Topic: Trying to use wolfssl-3.14.0 with PSKs

I configured wolfssl with the following:

./configure --enable-opensslextra --enable-tls13-draft22 --enable-psk CFLAGS="-DWOLFSSL_STATIC_PSK" --enable-oldtls=no

I then used the example code to build: server-psk.c and client-psk-resume.c

The only modification I made to the client was: wolfSSL_CTX_new(wolfTLSv1_2_client_method() -> wolfSSL_CTX_new(wolfTLSv1_3_client_method()

I did this to try to force the client to send a TLS 1.3 Client Hello.

However, wireshark still shows TLS 1.2 (0x0303) for both Record Layer and Handshake Protocol. Furthermore, the psk callback method is never invoked on the server AND the server never sends back a Server Hello.

As this is example code, (with little modification noted above AND it didn't work in it's unmodified version either), I'm assuming that either the code examples are wrong OR wolfssl-3.14.0 is.

Full client code:

/* client-psk-resume.c
*
* Copyright (C) 2006-2015 wolfSSL Inc.
*
* This file is part of wolfSSL. (formerly known as CyaSSL)
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
**/

#include <wolfssl/options.h> /* included for options sync */
#include <wolfssl/ssl.h>     /* must include this to use wolfSSL security */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <arpa/inet.h>
#include <signal.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>

#define     MAXLINE 256      /* max text line length */
#define     SERV_PORT 11111  /* default port*/

/*
*psk client set up.
*/
static inline unsigned int My_Psk_Client_Cb(WOLFSSL* ssl, const char* hint,
        char* identity, unsigned int id_max_len, unsigned char* key,
        unsigned int key_max_len)
{
    (void)ssl;
    (void)hint;
    (void)key_max_len;

    /* identity is OpenSSL testing default for openssl s_client, keep same*/
    strncpy(identity, "Client_identity", id_max_len);

    /* test key n hex is 0x1a2b3c4d , in decimal 439,041,101, we're using
     * unsigned binary */
    key[0] = 26;
    key[1] = 43;
    key[2] = 60;
    key[3] = 77;

    return 4;
}

int main(int argc, char **argv){

    int sockfd, sock, ret;
    char sendline[MAXLINE]="Hello Server"; /* string to send to the server */
    char recvline[MAXLINE]; /* string received from the server */
    WOLFSSL* ssl;
    WOLFSSL*         sslResume = 0;
    WOLFSSL_SESSION* session   = 0;
    WOLFSSL_CTX* ctx;
    struct sockaddr_in servaddr;;

    /* must include an ip address of this will flag */
    if (argc != 2) {
        printf("Usage: tcpClient <IPaddress>\n");
        return 1;
    }

    wolfSSL_Init();  /* initialize wolfSSL */

    /* create and initialize WOLFSSL_CTX structure */
    if ((ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())) == NULL) {
        fprintf(stderr, "SSL_CTX_new error.\n");
        return 1;
    }

    /* create a stream socket using tcp,internet protocal IPv4,
     * full-duplex stream */
    sockfd = socket(AF_INET, SOCK_STREAM, 0);

    /* places n zero-valued bytes in the address servaddr */
    memset(&servaddr, 0, sizeof(servaddr));

    servaddr.sin_family = AF_INET;
    servaddr.sin_port   = htons(SERV_PORT);

    /* converts IPv4 addresses from text to binary form */
    ret = inet_pton(AF_INET, argv[1], &servaddr.sin_addr);

    if (ret != 1){
        return 1;
    }

    /* set up pre shared keys */
    wolfSSL_CTX_set_psk_client_callback(ctx, My_Psk_Client_Cb);

    /* attempts to make a connection on a socket */
    ret = connect(sockfd, (struct sockaddr *) &servaddr, sizeof(servaddr));
    if (ret != 0 ){
        return 1;
    }

    /* create wolfSSL object after each tcp connect */
    if ( (ssl = wolfSSL_new(ctx)) == NULL) {
        fprintf(stderr, "wolfSSL_new error.\n");
        return 1;
    }

    /* associate the file descriptor with the session */
    wolfSSL_set_fd(ssl, sockfd);

     /* takes inputting string and outputs it to the server */
    if (wolfSSL_write(ssl, sendline, sizeof(sendline)) != sizeof(sendline)) {
        printf("Write Error to Server\n");
        return 1;
    }

    /* flags if the Server stopped before the client could end */
    if (wolfSSL_read(ssl, recvline, MAXLINE) < 0 ) {
        printf("Client: Server Terminated Prematurely!\n");
        return 1;
    }

    /* show message from the server */
    printf("Server Message: %s\n", recvline);

