Topic: Connect Error / TLS 1.2

I'm having trouble getting TLS 1.2 to connect on the wolfSSL_connect function on some sites.  Sites like [digicert.com] and [godaddy.com] are fine.  Sites like [rapidssl.com] and [comodo.com] typically return a last error of -313 or -308. 

Has anyone seen this and have a recommendation on what to build the sdk ciphers with?  I have duplicated it on many platforms but focusing on windows x64 (windows server 2016 and windows 10) for debugging purpose.  I put some sample code below...  Thanks.

   WOLFSSL_CTX* pCTX;
   WOLFSSL* pSSL;
   WOLFSSL_METHOD* pMethod;
   int nEC;
   int nRC;

   pMethod = wolfTLSv1_2_client_method();
   pCTX = wolfSSL_CTX_new(pMethod);
   wolfSSL_CTX_set_verify(pCTX, WOLFSSL_VERIFY_NONE, 0);

   pSSL = wolfSSL_new(pCTX);
   nRC = wolfSSL_set_fd(pSSL, hSocket);

   nRC = wolfSSL_connect(pSSL);
   nEC = wolfSSL_get_error(pSSL, nRC);

   // errors typically from target of [rapidssl.com] and [rapidssl.com] are -313 and -308

   // site like www.digicert.com amd [digicert.com] and [godaddy.com] work fine

Share

Re: Connect Error / TLS 1.2

Hi cxnb,

Thank you for contacting wolfSSL via the forums and for your interest. To do a quick test I opened a terminal on my Mac and ran these commands:


cd ~/wolfssl-3.13.0
./configure && make

./examples/client/client -h rapidssl.com -p 443 -d -g
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL curve name is SECP521R1
SSL connect ok, sending GET...
HTTP/1.1 301 Moved Permanently
Date: Wed, 07 Mar 2018 00:01:06 GMT
Server: Ap
ache
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN


./examples/client/client -h comodo.com -p 443 -d -g
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL curve name is SECP256R1
SSL connect ok, sending GET...
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 07 Mar 2018 00:01:27 
GMT
Content-Type: text/html
Connection: close
Location: [url]http://www.comodo.co[/url]

the -d option just disables peer checking temporarily so I didn't have to track down the CA certificates for those sites to connect to them.

It looks like both connections worked just fine. I tested also against the IP 69.58.181.103 for rapidssl.com and www-rapidssl-ilg.verisign.net

All tests were successful. Could you tell me how you have wolfSSL configured? Which cipher suites are currently enabled? Perhaps  those server only support specific cipher suites that need to be enabled when you build our library before you can connect.

Warm Regards,

Kaleb

Re: Connect Error / TLS 1.2

Thanks for the update... On my Windows x64 test build, I am setting the following in options in wolfcrypt/settings.h.  This is for build 3.13.0.  Let me know if this helps.  Thanks.

#define IGNORE_KEY_EXTENSIONS
#define NO_CYASSL_SERVER
#define NO_SESSION_CACHE
#define NO_FILESYSTEM
#define NO_CERT
#define NO_MD4
#define NO_DH

#define WOLFSSL_ALLOW_NO_SUITES
#define WC_NO_HARDEN
#define WC_RSA_BLINDING

#define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
#define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA

#define WOLFSSL_ALLOW_TLSV10

#define USE_WOLFSSL_MEMORY
#define XSTREAM_ALIGN
#define WOLFSSL_GENERAL_ALIGNMENT 4
#define XGEN_ALIGN __declspec(align(WOLFSSL_GENERAL_ALIGNMENT))
#define HAVE_ALL_CURVES
#define AES_MAX_KEY_SIZE 256
#define HAVE_AES_DECRYPT
#define HAVE_AES_CBC
#define WOLFSSL_MIN_AUTH_TAG_SZ 12
#define RSA_DECODE_EXTRA
#define ECC_DECODE_EXTRA
#define WC_ASYNC_DEV_SIZE 0
#define WOLFSSL_ALERT_COUNT_MAX 5

Share

Re: Connect Error / TLS 1.2

Hi cxnb,

You should never manually define a cipher suite like:

#define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
#define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA

Instead you would control enabling that through the defines that CONTROL that (See <wolfssl-root>/wolfssl/internal.h for reference below:

