1 Reply by olle

(25 replies, posted in wolfSSL)

john wrote:

Olle:

I'm sorry for the delay in replying.

I disagree that this is an interoperation issue between OpenSSL and wolfSSL. Our C based client is communicating with the OpenSSL server. I also tried the wolfSSL client with non-blocking sockets, and that worked. (It does print out a lot of WANT_READ errors, but it prints the server's response when I put one in.)

I am trying to run the JNI client now, and I'm having a different problem than you are reporting. I'm going to have to pull in my coworker who wrote the JNI code and see if we can figure this out.

And to commiserate with you, I am no expert at Java/JNI.

--John

Sorry for being unclear I do think WolfSSL cannot communicate with a "normal" OpenSSL server. But I/we are having these problems with a specific configuration of an OpenSSL server (one that we cannot change but must use). And as I understood from previous posts in the thread it does not reply as expected after the initial handshake.

Go to forum: wolfSSL

2 Reply by olle

(25 replies, posted in wolfSSL)

Ok, now I am a bit confused.

The last attempt was using the example client in WolfSSL and it gave the same communication/error as when I used the example client in WolfSSL-JNI. Is both of those using non-blocking communication but have not implemented the WANT_READ/WRITE retry?

Today I tried two things in the JNI example client:
1: adding retry on WANT_READ/WRITE

// call wolfSSL_connect
boolean again = true;
while (again) {
     ret = ssl.connect();
     if (ret == WolfSSL.SSL_SUCCESS) {
         again = false;
     } else {
         final int err = ssl.getError(ret);
         final String errString = WolfSSL.getErrorString(err);
         System.out.println("wolfSSL_connect failed. err = " + err + ", " + errString);
         if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) {
            System.exit(1);
         }
     }
}

But that does not work since I get err = -313 (fatal) from the connect.

2: Make the session blocking (a bit of a guess):

ssl = new WolfSSLSession(sslCtx);
ssl.setUsingNonblock(0); //added this line.

Same error as before.

So if the problems are due to this is there any way to solve it from the JNI side? It seems that if there was a WANT_READ/WRITE it is changed before it reaches the JNI layer.

/Olle
PS I got the example JNI client to communicate with a WolfSSL server (without these changes) but it won't communicate with the OpenSSL server (see previous posts in this topic), so I kind of still think it is a mismatch in how the actual DTLS communication is handled in OpenSSL and WoldSSL, but then I am no expert at DTLS.

Go to forum: wolfSSL

3 Reply by olle

(25 replies, posted in wolfSSL)

I found out how to make the example client accept ipv6 addresses. I Just added the TEST_IPV6 flag to C_EXTRA_FLAGS, instead of CFLAGS.

C_EXTRA_FLAGS="-DTEST_IPV6"

Hope it helps someone else.

Go to forum: wolfSSL

4 Reply by olle

(25 replies, posted in wolfSSL)

Hi, again

We have trying different combinations of servers clients

The following client/server combination works (DTLS1 and PSK):

s> openssl s_server -accept 11111 -cert ./certs/server-ecc.pem -key ./certs/ecc-key.pem -psk 1A2B3C4D -dtls1
c> ./examples/client/client -u -l PSK-AES256-CBC-SHA -s -v 2

but when we use our (wolfssl) jni client we get:

