Topic: How to turn on TLS Extensions (from JNI)
Hi,
I am new to WolfSSL and trying to write a DTLS 1.0 client (using Java JNI) that communicates with an OpenSSL server (that I cannot change). And I cannot get it to work.
When I look at working communication with the server (using tcpdump) I see that they use the SessionTicket TLS and Heartbeat TLS Extensions, while the example WolfSSL JNI Client that I modified use the ExtendedMasterSecret Extension. I don't know if this difference is actually causing the problem, but wonder if I should turn on these Extensions (SessionTicket and Heartbeat) in the client session or something (and if so how do I do it)?
The support team from the server side said it fails due to that I send a second CLIENT_HELLO (with cookie?) after the first negotiation. When I try to read about DTLS it seems that there are multiple ways to do the handshaking and my client and the server does not agree on how to do it.
Debug logging gives this:
./client.sh -u -s -v 2 -p 41230 -h fd00:aaaa::3 -l PSK-AES256-CBC-SHA
wolfSSL Entering DTLSv1_client_method
wolfSSL Entering DTLSv1_client_method_ex
wolfSSL Entering WOLFSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering SSL_CTX_set_psk_client_callback
wolfSSL Entering wolfSSL_CTX_set_cipher_list
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering wolfSSL_set_jobject
wolfSSL Entering wolfSSL_EnableCRL
wolfSSL Entering wolfSSL_CertManagerEnableCRL
wolfSSL Entering InitCRL
wolfSSL Entering wolfSSL_LoadCRL
wolfSSL Entering wolfSSL_CertManagerLoadCRL
wolfSSL Entering LoadCRL
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
not .pem file, skipping
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
wolfSSL Entering wolfSSL_SetCRL_Cb
wolfSSL Entering wolfSSL_CertManagerSetCRL_Cb
Registered I/O callbacks
wolfSSL Entering SSL_connect()
Adding signature algorithms extension
growing output buffer
wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer
connect state: CLIENT_HELLO_SENT
growing input buffer
wolfSSL Entering wolfSSL_get_jobject
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Entering VerifyClientSuite
Requires PSK
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
More records in input
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
No Cert required
No KeyExchange required
processing server hello done
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
connect state: HELLO_AGAIN
Adding signature algorithms extension
growing output buffer
wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer
connect state: HELLO_AGAIN_REPLY
connect state: FIRST_REPLY_DONE
connect state: FIRST_REPLY_FIRST
wolfSSL Entering SendClientKeyExchange
wolfSSL Entering wolfSSL_get_jobject
PSK Client Callback:64
| PSK hint : ''
Arrays.toString(key) = [18, 52, 86, 120, -112, 18, 52, 86, 120, -112, 18, 52, 86, 120, -112, -86, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
growing output buffer
wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer
wolfSSL Leaving SendClientKeyExchange, return 0
sent: client key exchange
connect state: FIRST_REPLY_SECOND
connect state: FIRST_REPLY_THIRD
growing output buffer
sent: change cipher spec
connect state: FIRST_REPLY_FOURTH
growing output buffer
wolfSSL Entering BuildMessage
wolfSSL Leaving BuildMessage, return 0
wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer
sent: finished
connect state: FINISHED_DONE
wolfSSL Entering wolfSSL_get_jobject
received record layer msg
got ALERT!
Got alert
wolfSSL error occurred, error = 40 line:11575 file:src/internal.c
wolfSSL error occurred, error = 313 line:9003 file:src/ssl.c
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -313
wolfSSL Entering ERR_error_string
wolfSSL_connect failed. err = -313, revcd alert fatal error
I think the alert at the end is due to the server not accepting a second CLIENT_HELLO.
I could attach a tcpdump if that helps.
Any help appreciated
Thanks in advance
/Olle Sundblad
PS Full WolfSSL config here: ./configure --enable-jni --enable-dtls --enable-oldtls --enable-psk --enable-aesgcm --enable-opensslextra --enable-ecc --enable-supportedcurves --enable-sctp --enable-debug --enable-sniffer CFLAGS="-DWOLFSSL_STATIC_PSK" C_EXTRA_FLAGS="-g1 -feliminate-unused-debug-symbols -fdebug-types-section -DWOLFSSL_STATIC_RSA"