    /* Save the session ID to reuse */
    session   = wolfSSL_get_session(ssl);
    sslResume = wolfSSL_new(ctx);

    /* shut down wolfSSL */
    wolfSSL_shutdown(ssl);

    /* close connection */
    close(sockfd);

    /* cleanup without wolfSSL_Cleanup() and wolfSSL_CTX_free() for now */
    wolfSSL_free(ssl);

    /*
     * resume session, start new connection and socket
     */

    /* start a new socket connection */
    sock = socket(AF_INET, SOCK_STREAM, 0);

    /* connect to the socket */
    ret = connect(sock, (struct sockaddr *) &servaddr, sizeof(servaddr));

    if (ret != 0){
        return 1;
    }

    /* set the session ID to connect to the server */
    wolfSSL_set_fd(sslResume, sock);
    wolfSSL_set_session(sslResume, session);

    /* check has connect successfully */
    if (wolfSSL_connect(sslResume) != SSL_SUCCESS) {
        printf("SSL resume failed\n");
        return 1;
    }

    if (wolfSSL_write(sslResume, sendline, sizeof(sendline)) != sizeof(sendline)) {
        printf("Write Error to Server\n");
        return 1;
    }

    /* flags if the Server stopped before the client could end */
    if (wolfSSL_read(sslResume, recvline, MAXLINE) < 0 ) {
        printf("Client: Server Terminated Prematurely!\n");
        return 1;
    }

    /* show message from the server */
    printf("Server Message: %s\n", recvline);
    /* check to see if the session id is being reused */
    if (wolfSSL_session_reused(sslResume)) {
        printf("reused session id\n");
    }
    else{
        printf("didn't reuse session id!!!\n");
    }
    /* shut down wolfSSL */
    wolfSSL_shutdown(sslResume);
    /* shut down socket */
    close(sock);
    /* clean up now with wolfSSL_Cleanup() */
    wolfSSL_free(sslResume);
    wolfSSL_CTX_free(ctx);
    wolfSSL_Cleanup();

    return ret;
}

Share

Re: Trying to use wolfssl-3.14.0 with PSKs

Hi khenderson,

I'll be going over the PSK examples today and checking things, a lot has changed with the addition of TLS 1.3 and PFS cipher suites, those example could use a re-visiting and potential update anyway. Thanks for your report, I'll send a link to the PR once my changes are in. Cheers.

Kaleb

Re: Trying to use wolfssl-3.14.0 with PSKs

Hi khenderson,

I've opened a PR to address the note you sent:

As this is example code, (with little modification noted above AND it didn't work in it's unmodified version either), I'm assuming that either the code examples are wrong OR wolfssl-3.14.0 is.

Changes can be found here: https://github.com/wolfSSL/wolfssl-exam … l/93/files

You can test out these changes by doing the following:

git clone https://github.com/wolfssl/wolfssl-examples.git
cd wolfssl-examples
git checkout -b kaleb-himes-PSK-UPDATES master
git pull https://github.com/kaleb-himes/wolfssl-examples.git PSK-UPDATES

You can now switch the clients to use wolfTLSv1_3_client_method and they will be able to talk to the servers. Thank you so much for bringing this to our attention and for your interest in the PSK examples.

Could you tell us a little about what it is you're working on, end goals and use of PSK? We always love to hear feedback from users and it helps us to better prioritize our efforts when we understand the use-case and motivation behind a report of this nature!

Thanks and Best,

Kaleb

Re: Trying to use wolfssl-3.14.0 with PSKs

Hi Kaleb, Thanks for the updates and links - It is working now.

To answer your question about use case, I'm running an experiment, implementing a Needham-Schroeder like protocol with a key server where the client has a PSK relationship with a key server and the key server maintains a cache of short lived RFC5077 tickets it maintains with a server. When a client wants to talk to the server, it requests a ticket from the key server. The key server gives the client a ticket to use with the key server but wraps a key that'll be used for the client-server session. So, I think I'll need to introduce some logic on the server side's wolfSSL_CTX_set_TicketEncCtx() call back in order to unwrap using the key fetched by key_name and then synthesize a CTX using the underlying (now unwrapped) key. If you have any implementation ideas, it's greatly appreciated.