wolfSSL Entering DTLSv1_client_method
wolfSSL Entering DTLSv1_client_method_ex
wolfSSL Entering WOLFSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering SSL_CTX_set_psk_client_callback
wolfSSL Entering wolfSSL_CTX_set_cipher_list
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering wolfSSL_set_jobject
wolfSSL Entering wolfSSL_EnableCRL
wolfSSL Entering wolfSSL_CertManagerEnableCRL
wolfSSL Entering InitCRL
wolfSSL Entering wolfSSL_LoadCRL
wolfSSL Entering wolfSSL_CertManagerLoadCRL
wolfSSL Entering LoadCRL
Filename [../certs/crl/cliCrl.pem]
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Filename [../certs/crl/caEccCrl.pem]
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Filename [../certs/crl/caEcc384Crl.pem]
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Filename [../certs/crl/eccCliCRL.pem]
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Filename [../certs/crl/eccSrvCRL.pem]
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
not .pem file, skipping
not .pem file, skipping
Filename [../certs/crl/crl.pem]
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetRevoked
wolfSSL Entering GetSerialNumber
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Filename [../certs/crl/crl2.pem]
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetRevoked
wolfSSL Entering GetSerialNumber
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
wolfSSL Entering wolfSSL_SetCRL_Cb
wolfSSL Entering wolfSSL_CertManagerSetCRL_Cb
Registered I/O callbacks
wolfSSL Entering SSL_connect()
Adding signature algorithms extension
growing output buffer

wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

wolfSSL Entering wolfSSL_get_jobject
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing hello verify request
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
connect state: HELLO_AGAIN
Adding signature algorithms extension
growing output buffer

wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer

connect state: HELLO_AGAIN_REPLY
wolfSSL Entering wolfSSL_get_jobject
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Entering VerifyClientSuite
Requires PSK
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
More records in input
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
No Cert required
No KeyExchange required
processing server hello done
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
connect state: FIRST_REPLY_DONE
connect state: FIRST_REPLY_FIRST
wolfSSL Entering SendClientKeyExchange
wolfSSL Entering wolfSSL_get_jobject
PSK Client Callback:64
 | PSK hint : ''
Arrays.toString(key) = [18, 52, 86, 120, -112, 18, 52, 86, 120, -112, 18, 52, 86, 120, -112, -86, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
growing output buffer

wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer

wolfSSL Leaving SendClientKeyExchange, return 0
sent: client key exchange
connect state: FIRST_REPLY_SECOND
connect state: FIRST_REPLY_THIRD
growing output buffer

sent: change cipher spec
connect state: FIRST_REPLY_FOURTH
growing output buffer

wolfSSL Entering BuildMessage
wolfSSL Leaving BuildMessage, return 0
wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer

sent: finished
connect state: FINISHED_DONE
wolfSSL Entering wolfSSL_get_jobject
received record layer msg
got CHANGE CIPHER SPEC
More records in input
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing finished
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
connect state: SECOND_REPLY_DONE
wolfSSL Leaving SSL_connect(), return 1
wolfSSL Entering SSL_get_peer_certificate
wolfSSL Entering SSL_get_version
SSL version is DTLS
wolfSSL Entering SSL_get_current_cipher
wolfSSL Entering SSL_CIPHER_get_name
wolfSSL Entering wolfSSL_get_cipher_name_from_suite
SSL cipher suite is TLS_PSK_WITH_AES_256_CBC_SHA
wolfSSL Entering SSL_write()
growing output buffer

wolfSSL Entering BuildMessage
wolfSSL Leaving BuildMessage, return 0
wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer

wolfSSL Leaving SSL_write(), return 14
wolfSSL Entering wolfSSL_read()
wolfSSL Entering wolfSSL_read_internal()
wolfSSL Entering ReceiveData()
wolfSSL Entering wolfSSL_get_jobject
wolfSSL error occurred, error = 308 line:14009 file:src/internal.c
wolfSSL Leaving wolfSSL_read_internal(), return -308
read failed
wolfSSL Entering SSL_CTX_free
CTX ref count not 0 yet, no free
wolfSSL Leaving SSL_CTX_free, return 0

which to to me looks like a successful connection (that we mess up when receiving data from the server, probably need to wait for the response in a loop or something).

