSSL Entering DTLSv1_client_method_ex
wolfSSL Entering WOLFSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering SSL_CTX_set_psk_client_callback
wolfSSL Entering wolfSSL_CTX_set_cipher_list
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering wolfSSL_set_jobject
wolfSSL Entering wolfSSL_EnableCRL
wolfSSL Entering wolfSSL_CertManagerEnableCRL
wolfSSL Entering InitCRL
wolfSSL Entering wolfSSL_LoadCRL
wolfSSL Entering wolfSSL_CertManagerLoadCRL
wolfSSL Entering LoadCRL
Filename [../certs/crl/cliCrl.pem]
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Filename [../certs/crl/caEccCrl.pem]
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Filename [../certs/crl/caEcc384Crl.pem]
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Filename [../certs/crl/eccCliCRL.pem]
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Filename [../certs/crl/eccSrvCRL.pem]
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
not .pem file, skipping
not .pem file, skipping
Filename [../certs/crl/crl.pem]
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetRevoked
wolfSSL Entering GetSerialNumber
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Filename [../certs/crl/crl2.pem]
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetRevoked
wolfSSL Entering GetSerialNumber
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
wolfSSL Entering wolfSSL_SetCRL_Cb
wolfSSL Entering wolfSSL_CertManagerSetCRL_Cb
Registered I/O callbacks
wolfSSL Entering SSL_connect()
Adding signature algorithms extension
growing output buffer

wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

wolfSSL Entering wolfSSL_get_jobject
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing hello verify request
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
connect state: HELLO_AGAIN
Adding signature algorithms extension
growing output buffer

wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer

connect state: HELLO_AGAIN_REPLY
wolfSSL Entering wolfSSL_get_jobject
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Entering VerifyClientSuite
Requires PSK
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
More records in input
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
No Cert required
No KeyExchange required
processing server hello done
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
connect state: FIRST_REPLY_DONE
connect state: FIRST_REPLY_FIRST
wolfSSL Entering SendClientKeyExchange
wolfSSL Entering wolfSSL_get_jobject
PSK Client Callback:64
 | PSK hint : ''
Arrays.toString(key) = [18, 52, 86, 120, -112, 18, 52, 86, 120, -112, 18, 52, 86, 120, -112, -86, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
growing output buffer

wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer

wolfSSL Leaving SendClientKeyExchange, return 0
sent: client key exchange
connect state: FIRST_REPLY_SECOND
connect state: FIRST_REPLY_THIRD
growing output buffer

sent: change cipher spec
connect state: FIRST_REPLY_FOURTH
growing output buffer

wolfSSL Entering BuildMessage
wolfSSL Leaving BuildMessage, return 0
wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer

sent: finished
connect state: FINISHED_DONE
wolfSSL Entering wolfSSL_get_jobject
received record layer msg
got CHANGE CIPHER SPEC
More records in input
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing finished
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
connect state: SECOND_REPLY_DONE
wolfSSL Leaving SSL_connect(), return 1
wolfSSL Entering SSL_get_peer_certificate
wolfSSL Entering SSL_get_version
SSL version is DTLS
wolfSSL Entering SSL_get_current_cipher
wolfSSL Entering SSL_CIPHER_get_name
wolfSSL Entering wolfSSL_get_cipher_name_from_suite
SSL cipher suite is TLS_PSK_WITH_AES_256_CBC_SHA
wolfSSL Entering SSL_write()
growing output buffer

wolfSSL Entering BuildMessage
wolfSSL Leaving BuildMessage, return 0
wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer

wolfSSL Leaving SSL_write(), return 14
wolfSSL Entering wolfSSL_read()
wolfSSL Entering wolfSSL_read_internal()
wolfSSL Entering ReceiveData()
wolfSSL Entering wolfSSL_get_jobject
wolfSSL error occurred, error = 308 line:14009 file:src/internal.c
wolfSSL Leaving wolfSSL_read_internal(), return -308
read failed
wolfSSL Entering SSL_CTX_free
CTX ref count not 0 yet, no free
wolfSSL Leaving SSL_CTX_free, return 0

which to to me looks like a successful connection (that we mess up when receiving data from the server, probably need to wait for the response in a loop or something).

I then wanted to test the wolfssl c-client on "our" server to see what differs in the communication. But we can't get the example client to accept an ipv6 address:

tingco@thomedev08tomas:~/dev/olle/wolfssl-3.13.0$ ./examples/client/client -u -p 41230 -h fd00:aaaa::3 -l PSK-AES256-CBC-SHA -s -v 2
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering DTLSv1_client_method_ex
wolfSSL Entering WOLFSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_set_cipher_list
wolfSSL Entering SSL_CTX_set_psk_client_callback
wolfSSL Entering SSL_CTX_set_default_passwd_cb
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
Not defined [TEST_IPV6]
peer [fd00:aaaa::3]
wolfSSL error: no entry for host

Looking in the code we see that this can only happen if the TEST_IPV6 is not set. Tried various configure parameters --enable-ipv6 and CFLAGS="-DTEST_IPV6" but we cannot get the TEST_IPV6 flag set. Any tips?