Thanks,
Karl

Share

Re: Trying to use wolfssl-3.14.0 with PSKs

One thing that still is a bit puzzling to me is that I have the following configuration:

Configuration summary for wolfssl version 3.14.0

   * Installation prefix:        /usr/local
   * System type:                unknown-linux-gnu
   * Host CPU:                   x86_64
   * C Compiler:                 gcc
   * C Flags:                    -DWOLFSSL_STATIC_PSK -DHAVE_EXT_CACHE  -g -ggdb -O0 -Wno-pragmas -Wall -Wno-strict-aliasing -Wextra -Wunknown-pragmas --param=ssp-buffer-size=1 -Waddress -Warray-bounds -Wbad-function-cast -Wchar-subscripts -Wcomment -Wfloat-equal -Wformat-security -Wformat=2 -Wmaybe-uninitialized -Wmissing-field-initializers -Wmissing-noreturn -Wmissing-prototypes -Wnested-externs -Wnormalized=id -Woverride-init -Wpointer-arith -Wpointer-sign -Wredundant-decls -Wshadow -Wsign-compare -Wstrict-overflow=1 -Wswitch-enum -Wundef -Wunused -Wunused-result -Wunused-variable -Wwrite-strings -fwrapv -g1
   * C++ Compiler:               g++
   * C++ Flags:                  
   * CPP Flags:                   -fvisibility=hidden
   * CCAS Flags:                 -DWOLFSSL_STATIC_PSK -DHAVE_EXT_CACHE
   * LIB Flags:                   -pie -z relro -z now 
   * Debug enabled:              yes
   * Coverage enabled:           
   * Warnings as failure:        no
   * make -j:                    5
   * VCS checkout:               no

   Features 
   * Single threaded:            no
   * Filesystem:                 yes
   * OpenSSH Build:              no
   * OpenSSL Extra API:          yes
   * OpenSSL Coexist:            no
   * Old Names:                  yes
   * Max Strength Build:         no
   * Distro Build:               no
   * fastmath:                   yes
   * Assembly Allowed:           yes
   * sniffer:                    no
   * snifftest:                  no
   * ARC4:                       no
   * AES:                        yes
   * AES-NI:                     no
   * AES-GCM:                    yes
   * AES-CCM:                    no
   * AES-CTR:                    no
   * DES3:                       no
   * IDEA:                       no
   * Camellia:                   no
   * NULL Cipher:                no
   * MD5:                        yes
   * RIPEMD:                     no
   * SHA:                        yes
   * SHA-224:                    yes
   * SHA-512:                    yes
   * SHA3:                       yes
   * BLAKE2:                     no
   * CMAC:                       no
   * keygen:                     no
   * certgen:                    no
   * certreq:                    no
   * certext:                    no
   * HC-128:                     no
   * RABBIT:                     no
   * CHACHA:                     yes
   * Hash DRBG:                  yes
   * PWDBASED:                   yes
   * scrypt:                     no
   * wolfCrypt Only:             no
   * HKDF:                       yes
   * X9.63 KDF:                  no
   * MD4:                        no
   * PSK:                        yes
   * Poly1305:                   yes
   * LEANPSK:                    no
   * LEANTLS:                    no
   * RSA:                        yes
   * RSA-PSS:                    yes
   * DSA:                        no
   * DH:                         yes
   * ECC:                        yes
   * CURVE25519:                 no
   * ED25519:                    no
   * FPECC:                      no
   * ECC_ENCRYPT:                no
   * ASN:                        yes
   * Anonymous cipher:           no
   * CODING:                     yes
   * MEMORY:                     yes
   * I/O POOL:                   no
   * LIGHTY:                     no
   * HAPROXY:                    no
   * STUNNEL:                    no
   * NGINX:                      no
   * SIGNAL:                     no
   * ERROR_STRINGS:              yes
   * DTLS:                       no
   * SCTP:                       no
   * Indefinite Length:          no
   * Multicast:                  no
   * Old TLS Versions:           no
   * SSL version 3.0:            no
   * TLS v1.0:                   no
   * TLS v1.3:                   yes
   * TLS v1.3 Draft 18:          no
   * Post-handshake Auth:        no
   * Early Data:                 no
   * Send State in HRR Cookie:   no
   * OCSP:                       no
   * OCSP Stapling:              no
   * OCSP Stapling v2:           no
   * CRL:                        no
   * CRL-MONITOR:                no
   * Persistent session cache:   no
   * Persistent cert    cache:   no
   * Atomic User Record Layer:   no
   * Public Key Callbacks:       no
   * NTRU:                       no
   * QSH:                        no
   * Whitewood netRandom:        no
   * Server Name Indication:     no
   * ALPN:                       no
   * Maximum Fragment Length:    no
   * Truncated HMAC:             no
   * Supported Elliptic Curves:  yes
   * Session Ticket:             yes
   * Extended Master Secret:     yes
   * Renegotiation Indication:   no
   * Secure Renegotiation:       no
   * All TLS Extensions:         no
   * PKCS#7                      no
   * wolfSSH                     no
   * wolfSCEP                    no
   * Secure Remote Password      no
   * Small Stack:                no
   * valgrind unit tests:        no
   * LIBZ:                       no
   * Examples:                   yes
   * User Crypto:                no
   * Fast RSA:                   no
   * Single Precision:           no
   * Async Crypto:               no
   * Cavium:                     no
   * ARM ASM:                    no
   * AES Key Wrap:               no
   * Write duplicate:            no
   * Intel Quick Assist:         no
   * Xilinx Hardware Acc.:       no
   * Inline Code:                yes