I then wanted to test the wolfssl c-client on "our" server to see what differs in the communication. But we can't get the example client to accept an ipv6 address:

tingco@thomedev08tomas:~/dev/olle/wolfssl-3.13.0$ ./examples/client/client -u -p 41230 -h fd00:aaaa::3 -l PSK-AES256-CBC-SHA -s -v 2
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering EVP_get_cipherbyname
wolfSSL Entering DTLSv1_client_method_ex
wolfSSL Entering WOLFSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_set_cipher_list
wolfSSL Entering SSL_CTX_set_psk_client_callback
wolfSSL Entering SSL_CTX_set_default_passwd_cb
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
Not defined [TEST_IPV6]
peer [fd00:aaaa::3]
wolfSSL error: no entry for host

Looking in the code we see that this can only happen if the TEST_IPV6 is not set. Tried various configure parameters  --enable-ipv6 and CFLAGS="-DTEST_IPV6" but we cannot get the TEST_IPV6 flag set. Any tips?


PS I am still hoping for David Garskes:

We believe this may be a bug with our DTLS 1.0 code and we hope to have a fix available shortly. Thanks for your details report and we will provide you a followup soon.

since we see the second CLIENT_HELLO after SERVER_HELLO, SERVER_HELLO_DONE.

Go to forum: wolfSSL

5 Reply by olle

(25 replies, posted in wolfSSL)

We have a 32-bit (armv7l) board.

We are currently trying things out with the CPPFLAGS=-DTIME_T_NOT_LONG and then all tests pass (using make test), we get:

======================================
   wolfssl 3.13.0: ./test-suite.log
======================================

# TOTAL: 11
# PASS:  11
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

Also added a printf (tests/api.c line 10685) but it never passed that line (seems like the "#if !defined(TIME_T_NOT_LONG) && !defined(NO_64BIT)" is not true). The double negation makes it kind of hard to know if we should run the code in 32-bit mode or not.

To be sure we added printf:s for dateStr at 10700 and 10706 and those are fine (as asserted in the code).

So I guess the test work fine now, thanks for the flag tip!

But it seems that we are now back to the "not accepted extra CLIENT_HELLO" in the JNI-client.

Go to forum: wolfSSL

6 Reply by olle

(25 replies, posted in wolfSSL)

After getting the wolfssl and jni-3.13.0 release running (minus the failing test, see above) I get the same error as before:

> tshark -r tcpdump.pcap
  1   0.000000      0.0.0.0 -> 255.255.255.255 DHCP 301 DHCP Discover - Transaction ID 0xb1c2b360
  2   3.038098 fd00:aaaa::8f94:6639:35b5:a7 -> fd00:bbbb::d DTLSv1.0 135 Client Hello
  3   3.038662 fd00:bbbb::d -> fd00:aaaa::8f94:6639:35b5:a7 DTLSv1.0 182 Server Hello, Server Hello Done
  4   3.041331 fd00:aaaa::8f94:6639:35b5:a7 -> fd00:bbbb::d DTLSv1.0 129 Client Hello
  5   3.041764 fd00:bbbb::d -> fd00:aaaa::8f94:6639:35b5:a7 DTLSv1.0 77 Alert (Level: Fatal, Description: Handshake Failure)
  6   3.046269 fd00:aaaa::8f94:6639:35b5:a7 -> fd00:bbbb::d DTLSv1.0 104 Client Key Exchange
  7   3.049022 fd00:aaaa::8f94:6639:35b5:a7 -> fd00:bbbb::d DTLSv1.0 153 Change Cipher Spec, Encrypted Handshake Message
  8   4.000737      0.0.0.0 -> 255.255.255.255 DHCP 301 DHCP Discover - Transaction ID 0xb1c2b360

Go to forum: wolfSSL

7 Reply by olle

(25 replies, posted in wolfSSL)

Another question (should it be a new topic?) when I run the tests for WolfSSL on out Arm box I get different results on:

./testsuite/testsuite.test

gives:  All tests passed! while

make test

fails: Total 8, Pass 7, Fail 1 (see post above). On my MacBook all 8 Pass with both calls.

/Olle

Go to forum: wolfSSL

8 Reply by olle

(25 replies, posted in wolfSSL)

Now I am a bit ashamed. When you asked what version I am using I realized that the dumps are probably not on an official release.

