Topic: Receiving handshake response in TLSv1.3 after negotiation is finished

I'm trying the wolfssl_tcp_client demo app from the Microchip Harmony 3 repo:
https://github.com/Microchip-MPLAB-Harm … tcp_client

This app allows you to send an openurl command with the web page you want to GET and forwards the response to a debug serial port. The code of the app is here:
https://github.com/Microchip-MPLAB-Harm … /src/app.c

Although I had to add the forwarding code (send the received data to the serial port) after lines 404 (HTTP version) and 457 (HTTPS version), I was trying pretty much the original app, and the HTTP version worked fine, but the HTTPS version didn't.

After having enabled debug (I also added a few additional messages in some parts of the code), I noticed the problem was in the EccVerify function of internal.c. There was a signature verification error and I thought it might be related to a CA validation problem, so I decided to manually return a 0 value (ok) so that the process could continue.

As a result, the negotiation finishes successfully ("SSL Connection Opened: Starting Clear Text Communication" in the attached log file, from line 426 of app.c), but right after the application data is sent, I receive a handshake record instead of an application data record (I guess it's generated when I try to extract data from the socket using NET_PRES_SocketRead, line 457 of app.c). The output in the log file is this:
User calling wolfSSL_read in error state, not allowed

What am I missing here? Other than ignoring the signature validation, I'm using the original app and actually the negotiation seems to work fine.

Regards


Re: Receiving handshake response in TLSv1.3 after negotiation is finished

Hi mamonetti,

Sorry to hear about this issue.
Please share your build configuration (configuration.h/user_settings.h), and your target platform.  Please also confirm if you are registering any CA certificates, and if so which function you are using.

Thanks,
Kareem


Re: Receiving handshake response in TLSv1.3 after negotiation is finished

Hi Kareem,

Attached is the configuration.h file I'm using (pretty much the default one).

Regarding the hardware, I'm using a SAME54 Xplained Pro demo board (ATSAME54P20A) and I'm not registering any CA certificate; that's why I thought the EccVerify function was returning an error code.

One thing I actually want to find out is whether you can decide in real time (maybe through some function callback) if the CA validation has to be performed or can be skipped (this would mean you'd be trusting the server with no actual check).

Regards


Re: Receiving handshake response in TLSv1.3 after negotiation is finished

Hi mamonetti,

Thanks for sharing and for your patience.

Your wolfSSL build settings look good to me.  The problem is Harmony is shipping an outdated wolfSSL release.  I do recognize the wolfSSL_read issue you are seeing; it should be fixed by this PR: https://github.com/wolfSSL/wolfssl/pull/4203  However, rather than cherry-picking it, I would strongly recommend you upgrade to our latest release, 5.5.3, for the best security and functionality.  You can find our latest release in our Github repo: https://github.com/wolfSSL/wolfssl/releases

You will need to register the appropriate CA certificates on startup for our verification to succeed, please retry after adding your CA certificates.

Yes, you can toggle our CA checking at runtime using wolfSSL_set_verify.  Set the second parameter to SSL_VERIFY_PEER to enable validation, SSL_VERIFY_NONE to disable it.  We strongly recommend against using SSL_VERIFY_NONE in production, as it removes a lot of the benefit of SSL.  You can find more information on wolfSSL_set_verify here: https://www.wolfssl.com/documentation/m … set_verify

Please let me know if you have any further questions.

Thanks,
Kareem