And the following method call in my client:

ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())

However, wireshark is still showing the ClientHello being sent with TLS 1.2 (0x0303)

Any ideas?

Share

Re: Trying to use wolfssl-3.14.0 with PSKs

I'm even trying with the default client:

examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -p 443 -s -h 10.239.34.64

And it still shows a 1.2 record. I'm not sure what I'm missing - also, I'd like to be able to send a 0 length NewSessionTicket in the ClientHello - I'm guessing with wolfSSL_set_SessionTicket(ssl, NULL, 0).

The output of the client is below:

wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering WOLFSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_set_cipher_list
wolfSSL Entering SSL_CTX_set_default_passwd_cb
wolfSSL Entering wolfSSL_CTX_use_certificate_chain_file
Getting dynamic buffer
wolfSSL Entering PemToDer
Checking cert signature type
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Not ECDSA cert signature
wolfSSL Entering wolfSSL_CTX_use_PrivateKey_file
Getting dynamic buffer
wolfSSL Entering PemToDer
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeExtKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL error: tcp connect failed
[deploy@rootns-0 wolfssl-3.14.0]$ 
[deploy@rootns-0 wolfssl-3.14.0]$ 
[deploy@rootns-0 wolfssl-3.14.0]$ 
[deploy@rootns-0 wolfssl-3.14.0]$ 
[deploy@rootns-0 wolfssl-3.14.0]$ 
[deploy@rootns-0 wolfssl-3.14.0]$ examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -p 443 -s
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering WOLFSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_set_cipher_list
wolfSSL Entering SSL_CTX_set_psk_client_callback
wolfSSL Entering SSL_CTX_set_default_passwd_cb
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL error: tcp connect failed
[deploy@rootns-0 wolfssl-3.14.0]$ 
[deploy@rootns-0 wolfssl-3.14.0]$ 
[deploy@rootns-0 wolfssl-3.14.0]$ examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -p 443 -s -h 10.239.34.64
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering WOLFSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_set_cipher_list
wolfSSL Entering SSL_CTX_set_psk_client_callback
wolfSSL Entering SSL_CTX_set_default_passwd_cb
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Entering SSL_set_read_fd
wolfSSL Leaving SSL_set_read_fd, return 1
wolfSSL Entering SSL_set_write_fd
wolfSSL Leaving SSL_set_write_fd, return 1
wolfSSL Entering SSL_connect()
wolfSSL Entering SendTls13ClientHello
Adding signature algorithms extension
Adding supported versions extension
wolfSSL Entering VerifyClientSuite
growing output buffer

PSK Key Exchange Modes extension to write
Supported Versions extension to write
Signature Algorithms extension to write
Point Formats extension to write
Elliptic Curves extension to write
Key Share extension to write
Session Ticket extension to write
Pre-Shared Key extension to write
wolfSSL Entering VerifyClientSuite
Derive Early Secret
Derive Binder Key
Derive Finished Secret
Shrinking output buffer

wolfSSL Leaving SendTls13ClientHello, return 0
connect state: CLIENT_HELLO_SENT
growing input buffer

