• Registered: 2024-09-29
  • Posts: 8

Topic: Trying to force specific cipher suite

I don't understand why my DTLS 1.2 server is rejecting a cipher suite it is apparently supporting.

On the client side I have this: 

wolfSSL_CTX_set_cipher_list(ctx, "DHE-PSK-AES128-CBC-SHA256");

In wireshark I see this cipher suite being offered: 

Cipher Suite: TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 (0x00b2)

On the server side with

wolfSSL_get_ciphers(cipher_buffer, BUFFER_SIZE);

I see that the particular cipher is enabled: 

DHE-PSK-AES128-CBC-SHA256

I do however get a -501 error from the server. What could be wrong?:

wolfSSL Leaving DoClientHello, return -501
[15:33:43.709690] wolfSSL Leaving DoHandShakeMsgType(), return -501
[15:33:43.709696] wolfSSL Leaving DoDtlsHandShakeMsg(), return -501
[15:33:43.709702] wolfSSL Entering SendAlert
[15:33:43.709708] wolfSSL Entering SendAlert
[15:33:43.709714] SendAlert: 40 handshake_failure
[15:33:43.709720] growing output buffer
[15:33:43.709727] wolfSSL Entering EmbedSendTo
[15:33:43.710274] Shrinking output buffer
[15:33:43.710295] wolfSSL Leaving SendAlert, return 0
[15:33:43.710307] wolfSSL error occurred, error = 501 line:22167 file:src/internal.c
[15:33:43.710314] wolfSSL error occurred, error = 501 line:10166 file:src/ssl.c
[15:33:43.710323] wolfSSL Entering wolfSSL_get_error
[15:33:43.710329] wolfSSL Leaving wolfSSL_get_error, return -501

Share

  • Registered: 2021-07-06
  • Posts: 152

Re: Trying to force specific cipher suite

Hi Sunnysunday,

Are you confident you are not setting your WOLFSSL_CTX/WOLFSSL ciphers at runtime before connecting?  wolfSSL_get_ciphers gets the full list of enabled cipher suites in the library, not the currently enabled cipher suites in your WOLFSSL.

Thanks,
Kareem

Share

3 Reply by Sunnysunday (edited by Sunnysunday Yesterday 14:27:14)

  • Registered: 2024-09-29
  • Posts: 8

Re: Trying to force specific cipher suite

Thank you for the answer.

Is there a function to list all currently enabled cipher suites in my WOLFSSL?

Also, is there a way to enforce specific elliptic curves on cipher suites using DHE other than the ones currently usable with wolfSSL_UseSupportedCurve(), e.g. I would like the client to only present CURVE25519 (or the server to only accept that curve).

Share