Topic: [SOLVED] wolfSSL_connect() returns with error:40

I am trying to connect to a remote server. My trying is successful with bsd sockets on my linux machines, but not in my cortex-M.

The init code is like:

wolfSSL_Debugging_ON();

/*Init library.*/
wolfSSL_Init();

/*Init context.*/
auto& tls = m_ctx.client.tls;
tls.ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method());

/*Init verification buffer.*/
auto success = wolfSSL_CTX_load_verify_buffer(tls.ctx, (unsigned char*)cert_get(), cert_get_len(), SSL_FILETYPE_PEM);
ASSERT(success == WOLFSSL_SUCCESS);

/* Setup the async IO callbacks */
wolfSSL_CTX_SetIORecv(tls.ctx, tls_receive);
wolfSSL_CTX_SetIOSend(tls.ctx, tls_send);


/*Create TLS handle.*/
tls.ssl = wolfSSL_new(tls.ctx);
ASSERT(tls.ssl != nullptr);

The loop code like:

auto rc = wolfSSL_connect(me->_ctx.client.tls.ssl);

Debug output:

Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
        Parsed new CA
        Freeing Parsed CA
        Freeing der CA
                OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK

DEBUG: asyncio 72 bytes transmit

Shrinking output buffer
wolfSSL Leaving SendClientHello, return 0
connect state: CLIENT_HELLO_SENT
wolfSSL error occurred, error = -323
wolfSSL Entering SSL_connect()

DEBUG: asyncio 7 bytes received

wolfSSL Entering SSL_connect()
wolfSSL error occurred, error = -323
wolfSSL Entering SSL_connect()
mqtt_manager.cpp: TLS data read 5 bytes.
mqtt_manager.cpp: TLS data read 2 bytes.
received record layer msg
got ALERT!
Got alert
wolfSSL error occurred, error = 40
wolfSSL error occurred, error = -313
wolfSSL Entering SSL_connect()
ProcessReply retry in error state, not allowed
wolfSSL error occurred, error = -313

IO under wolfssl is running in an async manner.

Share

Re: [SOLVED] wolfSSL_connect() returns with error:40

Hi burakkirazli,

Looks like the TLS server did not like something in the client_hello and sent back an alert 40 (handshake_failure). Can you describe more about the server and what build options you are using? Perhaps you can send a Wireshark trace and print a run-time list of enabled cipher suites?

#ifndef WOLFSSL_CIPHER_LIST_MAX_SIZE
    #define WOLFSSL_CIPHER_LIST_MAX_SIZE 4096
#endif
static void ShowCiphers(void)
{
    char ciphers[WOLFSSL_CIPHER_LIST_MAX_SIZE];
    int ret = wolfSSL_get_ciphers(ciphers, (int)sizeof(ciphers));

    if (ret == WOLFSSL_SUCCESS)
        printf("%s\n", ciphers);
}

Thanks,
David Garske, wolfSSL

Share

3 (edited by burakkirazli 2019-11-22 00:15:07)

Re: [SOLVED] wolfSSL_connect() returns with error:40

Hi David,

Chipher suite:

DHE-RSA-AES128-SHA:
DHE-RSA-AES256-SHA:
DHE-PSK-AES128-CBC-SHA256:
DHE-RSA-AES128-SHA256:
DHE-RSA-AES256-SHA256:
EDH-RSA-DES-CBC3-SHA


My configuration:

#define SINGLE_THREADED
#define FREERTOS
#define NO_FILESYSTEM
#define WOLFSSL_NO_SOCK
#define WOLFSSL_USER_IO
#define NO_DEV_RANDOM
#define NO_WRITEV
#define WC_NO_HARDEN

//#define HAVE_ECC
#define HAVE_DH
#define HAVE_ED25519
#define HAVE_SHA512
#define WOLFSSL_SHA512
#define WOLFSSL_STM32F4
#define NO_STM32_CRYPTO
#define NO_STM32_HASH
#define NO_INLINE
#define WOLFSSL_IGNORE_FILE_WARN
#define NO_ASN_TIME


I attached what is transmitted to the server as binary output. Unfortunately, i can not use wireshark at this platform.

Post's attachments

transmit.PNG
transmit.PNG 8.73 kb, file has never been downloaded. 

You don't have the permssions to download the attachments of this post.