received record layer msg
wolfSSL Entering DoTls13HandShakeMsg()
wolfSSL Entering DoTls13HandShakeMsgType
processing server hello
wolfSSL Entering DoTls13ServerHello
Pre-Shared Key extension received
Key Share extension received
Supported Versions extension received
wolfSSL Entering VerifyClientSuite
wolfSSL Entering VerifyClientSuite
Derive Early Secret
wolfSSL Leaving DoTls13ServerHello, return 0
Derive Early Secret
Derive Handshake Secret
Derive Client Handshake Secret
Derive Server Handshake Secret
Derive Client Key
Derive Server Key
Derive Client IV
Derive Server IV
wolfSSL Leaving DoTls13HandShakeMsgType(), return 0
wolfSSL Leaving DoTls13HandShakeMsg(), return 0
wolfSSL Entering DecryptTls13
received record layer msg
wolfSSL Entering DoTls13HandShakeMsg()
wolfSSL Entering DoTls13HandShakeMsgType
processing encrypted extensions
wolfSSL Entering DoTls13EncryptedExtensions
wolfSSL Leaving DoTls13EncryptedExtensions, return 0
wolfSSL Leaving DoTls13HandShakeMsgType(), return 0
wolfSSL Leaving DoTls13HandShakeMsg(), return 0
wolfSSL Entering DecryptTls13
received record layer msg
wolfSSL Entering DoTls13HandShakeMsg()
wolfSSL Entering DoTls13HandShakeMsgType
processing finished
wolfSSL Entering DoTls13Finished
Derive Finished Secret
Derive Finished Secret
wolfSSL Leaving DoTls13Finished, return 0
Derive Master Secret
Derive Client Traffic Secret
Derive Server Traffic Secret
Derive Client Key
Derive Server Key
Derive Client IV
Derive Server IV
wolfSSL Leaving DoTls13HandShakeMsgType(), return 0
wolfSSL Leaving DoTls13HandShakeMsg(), return 0
connect state: HELLO_AGAIN
wolfSSL Entering wolfSSL_connect_TLSv13()
connect state: HELLO_AGAIN_REPLY
connect state: FIRST_REPLY_DONE
connect state: FIRST_REPLY_FIRST
connect state: FIRST_REPLY_SECOND
connect state: FIRST_REPLY_THIRD
wolfSSL Entering SendTls13Finished
growing output buffer

wolfSSL Entering BuildTls13Message
wolfSSL Entering EncryptTls13
wolfSSL Leaving BuildTls13Message, return 0
Shrinking output buffer

Derive Resumption Secret
wolfSSL Leaving SendTls13Finished, return 0
sent: finished
connect state: FINISHED_DONE
wolfSSL Leaving wolfSSL_connect_TLSv13(), return 1
wolfSSL Entering SSL_get_peer_certificate
peer has no cert!
wolfSSL Entering wolfSSL_FreeX509
wolfSSL Entering ExternalFreeX509
wolfSSL Entering SSL_get_version
SSL version is TLSv1.3
wolfSSL Entering SSL_get_current_cipher
wolfSSL Entering SSL_CIPHER_get_name
wolfSSL Entering wolfSSL_get_cipher_name_from_suite
SSL cipher suite is TLS_AES_128_GCM_SHA256
SSL curve name is SECP256R1
Client Random : 2206280F4CB31D50E943405174A922E7BA418579651190B02AC2EC9DE4AC50AC
wolfSSL Entering SSL_write()
growing output buffer

wolfSSL Entering BuildTls13Message
wolfSSL Entering EncryptTls13
wolfSSL Leaving BuildTls13Message, return 0
Shrinking output buffer

wolfSSL Leaving SSL_write(), return 14
wolfSSL Entering wolfSSL_read()
wolfSSL Entering wolfSSL_read_internal()
wolfSSL Entering ReceiveData()
growing input buffer

wolfSSL Entering DecryptTls13
received record layer msg
wolfSSL Entering DoTls13HandShakeMsg()
wolfSSL Entering DoTls13HandShakeMsgType
processing new session ticket
wolfSSL Entering DoTls13NewSessionTicket
Session Ticket CB: ticketSz = 138, ctx = initial session
wolfSSL Leaving DoTls13NewSessionTicket, return 0
wolfSSL Leaving DoTls13HandShakeMsgType(), return 0
wolfSSL Leaving DoTls13HandShakeMsg(), return 0
wolfSSL Entering DecryptTls13
received record layer msg
got app DATA
Shrinking input buffer

wolfSSL Leaving ReceiveData(), return 21
wolfSSL Leaving wolfSSL_read_internal(), return 21
I hear ya for shizzle
wolfSSL Entering SSL_shutdown()
growing output buffer

wolfSSL Entering BuildMessage
wolfSSL Entering BuildTls13Message
wolfSSL Entering EncryptTls13
wolfSSL Leaving BuildTls13Message, return 0
Shrinking output buffer

wolfSSL Leaving SSL_shutdown(), return 2
wolfSSL Entering SSL_free
CTX ref count not 0 yet, no free
wolfSSL Entering wolfSSL_BIO_free
wolfSSL Leaving SSL_free, return 0
wolfSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Leaving SSL_CTX_free, return 0
wolfSSL Entering wolfSSL_Cleanup
wolfSSL Entering wolfCrypt_Cleanup
[deploy@rootns-0 wolfssl-3.14.0]$ examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -p 443 -s -h 10.239.34.64
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering WOLFSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_set_cipher_list
wolfSSL Entering SSL_CTX_set_psk_client_callback
wolfSSL Entering SSL_CTX_set_default_passwd_cb
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Entering SSL_set_read_fd
wolfSSL Leaving SSL_set_read_fd, return 1
wolfSSL Entering SSL_set_write_fd
wolfSSL Leaving SSL_set_write_fd, return 1
wolfSSL Entering SSL_connect()
wolfSSL Entering SendTls13ClientHello
Adding signature algorithms extension
Adding supported versions extension
wolfSSL Entering VerifyClientSuite
growing output buffer

