Hello,

Thank you very much for your help.
It is a pleasure to use your library.

Best Regards,
Sam

Hello Kaleb J. Himes,

Thank you for your answer. Unfortunately, I can not agree with the results of your investigation.

Regarding i0.wp.com:

When you connect using TLS 1.2 then there is no TLS error, and you can get HTTP response as follow:

LD_LIBRARY_PATH=/mnt/raw/e2ibuildenv/wolfssl/out/i686/lib/ ./examples/client/.libs/client -S i0.wp.com -h i0.wp.com  -p 443 -d -x -C -g -i -v 3
Session Ticket CB: ticketSz = 192, ctx = initial session
peer's cert info:
 issuer : /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 subject: /OU=Domain Control Validated/CN=*.wp.com
 altname = wp.com
 altname = *.wp.com
 serial number:68:86:4a:83:77:1a:bb:7d 
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL curve name is X25519
Client Random : F73F976937698B8DF04965E6B80D5AA158A4938A28B1153D881AA138E63BA8EB
SSL connect ok, sending GET...
HTTP/1.1 403 Forbidden
Server: nginx
Date: Tue, 11 Dec 2018 04:56:07 GMT
Con
tent-Type: text/html
Content-Length: 37
Connection: close

Direct IP/Hostna

Generally the problem is because you can NOT get HTTP response from i0.wp.com using  -v d, but you can when you manually force -v 3

Could you please take, a look once again on i0.wp.com host? In the browser, yes you got the message:

Sorry, the parameters you provided were not valid

but this HTTP response and this is expected, there is NO SSL error.

With WolfSSL and option -v d or -v 4 ( when TLS 1.3 is used) it fails with:
SSL_read reply error -425, The security parameter is invalid
this is SSL error.

you will be able to get HTTP response also using WolfSSL when you force TLS 1.2, but in this case you must do this manually.

Regarding your question. Please find my answer in the following post:
https://www.wolfssl.com/forums/post4111.html#p4111

Thank you,
SamSam

Hello,

WolfSSL 3.15.5 compiled as follow:

cd wolfssl-3.15.5
./configure CFLAGS=-DWOLFSSL_STATIC_RSA \
--enable-all \
--enable-tls13 
make

Do not allow to connect to hosts
dev.ssllabs.com and i0.wp.com with TLS 1.3

examples/client/.libs/client -S dev.ssllabs.com -h dev.ssllabs.com  -p 443 -d -x -C -g -i -v 4
wolfSSL_connect error -424, Extension type not allowed in handshake message type
wolfSSL error: wolfSSL_connect failed




examples/client/.libs/client -S i0.wp.com -h i0.wp.com  -p 443 -d -x -C -g -i -v 4
peer's cert info:
issuer : /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
subject: /OU=Domain Control Validated/CN=*.wp.com
altname = wp.com
altname = *.wp.com
serial number:68:86:4a:83:77:1a:bb:7d
SSL version is TLSv1.3
SSL cipher suite is TLS_AES_128_GCM_SHA256
SSL curve name is SECP256R1
Client Random : 7E84EF48D807C5269C50DD5B3DEEDF3D4B4672A43E74BC8841DC4C0867A741D4
SSL connect ok, sending GET...
SSL_read reply error -425, The security parameter is invalid
wolfSSL error: SSL_read failed


Could you please check this?

Best Regards,
SamSam

Hello,

I used head. The information about this was in the first post:

git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure  --enable-all
make

Regards,
SSS

I think  you ask about this information:

$ uname -a
Linux ubuntu-VirtualBox 3.2.0-24-generic-pae #39-Ubuntu SMP Mon May 21 18:54:21 UTC 2012 i686 i686 i386 GNU/Linux

$ gcc -###
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/i686-linux-gnu/4.6/lto-wrapper
Target: i686-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu/Linaro 4.6.3-1ubuntu5' --with-bugurl=file:///usr/share/doc/gcc-4.6/README.Bugs --enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.6 --enable-shared --enable-linker-build-id --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.6 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --enable-plugin --enable-objc-gc --enable-targets=all --disable-werror --with-arch-32=i686 --with-tune=generic --enable-checking=release --build=i686-linux-gnu --host=i686-linux-gnu --target=i686-linux-gnu
Thread model: posix
gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)

Please let me know if you need anything more.

