• Registered: 2016-09-10
  • Posts: 18

Topic: Getting connectivity issue when trying SSL cipher ECDHE-RSA-AES256-SHA

Hi,

I am trying SSL connectivity with wolfssl-3.9.10 code for the following cipher:
ECDHE-RSA-AES256-SHA.

But connection is failing with following error on server side:
error = -501, can't match cipher suite
wolfSSL error: SSL_accept failed

We have tried following set of commands.

./configure --enable-ecc
make

./examples/server/server -d -l ECDHE-RSA-AES256-SHA -c ./certs/server-ecc.pem -k ./certs/ecc-key.pem
./examples/client/client -A ./certs/server-ecc.pem

Also tried with following set of  commands:
./examples/server/server -d -l ECDHE-RSA-AES256-SHA -c ./certs/server-ecc-rsa.pem -k ./certs/ecc-key.pem
./examples/client/client -A ./certs/server-ecc-rsa.pem

Both are failing with error(-501).

Please correct the command usage/ certificate usage if I am doing anything wrong here.

FYI:
SSL connectivity is happening for cipher ECDHE-ECDSA-AES256-SHA with following commands:

./configure --enable-ecc
make

./examples/server/server -d -l ECDH-ECDSA-AES256-SHA -c ./certs/server-ecc.pem -k ./certs/ecc-key.pem
./examples/client/client -A ./certs/server-ecc.pem

Share

  • From: Bozeman
  • Registered: 2014-05-09
  • Posts: 777

Re: Getting connectivity issue when trying SSL cipher ECDHE-RSA-AES256-SHA

Hi ravi.kumar,

Let me break down the cipher suite to better explain why the above use-case would never be expected to work:



Part 1 of the suite:
ECDHE means that the client and server will agree on encryption keys using Ephemeral Elliptic Curve Diffie-Hellman.

Part 2 of the suite:
RSA means that the client will verify the key is valid using the RSA algorithm. (NOTICE: you're sending a cert that contains an ecc-key, not an rsa key)

Part 3 of the suite:
AES256 means that the actual encryption will be performed with the AES algorithm using a 256-bit key

Part 4 of the suite:
SHA means that the SHA algorithm will be used for securely hashing parts of the TLS messages.

Extracted certificate indicators that this would not work:

 12         Subject Public Key Info:                                                
 13             Public Key Algorithm: id-ecPublicKey  <--- NOTICE ecPublicKey indicates ECC key not RSA key                              
 14                 Public-Key: (256 bit)                                    
 15                 pub:-                                                           
 16                     04:bb:33:ac:4c:27:50:4a:c6:4a:a5:04:c3:3c:de:               
 17                     9f:36:db:72:2d:ce:94:ea:2b:fa:cb:20:09:39:2c:               
 18                     16:e8:61:02:e9:af:4d:d3:02:93:9a:31:5b:97:92:               
 19                     21:7f:f0:cf:18:da:91:11:02:34:86:e8:20:58:33:               
 20                     0b:80:34:89:d8                                              
 21                 ASN1 OID: prime256v1                                            
 22                 NIST CURVE: P-256   <--- NOTICE: ECC keys use curve id's, RSA keys do not

You are sending a certificate that contains an ecc key, NOT an RSA key. So the cipher suite you have chosen is incompatible with the certificate you selected since the client will try to verify the ECC key you are sending with RSA algorithm.

If you desire to test with either "certs/server-ecc.pem" or "certs/server-ecc-rsa.pem" please select a "ECDHE-ECDSA" cipher suite since both of those certificates contain ECC keys.

For testing with "ECDHE-RSA" please select one of the certificates from the certs directory that contains an RSA key.


Warmest Regards,

Kaleb


EDIT: I can agree in this improper use case it might be more helpful to return or set an alternate error code IE "Cert contains ECC key. Invalid key type for ECDHE-RSA suite" or something to that effect. I've made a note of it and we will review the return code location and message to see if there is something more indicative of the underlying cause of failure that might be returned instead.

Kaleb J. Himes's Website

Share

  • Registered: 2016-09-10
  • Posts: 18

Re: Getting connectivity issue when trying SSL cipher ECDHE-RSA-AES256-SHA

Hi Kaleb J. Himes,

Thank you for your support. I understand, I tried with correct certificate and it works.

Regards,
Ravi.

Share

  • Registered: 2017-03-18
  • Posts: 1

Re: Getting connectivity issue when trying SSL cipher ECDHE-RSA-AES256-SHA

I myself recently faced with such a task. Trying to solve it, but a little that turns out. Tell me, can my problem be complicated by the use of a proxy server, or are these things unrelated?

Share

  • From: Bozeman
  • Registered: 2014-05-09
  • Posts: 777

Re: Getting connectivity issue when trying SSL cipher ECDHE-RSA-AES256-SHA

Hi Mabne,

Typically a proxy connection works like so:

    Hey Bob,               Hey Bob, Alice would
    What time is it?       like to know the time
  ---------------->     --------------->
  |                |  |                 |
Alice             Proxy                Bob
  |                |  |                 |
  <----------------      <--------------
   Hey Alice,                Hey Proxy, it's 5AM
   Bob said it's 5AM

So Alice only ever connected with proxy server. Alice only did one handshake. The proxy then went out on it's own and connected to Bob. Alice has no control over the connection to Bob and no way to control it if she wanted to. The use of a proxy server does not complicate the problem.

What is the error you are seeing when you try to connect to the proxy server?
wolfSSL error codes can be found in <wolfssl-root>/wolfssl/error-ssl.h and <wolfssl-root>/wolfssl/wolfcrypt/error-crypt.h to further explain what the error code means once you have identified it.

Please let me know the error code so I can better understand the issue you are seeing and avoid making incorrect assumptions.


Regards,

Kaleb

Kaleb J. Himes's Website

Share