PS I am still hoping for David Garskes:

We believe this may be a bug with our DTLS 1.0 code and we hope to have a fix available shortly. Thanks for your details report and we will provide you a followup soon.

since we see the second CLIENT_HELLO after SERVER_HELLO, SERVER_HELLO_DONE.

olle · 2018-02-19 06:53:59

olle
Member
Offline

Registered: 2018-01-23
Posts: 12

Re: How to turn on TLS Extensions (from JNI)

I found out how to make the example client accept ipv6 addresses. I Just added the TEST_IPV6 flag to C_EXTRA_FLAGS, instead of CFLAGS.

C_EXTRA_FLAGS="-DTEST_IPV6"

Hope it helps someone else.

john · 2018-02-19 12:04:59

john
Moderator
Offline

From: Seattle, WA
Registered: 2011-11-14
Posts: 148

Re: How to turn on TLS Extensions (from JNI)

olle wrote:

I found out how to make the example client accept ipv6 addresses. I Just added the TEST_IPV6 flag to C_EXTRA_FLAGS, instead of CFLAGS.
C_EXTRA_FLAGS="-DTEST_IPV6"
Hope it helps someone else.

Adding --enable-ipv6 to the configure command line should have enabled the IPv6 support in the example client and server. Where did you add the line that prints out "Not defined [TEST_IPV6]"? When you use the configure option, it adds -DTEST_IPV6 to the CFLAGS option passed to GCC on compile. When you put it in C_EXTRA_FLAGS, it is added as a #define in options.h.

Are you using non-blocking sockets on your JNI client?

john · 2018-02-19 12:19:16

john
Moderator
Offline

From: Seattle, WA
Registered: 2011-11-14
Posts: 148

Re: How to turn on TLS Extensions (from JNI)

And to expand on non-blocking sockets, our example client and server know how to deal with them. For DTLS, we use blocking sockets with timeouts, or optionally non-blocking sockets with some additional work. For the handshake in DTLS, you have to do timing for waiting for the peer to reply and to trigger retries. With blocking sockets the library takes care of that automatically. With non-blocking sockets, it is fairly application specific. So, if the functions wolfSSL_negotiate(), wolfSSL_accept(), wolfSSL_connect(), wolfSSL_read(), or wolfSSL_write() return and error, you need to check it with wolfSSL_get_error(). If it is WANT_READ or WANT_WRITE, you need to call the function again, and again, until it is successful or you get a different error. Those two are special error codes meaning the socket would block normally. You also need to tell the DTLS session it is non-blocking because the usual network stacks treat a WANT_READ the same way as a timeout; wolfSSL needs a hint as to what the socket error code meant.

What I think your JNI application is doing is sending client hello, and then waits on the socket, which is non-blocking, and you get a WANT_READ immediately. Since you didn't tell the wolfSSL session it was non-blocking, it immediately retried the client hello, and the WANT_READ error code was returned.

(David isn't working on this issue, I am. Don't wait for him.)

olle · 2018-02-20 07:35:16

olle
Member
Offline

Registered: 2018-01-23
Posts: 12

Re: How to turn on TLS Extensions (from JNI)

Ok, now I am a bit confused.

The last attempt was using the example client in WolfSSL and it gave the same communication/error as when I used the example client in WolfSSL-JNI. Is both of those using non-blocking communication but have not implemented the WANT_READ/WRITE retry?

Today I tried two things in the JNI example client:
1: adding retry on WANT_READ/WRITE

// call wolfSSL_connect
boolean again = true;
while (again) {
     ret = ssl.connect();
     if (ret == WolfSSL.SSL_SUCCESS) {
         again = false;
     } else {
         final int err = ssl.getError(ret);
         final String errString = WolfSSL.getErrorString(err);
         System.out.println("wolfSSL_connect failed. err = " + err + ", " + errString);
         if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) {
            System.exit(1);
         }
     }
}

But that does not work since I get err = -313 (fatal) from the connect.

2: Make the session blocking (a bit of a guess):

ssl = new WolfSSLSession(sslCtx);
ssl.setUsingNonblock(0); //added this line.

Same error as before.

So if the problems are due to this is there any way to solve it from the JNI side? It seems that if there was a WANT_READ/WRITE it is changed before it reaches the JNI layer.

/Olle
PS I got the example JNI client to communicate with a WolfSSL server (without these changes) but it won't communicate with the OpenSSL server (see previous posts in this topic), so I kind of still think it is a mismatch in how the actual DTLS communication is handled in OpenSSL and WoldSSL, but then I am no expert at DTLS.

john · 2018-02-28 17:51:32

john
Moderator
Offline

From: Seattle, WA
Registered: 2011-11-14
Posts: 148

Re: How to turn on TLS Extensions (from JNI)

Olle:

I'm sorry for the delay in replying.