PSK Key Exchange Modes extension to write
Supported Versions extension to write
Signature Algorithms extension to write
Point Formats extension to write
Elliptic Curves extension to write
Key Share extension to write
Session Ticket extension to write
Pre-Shared Key extension to write
wolfSSL Entering VerifyClientSuite
Derive Early Secret
Derive Binder Key
Derive Finished Secret
Shrinking output buffer

wolfSSL Leaving SendTls13ClientHello, return 0
connect state: CLIENT_HELLO_SENT
growing input buffer

received record layer msg
wolfSSL Entering DoTls13HandShakeMsg()
wolfSSL Entering DoTls13HandShakeMsgType
processing server hello
wolfSSL Entering DoTls13ServerHello
Pre-Shared Key extension received
Key Share extension received
Supported Versions extension received
wolfSSL Entering VerifyClientSuite
wolfSSL Entering VerifyClientSuite
Derive Early Secret
wolfSSL Leaving DoTls13ServerHello, return 0
Derive Early Secret
Derive Handshake Secret
Derive Client Handshake Secret
Derive Server Handshake Secret
Derive Client Key
Derive Server Key
Derive Client IV
Derive Server IV
wolfSSL Leaving DoTls13HandShakeMsgType(), return 0
wolfSSL Leaving DoTls13HandShakeMsg(), return 0
wolfSSL Entering DecryptTls13
received record layer msg
wolfSSL Entering DoTls13HandShakeMsg()
wolfSSL Entering DoTls13HandShakeMsgType
processing encrypted extensions
wolfSSL Entering DoTls13EncryptedExtensions
wolfSSL Leaving DoTls13EncryptedExtensions, return 0
wolfSSL Leaving DoTls13HandShakeMsgType(), return 0
wolfSSL Leaving DoTls13HandShakeMsg(), return 0
wolfSSL Entering DecryptTls13
received record layer msg
wolfSSL Entering DoTls13HandShakeMsg()
wolfSSL Entering DoTls13HandShakeMsgType
processing finished
wolfSSL Entering DoTls13Finished
Derive Finished Secret
Derive Finished Secret
wolfSSL Leaving DoTls13Finished, return 0
Derive Master Secret
Derive Client Traffic Secret
Derive Server Traffic Secret
Derive Client Key
Derive Server Key
Derive Client IV
Derive Server IV
wolfSSL Leaving DoTls13HandShakeMsgType(), return 0
wolfSSL Leaving DoTls13HandShakeMsg(), return 0
connect state: HELLO_AGAIN
wolfSSL Entering wolfSSL_connect_TLSv13()
connect state: HELLO_AGAIN_REPLY
connect state: FIRST_REPLY_DONE
connect state: FIRST_REPLY_FIRST
connect state: FIRST_REPLY_SECOND
connect state: FIRST_REPLY_THIRD
wolfSSL Entering SendTls13Finished
growing output buffer

wolfSSL Entering BuildTls13Message
wolfSSL Entering EncryptTls13
wolfSSL Leaving BuildTls13Message, return 0
Shrinking output buffer

Derive Resumption Secret
wolfSSL Leaving SendTls13Finished, return 0
sent: finished
connect state: FINISHED_DONE
wolfSSL Leaving wolfSSL_connect_TLSv13(), return 1
wolfSSL Entering SSL_get_peer_certificate
peer has no cert!
wolfSSL Entering wolfSSL_FreeX509
wolfSSL Entering ExternalFreeX509
wolfSSL Entering SSL_get_version
SSL version is TLSv1.3
wolfSSL Entering SSL_get_current_cipher
wolfSSL Entering SSL_CIPHER_get_name
wolfSSL Entering wolfSSL_get_cipher_name_from_suite
SSL cipher suite is TLS_AES_128_GCM_SHA256
SSL curve name is SECP256R1
Client Random : EF4FC79DF23B323D062101A100ED06A94BE04AEF949C15ABD0BD257C5ED1469A
wolfSSL Entering SSL_write()
growing output buffer

wolfSSL Entering BuildTls13Message
wolfSSL Entering EncryptTls13
wolfSSL Leaving BuildTls13Message, return 0
Shrinking output buffer