I started with 3.12.2 but we had some issues so I cloned the GitHub repo, and when I realized that the issues were our config parameters I forgot to switch back to 3.12.2 so the dumps are from a GitHub clone.

I am now trying to build the official 3.13.0 release but it is failing in the tests, and I want those to work (as they did before) before I try the JNI part again.

The current output is (and test-suite.log is attached) if you have any quick tip otherwise I will continue with it on monday (as it is Friday late afternoon here).

Do you know why the server isn't sending the hello verify request? Is that an option you disabled? I'm going to try to hack my server so it doesn't send the hello verify request message. The client should be able to handle not getting it. (The client is required to respond to the message, but the server is not required to send it.)

No I looked through their CMakeList.txt and can't find any parameters/config to OpenSSL. I will try to find out if they do anything in the C code Monday. 

Thanks for the help
/Olle


tingco@thomedev08tomas:~/dev/olle/wolfssl-3.13.0$ make test
make -j3  check-am
make[1]: Entering directory `/home/tingco/dev/olle/wolfssl-3.13.0'
make -j3   testsuite/testsuite.test tests/unit.test  scripts/sniffer-testsuite.test scripts/resume.test scripts/tls-cert-fail.test scripts/crl-revoked.test scripts/ocsp.test   scripts/psk.test    
make[2]: Entering directory `/home/tingco/dev/olle/wolfssl-3.13.0'
make[2]: warning: -jN forced in submake: disabling jobserver mode.
make[2]: Nothing to be done for `scripts/sniffer-testsuite.test'.
make[2]: Nothing to be done for `scripts/resume.test'.
make[2]: Nothing to be done for `scripts/tls-cert-fail.test'.
make[2]: Nothing to be done for `scripts/crl-revoked.test'.
make[2]: Nothing to be done for `scripts/ocsp.test'.
make[2]: Nothing to be done for `scripts/psk.test'.
make[2]: `tests/unit.test' is up to date.
make[2]: Leaving directory `/home/tingco/dev/olle/wolfssl-3.13.0'
make -j3  check-TESTS
make[2]: Entering directory `/home/tingco/dev/olle/wolfssl-3.13.0'
make[2]: warning: -jN forced in submake: disabling jobserver mode.
make[3]: Entering directory `/home/tingco/dev/olle/wolfssl-3.13.0'
make[3]: warning: -jN forced in submake: disabling jobserver mode.
PASS: scripts/tls-cert-fail.test
PASS: scripts/sniffer-testsuite.test
PASS: scripts/psk.test
PASS: scripts/ocsp.test
PASS: scripts/resume.test
PASS: scripts/crl-revoked.test
PASS: testsuite/testsuite.test
./build-aux/test-driver: line 107: 23910 Aborted                 (core dumped) "$@" > $log_file 2>&1
FAIL: tests/unit.test
============================================================================
Testsuite summary for wolfssl 3.13.0
============================================================================
# TOTAL: 8
# PASS:  7
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0
============================================================================
See ./test-suite.log
Please report to https://github.com/wolfssl/wolfssl/issues
============================================================================
make[3]: *** [test-suite.log] Error 1
make[3]: Leaving directory `/home/tingco/dev/olle/wolfssl-3.13.0'
make[2]: *** [check-TESTS] Error 2
make[2]: Leaving directory `/home/tingco/dev/olle/wolfssl-3.13.0'
make[1]: *** [check-am] Error 2
make[1]: Leaving directory `/home/tingco/dev/olle/wolfssl-3.13.0'
make: *** [check] Error 2

Go to forum: wolfSSL

9 Reply by olle

(25 replies, posted in wolfSSL)

Hi,

Could you tell us about the project you're working on and interest in working with our JNI solution?