I disagree that this is an interoperation issue between OpenSSL and wolfSSL. Our C based client is communicating with the OpenSSL server. I also tried the wolfSSL client with non-blocking sockets, and that worked. (It does print out a lot of WANT_READ errors, but it prints the server's response when I put one in.)

I am trying to run the JNI client now, and I'm having a different problem than you are reporting. I'm going to have to pull in my coworker who wrote the JNI code and see if we can figure this out.

And to commiserate with you, I am no expert at Java/JNI.

--John

olle · 2018-03-01 14:26:49

olle
Member
Offline

Registered: 2018-01-23
Posts: 12

Re: How to turn on TLS Extensions (from JNI)

john wrote:

Olle:
I'm sorry for the delay in replying.
I disagree that this is an interoperation issue between OpenSSL and wolfSSL. Our C based client is communicating with the OpenSSL server. I also tried the wolfSSL client with non-blocking sockets, and that worked. (It does print out a lot of WANT_READ errors, but it prints the server's response when I put one in.)
I am trying to run the JNI client now, and I'm having a different problem than you are reporting. I'm going to have to pull in my coworker who wrote the JNI code and see if we can figure this out.
And to commiserate with you, I am no expert at Java/JNI.
--John

Sorry for being unclear I do think WolfSSL cannot communicate with a "normal" OpenSSL server. But I/we are having these problems with a specific configuration of an OpenSSL server (one that we cannot change but must use). And as I understood from previous posts in the thread it does not reply as expected after the initial handshake.

Welcome to the wolfSSL Forums!

How to turn on TLS Extensions (from JNI) (Page 1 of 2)

Posts: 1 to 25 of 26

1 Topic by olle 2018-01-23 09:02:15

Topic: How to turn on TLS Extensions (from JNI)

2 Reply by dgarske 2018-01-25 13:55:47

Re: How to turn on TLS Extensions (from JNI)

3 Reply by olle 2018-02-06 02:46:45

Re: How to turn on TLS Extensions (from JNI)

4 Reply by olle 2018-02-06 02:51:46

Re: How to turn on TLS Extensions (from JNI)

5 Reply by Kaleb J. Himes 2018-02-06 17:01:05

Re: How to turn on TLS Extensions (from JNI)

6 Reply by olle 2018-02-07 02:41:02 (edited by olle 2018-02-08 01:28:47)

Re: How to turn on TLS Extensions (from JNI)

7 Reply by dgarske 2018-02-08 11:41:48

Re: How to turn on TLS Extensions (from JNI)

8 Reply by john 2018-02-08 16:18:21

Re: How to turn on TLS Extensions (from JNI)

9 Reply by olle 2018-02-09 09:34:47 (edited by olle 2018-02-09 09:38:24)

Re: How to turn on TLS Extensions (from JNI)

10 Reply by olle 2018-02-12 06:30:26

Re: How to turn on TLS Extensions (from JNI)

11 Reply by olle 2018-02-12 06:39:56

Re: How to turn on TLS Extensions (from JNI)

12 Reply by john 2018-02-12 17:01:59

Re: How to turn on TLS Extensions (from JNI)

13 Reply by john 2018-02-13 16:27:13

Re: How to turn on TLS Extensions (from JNI)

14 Reply by olle 2018-02-14 03:12:07

Re: How to turn on TLS Extensions (from JNI)

15 Reply by john 2018-02-14 10:50:18

Re: How to turn on TLS Extensions (from JNI)

16 Reply by Tomas 2018-02-14 14:26:32

Re: How to turn on TLS Extensions (from JNI)

17 Reply by john 2018-02-14 15:33:50

Re: How to turn on TLS Extensions (from JNI)

18 Reply by Tomas 2018-02-14 21:52:07

Re: How to turn on TLS Extensions (from JNI)

19 Reply by olle 2018-02-15 07:40:00 (edited by olle 2018-02-15 07:40:55)

Re: How to turn on TLS Extensions (from JNI)

20 Reply by olle 2018-02-19 06:53:59 (edited by olle 2018-02-19 06:54:30)

Re: How to turn on TLS Extensions (from JNI)

21 Reply by john 2018-02-19 12:04:59

Re: How to turn on TLS Extensions (from JNI)

22 Reply by john 2018-02-19 12:19:16

Re: How to turn on TLS Extensions (from JNI)

23 Reply by olle 2018-02-20 07:35:16 (edited by olle 2018-02-20 07:38:36)

Re: How to turn on TLS Extensions (from JNI)

24 Reply by john 2018-02-28 17:51:32

Re: How to turn on TLS Extensions (from JNI)

25 Reply by olle 2018-03-01 14:26:49 (edited by olle 2018-03-01 14:27:22)

Re: How to turn on TLS Extensions (from JNI)

Posts: 1 to 25 of 26