Topic: wolfSSL_connect fail with -308, error state on socket

We are using an embedded client in the KEIL MDK environment.  Using the KEIL version of BSD for the interfaces.
Library was built with these settings.
#define HAVE_KEIL_RTX  /* or define RTOS option */
#define WOLFSSL_USER_IO  /* Use own TCP/IP lib */
#define NO_DEV_RANDOM
#define WOLFSSL_KEIL_TCP_NET
#define WOLFSSL_MDK_ARM
#define WOLFSSL_CALLBACKS
#define NO_WOLFSSL_DIR
#define NO_WRITEV
#define USE_FAST_MATH
#define TFM_TIMING_RESISTANT
#define NO_FILESYSTEM
#define NO_ECHOSERVER
#define NO_ECHOCLIENT
#define NO_SIMPLE_SERVER
#define NO_SIMPLE_CLIENT
#define NO_WOLFSSL_SERVER
#define SMALL_SESSION_CACHE
#undef USE_CERT_BUFFERS_1024
#undef WOLFSSL_SMALL_STACK

We do the standard socket create, bind, and connect for the socket using a google.com address and port 443. After we verify the connect we execute the wolfssl functions,
wolfSSL_CTX_new(wolfSSLv23_client_method())
wolfSSL_CTX_set_verify(pCtx, WOLFSSL_VERIFY_NONE, 0);
wolfSSL_new(pCtx)
wolfSSL_use_PrivateKey_buffer
wolfSSL_set_fd(pSSL, socket)
wolfSSL_connect(pSSL)

All function calls are successful except the wolfSSL_connect.
Quickly after issuing the wolfSSL_connect we get a -308 error. We wait for about 10 seconds before reporting the error in hopes that something will be sent to the server. The KEIL TCP debug is enabled and we see that the wolfssl library never sends a handshake to the server. After the socket timeout period the server issues a close on the socket.
We have double checked the socket connection and it is definitely connected.
Can someone point us in a direction to determine what the issue is?
Attached is a KEIL TCP LOG.

Thanks

Re: wolfSSL_connect fail with -308, error state on socket

There is no attached file.

308 is a general socket failure error.  I say general because there are many things that can cause the socket to close.
If you sniff the Enet traffic you will get a better understanding of why the socket is closing.

Re: wolfSSL_connect fail with -308, error state on socket

Thanks.
We found the reason for the socket error. Due to memory constraints, we set up the minimum required for TLS. The reason for the socket error was not a socket error itself but that the callbacks for send and receive were not set up. One of our options (I believe it was NOFILESYSTEM) caused the xio callback to not be set up. After using the callback setup we were able to get past that option. Now wolfssl is establishing a connection with an error of -313. Here is the log:
04/13/18-15:55:19:788 IP         Debug    TSK: ETHPPP  wolfSSL: received record layer msg
04/13/18-15:55:19:789 IP         Debug    TSK: ETHPPP  wolfSSL: got ALERT!
04/13/18-15:55:19:811 IP         Debug    TSK: ETHPPP  wolfSSL: Got alert
04/13/18-15:55:19:811 IP         Debug    TSK: ETHPPP  wolfSSL: wolfSSL error occurred, error = 40
04/13/18-15:55:19:815 IP         Debug    TSK: ETHPPP  wolfSSL: wolfSSL error occurred, error = -313
04/13/18-15:55:19:824 IP         Debug    TSK: ETHPPP  wolfSSL: wolfSSL Entering SSL_connect()

Not sure what this is...

Re: wolfSSL_connect fail with -308, error state on socket

Did you find the cause of your 313 error?

Re: wolfSSL_connect fail with -308, error state on socket

rmartin92 and Frank42,

A -313, Alert Fatal Error means the peer you are connecting to did not like something about the Client Hello message it received.

This is most commonly caused by an inability to match a common cipher suite or due to a missing extension that the peer wanted to see in the Client Hello message.

Can you tell me which cipher suites were configured and which peer you were trying to connect to? Is the peer publicly accessible so I can test it from my side?

You can dump the configured cipher suites in wolfSSL with:

     char ciphers[4096]; // or some value you think is large enough.

     int ret = wolfSSL_get_ciphers(ciphers, (int)sizeof(ciphers));

     if (ret == WOLFSSL_SUCCESS)
         printf("%s\n", ciphers);

Warm Regards,

- K
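
The alert behind the -313 discussed above, as an added example that is not part of the original thread and not wolfSSL code: a small parser for a plaintext TLS alert record, which is what a packet capture shows when the peer rejects the Client Hello. It assumes the `error = 40` line in the log is the alert description byte (40 is handshake_failure in RFC 5246); the function names and the sample record bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Alert descriptions from RFC 5246 section 7.2 (subset). */
static const char *alert_name(uint8_t desc)
{
    switch (desc) {
    case 0:  return "close_notify";
    case 40: return "handshake_failure";   /* no acceptable parameters, e.g. no shared cipher suite */
    case 42: return "bad_certificate";
    case 47: return "illegal_parameter";
    case 48: return "unknown_ca";
    case 70: return "protocol_version";
    case 71: return "insufficient_security";
    case 80: return "internal_error";
    default: return "unknown";
    }
}

/* Parse one plaintext TLS alert record (alerts sent before keys are
 * established, such as a rejection of the Client Hello, are not encrypted).
 * Returns 0 and fills level/desc, or -1 if buf is not a well-formed alert. */
int parse_alert(const uint8_t *buf, size_t len, uint8_t *level, uint8_t *desc)
{
    if (buf == NULL || len < 7) return -1;          /* 5-byte header + 2-byte body */
    if (buf[0] != 21) return -1;                    /* content type 21 = alert */
    if (buf[1] != 3) return -1;                     /* major version 3 = SSL3/TLS */
    if (((buf[3] << 8) | buf[4]) != 2) return -1;   /* plaintext alert body is 2 bytes */
    if (buf[5] != 1 && buf[5] != 2) return -1;      /* 1 = warning, 2 = fatal */
    *level = buf[5];
    *desc  = buf[6];
    return 0;
}

/* Constructed sample: fatal handshake_failure in a TLS 1.2 record. */
static const uint8_t sample_alert[] = { 0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28 };

int main(void)
{
    uint8_t level, desc;
    if (parse_alert(sample_alert, sizeof sample_alert, &level, &desc) != 0) {
        puts("not a plaintext alert record");
        return 1;
    }
    printf("%s alert %u: %s\n", level == 2 ? "fatal" : "warning", (unsigned)desc, alert_name(desc));
    return 0;
}
```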