Topic: SSL version error -326, TLS Connect Error: record layer version error

I have been using wolfSSL 5.3.1 for a while on an STM32F411CE with the Arduino IDE and followed most of the instructions widely available. After spending some time I succeeded in setting up a connection to gpsgadget.buienradar.nl; this works reliably.
Now I would like to report abusive port scanners to api.abuseipdb.com.
But the connection setup fails while setting up the TLS connection.
I have checked with SSL Labs whether api.abuseipdb.com supports TLSv1.2 with the SSL cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, which is also used by gpsgadget.buienradar.nl, and it should.

Anyone any idea? I've read another post here on the forum about error -326 that was due to an invalid header from the server. But I couldn't imagine that a server from a professional service is still not patched.

But the log from api.abuseipdb.com shows:

Memory usage after loading ctx:

Heap end at:        0x20008C98
Stack Ptr end at:   0x2001E9E8
Estimated Free RAM: 99984 wolfSSL ctx get: success
10:54:50 wolfSSLlog: 2, wolfSSL Entering wolfSSL_CTX_set_verify-> connecting to api.abuseipdb.com... Took: 57ms
Connected, continue to setup TLS to: api.abuseipdb.com
10:54:50 wolfSSLlog: 2, wolfSSL Entering SSL_new
10:54:50 wolfSSLlog: 3, wolfSSL Leaving SSL_new, return 0
Memory usage after getting SSL object:

Heap end at:        0x20008C98
Stack Ptr end at:   0x2001E9E8
Estimated Free RAM: 97684

10:54:50 wolfSSLlog: 2, wolfSSL Entering SSL_connect()
10:54:50 wolfSSLlog: 2, wolfSSL Entering SendClientHello
10:54:50 wolfSSLlog: 1, Adding signature algorithms extension
10:54:50 wolfSSLlog: 1, growing output buffer
10:54:50 wolfSSLlog: 1, Signature Algorithms extension to write
10:54:50 wolfSSLlog: 1, Point Formats extension to write
10:54:50 wolfSSLlog: 1, Supported Groups extension to write
10:54:50 wolfSSLlog: 1, Data to send
10:54:50 wolfSSLlog: 1,     16 03 03 00 65 01 00 00 61 03 03 83 46 65 2f 5c |....e...a...Fe/\
10:54:50 wolfSSLlog: 1,     44 16 5f b3 89 26 de 0b 6b a2 06 7e a7 9a 55 22 |D._..&..k..~..U"
10:54:50 wolfSSLlog: 1,     01 b0 22 f4 7e a2 66 c4 08 6f ba 00 00 14 c0 2b |..".~.f..o.....+
10:54:50 wolfSSLlog: 1,     c0 2f c0 27 c0 23 c0 0a c0 09 c0 08 c0 14 c0 13 |./.'.#..........
10:54:50 wolfSSLlog: 1,     c0 12 01 00 00 24 00 0d 00 0c 00 0a 04 03 02 03 |.....$..........
10:54:50 wolfSSLlog: 1,     08 04 04 01 02 01 00 0b 00 02 01 00 00 0a 00 0a |................
10:54:50 wolfSSLlog: 1,     00 08 00 19 00 18 00 17 00 15                   |..........
10:54:50 wolfSSLlog: 1, SendBuffered() => 1 byte(s) message success
10:54:50 wolfSSLlog: 1, Shrinking output buffer
10:54:50 wolfSSLlog: 3, wolfSSL Leaving SendClientHello, return 0
10:54:50 wolfSSLlog: 1, ssl.c connect state: CLIENT_HELLO_SENT
10:54:50 wolfSSLlog: 1, Data received
10:54:50 wolfSSLlog: 1,     15 03 01 00 02                                  |.....
10:54:50 wolfSSLlog: 1, SSL version error
10:54:50 wolfSSLlog: 2, wolfSSL Entering SendAlert
10:54:51 wolfSSLlog: 1, growing output buffer
10:54:51 wolfSSLlog: 1, Data to send
10:54:51 wolfSSLlog: 1,     15 03 03 00 02 02 46                            |......F
10:54:51 wolfSSLlog: 1, SendBuffered() => 1 byte(s) message success
10:54:51 wolfSSLlog: 1, Shrinking output buffer
10:54:51 wolfSSLlog: 3, wolfSSL Leaving SendAlert, return 0
10:54:51 wolfSSLlog: 0, wolfSSL error occurred, error = -326
10:54:51 wolfSSLlog: 2, wolfSSL Entering SSL_get_error
10:54:51 wolfSSLlog: 3, wolfSSL Leaving SSL_get_error, return -326
10:54:51 wolfSSLlog: 2, wolfSSL Entering wolfSSL_ERR_error_string_n
10:54:51 wolfSSLlog: 2, wolfSSL Entering ERR_error_string
ERROR: Report2AbuseIPDB; TLS Connect Error: record layer version error
10:54:51 wolfSSLlog: 2, wolfSSL Entering SSL_shutdown()
10:54:51 wolfSSLlog: 3, wolfSSL Leaving SSL_shutdown(), return -1
cleanup TLS connection
10:54:51 wolfSSLlog: 2, wolfSSL Entering SSL_free
10:54:51 wolfSSLlog: 1, Free'ing client ssl
10:54:51 wolfSSLlog: 1, CTX ref count not 0 yet, no free
10:54:51 wolfSSLlog: 3, wolfSSL Leaving SSL_free, return 0
SSL object cleared
10:54:51 wolfSSLlog: 2, wolfSSL Entering SSL_CTX_free
10:54:51 wolfSSLlog: 1, CTX ref count down to 0, doing full free
10:54:51 wolfSSLlog: 2, wolfSSL Entering wolfSSL_CertManagerFree
10:54:51 wolfSSLlog: 3, wolfSSL Leaving SSL_CTX_free, return 0


Re: SSL version error -326, TLS Connect Error: record layer version error

Hello BerHav,

Thanks for joining the wolfSSL Forums. I was able to reproduce the issue with the wolfSSL client example on Linux. I'll review with the team tomorrow.

./examples/client/client -h api.abuseipdb.com -p 443 -g

connect state: CLIENT_HELLO_SENT
SSL version error
wolfSSL Entering SendAlert
growing output buffer
Shrinking output buffer
wolfSSL Leaving SendAlert, return 0
wolfSSL error occurred, error = 326 line:10162 file:src/internal.c
wolfSSL error occurred, error = 326 line:12350 file:src/ssl.c
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -326
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -326
wolfSSL Entering ERR_error_string
wolfSSL_connect error -326, record layer version error

Re: SSL version error -326, TLS Connect Error: record layer version error

Thanks for your very fast reaction!
Could it have something to do with the fact that the server most likely has an SNI certificate?


Re: SSL version error -326, TLS Connect Error: record layer version error

Ah, yes!

This works:

./examples/client/client -h api.abuseipdb.com -p 443 -g -S api.abuseipdb.com -v 4 -j

5 (edited by BerHav 2022-08-17 01:54:52)

Re: SSL version error -326, TLS Connect Error: record layer version error

YES!

Thanks for the pointer!
For those who experience the same issue:

I added to user_settings.h

 #define HAVE_SNI

and in the code after loading the CTX:

  const char* sniHostName = "api.abuseipdb.com";   /* host name to send in the ClientHello */

  if (wolfSSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME, sniHostName,
                         (word16) XSTRLEN(sniHostName)) != WOLFSSL_SUCCESS) {
    /* SNI could not be registered: release the CTX rather than
       connect without a server name */
    wolfSSL_CTX_free(ctx);
    ctx = NULL;
  }

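As an added illustration (not code from this thread or from wolfSSL), the C program below parses the ClientHello bytes and the five-byte server reply copied from the debug log in the first post. It lists the extensions the hello actually carried (signature_algorithms 0x000d, ec_point_formats 0x000b, supported_groups 0x000a) and confirms that no server_name extension (type 0x0000) is present, which is exactly what HAVE_SNI plus wolfSSL_CTX_UseSNI adds. It then decodes the reply as an alert record (content type 0x15) framed with record version 0x0301 while the client sent 0x0303; that mismatch is the "record layer version error" (-326) the log reports, raised before the alert body is ever read. The struct and function names (HelloInfo, parse_client_hello, parse_record_header) are my own and the byte arrays are constructed from the log.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: the 106-byte ClientHello and the 5-byte server reply,
 * both copied from the wolfSSL debug log earlier in this thread. */
static const uint8_t kClientHello[] = {
    0x16,0x03,0x03,0x00,0x65, 0x01,0x00,0x00,0x61, 0x03,0x03, 0x83,0x46,0x65,0x2f,0x5c,
    0x44,0x16,0x5f,0xb3,0x89,0x26,0xde,0x0b,0x6b,0xa2,0x06,0x7e,0xa7,0x9a,0x55,0x22,
    0x01,0xb0,0x22,0xf4,0x7e,0xa2,0x66,0xc4,0x08,0x6f,0xba, 0x00, 0x00,0x14, 0xc0,0x2b,
    0xc0,0x2f,0xc0,0x27,0xc0,0x23,0xc0,0x0a,0xc0,0x09,0xc0,0x08,0xc0,0x14,0xc0,0x13,
    0xc0,0x12, 0x01,0x00, 0x00,0x24, 0x00,0x0d,0x00,0x0c,0x00,0x0a,0x04,0x03,0x02,0x03,
    0x08,0x04,0x04,0x01,0x02,0x01, 0x00,0x0b,0x00,0x02,0x01,0x00, 0x00,0x0a,0x00,0x0a,
    0x00,0x08,0x00,0x19,0x00,0x18,0x00,0x17,0x00,0x15
};
static const uint8_t kServerReply[] = { 0x15, 0x03, 0x01, 0x00, 0x02 };

enum { TLS_CT_ALERT = 0x15, TLS_CT_HANDSHAKE = 0x16,
       TLS_HS_CLIENT_HELLO = 0x01, TLS_EXT_SERVER_NAME = 0x0000, MAX_EXTS = 16 };

typedef struct {
    int ok;                    /* 1 if the record parsed cleanly */
    uint16_t record_version;   /* version field of the record header */
    uint16_t client_version;   /* version field inside the ClientHello body */
    int cipher_suite_count;
    int extension_count;
    uint16_t ext_types[MAX_EXTS];
    int has_sni;               /* 1 if a server_name (type 0) extension is present */
} HelloInfo;

typedef struct { int ok; uint8_t content_type; uint16_t version; uint16_t length; } RecordHdr;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the 5-byte TLS record header: content type, version, payload length. */
RecordHdr parse_record_header(const uint8_t *buf, size_t len) {
    RecordHdr r; memset(&r, 0, sizeof r);
    if (len < 5) return r;
    r.content_type = buf[0]; r.version = be16(buf + 1); r.length = be16(buf + 3); r.ok = 1;
    return r;
}

/* Walk a ClientHello record and record which extensions it carries. */
HelloInfo parse_client_hello(const uint8_t *buf, size_t len) {
    HelloInfo info; memset(&info, 0, sizeof info);
    RecordHdr rec = parse_record_header(buf, len);
    if (!rec.ok || rec.content_type != TLS_CT_HANDSHAKE || (size_t)rec.length + 5 > len) return info;
    info.record_version = rec.version;
    const uint8_t *p = buf + 5, *end = buf + 5 + rec.length;
    if (end - p < 4 || p[0] != TLS_HS_CLIENT_HELLO) return info;
    size_t hs_len = ((size_t)p[1] << 16) | ((size_t)p[2] << 8) | p[3];
    p += 4;
    if ((size_t)(end - p) < hs_len) return info;
    end = p + hs_len;
    if (end - p < 2 + 32 + 1) return info;
    info.client_version = be16(p); p += 2 + 32;          /* version + 32-byte random */
    size_t sid_len = *p++;                               /* session id */
    if ((size_t)(end - p) < sid_len + 2) return info;
    p += sid_len;
    size_t cs_len = be16(p); p += 2;                     /* cipher suites */
    if ((size_t)(end - p) < cs_len + 1 || cs_len % 2) return info;
    info.cipher_suite_count = (int)(cs_len / 2); p += cs_len;
    size_t comp_len = *p++;                              /* compression methods */
    if ((size_t)(end - p) < comp_len) return info;
    p += comp_len;
    if (p == end) { info.ok = 1; return info; }          /* hello without extensions */
    if (end - p < 2) return info;
    size_t ext_len = be16(p); p += 2;
    if ((size_t)(end - p) != ext_len) return info;
    while (p < end) {                                    /* type(2) length(2) data */
        if (end - p < 4) return info;
        uint16_t type = be16(p), elen = be16(p + 2); p += 4;
        if ((size_t)(end - p) < elen) return info;
        if (info.extension_count < MAX_EXTS) info.ext_types[info.extension_count] = type;
        info.extension_count++;
        if (type == TLS_EXT_SERVER_NAME) info.has_sni = 1;
        p += elen;
    }
    info.ok = 1;
    return info;
}

int main(void) {
    HelloInfo h = parse_client_hello(kClientHello, sizeof kClientHello);
    printf("ClientHello ok=%d record 0x%04x client 0x%04x, %d suites, %d extensions\n",
           h.ok, h.record_version, h.client_version, h.cipher_suite_count, h.extension_count);
    for (int i = 0; i < h.extension_count && i < MAX_EXTS; i++)
        printf("  extension 0x%04x%s\n", h.ext_types[i],
               h.ext_types[i] == TLS_EXT_SERVER_NAME ? " (server_name)" : "");
    printf("server_name (SNI) present: %s\n", h.has_sni ? "yes" : "no");
    RecordHdr r = parse_record_header(kServerReply, sizeof kServerReply);
    printf("Server reply: type 0x%02x%s version 0x%04x length %u\n", r.content_type,
           r.content_type == TLS_CT_ALERT ? " (alert)" : "", r.version, r.length);
    if (r.content_type == TLS_CT_ALERT && r.version != h.record_version)
        printf("alert framed as 0x%04x but client used 0x%04x: record version mismatch\n",
               r.version, h.record_version);
    return 0;
}
```

A failure that looks like a protocol-version problem can therefore be a missing host name: a server or front-end proxy that hosts several names cannot choose a certificate without server_name and aborts the handshake with an alert. Checking the logged ClientHello for extension type 0x0000 is a quick way to rule this out before chasing cipher suites or server-side patch levels.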