wolfSSL Leaving SSL_write(), return 14
wolfSSL Entering wolfSSL_read()
wolfSSL Entering wolfSSL_read_internal()
wolfSSL Entering ReceiveData()
growing input buffer

wolfSSL Entering DecryptTls13
received record layer msg
wolfSSL Entering DoTls13HandShakeMsg()
wolfSSL Entering DoTls13HandShakeMsgType
processing new session ticket
wolfSSL Entering DoTls13NewSessionTicket
Session Ticket CB: ticketSz = 138, ctx = initial session
wolfSSL Leaving DoTls13NewSessionTicket, return 0
wolfSSL Leaving DoTls13HandShakeMsgType(), return 0
wolfSSL Leaving DoTls13HandShakeMsg(), return 0
wolfSSL Entering DecryptTls13
received record layer msg
got app DATA
Shrinking input buffer

wolfSSL Leaving ReceiveData(), return 21
wolfSSL Leaving wolfSSL_read_internal(), return 21
I hear ya for shizzle
wolfSSL Entering SSL_shutdown()
growing output buffer

wolfSSL Entering BuildMessage
wolfSSL Entering BuildTls13Message
wolfSSL Entering EncryptTls13
wolfSSL Leaving BuildTls13Message, return 0
Shrinking output buffer

wolfSSL Leaving SSL_shutdown(), return 2
wolfSSL Entering SSL_free
CTX ref count not 0 yet, no free
wolfSSL Entering wolfSSL_BIO_free
wolfSSL Leaving SSL_free, return 0
wolfSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Leaving SSL_CTX_free, return 0
wolfSSL Entering wolfSSL_Cleanup
wolfSSL Entering wolfCrypt_Cleanup
[deploy@rootns-0 wolfssl-3.14.0]$ examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -p 443 -s -h 10.239.34.64
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering WOLFSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_set_cipher_list
wolfSSL Entering SSL_CTX_set_psk_client_callback
wolfSSL Entering SSL_CTX_set_default_passwd_cb
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Entering SSL_set_read_fd
wolfSSL Leaving SSL_set_read_fd, return 1
wolfSSL Entering SSL_set_write_fd
wolfSSL Leaving SSL_set_write_fd, return 1
wolfSSL Entering SSL_connect()
wolfSSL Entering SendTls13ClientHello
Adding signature algorithms extension
Adding supported versions extension
wolfSSL Entering VerifyClientSuite
growing output buffer

PSK Key Exchange Modes extension to write
Supported Versions extension to write
Signature Algorithms extension to write
Point Formats extension to write
Elliptic Curves extension to write
Key Share extension to write
Session Ticket extension to write
Pre-Shared Key extension to write
wolfSSL Entering VerifyClientSuite
Derive Early Secret
Derive Binder Key
Derive Finished Secret
Shrinking output buffer

wolfSSL Leaving SendTls13ClientHello, return 0
connect state: CLIENT_HELLO_SENT
growing input buffer

received record layer msg
wolfSSL Entering DoTls13HandShakeMsg()
wolfSSL Entering DoTls13HandShakeMsgType
processing server hello
wolfSSL Entering DoTls13ServerHello
Pre-Shared Key extension received
Key Share extension received
Supported Versions extension received
wolfSSL Entering VerifyClientSuite
wolfSSL Entering VerifyClientSuite
Derive Early Secret
wolfSSL Leaving DoTls13ServerHello, return 0
Derive Early Secret
Derive Handshake Secret
Derive Client Handshake Secret
Derive Server Handshake Secret
Derive Client Key
Derive Server Key
Derive Client IV
Derive Server IV
wolfSSL Leaving DoTls13HandShakeMsgType(), return 0
wolfSSL Leaving DoTls13HandShakeMsg(), return 0
wolfSSL Entering DecryptTls13
received record layer msg
wolfSSL Entering DoTls13HandShakeMsg()
wolfSSL Entering DoTls13HandShakeMsgType
processing encrypted extensions
wolfSSL Entering DoTls13EncryptedExtensions
wolfSSL Leaving DoTls13EncryptedExtensions, return 0
wolfSSL Leaving DoTls13HandShakeMsgType(), return 0
wolfSSL Leaving DoTls13HandShakeMsg(), return 0
wolfSSL Entering DecryptTls13
received record layer msg
wolfSSL Entering DoTls13HandShakeMsg()
wolfSSL Entering DoTls13HandShakeMsgType
processing finished
wolfSSL Entering DoTls13Finished
Derive Finished Secret
Derive Finished Secret
wolfSSL Leaving DoTls13Finished, return 0
Derive Master Secret
Derive Client Traffic Secret
Derive Server Traffic Secret
Derive Client Key
Derive Server Key
Derive Client IV
Derive Server IV
wolfSSL Leaving DoTls13HandShakeMsgType(), return 0
wolfSSL Leaving DoTls13HandShakeMsg(), return 0
connect state: HELLO_AGAIN
wolfSSL Entering wolfSSL_connect_TLSv13()
connect state: HELLO_AGAIN_REPLY
connect state: FIRST_REPLY_DONE
connect state: FIRST_REPLY_FIRST
connect state: FIRST_REPLY_SECOND
connect state: FIRST_REPLY_THIRD
wolfSSL Entering SendTls13Finished
growing output buffer