Share

Re: [SOLVED] wolfSSL_connect() returns with error:40

I changed my configuration to these:

#define SINGLE_THREADED
#define FREERTOS
#define NO_FILESYSTEM
#define WOLFSSL_NO_SOCK
#define WOLFSSL_USER_IO
#define NO_DEV_RANDOM
#define NO_WRITEV
#define WC_NO_HARDEN

#define HAVE_HASHDRBG
#define HAVE_HKDF
#define HAVE_AESCCM
#define HAVE_AESGCM
#define HAVE_CHACHA
#define HAVE_POLY1305
#define HAVE_ONE_TIME_AUTH
#define HAVE_CAMELLIA
#define HAVE_SRP
#define HAVE_ECC
#define HAVE_CURVE25519
#define HAVE_ED25519
#define WOLFSSL_TLS12
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define HAVE_HKDF
#define WC_RSA_PSS
#define NO_OLD_TLS
#define HAVE_SHA512
#define WOLFSSL_SHA512

#define WOLFSSL_STM32F4
#define NO_STM32_CRYPTO
#define NO_STM32_HASH
#define NO_INLINE
#define WOLFSSL_IGNORE_FILE_WARN
#define NO_ASN_TIME

#define DEBUG_WOLFSSL


wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
wolfSSL Entering TLSv1_2_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_load_verify_buffer_ex
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
        Parsed new CA
        Freeing Parsed CA
        Freeing der CA
                OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Entering wolfSSL_CTX_load_verify_buffer_ex
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
        Parsed new CA
        Already have this CA, not adding again
        Freeing Parsed CA
        Freeing der CA
                OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Processed at least one valid CA. Other stuff OK
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_connect()
wolfSSL Entering SendClientHello
Adding signature algorithms extension
growing output buffer

Signature Algorithms extension to write
Point Formats extension to write
Supported Groups extension to write
TASK.cpp: TLS Send Callback

DEBUG-asyncio 134 bytes transmit

Shrinking output buffer

wolfSSL Leaving SendClientHello, return 0
connect state: CLIENT_HELLO_SENT
wolfSSL error occurred, error = -323
DEBUG-asyncio 2337 bytes received
wolfSSL Entering SSL_connect()
wolfSSL error occurred, error = -323
wolfSSL Entering SSL_connect()
TASK.cpp: TLS data read 5 bytes.
growing input buffer

TASK.cpp: TLS data read 84 bytes.
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Entering DoServerHello
Point Formats extension received
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoServerHello, return 0
Shrinking input buffer

wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
TASK.cpp: TLS data read 5 bytes.
growing input buffer

TASK.cpp: TLS data read 1929 bytes.
received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
wolfSSL Entering DoCertificate
wolfSSL Entering ProcessPeerCerts
Loading peer's cert chain
        Put another cert into chain
        Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
wolfSSL Entering ConfirmSignature
ASN Key decode error RSA
wolfSSL Leaving ConfirmSignature, return -142
Confirm signature failed
Failed to verify CA from chain
growing output buffer

TASK.cpp: TLS Send Callback
DEBUG-asyncio 7 bytes transmit
Shrinking output buffer

Verifying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetObjectId()
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAltNames
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
wolfSSL Entering ConfirmSignature
ASN Key decode error RSA
wolfSSL Leaving ConfirmSignature, return -142
Confirm signature failed
Failed to verify Peer's cert
        No callback override available, fatal
wolfSSL Leaving ProcessPeerCerts, return -142
wolfSSL Leaving DoCertificate, return -142
wolfSSL Leaving DoHandShakeMsgType(), return -142
wolfSSL Leaving DoHandShakeMsg(), return -142
wolfSSL error occurred, error = -142
wolfSSL error occurred, error = -142
wolfSSL Entering SSL_connect()
ProcessReply retry in error state, not allowed
wolfSSL error occurred, error = -142

Share

Re: [SOLVED] wolfSSL_connect() returns with error:40

Hi burakkirazli,

Error -142 is `ASN_GETINT_E`. Happening on call to `wc_RsaPublicKeyDecode`. My best guess is you heap allocation failed when trying to parse the RSA certificate from the peer. Check your heap space and either make more available or switch to a stack based math by defining USE_FAST_MATH. It might be helpful to look at this example user_settings.h file, which describes many build options. https://github.com/wolfSSL/wolfssl/blob … settings.h

Thanks,
David Garske, wolfSSL

Share

Re: [SOLVED] wolfSSL_connect() returns with error:40

Hi Dgarske,

I found the actual reason of why my setup failed.

One of my configuration uses realloc. I did not implemented realloc and existing setup was using standart realloc. I implemented it and it works.

Thanks.

Share

Re: [SOLVED] wolfSSL_connect() returns with error:40

Hi burakkirazli,

Thanks for letting us know the fix was due to not having XREALLOC / realloc implemented correctly when using the normal math.

David Garske, wolfSSL

Share