Topic: wolfSSL_connect error -326, record layer version error

Hello. I'm trying to use the client with: client -h example.com -p 443 -d -g.
The problem is I get this error: wolfSSL_connect error -326, record layer version error when I use a Cloudflare host (with Universal SSL), but if I don't, everything works fine.


Re: wolfSSL_connect error -326, record layer version error

Are you using TLSv1.3 on your client?

Re: wolfSSL_connect error -326, record layer version error

What are your configure options?

Sometimes when using TLSv1.3 a server might still be using an older draft of TLSv1.3, and we'll get a version mismatch error.

4 (edited by bogdankrz 2018-10-12 01:51:25)

Re: wolfSSL_connect error -326, record layer version error

I also tried with 1.1 and 1.2 and still got the same error.


Re: wolfSSL_connect error -326, record layer version error

What are your configure options?

I used the default configuration for wolfSSL and I get the following when I connect to a Cloudflare-hosted site.

$ ./examples/client/client -h REDACTED.com -p 443 -d -g
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL curve name is SECP256R1
SSL connect ok, sending GET...
HTTP/1.1 403 Forbidden
Server: cloudflare
Date: Fri, 12 Oct 2018 17:46:43 GMT

Are you enabling the TLS server name indication in the wolfSSL build? Usually when connecting to a CDN, you need to specify the SNI.

$ ./examples/client/client -h REDACTED.com -p 443 -d -g -S REDACTED.com
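
What the `-S` option in the reply above asks the client to put in its ClientHello, as an added example that is not part of the original posts or wolfSSL's code: the RFC 6066 server_name extension, encoded and then read back with bounds checks. The function names are hypothetical and `example.com` is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
static void put16(uint8_t *p, size_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static size_t get16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Added example (hypothetical names, not wolfSSL API): encode the RFC 6066
 * server_name extension. Returns bytes written, or 0 on bad name / small buffer. */
size_t sni_encode(const char *host, uint8_t *out, size_t cap)
{
    size_t n = strlen(host);
    if (n == 0 || n > 255 || cap < n + 9) return 0;
    put16(out, 0);          /* extension type 0 = server_name */
    put16(out + 2, n + 5);  /* extension_data length */
    put16(out + 4, n + 3);  /* server_name_list length */
    out[6] = 0;             /* name_type 0 = host_name */
    put16(out + 7, n);      /* host name length */
    memcpy(out + 9, host, n);
    return n + 9;
}

/* Walk an extensions block (type:2, len:2, data); 0 = no SNI, -1 = malformed. */
int sni_find(const uint8_t *ext, size_t len, char *name, size_t cap)
{
    size_t i = 0;
    while (len - i >= 4) {
        size_t type = get16(ext + i), elen = get16(ext + i + 2);
        const uint8_t *p = ext + i + 4;              /* extension_data */
        if (elen > len - i - 4) return -1;           /* runs past the block */
        if (type == 0) {
            if (elen < 5 || get16(p) + 2 != elen || p[2] != 0) return -1;
            size_t nlen = get16(p + 3);
            if (nlen + 5 > elen || nlen + 1 > cap) return -1;
            memcpy(name, p + 5, nlen);
            name[nlen] = '\0';
            return (int)nlen;
        }
        i += 4 + elen;                               /* skip other extensions */
    }
    return i == len ? 0 : -1;
}

int main(void)
{
    uint8_t buf[64]; char name[32];
    size_t n = sni_encode("example.com", buf, sizeof buf); /* constructed sample */
    if (sni_find(buf, n, name, sizeof name) > 0) printf("%zu bytes, host=%s\n", n, name);
    return 0;
}
```

In wolfSSL the SNI extension is compiled in only when `HAVE_SNI` is defined.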

Re: wolfSSL_connect error -326, record layer version error

I get the same error when using

client -h REDACTED.com -p 443 -d -g

or

client -h REDACTED.com -p 443 -d -g -S REDACTED.com

wolfSSL is compiled under Windows with Visual Studio 2017.

I've redownloaded & rebuilt the project. This is my user_settings.h (default):

#ifndef _WIN_USER_SETTINGS_H_
#define _WIN_USER_SETTINGS_H_

/* Verify this is Windows */
#ifndef _WIN32
#error This user_settings.h header is only designed for Windows
#endif

/* Configurations */
#if defined(HAVE_FIPS)
    /* FIPS */
    #define OPENSSL_EXTRA
    #define HAVE_THREAD_LS
    #define WOLFSSL_KEY_GEN
    #define HAVE_AESGCM
    #define HAVE_HASHDRBG
    #define WOLFSSL_SHA384
    #define WOLFSSL_SHA512
    #define NO_PSK
    #define NO_HC128
    #define NO_RC4
    #define NO_RABBIT
    #define NO_DSA
    #define NO_MD4
#else
    /* Enables blinding mode, to prevent timing attacks */
    #define WC_RSA_BLINDING

    #if defined(WOLFSSL_LIB)
        /* The lib */
        #define OPENSSL_EXTRA
        #define WOLFSSL_RIPEMD
        #define WOLFSSL_SHA512
        #define NO_PSK
        #define HAVE_EXTENDED_MASTER
        #define WOLFSSL_SNIFFER
        #define HAVE_TLS_EXTENSIONS
        #define HAVE_SECURE_RENEGOTIATION

        #define HAVE_AESGCM
        #define WOLFSSL_SHA384
        #define WOLFSSL_SHA512

        #define HAVE_SUPPORTED_CURVES
        #define HAVE_TLS_EXTENSIONS

        #define HAVE_ECC
        #define ECC_SHAMIR
        #define ECC_TIMING_RESISTANT
    #else
        /* The servers and clients */
        #define OPENSSL_EXTRA
        #define NO_PSK
    #endif
#endif /* HAVE_FIPS */

#endif /* _WIN_USER_SETTINGS_H_ */
