Topic: [SOLVED] TLS Connect Error: verify problem based on signature

Hello. I'm new to WolfSSL and starting out by trying to run the wolfssl_client / wolfssl_server example sketches from IDE/ARDUINO.

I can get them to compile and run ok, when the client tries to connect to the server the server does output 'Client connected' but the client shows:

TLS Connect Error: verify problem based on signature
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS Write Error: verify problem based on signature
Connection complete.

What could I have missed to be causing that Connect Error?

Share

Re: [SOLVED] TLS Connect Error: verify problem based on signature

Hi @torntrousers,

This can be caused by a memory / resource limitation, can you tell us how much heap/stack your device has available and which configuration settings you are using?

Since the cipher suite negotiated is ECDHE_ECDSA if you are not already using the setting

#define ALT_ECC_SIZE

could you set that and try again and let us know if that resolves the issue?

Warm Regards,

K

3 (edited by torntrousers 2019-07-30 23:39:30)

Re: [SOLVED] TLS Connect Error: verify problem based on signature

Thank you so much for the reply.

I've tried adding ALT_ECC_SIZE in the user_settings.h and after that the the code appears to hang inside the wolfSSL_connect(ssl) call.

I'd been trying with an ESP8266 so with your hint about it might be a memory / resource issue I tried the same code on an ESP32 which has more memory and it works ok.

Yay!

I would quite like to be able to use an ESP8266 though.

A call to ESP.getFreeHeap() just before the wolfSSL_connect call shows 21672 which I suppose isn't lots.

If you've any other tips on what I could do to try to get an ESP8266 working that would be great?

Also while you're here -  I really want to use TLS 1.3 but I can't find how to get that configured in the Arduino environment. I've raised an issue on Git about it - https://github.com/wolfSSL/wolfssl/issues/2380. Would you have any tips on that?

Best,

   ...ant

Share

Re: [SOLVED] TLS Connect Error: verify problem based on signature

@torntrousers,

On TLS 1.3, we recently posted a blog with the required settings to use for TLS 1.3 when not using ./configure to build, this was a blog for building on windows https://www.wolfssl.com/building-wolfss … 3-windows/

You can apply those same settings to user_settings.h in the arduino build!

#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define HAVE_ECC
#define HAVE_HKDF
#define HAVE_FFDHE_8192
#define WC_RSA_PSS

You noted the available heap was roughly 21k, how much stack was available? For an ECDHE_ECDSA you can usually get it down to about 12k stack, 16k heap for a handshake (varies slightly depending on number of certs in chain from the peer). Chapter 2 of the wolfSSL manual has a section for reducing resource usage https://www.wolfssl.com/documentation/w … Manual.pdf

Checkout Chapter 2 section 2.4.7 Reducing Memory Usage.

Let us know if you are able to get it working on the ESP8266 using some of the finer resource usage reduction settings!
If not those aren't enough try these also:

#define NO_RSA // Disable RSA entirely
// Assuming the setting USE_FAST_MATH is used for these next ones:
#define ECC_USER_CURVES // disable all curves except SECP256r1
#define FP_MAX_BITS 512 // Set to just large enough for 256-bit curves since no RSA is enabled.

Warm Regards,

KH

Re: [SOLVED] TLS Connect Error: verify problem based on signature

Thanks again for the replies. I'll try those suggestions for fixing the ESP8266 memory use in a bit but for now TLS 1.3 - Ok I've just tried setting those TLS 1.3 #define's in user_settings.h and that gives some compile errors:

:\Arduino\ESP8266\190705\arduino-1.8.9\libraries\wolfSSL\tls13.c: In function 'EncryptTls13':

C:\Arduino\ESP8266\190705\arduino-1.8.9\libraries\wolfSSL\tls13.c:1677:63: error: 'Keys' has no member named 'aead_enc_imp_IV'

             BuildTls13Nonce(ssl, ssl->encrypt.nonce, ssl->keys.aead_enc_imp_IV,

                                                               ^

C:\Arduino\ESP8266\190705\arduino-1.8.9\libraries\wolfSSL\tls13.c: In function 'DecryptTls13':

C:\Arduino\ESP8266\190705\arduino-1.8.9\libraries\wolfSSL\tls13.c:1924:63: error: 'Keys' has no member named 'aead_dec_imp_IV'

             BuildTls13Nonce(ssl, ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV,

                                                               ^

C:\Arduino\ESP8266\190705\arduino-1.8.9\libraries\wolfSSL\tls.c: In function 'TLSX_PopulateSupportedGroups':

C:\Arduino\ESP8266\190705\arduino-1.8.9\libraries\wolfSSL\tls.c:9411:39: error: 'Options' has no member named 'minDhKeySz'

             if (8192/8 >= ssl->options.minDhKeySz &&

                                       ^

C:\Arduino\ESP8266\190705\arduino-1.8.9\libraries\wolfSSL\tls.c:9412:67: error: 'Options' has no member named 'maxDhKeySz'

                                             8192/8 <= ssl->options.maxDhKeySz) {

                                                                   ^

exit status 1
Error compiling for board NodeMCU 1.0 (ESP-12E Module).

Any ideas?

Share

Re: [SOLVED] TLS Connect Error: verify problem based on signature

Just as FYI the solution to this is over on Github https://github.com/wolfSSL/wolfssl/issu … -519268912

Also, I tried your above suggestions on setting - NO_RSA, ECC_USER_CURVES  and FP_MAX_BITS - to try to help the resource use on the ESP8266 and that also works. Great, I have an ESP8266 talking TLS 1.3 to a Golang server!

Thanks so much for your help.

   ...ant

Share