Of course. We are making a Smart Home system, i.e. controlling dimmers, smart plugs, measuring energy and water consumption among other things. (here is an add for the system https://www3.fortum.com/products-and-se … ter-living)

We support several communication standards, among them Z-Wave and their new Z/IP protocol. And here is where we ran into problems: Z/IP uses only PSK DTLS1 based on OpenSSL and that combined with that our "smart" part of the solution is written in Java I/we thought it wouldn't be such a problem, just use BC (Bouncy Castle) and be done with it. But BC had a known issue that they don't fully support the Hello protocol so we lost the first message in every DTLS session. So we had to find another solution, I couldn't find any other pure Java options I went for the second best a JNI solution again couldn't find any based on OpenSSL bud did find WolfSSL which seems actually better than OpenSSL in a lot of ways. And with WolfSSL we got PSK DTLS1 working but sadly not with the Z/IP server.

The problems:
- I cannot send you a working Z/IP server since we have a disclosure agreement with Sigma Designs, anyway the server does not work without the special Z/IP hardware chips from Sigma Designs.
- Sigma Design does not seem super interested in helping us since their Z/IP server works with their own C client (https://github.com/Z-WavePublic/libzwaveip).

Some motivation for you is that if we can get WolfSSL working with the Z/IP client (and decide to use it) we will buy the commercial license for it.


/Olle
PS We are working on other ways to communicate with the server one is writing our own JNI code to the working C code provided by Sigma Designs.

Go to forum: wolfSSL

10 Reply by olle

(25 replies, posted in wolfSSL)

I couldn't find a way to add a second attachment so here is dump of working communication (frame 20-25) using their client.

A question: Can the communication at frame 20 somehow depend on the previous communication with fd00:aaaa::3 ?

/Olle

Go to forum: wolfSSL

11 Reply by olle

(25 replies, posted in wolfSSL)

Hi again,

Sorry for the late reply (was on vacation).

I use the JNI example and modified the MyPskClientCallback class (full code below) to use the following psk: 123456789012345678901234567890AA (yes the code it a bit weird but it generates the same byte array as the server uses).

I also have a wireshark dump of the communication if that helps?

I am a noob at DTLS but from reading about more about the Heartbeat extension I understood it shouldn't affect the handshake so I guess it is not relevant to our problem?

Thanks for the response
/Olle Sundblad

package com.wolfssl.example;

import com.wolfssl.WolfSSLPskClientCallback;
import com.wolfssl.WolfSSLSession;

import java.util.Arrays;

class MyPskClientCallback implements WolfSSLPskClientCallback {

    public long pskClientCallback(final WolfSSLSession ssl, final String hint,
                                  final StringBuffer identity, final long idMaxLen, final byte[] key,
                                  final long keyMaxLen) {

        System.out.println("PSK Client Callback:" + key.length);

        // we don't use hint here, just print out
        System.out.println(" | PSK hint : " + hint);

        // set the client identity
        if (identity.length() != 0) {
            System.out.println("identity StringBuffer is not empty!");
            return 0;
        }
        identity.append("Client_identity");

        // create key "123456789012345678901234567890AA"
        for (int i = 0; i < 32; i += 2) {
            final int hb = (i + 1) % 10;
            final int lb = (i + 2) % 10;
            key[i/2] = i < 30 ? (byte) ((hb << 4) + lb) : (byte) ((0xa << 4) + 0xa);
        }
        System.out.println("Arrays.toString(key) = " + Arrays.toString(key));

        // return size of key
        return 16;
    }
}

Go to forum: wolfSSL

12 Topic by olle

(25 replies, posted in wolfSSL)

Hi,

I am new to WolfSSL and trying to write a DTLS 1.0 client (using Java JNI) that communicates with an OpenSSL server (that I cannot change). And I cannot get it to work.

When I look at working communication with the server (using tcpdump) I see that they use the SessionTicket TLS and Heartbeat TLS Extensions, while the example WolfSSL JNI Client that I modified use the ExtendedMasterSecret Extension. I don't know if this difference is actually causing the problem, but wonder if I should turn on these Extensions (SessionTicket and Heartbeat) in the client session or something (and if so how do I do it)?

The support team from the server side said it fails due to that I send a second CLIENT_HELLO (with cookie?) after the first negotiation. When I try to read about DTLS it seems that there are multiple ways to do the handshaking and my client and the server does not agree on how to do it.