wolfSSL Entering BuildTls13Message
wolfSSL Entering EncryptTls13
wolfSSL Leaving BuildTls13Message, return 0
Shrinking output buffer

Derive Resumption Secret
wolfSSL Leaving SendTls13Finished, return 0
sent: finished
connect state: FINISHED_DONE
wolfSSL Leaving wolfSSL_connect_TLSv13(), return 1
wolfSSL Entering SSL_get_peer_certificate
peer has no cert!
wolfSSL Entering wolfSSL_FreeX509
wolfSSL Entering ExternalFreeX509
wolfSSL Entering SSL_get_version
SSL version is TLSv1.3
wolfSSL Entering SSL_get_current_cipher
wolfSSL Entering SSL_CIPHER_get_name
wolfSSL Entering wolfSSL_get_cipher_name_from_suite
SSL cipher suite is TLS_AES_128_GCM_SHA256
SSL curve name is SECP256R1
Client Random : 82739D7E9E0C43E9878AAB9AB963C56A35851BFC5E2738D8724546D35108F805
wolfSSL Entering SSL_write()
growing output buffer

wolfSSL Entering BuildTls13Message
wolfSSL Entering EncryptTls13
wolfSSL Leaving BuildTls13Message, return 0
Shrinking output buffer

wolfSSL Leaving SSL_write(), return 14
wolfSSL Entering wolfSSL_read()
wolfSSL Entering wolfSSL_read_internal()
wolfSSL Entering ReceiveData()
growing input buffer

wolfSSL Entering DecryptTls13
received record layer msg
wolfSSL Entering DoTls13HandShakeMsg()
wolfSSL Entering DoTls13HandShakeMsgType
processing new session ticket
wolfSSL Entering DoTls13NewSessionTicket
Session Ticket CB: ticketSz = 138, ctx = initial session
wolfSSL Leaving DoTls13NewSessionTicket, return 0
wolfSSL Leaving DoTls13HandShakeMsgType(), return 0
wolfSSL Leaving DoTls13HandShakeMsg(), return 0
wolfSSL Entering DecryptTls13
received record layer msg
got app DATA
Shrinking input buffer

wolfSSL Leaving ReceiveData(), return 21
wolfSSL Leaving wolfSSL_read_internal(), return 21
I hear ya for shizzle
wolfSSL Entering SSL_shutdown()
growing output buffer

wolfSSL Entering BuildMessage
wolfSSL Entering BuildTls13Message
wolfSSL Entering EncryptTls13
wolfSSL Leaving BuildTls13Message, return 0
Shrinking output buffer

wolfSSL Leaving SSL_shutdown(), return 2
wolfSSL Entering SSL_free
CTX ref count not 0 yet, no free
wolfSSL Entering wolfSSL_BIO_free
wolfSSL Leaving SSL_free, return 0
wolfSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Leaving SSL_CTX_free, return 0
wolfSSL Entering wolfSSL_Cleanup
wolfSSL Entering wolfCrypt_Cleanup

Share

Re: Trying to use wolfssl-3.14.0 with PSKs

Karl,

I am honestly not sure why wireshark is not recognizing the TLS 1.3 traffic correctly. Have you contacted wireshark about this discrepancy?

Warm Regards,

Kaleb

Re: Trying to use wolfssl-3.14.0 with PSKs

Hi Kaleb,

The wire format is showing version 0x0303 (v1.2) instead of 0x0304 (v1.3) so I don't think this is a wireshark issue.

Regards,
Karl

Share

Re: Trying to use wolfssl-3.14.0 with PSKs

I don't get to hung up on the record layer version info.

wShark seems to tag the traffic v1.2 or v1.3 after looking at the conversation. 
I regularly see v1.3 traffic with a v1.2 record layer.  The packet data say's it is v1.2 (0x0303).  As in, this record layer is at version v1.2, but the conversation is v1.3.  I don't believe the record layer version is there to identify the TLS version.

Share