Best Regards,
SSS

Hello,

Yes it works. Thank you very much.
However I had two compilation errors:

CC     wolfcrypt/src/src_libwolfssl_la-asn.lo
wolfcrypt/src/asn.c: In function 'GetAsnTimeString':
wolfcrypt/src/asn.c:4978:31: error: declaration of 'min' shadows a global declaration [-Werror=shadow]
./wolfcrypt/src/misc.c:241:29: error: shadowed declaration is here [-Werror=shadow]
cc1: all warnings being treated as errors  CC     wolfcrypt/src/src_libwolfssl_la-coding.lo

tests/api.c: In function ‘test_wolfSSL_ASN1_TIME_adj’:
tests/api.c:18689:20: error: integer overflow in expression [-Werror=overflow]
cc1: all warnings being treated as errors
make[1]: *** [tests/tests_unit_test-api.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory `/tmp/t/wolfssl'
make: *** [all] Error

The first one was easy to fix by changing variable name from "min" to "mins".
The second one I simple commented. But as I understand there is problem with time_t overflow.

What will be the proper fix?

Best Regards,
SSS

Hello,

When I try to connect to pro.beatport.com host using Wolfssl folowing error is received:

wolfSSL_connect error -313, revcd alert fatal error
wolfSSL error: wolfSSL_connect failed

How to reproduce:

git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure  --enable-all
make

examples/client/.libs/client -S pro.beatport.com  -h pro.beatport.com  -p 443 -d -x -C -g -i -v d

Could you please help?

Best Regards,
SamSam

Hello Kaleb,

No I don't have any timelines. I am using wolfSSL as a TLS backed for PyCurl (Python curl wrapper).
The project is OpenSource plugin for Set-Top-Boxes with Engima2 software.

Here is the link to the repository of this project:
https://gitlab.com/iptvplayer-for-e2/iptvplayer-for-e2

Thank you very much for all information and fix.

Best Regards,
SamSam

Hello @embhorn,

Thank you for the update and for the fix.

These is my test results:

mkdir /mnt/work/wolfsssl_test/
cd /mnt/work/wolfsssl_test/
git clone https://github.com/wolfSSL/wolfssl.git
mkdir rootfs
cd wolfssl/
./autogen.sh

export CC="gcc -Wno-error=overflow"
./configure --enable-all --prefix=/mnt/work/wolfsssl_test/rootfs
make
make install
# TEST 1 - with wolfSSL_CTX_UseSupportedCurve call
./examples/client/client -h 217.118.168.60 -p 443 -d -x -C -g -i -t
# PASS

# TEST 2 - wolfSSLv23_client_method_ex
./examples/client/client -h 217.118.168.60 -p 443 -d -x -C -g -i -v d
# PASS

cd ..
wget https://curl.haxx.se/download/curl-7.61.0.tar.gz
tar -xvf curl-7.61.0.tar.gz
cd curl-7.61.0
./configure --prefix=/mnt/work/wolfsssl_test/rootfs --without-ssl --with-wolfssl=/mnt/work/wolfsssl_test/rootfs
make
make install

export LD_LIBRARY_PATH=/mnt/work/wolfsssl_test/rootfs/lib
# TEST 3 curl
/mnt/work/wolfsssl_test/rootfs/bin/curl https://www.tvnow.de/
# PASS

Thank you very much. What is the expected date when official release will be deployed with this patch?

Best Regards,
SamSam

@embhorn

Your question is strange because in the first post you can find these informations.

