<![CDATA[wolfSSL - Embedded SSL Library — ECC extensions not sent in DTLS]]> https://www.wolfssl.com/forums/topic692-ecc-extensions-not-sent-in-dtls.html Wed, 02 Sep 2015 21:56:09 +0000 PunBB <![CDATA[Re: ECC extensions not sent in DTLS]]> https://www.wolfssl.com/forums/post2176.html#p2176 Hi Simon,

I tried connecting to the example Scandium server using Eclipse across a local host connection and saw Scandium send all of DTLS 1.2 flight 4 at once for a grand size of 1,985 bytes. Then the scenario you described earlier. The reason for this is our MTU size for DTLS is set to a conservative 1,500 but is not large enough to handle that size. This is a larger size than what is expected to be sent. A temporary fix for this is to adjust the size in wolfssl/internal.h about line 811 setting MAX_MTU to be 2500 rather than 1500. After doing that I was then able to get farther in the handshake.

Regards,
Jacob

]]> Wed, 02 Sep 2015 21:56:09 +0000 https://www.wolfssl.com/forums/post2176.html#p2176 <![CDATA[Re: ECC extensions not sent in DTLS]]> https://www.wolfssl.com/forums/post2170.html#p2170 Re,
  Scandium now supports that a client does not send "Supported Elliptic Curves" and "Supported Point Formats" extension.
  So I taked time to retest that with wolfssl.
  I successfully passed the ClientHello message but I still encountered the same problem as I described previously.
  I also tested what you proposed about modifying the client.c example.
  But In all case,  the client never answer after the "Server Hello Done" from the server... no error in output even when debug mod is activated.
Too bad :'( !
Simon

]]> Mon, 31 Aug 2015 14:21:40 +0000 https://www.wolfssl.com/forums/post2170.html#p2170 <![CDATA[Re: ECC extensions not sent in DTLS]]> https://www.wolfssl.com/forums/post2121.html#p2121 Hi sbernard,

To answer the question about Supported Elliptic Curves after enabling them as a configure option they then need to be added to the client ssl struct. In example,

code to init ssl struct ....

    if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP160R1) != SSL_SUCCESS)
        printf("handle error\n);

   ...code to make connection and then clean up

If using the example wolfSSL client this function call can be added in at line 788 of the current one. As soon as one has been added then the client sends out the ECC curve extension. With wireshark there should then be Extension: elliptic_curves when looking at the client hello. Just as farther info when using, all available curve options are

WOLFSSL_ECC_SECP160R1 = 0x10,
WOLFSSL_ECC_SECP192R1 = 0x13,
WOLFSSL_ECC_SECP224R1 = 0x15,
WOLFSSL_ECC_SECP256R1 = 0x17,
WOLFSSL_ECC_SECP384R1 = 0x18,
WOLFSSL_ECC_SECP521R1 = 0x19

Unfortunately the ECC Point Format Extension has not yet been added. There is some internal code started for it but it has gotten pushed to the back burner.

Regards,
Jacob

]]> Wed, 29 Jul 2015 20:13:38 +0000 https://www.wolfssl.com/forums/post2121.html#p2121 <![CDATA[Re: ECC extensions not sent in DTLS]]> https://www.wolfssl.com/forums/post2119.html#p2119 OK I tested with the option you proposed and a wolfssl client and server, and it works !

1) You didn't answered about the "Supported Elliptic Curves" and "Supported Point Formats" extension issue.
2) I workaround the "Supported Elliptic Curves" and "Supported Point Formats" extension issue by modifying scandium code, but I encountered another issue this time the handshake go to Server Hello Done, but the wolfssl client never answer

C=> Client Hello
S=> Hello Verify Request
C=> Client Hello
S=> Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done

I compare the 2 wireshark captures (wolf/wolf and wolf/scandium) and I don't see any problems hmm.
I tried to launch wolfssl in debug mode and it seems to be in a strange state :  

connect state: HELLO_AGAIN_REPLY
wolfSSL Entering EmbedReceiveFrom()
wolfSSL Entering wolfSSL_get_using_nonblock
wolfSSL Leaving wolfSSL_get_using_nonblock, return 0
received record layer msg
wolfSSL Entering DoDtlsHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
More records in input
growing input buffer

wolfSSL Entering EmbedReceiveFrom()
wolfSSL Entering wolfSSL_get_using_nonblock
wolfSSL Leaving wolfSSL_get_using_nonblock, return 0
Embed Receive From error
wolfSSL Entering wolfSSL_get_using_nonblock
wolfSSL Leaving wolfSSL_get_using_nonblock, return 0
    Socket timeout
wolfSSL Entering EmbedReceiveFrom()
wolfSSL Entering wolfSSL_get_using_nonblock
wolfSSL Leaving wolfSSL_get_using_nonblock, return 0
Embed Receive From error
wolfSSL Entering wolfSSL_get_using_nonblock
wolfSSL Leaving wolfSSL_get_using_nonblock, return 0
    Socket timeout
... ... ... ....
wolfSSL Entering EmbedReceiveFrom()
wolfSSL Entering wolfSSL_get_using_nonblock
wolfSSL Leaving wolfSSL_get_using_nonblock, return 0
Embed Receive From error
wolfSSL Entering wolfSSL_get_using_nonblock
wolfSSL Leaving wolfSSL_get_using_nonblock, return 0
    Socket timeout
]]> Tue, 28 Jul 2015 13:53:45 +0000 https://www.wolfssl.com/forums/post2119.html#p2119 <![CDATA[Re: ECC extensions not sent in DTLS]]> https://www.wolfssl.com/forums/post2116.html#p2116 Hi sbernard,

Try using the following options. I am providing flags for both server and client in the case you would like to test wolfSSL internally before testing an external connection:

For TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8

Server options:

./examples/server/server -u -v 3 -l ECDHE-ECDSA-AES128-CCM-8 -c ./certs/server-ecc.pem -k ./certs/ecc-key.pem

Client options: 

./examples/client/client -u -v 3 -l ECDHE-ECDSA-AES128-CCM-8 -A ./certs/server-ecc.pem

To read more about these options and flags please use:

./examples/server/server -help
]]> Mon, 27 Jul 2015 17:13:00 +0000 https://www.wolfssl.com/forums/post2116.html#p2116 <![CDATA[ECC extensions not sent in DTLS]]> https://www.wolfssl.com/forums/post2114.html#p2114 Hi,
  As I said in my previous post. I tried to connect wolfssl(3.6.0) to Eclipse Scandium(master).
  As I failed to use PSK, I tried to use RPK with Elliptic curves using TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 cipher suite.
  So I tried to configure wolfssl like this : 

./configure --enable-dtls --enable-aesccm --enable-supportedcurves --enable-scep
./examples/client/client -h 127.0.0.1 -p 5684 -u -v 3

(I also tried adding --enable-tlsx)
But in all case, wolfssl did not add the "Supported Elliptic Curves" and "Supported Point Formats" extension in Client_Hello.
This is not really mandatory as the spec say : "A TLS client that proposes ECC cipher suites in its ClientHello message SHOULD include these extensions"
But, Scandium refuse to continue handshake, if those extensions are not present for ECC, I think this is mainly a scandium issue (I will open it). But I think wolfssl should add this extension as the specification recommend it.

The same issue was present in openssl in the past, it was fixed now.

Simon

]]> Mon, 27 Jul 2015 15:58:58 +0000 https://www.wolfssl.com/forums/post2114.html#p2114