1 Reply by PaulTLambert

(2 replies, posted in wolfSSL)

I've tracked down the problem in another context, so a similar solution probably applies here.  With TLS 1.2 enabled, IE doesn't accept RSA/MD5 certificates, but Opera does, as reported via the signature_algorithms hello extension.  Switching to an RSA/SHA-1 certificate made IE work with our embedded SSL library.  CyaSSL server.exe is apparently using a certificate not signed by one of the IE-approved signature/hash pairs.

Go to forum: wolfSSL

2 Topic by PaulTLambert

(2 replies, posted in wolfSSL)

I tested CyaSSL's TLS 1.2 server implementation via Internet Explorer 9 and Opera (TLS 1.2 enabled in both).  It works fine with Opera, but not IE.  Has anyone tested CyaSSL's TLS 1.2 with IE?  Should it work?

Specifically, I tested the CyaSSL server.exe sample under Win 7, making small changes to prevent requests for client certs and wrap the "fa shizzle" message with a valid HTTP/HTML response.

//    SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0);
    SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);

I build and run server.exe, then go to https://localhost:11111.  In Opera, this works fine: I see the "fa shizzle" message in the browser window.  In IE, however, I get only a failed connection.  Debug output from CyaSSL (below) seems to indicate the IE terminated the handshake.  Any explanations or suggestions appreciated -- thanks.



CyaSSL Entering CYASSL_CTX_new
CyaSSL Leaving CYASSL_CTX_new, return 0
CyaSSL Entering SSL_CTX_set_verify
CyaSSL Entering SSL_CTX_set_default_passwd_cb
CyaSSL Entering SSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
Adding a CA
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
CyaSSL Entering SSL_CTX_use_certificate_chain_file
Getting dynamic buffer
Growing Tmp Chain Buffer
Processing Cert Chain
   Consumed another Cert in Chain
Finished Processing Cert Chain
CyaSSL Entering SSL_CTX_use_PrivateKey_file
CyaSSL Entering SSL_new
CyaSSL Leaving SSL_new, return 0
CyaSSL Entering SSL_set_fd
CyaSSL Leaving SSL_set_fd, return 1
CyaSSL Entering CyaSSL_SetTmpDH
CyaSSL Leaving CyaSSL_SetTmpDH, return 0
CyaSSL Entering SSL_accept()
received record layer msg
CyaSSL Entering DoHandShakeMsg()
processing client hello
CyaSSL Leaving DoHandShakeMsg(), return 0
accept state ACCEPT_CLIENT_HELLO_DONE
accept state HELLO_VERIFY_SENT
accept state ACCEPT_FIRST_REPLY_DONE
accept state SERVER_HELLO_SENT
growing output buffer

Shrinking output buffer

accept state CERT_SENT
accept state KEY_EXCHANGE_SENT
accept state CERT_REQ_SENT
accept state SERVER_HELLO_DONE
Embed Receive error
    Connection reset
CyaSSL error occured, error = -208
CyaSSL Entering SSL_get_error
CyaSSL Leaving SSL_get_error, return -208
CyaSSL Entering ERR_error_string
error = -208, error state on socket
yassl error: SSL_accept failed

Go to forum: wolfSSL