 277     #if !defined(NO_RSA) && !defined(NO_AES) && !defined(NO_TLS)
 278         #if !defined(NO_SHA)
 279             #if defined(WOLFSSL_STATIC_RSA)
 280                 #ifdef WOLFSSL_AES_128
 281                     #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
 282                 #endif
 283                 #ifdef WOLFSSL_AES_256
 284                     #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
 285                 #endif
 286             #endif
 287             #if defined(HAVE_NTRU) && defined(WOLFSSL_STATIC_RSA)
 288                 #ifdef WOLFSSL_AES_128
 289                     #define BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA
 290                 #endif
 291                 #ifdef WOLFSSL_AES_256
 292                     #define BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA
 293                 #endif
 294             #endif
 295         #endif

So the defines to control that cipher suite are:

// do NOT define this: #define NO_RSA
// do NOT define this: #define NO_AES
// do NOT define this: #define NO_TLS
// do NOT define this: #define NO_SHA
#define WOLFSSL_STATIC_RSA // do define this

// automatically enabled if not defined NO_AES, no need to manually define: WOLFSSL_AES_256

So basically you just need to define WOLFSSL_STATIC_RSA to turn on both of those cipher suites, but never define it manually like you did as that could cause undefined behavior or send a "false" list of supported cipher suites to the server.

My successful tests used ECDHE, we do not recommend using WOLFSSL_STATIC_RSA as those do not provide perfect forward secrecy. Could you try adding the define HAVE_ECC and let me know your results?


Warm Regards,

Kaleb

Re: Connect Error / TLS 1.2

hi all,
I am also facing the issue while making communication between client and server.i developed my own client and server files for sending the secure data between them.while doing that i am unable to make the ssl Connection. i am getting the error= -308, (error state on socket) .
I am working on ubuntu virtual machine. i put some part of client and server codes below.

/*Server.c*/
WOLFSSL_CTX *ctx;
WOLFSSL* ssl;
WOLFSSL_METHOD *method;

wolfSSL_Init();

ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method);

wolfSSL_CTX_use_certificate_file(ctx, serverCertFile, SSL_FILETYPE_PEM);
wolfSSL_CTX_use_PrivateKey_file(ctx, serverKeyFile, SSL_FILETYPE_PEM);

creating and binding a socket for server.
accept the connection

ssl = wolfSSL_new(ctx);
wolfSSL_set_fd(ssl, client);

if ( wolfSSL_accept(ssl) == -1 )     /* do SSL-protocol accept */
{
    printf("Wolfssl Accept failed!! \n");
}
at server side i am getting Wolfssl Accept failed!!

/*Client.c*/
WOLFSSL_CTX *ctx;
WOLFSSL* ssl;
WOLFSSL_METHOD *method;

wolfSSL_Init();
wolfSSL_Debugging_ON();

ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method());
wolfSSL_CTX_load_verify_locations(ctx,"Cacertificate.pem",NULL)

opening and establishing a socket connection to the server.

ssl = wolfSSL_new(ctx);
wolfSSL_set_fd(ssl, sockettoserver);

if(wolfSSL_connect(ssl) != SSL_SUCCESS)
{
  /* ithe code is entering into this loop and i am getting error = -308 */
}

wolfSSL_free(ssl);

at client side i am getting error = -308,

Thanks in advance.

Share

Re: Connect Error / TLS 1.2

Hi v.swathi,

You did say that you were only sending part of the client and server code but just to make sure are you actually opening a TCP socket before calling wolfSSL_connect or wolfSSL_accept? The errors you noted would actually occur if no socket were opened (there are other cases to) but the first thing to check is if the sockets are actually opened.

Example from the server side pulled from: https://github.com/wolfSSL/wolfssl-exam … rver-tls.c

#define DEFAULT_PORT 11111

...

    /* Create a socket that uses an internet IPv4 address,
     * Sets the socket to be stream based (TCP),
     * 0 means choose the default protocol. */
    if ((client = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        fprintf(stderr, "ERROR: failed to create the socket\n");
        return -1;
    }

    /* Initialize the server address struct with zeros */
    memset(&servAddr, 0, sizeof(servAddr));

    /* Fill in the server address */
    servAddr.sin_family      = AF_INET;             /* using IPv4      */
    servAddr.sin_port        = htons(DEFAULT_PORT); /* on DEFAULT_PORT */
    servAddr.sin_addr.s_addr = INADDR_ANY;          /* from anywhere   */



    /* Bind the server socket to our port */
    if (bind(client, (struct sockaddr*)&servAddr, sizeof(servAddr)) == -1) {
        fprintf(stderr, "ERROR: failed to bind\n");
        return -1;
    }

    /* Listen for a new connection, allow 5 pending connections */
    if (listen(client, 5) == -1) {
        fprintf(stderr, "ERROR: failed to listen\n");
        return -1;
    }

See how this would also be done on the client side: https://github.com/wolfSSL/wolfssl-exam … ient-tls.c

Regards,

Kaleb