1 (edited by steffen.mueller4 2015-11-03 01:52:09)

Topic: [SOLVED] JNI call setCipherList does not change the cipher suites

Hi everybody,

I'm trying to build a JSSE integration for wolfSSL within a small research project (https://github.com/steffenmueller4/wolf … ntegration).
Therefore, I have to implement the methods

edu.kit.aifb.eorg.wolfssl.WolfSSLSocketImpl.setEnabledCipherSuites(...)

and

edu.kit.aifb.eorg.wolfssl.WolfSSLServerSocketImpl.setEnabledCipherSuites(...)

to set the enabled cipher suite list.
I tried to invoke the methods from wolfSSL (see: https://www.wolfssl.com/documentation/w … -javadocs/)

com.wolfssl.WolfSSLContext.setCipherList(...)

and

com.wolfssl.WolfSSLSession.setCipherList(...)

However, neither the first nor the second change it right.
For example, when I set the the enabled cipher suite to TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, wolfSSL negotiates TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for a connection.
Do I misunderstand the methods? Do I do anything wrong? What do I do wrong? Is there any pre-/postcondition when calling the methods? Does anybody have a hint/idea to fix it (or to improve the complete code :-))?

Thanks
Steffen

PS: I use wolfSSL 3.6.9 + the JNI library in version 1.2.0.

Share

Re: [SOLVED] JNI call setCipherList does not change the cipher suites

Ok, I tested a lot of things...

Current state is that setting the cipher suite using the JNI library does not seem to work correctly
I tried to set the cipher list at various positions in the source code. Furthermore, I tried to set the cipher suites via the context as well as the session...
Now, I checked in a version that sets the suites via the session. This version works reasonably. However, if I set the suites, for example, to {"TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"} (in the unit test "SendReceiveWithDifferentCipherSuite") the sockets cannot connect:

connect state: CLIENT_HELLO_SENT
16:38:05,679 DEBUG [LoggingCallback]  - wolfSSL Entering SSL_get_error
16:38:05,679 DEBUG [LoggingCallback]  - wolfSSL Leaving SSL_get_error, return -501
16:38:05,679 DEBUG [LoggingCallback]  - wolfSSL Entering ERR_error_string
16:38:05,679 ERROR [SSLSocketBaseClientServer]  - Error in server
java.io.IOException: wolfSSL_connect failed. err = -501, can't match cipher suite
    at edu.kit.aifb.eorg.wolfssl.WolfSSLSocketImpl.doneConnect(WolfSSLSocketImpl.java:229)
    at edu.kit.aifb.eorg.wolfssl.WolfSSLServerSocketImpl.accept(WolfSSLServerSocketImpl.java:90)
    at edu.kit.aifb.eorg.wolfssl.SSLSocketTestServer.getSSLSocket(SSLSocketTestServer.java:55)
    at edu.kit.aifb.eorg.wolfssl.SSLSocketBaseClientServer.run(SSLSocketBaseClientServer.java:102)

Additionally, setting the cipher suites in the JNI lib does not even work when using the Java test client and server (see: attached picture).

Does anybody have an idea to get it working?

Thanks,
Steffen

Post's attachments

Error_JNI_setCipherSuite.png
Error_JNI_setCipherSuite.png 134.75 kb, file has never been downloaded. 

You don't have the permssions to download the attachments of this post.

Share

Re: [SOLVED] JNI call setCipherList does not change the cipher suites

Hi Steffen,

Make sure to be careful on the format of the string being used to set the cipher suites. An example of a setting a cipher suite would be DHE-RSA-AES256-SHA256 and is delimitated by : for example a valid string would be "AES256-SHA256:DHE-RSA-AES256-SHA256". Is the return value of set cipher suite being looked at? In this case the function could be returning SSL_FAILURE due to not being able to set a cipher suite from the list. More in detailed reading about the set cipher suite function can be found at https://www.wolfssl.com/documentation/w … index.html . Let us know if changing the format of the string does not help.

Regards,
Jacob

Share

4 (edited by steffen.mueller4 2015-11-04 11:42:47)

Re: [SOLVED] JNI call setCipherList does not change the cipher suites

Hi Jacob,

thanks for your advice.
However, the suite seems to be set correctly in my unit test class. Java uses the IETF RFC cipher suite format mentioned in my previous post, i.e., TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_DHE_RSA_WITH_AES_256_CBC_SHA256. The string is transformed by the class WolfSSLCipherSuiteList (https://github.com/steffenmueller4/wolf … eList.java) to the wolfssl format you mentioned.
The error from the previous post (wolfSSL_connect failed. err = -501) occurs despite the setCipherList method from the wolfssl JNI library returns WolfSSL.SSL_SUCCESS in line 197 of the socket implementation class (https://github.com/steffenmueller4/wolf … tImpl.java).

Regarding the wolfSSL JNI test server and client: I started both, the client and the server, with the parameter

-l DHE-RSA-AES256-SHA256

I think, this is correct, isn't it? However, the error in the picture occured. In contrast to this, the wolfSSL test server and client (the c implementation from the wolfssl lib) worked with this parameter.

Regards,
Steffen

Share

Re: [SOLVED] JNI call setCipherList does not change the cipher suites

Ok, switching the cipher suites seems to work now, since I fixed another bug...

Best regards,
Steffen

Share