As you can see the problem is with commands:

./examples/client/client -h 217.118.168.60 -p 443 -d -x -C -g -i -v d

and

./examples/client/client -h 217.118.168.60 -p 443 -d -x -C -g -i -t

So, the problem is when wolfSSLv23_client_method_ex  is used or when method wolfSSL_CTX_UseSupportedCurve was called.
In such situation wwolfSSL does not send information about elliptic_curves extension and this is a problem.
I checked this using wireshark.

I already wrote this two times. So, your question is really strange. Did you read my posts?

Regards,
SamSam

@Kaleb J. Himes

Thank you for the update.

I did not modify the client source code.

In provided by me examples I do use TLS1.3 nowhere. I used parameter "-t" because with this option function wolfSSL_CTX_UseSupportedCurve  is called.

The problem is when wolfSSL_CTX_UseSupportedCurve is called, as it is done by the libcurl or when you use method wolfSSLv23_client_method_ex  then wwolfSSL does not send information about elliptic_curves extension.

I gave step by step scenario how to reproduce the problem.

At now there is no possible to connect to http://www.tvnow.de/ via curl when the wolfSSL 3.15.3 (./configure --enable-all) is used as SSL backend and this is the main problem, all others are only my own investigation.

Best regards,
Sam Sam

Hello,

Build wolfSSL 3.15.3
./configure --enable-all
make

Use wolfSSL client to connect to host

ww.tvnow.de

1. default method wolfTLSv1_2_client_method_ex without wolfSSL_CTX_UseSupportedCurve call

examples/client/.libs/client -S HOST_NAME -h HOST_NAME -p 443 -d -x -C -g -i 

client use wolfTLSv1_2_client_method_ex method and in the "Client Hello" message wolfSSL send information about following extensions:
- signature_algorithms
- ec_point_formats
- elliptic_curves
- SessionTicket TLS
- server_name
- Unknown 23

result: SSL handshake successful

2. default method wolfTLSv1_2_client_method_ex with wolfSSL_CTX_UseSupportedCurve call

examples/client/.libs/client -S HOST_NAME -h HOST_NAME  -p 443 -d -x -C -g -i -t

client use wolfTLSv1_2_client_method_ex method and in the "Client Hello" message wolfSSL send information about following extensions:
- signature_algorithms
- elliptic_curves
- SessionTicket TLS
- server_name
- Unknown 23
Information about ec_point_formats is missed.
result: SSL handshake failed with error wolfSSL_connect error -313, revcd alert fatal error

3. method wolfSSLv23_client_method_ex

examples/client/.libs/client -S HOST_NAME  -h HOST_NAME  -p 443 -d -x -C -g -i -v d

client use wolfSSLv23_client_method_ex method and in the "Client Hello" message wolfSSL send information about following extensions:
- Unknown 43
- signature_algorithms
- elliptic_curves
- Unknown 51
- SessionTicket TLS
- server_name
Information about ec_point_formats is missed.
result: SSL handshake failed with error wolfSSL_connect error -313, revcd alert fatal error

Summary:
The wolfSSL does not send information about elliptic_curves extension when:
- method wolfSSLv23_client_method_ex
or
- wolfSSL_CTX_UseSupportedCurve was call

It causes  SSL handshake failed.

It looks that host www.tvnow.de need information about  ec_point_formats extension, but the wolfSSL in describad cases does not send it?
Can you explain why? It is posible to call some function to add this extension to "Client Hello" message?

Please note that libcurl always call wolfSSL_CTX_UseSupportedCurve
https://github.com/curl/curl/blob/10d8f … s/cyassl.c

  CyaSSL_CTX_UseSupportedCurve(BACKEND->ctx, 0x17); /* secp256r1 */
  CyaSSL_CTX_UseSupportedCurve(BACKEND->ctx, 0x19); /* secp521r1 */
  CyaSSL_CTX_UseSupportedCurve(BACKEND->ctx, 0x18); /* secp384r1 */

and also use wolfSSLv23_client_method as default.

This results to make impossible to connect to some host using libcurl + wolfSSL.

It looks like bug in the wolfSSL library.
Can you please take a look on this and give solution for this problem, please?

Regards,
Sam Sam