1 (edited by pkLAppS 2019-07-14 22:01:58)

Topic: TLS 1.3/WebSockets/Browsers/Self signed certificate

Hello there,

I'm trying to use wolfSSL 3.5.1 for my application.

I use self signed certificate and root authority for development. Anything works well when the client and server are using wolfSSL.

If i use wolfTLSv1_2_server_method(), then google chrome works well as well.

And if I switch to TSL 1.3, chrome is unable to establish connection over WebSockets with this error:

Error in connection establishment: net::ERR_SSL_PROTOCOL_ERROR

---

I've configured

www.example.org

as an alias to localhost.

Attempts of an HTTPS connections over TLS 1.3 are failing with:

www.example.org sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

Edited:
HTTPS connections from Firefox are reporting following error (certs changed to localhost):

An error occurred during a connection to localhost:5083. SSL received a malformed Server Hello handshake message. Error code: SSL_ERROR_RX_MALFORMED_SERVER_HELLO 

--

Is there something special about certificates for TLS 1.3? Is there anything special the browsers expect from the server side on handshake?

---

Here is some info about app configuration:

certificates are created with wildcard for

*.example.org

:

openssl genrsa -out example.org.key 2048
openssl req -new -key example.org.key -out example.org.csr

openssl genrsa -out ca.key 2048
openssl req -new -x509 -key ca.key -out ca.crt
openssl x509 -req -in example.org.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out example.org.crt
cat example.org.crt ca.crt > example.org.bundle.crt

Certificates files are:

"ca" : "/opt/lapps/conf/ssl/ca.crt",
"cert" : "/opt/lapps/conf/ssl/example.org.bundle.crt",
"key" : "/opt/lapps/conf/ssl/example.org.key"

Here is the section responsible for certs load (server side):

     if(wolfSSL_CTX_load_verify_locations(this->raw_context(),ca.c_str(),nullptr) != SSL_SUCCESS)
     {
       throw std::system_error(ENOENT,std::system_category(),ca);
     }
     
     if(wolfSSL_CTX_use_PrivateKey_file(this->raw_context(),kfile.c_str(), SSL_FILETYPE_PEM) == SSL_SUCCESS)
     {
       if(wolfSSL_CTX_use_certificate_file(this->raw_context(),cert.c_str(),SSL_FILETYPE_PEM) != SSL_SUCCESS)
       {
         throw std::system_error(ENOENT,std::system_category(),cert);
       }
     }
     else
     {
       throw std::system_error(ENOENT,std::system_category(),kfile);
     }


Chrome build: Version 75.0.3770.100 (Official Build) (64-bit)

wolfSSL configured as follows:

./configure CFLAGS=-pipe -O2 -march=native -mtune=native -fomit-frame-pointer -fstack-check -fstack-protector-strong -mfpmath=sse -msse2avx -ftree-vectorize -funroll-loops -DTFM_TIMING_RESISTANT -DECC_TIMING_RESISTANT -DWC_RSA_BLINDING --prefix=/usr/local --enable-tls13 --enable-openssh --enable-aesni --enable-intelasm --enable-keygen --enable-certgen --enable-certreq --enable-curve25519 --enable-ed25519 --enable-intelasm --enable-harden

wolfSSL library initialization and context creation code is here https://github.com/ITpC/LAppS/blob/LApp … lfSSLLib.h



I would appreciate any clue on how to properly configure and use TLS 1.3 on my server side for browsers to work with.

With best regards,
Paul.

Share

Re: TLS 1.3/WebSockets/Browsers/Self signed certificate

PKLApps,

TLS 13 wasn't added until release 3.12.0 and at that time it was still in draft form. Please try testing with release 4.0.0 and let us know if you have any issues.


Warm Regards,

KH