Debug logging gives this:

./client.sh -u -s -v 2 -p 41230 -h fd00:aaaa::3 -l PSK-AES256-CBC-SHA
wolfSSL Entering DTLSv1_client_method
wolfSSL Entering DTLSv1_client_method_ex
wolfSSL Entering WOLFSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering SSL_CTX_set_psk_client_callback
wolfSSL Entering wolfSSL_CTX_set_cipher_list
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering wolfSSL_set_jobject
wolfSSL Entering wolfSSL_EnableCRL
wolfSSL Entering wolfSSL_CertManagerEnableCRL
wolfSSL Entering InitCRL
wolfSSL Entering wolfSSL_LoadCRL
wolfSSL Entering wolfSSL_CertManagerLoadCRL
wolfSSL Entering LoadCRL
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
not .pem file, skipping
Getting dynamic buffer
wolfSSL Entering BufferLoadCRL
wolfSSL Entering PemToDer
InitDecodedCRL
ParseCRL
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetNameHash
wolfSSL Entering GetBasicDate
wolfSSL Entering GetBasicDate
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
wolfSSL Entering GetCRL_Signature
About to verify CRL signature
Did NOT find CRL issuer CA
ParseCRL error
FreeDecodedCRL
CRL file load failed, continuing
wolfSSL Entering wolfSSL_SetCRL_Cb
wolfSSL Entering wolfSSL_CertManagerSetCRL_Cb
Registered I/O callbacks
wolfSSL Entering SSL_connect()
Adding signature algorithms extension
growing output buffer

wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

wolfSSL Entering wolfSSL_get_jobject
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Entering VerifyClientSuite
Requires PSK
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
More records in input
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
No Cert required
No KeyExchange required
processing server hello done
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
connect state: HELLO_AGAIN
Adding signature algorithms extension
growing output buffer

wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer

connect state: HELLO_AGAIN_REPLY
connect state: FIRST_REPLY_DONE
connect state: FIRST_REPLY_FIRST
wolfSSL Entering SendClientKeyExchange
wolfSSL Entering wolfSSL_get_jobject
PSK Client Callback:64
 | PSK hint : ''
Arrays.toString(key) = [18, 52, 86, 120, -112, 18, 52, 86, 120, -112, 18, 52, 86, 120, -112, -86, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
growing output buffer

wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer

wolfSSL Leaving SendClientKeyExchange, return 0
sent: client key exchange
connect state: FIRST_REPLY_SECOND
connect state: FIRST_REPLY_THIRD
growing output buffer

sent: change cipher spec
connect state: FIRST_REPLY_FOURTH
growing output buffer

wolfSSL Entering BuildMessage
wolfSSL Leaving BuildMessage, return 0
wolfSSL Entering wolfSSL_get_jobject
Shrinking output buffer

sent: finished
connect state: FINISHED_DONE
wolfSSL Entering wolfSSL_get_jobject
received record layer msg
got ALERT!
Got alert
wolfSSL error occurred, error = 40 line:11575 file:src/internal.c
wolfSSL error occurred, error = 313 line:9003 file:src/ssl.c
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -313
wolfSSL Entering ERR_error_string
wolfSSL_connect failed. err = -313, revcd alert fatal error

I think the alert at the end is due to the server not accepting a second CLIENT_HELLO.

I could attach a tcpdump if that helps.


Any help appreciated
Thanks in advance
/Olle Sundblad
PS Full WolfSSL config here: ./configure --enable-jni --enable-dtls --enable-oldtls --enable-psk --enable-aesgcm --enable-opensslextra --enable-ecc --enable-supportedcurves --enable-sctp --enable-debug --enable-sniffer CFLAGS="-DWOLFSSL_STATIC_PSK" C_EXTRA_FLAGS="-g1 -feliminate-unused-debug-symbols -fdebug-types-section -DWOLFSSL_STATIC_RSA"

Go to forum: wolfSSL