1 (edited by hp28190 Yesterday 04:56:51)

Topic: TLS 1.3 doesn't work but TLS 1.2 does

Hi,

I have a personal project whose main purpose is to make RGB lamps (2 or 3), connected to the internet, change colors in order to send a person a special message through the colors.

For the moment, I use an STM32F7 board, until I receive my Wi-Fi module (ESP32), and they have to act as an HTTPS server.

Because it would be used for years and over the internet, I want to use TLS 1.3 and one or two cipher suites to make it time-proof and secure.

The change of colors would be made with an HTML page with a little script.

Well, now about my problem:

I've managed to serve the page with TLS 1.2 with Chrome/Firefox as client, and it works perfectly.

But I wasn't able to serve it with TLS 1.3: Chrome gives me "ERR_CONNECTION_REFUSED" and Firefox "SSL_ERROR_NO_CYPHER_OVERLAP".

So I decided to use Wireshark to check the suites used by my browsers. I've also defined the debug option for wolfSSL to get some logs.

Both of them seem to have the suite AES128-GCM-SHA256 declared, so I can't figure out why it's failing with the error "Unsupported cipher suite, ClientHello" given by wolfSSL.

So here are my log messages, in case I missed something, and I'm providing my user_settings.h and Wireshark files to help figure out what's happening.

Thanks in advance for your help.

Edit: I see you have released V4.6.0 and I'm currently on V4.5.0, if it matters.

:Start new context
D:wolfSSL Entering TLSv1_3_server_method_ex
D:wolfSSL Entering wolfSSL_CTX_new_ex
D:wolfSSL Entering wolfSSL_CertManagerNew
D:wolfSSL Leaving WOLFSSL_CTX_new, return 0
D:ciphersuites:TLS13-AES128-GCM-SHA256
D:Start certificate buff
D:wolfSSL Entering wolfSSL_CTX_use_certificate_buffer
D:wolfSSL Entering PemToDer
D:Checking cert signature type
D:wolfSSL Entering GetExplicitVersion
D:wolfSSL Entering GetSerialNumber
D:Got Cert Header
D:wolfSSL Entering GetAlgoId
D:wolfSSL Entering GetObjectId()
D:Got Algo ID
D:Getting Cert Name
D:Getting Cert Name
D:Got Subject Name
D:wolfSSL Entering GetAlgoId
D:wolfSSL Entering GetObjectId()
D:wolfSSL Entering GetObjectId()
D:Got Key
D:Not ECDSA cert signature
D:wolfSSL Leaving wolfSSL_CTX_use_certificate_buffer, return 1
D:Start private key buff
D:wolfSSL Entering wolfSSL_CTX_use_PrivateKey_buffer
D:wolfSSL Entering PemToDer
D:wofSSL Entering GetAlgoId
D:wolfSSL Entering GetObjectId()
D:wolfSSL Leaving wolfSSL_CTX_use_PrivateKey_buffer, return 1
D:Start socket
D:fin init
D:En attente de connexion
D:wolfSSL Entering SSL_new
D:wolfSSL Leaving SSL_new, return 0
D:wolfSSL Entering SSL_set_fd
D:wolfSSL Entering SSL_set_read_fd
D:wolfSSL Leaving SSL_set_read_fd, return 1
D:wolfSSL Entering SSL_set_write_fd
D:wolfSSL Leaving SSL_set_write_fd, return 1
D:wolfSSL Entering SSL_accept_TLSv13()
D:Wrong case, to be adjust (my_IORecv)
D:Received bytes:5
D:Data received
D:    16 03 01 02 00                                  |.....
D:Client attempting to connect with different version
D:Wrong case, to be adjust (my_IORecv)
D:Received bytes:512
D:Data received
D:    01 00 01 fc 03 03 a5 ce 0d 33 64 e0 b4 0e 41 d2 |.........3d...A.
D:    a3 7b 76 cb 50 74 19 18 55 f4 6d 1c 20 7d fc b8 |.{v.Pt..U.m. }..
D:    f5 7a b0 80 70 bb 20 63 67 35 fd a6 6d ee 44 8c |.z..p. cg5..m.D.
D:    9c d0 87 b8 b5 8c e2 16 6f 30 bb 87 e4 af 9a d9 |........o0......
D:    e9 8c 83 d2 32 50 18 00 20 2a 2a 13 01 13 02 13 |....2P.. **.....
D:    03 c0 2b c0 2f c0 2c c0 30 cc a9 cc a8 c0 13 c0 |..+./.,.0.......
:    14 00 9c 00 9d 00 2f 00 35 01 00 01 93 2a 2a 00 |....../.5....**.
D:    00 00 17 00 00 ff 01 00 01 00 00 0a 00 0a 00 08 |................
D:    ba ba 00 1d 00 17 00 18 00 0b 00 02 01 00 00 23 |...............#
D:    00 00 00 10 00 0e 00 0c 02 68 32 08 68 74 74 70 |.........h2.http
D:    2f 31 2e 31 00 05 00 05 01 00 00 00 00 00 0d 00 |/1.1............
D:    12 00 10 04 03 08 04 04 01 05 03 08 05 05 01 08 |................
D:    06 06 01 00 12 00 00 00 33 00 2b 00 29 ba ba 00 |........3.+.)...
D:    01 00 00 1d 00 20 04 50 e6 d6 61 5a 3c 33 44 71 |..... .P..aZ<3Dq
D:    f6 a6 cd 5b 60 f4 be 81 2a 49 d8 ee b4 9b 8d 5a |...[`...*I.....Z
D:    d7 d8 77 98 47 51 00 2d 00 02 01 01 00 2b 00 0b |..w.GQ.-.....+..
D:    0a 5a 5a 03 04 03 03 03 02 03 01 00 1b 00 03 02 |.ZZ.............
D:    00 02 fa fa 00 01 00 00 15 00 e5 00 00 00 00 00 |................
D:    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
D:    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
D:    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |...............
D:    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
D:    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
D:    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
D:    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
D:    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
D:    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
D:    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
D:    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
D:    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
D:    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
D:    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
D:received record layer msg
D:got HANDSHAKE
D:wolfSSL Entering DoTls13HandShakeMsg()
D:wolfSSL Entering DoTls13HandShakeMsgType
D:processing client hello
D:wolfSSL Entering DoTls13ClientHello
D:Supported Versions extension received
D:client random
D:    a5 D:Public Curve25519 Key
D:    ce a4 11 50 32 f4 88 07 2d 31 da 97 94 04 f7 cc |...P2...-1......
D:    ad ce 5e e5 ce a6 1f 4d fa 5f 3c f9 82 92 9c 49 |..^....M._<....I
D:Verified suite validity
D:Unsupported cipher suite, ClientHello
D:wolfSSL Entering SendAlert
D:Data to send
D:    15 03 03 00 02 02 28                            |......(
D:Wrong case, to be adjust (my_IOsend)
D:Send of bytes:7
D:wolfSSL Leaving SendAlert, return 0
D:wolfSSL Leaving DoTls13HandShakeMsgType(), return -501
D:wolfSSL Leaving DoTls13HandShakeMsg(), return -501
D:wolfSSL error occurred, error = -501
D:wolfSSL error occurred, error = -501
D:wolfSSL Entering SSL_get_error
D:Connection TLS 1.3 failed

My user_settings, because we can add only one file with a message.

#ifndef USER_SETTINGS_H
#define USER_SETTINGS_H

#undef NO_WOLFSSL_CLIENT
#define NO_WOLFSSL_CLIENT

#undef HAVE_SNI
#define HAVE_SNI

// #undef STM32F7
// #define STM32F7

#undef NO_STM32_HASH
#define NO_STM32_HASH

#undef NO_STM32_CRYPTO
#define NO_STM32_CRYPTO

#undef DEBUG_WOLFSSL 
#define DEBUG_WOLFSSL

#undef WOLFSSL_DEBUG_TLS
#define WOLFSSL_DEBUG_TLS

#undef NO_FILESYSTEM 
#define NO_FILESYSTEM

#undef NO_WOLFSSL_DIR
#define NO_WOLFSSL_DIR

// #undef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
// #define WOLFSSL_TLS13_MIDDLEBOX_COMPAT

#undef LARGE_STATIC_BUFFERS
#define  LARGE_STATIC_BUFFERS

#undef WOLFSSL_TLS13
#define WOLFSSL_TLS13

#undef NO_OLD_TLS
#define NO_OLD_TLS

#undef WOLFSSL_NO_TLS12
#define WOLFSSL_NO_TLS12

#undef WOLFSSL_AEAD_ONLY
#define WOLFSSL_AEAD_ONLY

#undef FREERTOS
#define FREERTOS

#undef WOLFSSL_LWIP
#define WOLFSSL_LWIP

#undef NO_MAIN_DRIVER   
#define NO_MAIN_DRIVER

#undef NO_WRITEV
#define NO_WRITEV

// #undef WOLFSSL_USER_IO  
// #define WOLFSSL_USER_IO

#undef HAVE_TLS_EXTENSIONS
#define HAVE_TLS_EXTENSIONS

#undef HAVE_SUPPORTED_CURVES
#define HAVE_SUPPORTED_CURVES

#undef SINGLE_THREADED  
#define SINGLE_THREADED

// #undef  HAVE_THREAD_LS
// #define HAVE_THREAD_LS

#undef TFM_TIMING_RESISTANT
#define TFM_TIMING_RESISTANT

#undef ECC_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT

#undef HAVE_AESGCM
#define HAVE_AESGCM

#undef GCM_SMALL
#define GCM_SMALL

// #undef WOLFSSL_SHA512
// #define WOLFSSL_SHA512

// #undef WOLFSSL_SHA384
// #define WOLFSSL_SHA384

#undef HAVE_HKDF
#define HAVE_HKDF

#undef HAVE_ECC
#define HAVE_ECC

// #undef ALT_ECC_SIZE
// #define ALT_ECC_SIZE

// #undef HAVE_COMP_KEY
// #define HAVE_COMP_KEY

#undef NO_DSA
#define NO_DSA

#undef NO_RC4
#define NO_RC4

#undef NO_HC128
#define NO_HC128

#undef NO_RABBIT
#define NO_RABBIT

#undef NO_RC4
#define NO_RC4

#undef NO_PSK
#define NO_PSK

#undef NO_MD4
#define NO_MD4

#undef NO_MD5
#define NO_MD5

#undef NO_DES3
#define NO_DES3

#undef NO_CAMELLIA
#define NO_CAMELLIA

#undef NO_BLAKE2B
#define NO_BLAKE2B

#undef NO_SHA
#define NO_SHA

#undef NO_RSA
#define NO_RSA

// #undef WC_NO_RSA_OAEP
// #define WC_NO_RSA_OAEP

// #undef WC_RSA_BLINDING
// #define WC_RSA_BLINDING

#undef NO_AES_CBC
#define NO_AES_CBC

#undef NO_PWDBASED
#define NO_PWDBASED

// #undef NO_ERROR_STRINGS
// #define NO_ERROR_STRINGS

// #undef WOLFSSL_NO_SIGALG
// #define WOLFSSL_NO_SIGALG

// #undef NO_HMAC
// #define NO_HMAC

// #undef  HAVE_ENCRYPT_THEN_MAC
// #define HAVE_ENCRYPT_THEN_MAC

// #undef TFM_ECC256
// #define TFM_ECC256

#undef HAVE_CURVE25519
#define HAVE_CURVE25519

#undef CURVED25519_SMALL
#define CURVED25519_SMALL

#undef CURVE25519_SMALL
#define CURVE25519_SMALL

#undef ED25519_SMALL
#define ED25519_SMALL

#undef WC_RSA_PSS
#define WC_RSA_PSS

// #undef HAVE_POLY1305
// #define HAVE_POLY1305

// #undef HAVE_ONE_TIME_AUTH
// #define HAVE_ONE_TIME_AUTH

// #undef  HAVE_CHACHA
// #define HAVE_CHACHA

// #undef HAVE_HASHDRBG
// #define HAVE_HASHDRBG

#undef HAVE_TLS_EXTENSIONS
#define HAVE_TLS_EXTENSIONS

#undef HAVE_SUPPORTED_CURVES
#define HAVE_SUPPORTED_CURVES

#undef HAVE_EXTENDED_MASTER
#define HAVE_EXTENDED_MASTER

#undef NO_SESSION_CACHE
#define NO_SESSION_CACHE

#undef NO_PWDBASED
#define NO_PWDBASED

#undef WC_NO_ASYNC_THREADING
#define WC_NO_ASYNC_THREADING

// #undef HAVE_DH_DEFAULT_PARAMS
// #define HAVE_DH_DEFAULT_PARAMS

#undef USE_FAST_MATH
#define USE_FAST_MATH

// #undef FAST_HUGE_MATH
// #define FAST_HUGE_MATH

// #undef WOLFSSL_SP_SMALL
// #define WOLFSSL_SP_SMALL

#undef USE_SLOW_SHA
#define USE_SLOW_SHA

#undef  NO_WOLFSSL_MEMORY
#define NO_WOLFSSL_MEMORY

#undef WOLFSSL_SMALL_STACK
#define WOLFSSL_SMALL_STACK 

// #undef  OPENSSL_EXTRA
// #define OPENSSL_EXTRA

#define HAVE_ECC384
#define HAVE_ECC_SECPR2
#define HAVE_ECC_SECPR3
#define HAVE_ALL_CURVES

#endif /* USER_SETTINGS_H */
Post's attachments

wireshark_tls13.pcapng 8.25 kb, 1 downloads since 2021-01-11 
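
The ClientHello dumped in the first log of this post can be decoded directly to see which versions, cipher suites, signature algorithms and groups the browser offered. The C program below is an added example, not code from the thread or from wolfSSL; `hello_info`, `parse_client_hello` and `offers` are names made up for it, and the numeric code points are the RFC 8446 / IANA values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Handshake bytes from the first log's 512-byte read; bytes 283..511 (zero padding body) are zero-filled. */
static const uint8_t CLIENT_HELLO[512] =
    "\x01\x00\x01\xfc\x03\x03\xa5\xce\x0d\x33\x64\xe0\xb4\x0e\x41\xd2\xa3\x7b\x76\xcb\x50\x74\x19\x18"
    "\x55\xf4\x6d\x1c\x20\x7d\xfc\xb8\xf5\x7a\xb0\x80\x70\xbb\x20\x63\x67\x35\xfd\xa6\x6d\xee\x44\x8c"
    "\x9c\xd0\x87\xb8\xb5\x8c\xe2\x16\x6f\x30\xbb\x87\xe4\xaf\x9a\xd9\xe9\x8c\x83\xd2\x32\x50\x18\x00"
    "\x20\x2a\x2a\x13\x01\x13\x02\x13\x03\xc0\x2b\xc0\x2f\xc0\x2c\xc0\x30\xcc\xa9\xcc\xa8\xc0\x13\xc0"
    "\x14\x00\x9c\x00\x9d\x00\x2f\x00\x35\x01\x00\x01\x93\x2a\x2a\x00\x00\x00\x17\x00\x00\xff\x01\x00"
    "\x01\x00\x00\x0a\x00\x0a\x00\x08\xba\xba\x00\x1d\x00\x17\x00\x18\x00\x0b\x00\x02\x01\x00\x00\x23"
    "\x00\x00\x00\x10\x00\x0e\x00\x0c\x02\x68\x32\x08\x68\x74\x74\x70\x2f\x31\x2e\x31\x00\x05\x00\x05"
    "\x01\x00\x00\x00\x00\x00\x0d\x00\x12\x00\x10\x04\x03\x08\x04\x04\x01\x05\x03\x08\x05\x05\x01\x08"
    "\x06\x06\x01\x00\x12\x00\x00\x00\x33\x00\x2b\x00\x29\xba\xba\x00\x01\x00\x00\x1d\x00\x20\x04\x50"
    "\xe6\xd6\x61\x5a\x3c\x33\x44\x71\xf6\xa6\xcd\x5b\x60\xf4\xbe\x81\x2a\x49\xd8\xee\xb4\x9b\x8d\x5a"
    "\xd7\xd8\x77\x98\x47\x51\x00\x2d\x00\x02\x01\x01\x00\x2b\x00\x0b\x0a\x5a\x5a\x03\x04\x03\x03\x03"
    "\x02\x03\x01\x00\x1b\x00\x03\x02\x00\x02\xfa\xfa\x00\x01\x00\x00\x15\x00\xe5";

typedef struct {  /* hypothetical result type for this example */
    uint16_t legacy_version, suites[32], versions[8], sigalgs[32], groups[16];
    size_t n_suites, n_versions, n_sigalgs, n_groups;
} hello_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Copy up to cap big-endian 16-bit values from p[0..len). */
static size_t u16_list(const uint8_t *p, size_t len, uint16_t *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i + 2 <= len && n < cap; i += 2) out[n++] = rd16(p + i);
    return n;
}

int offers(const uint16_t *list, size_t n, uint16_t v) {
    while (n--) if (list[n] == v) return 1;
    return 0;
}

/* Parse one ClientHello handshake message; 0 on success, -1 if malformed. */
int parse_client_hello(const uint8_t *m, size_t len, hello_info *h) {
    size_t o, n, end;
    memset(h, 0, sizeof *h);
    if (len < 4 || m[0] != 0x01) return -1;            /* type 1 = client_hello */
    end = 4 + (((size_t)m[1] << 16) | ((size_t)m[2] << 8) | m[3]);
    if (end > len || end < 39) return -1;
    h->legacy_version = rd16(m + 4);                   /* 0x0303 even for TLS 1.3 */
    o = 39 + m[38];                                    /* skip random, session id */
    if (o + 2 > end) return -1;
    n = rd16(m + o); o += 2;                           /* cipher_suites */
    if (o + n + 1 > end) return -1;
    h->n_suites = u16_list(m + o, n, h->suites, 32);
    o += n; o += 1 + m[o];                             /* skip compression methods */
    if (o + 2 > end) return -1;
    n = rd16(m + o); o += 2;                           /* extensions block */
    if (o + n > end) return -1;
    end = o + n;
    while (o + 4 <= end) {
        uint16_t type = rd16(m + o);
        size_t elen = rd16(m + o + 2);
        const uint8_t *e = m + o + 4;
        if ((o += 4 + elen) > end) return -1;
        if (type == 0x002b && elen >= 1 && 1u + e[0] <= elen)           /* supported_versions */
            h->n_versions = u16_list(e + 1, e[0], h->versions, 8);
        else if (type == 0x000d && elen >= 2 && 2u + rd16(e) <= elen)   /* signature_algorithms */
            h->n_sigalgs = u16_list(e + 2, rd16(e), h->sigalgs, 32);
        else if (type == 0x000a && elen >= 2 && 2u + rd16(e) <= elen)   /* supported_groups */
            h->n_groups = u16_list(e + 2, rd16(e), h->groups, 16);
    }
    return 0;
}

int main(void) {
    hello_info h;
    if (parse_client_hello(CLIENT_HELLO, sizeof CLIENT_HELLO, &h)) return 1;
    /* 0x0304 = TLS 1.3; 0x1301 = TLS_AES_128_GCM_SHA256 (TLS13-AES128-GCM-SHA256 in the log) */
    printf("legacy_version=0x%04x tls13=%d suite_0x1301=%d\nsignature_algorithms:", h.legacy_version,
           offers(h.versions, h.n_versions, 0x0304), offers(h.suites, h.n_suites, 0x1301));
    for (size_t i = 0; i < h.n_sigalgs; i++) printf(" 0x%04x", h.sigalgs[i]);
    printf("\n");
    return 0;
}
```

The lists keep the browser's GREASE placeholders (values of the form 0x?a?a), so counts include them.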


Re: TLS 1.3 doesn't work but TLS 1.2 does

Hi hp28190,

Looks like the client is connecting with TLS v1.2 only based on the wireshark. Also only using the signature algo X25519 (ED/Curve25519). Have you tried omitting the `WOLFSSL_TLS13_MIDDLEBOX_COMPAT` option? Perhaps try adding `HAVE_ED25519`.

Thanks,
David Garske, wolfSSL


3 (edited by hp28190 Yesterday 01:31:42)

Re: TLS 1.3 doesn't work but TLS 1.2 does

Hi dgarske,

After dealing with some MISRA errors, it seems to work (adding ED25519 define). I only have to correct my program now because the page doesn't show up.

Another question for my project:

WolfSSL can use ATECC608A, through the appropriate lib, but does it need a specific ATECC608 implementation?

If I look at the Microchip page, there are 3 available cases:
- Raw
- Trust&GO
- TrustFLEX

I also found some defines like WOLFSSL_ATECC_TNGTLS in the GitHub file wolfssl/wolfcrypt/src/port/atmel/readme, but no information about the case needed by wolfSSL.

Thanks for your time.

hp28190


Re: TLS 1.3 doesn't work but TLS 1.2 does

Hi hp28190,

For the ATECC we've got some examples and demo videos available.

See this repo for our ATECC specific examples:
https://github.com/wolfSSL/microchip-atecc-demos/

Here are two demo videos for using the ATECC with wolfSSL (Microchip ShieldsUp webinars 24 and 29):
https://www.youtube.com/watch?v=bEPG5p7CMzA
https://drive.google.com/drive/folders/ … sp=sharing

You need to have the CryptoAuthLib and set a couple of build options. This page explains the difference between the ATECC provisioning options:
https://www.microchip.com/design-center … t-platform

Thanks,
David Garske, wolfSSL


Re: TLS 1.3 doesn't work but TLS 1.2 does

Hi dgarske,

I will see all of this with a lot of attention.

Thanks for your help

hp28190


6 (edited by hp28190 Yesterday 08:33:46)

Re: TLS 1.3 doesn't work but TLS 1.2 does

Hey here we go again,

After dealing with my program problems, it doesn't connect completely because of a memory problem (error -125 returned by wolfSSL).

I've checked my heap and stack size, and they are adapted to my future ESP32 board.

Do you have any idea about resolving this memory problem?

Sub-question: Is there a complete file with all the possible #defines? Because every time I search the forum, I find a new one (the last was ECC_SHAMIR).

Now, to help, here are my wolfSSL logs and settings file.

Thanks in advance

:wolfSSL Entering SSL_new
D:wolfSSL Leaving SSL_new, return 0
D:wolfSSL Entering SSL_set_fd
D:wolfSSL Entering SSL_set_read_fd
D:wolfSSL Leaving SSL_set_read_fd, return 1
D:wolfSSL Entering SSL_set_write_fd
D:wolfSSL Leaving SSL_set_write_fd, retrn 1
D:wolfSSL Entering SSL_accept_TLSv13()
D:Wrong case, to be adjust (my_IORecv)
D:Received bytes:5
D:Data received
D:    16 03 01 02 00                                  |.....
D:Client attempting to connect with different version
D:growing input buffer

D:Wrong case, to be adjust (my_IORecv)
D:Received bytes:512
D:Data received
D:    01 00 01 fc 03 03 d0 a6 3d 60 44 ed 60 ae 75 67 |........=`D.`.ug
D:    ea b2 04 26 3a 60 4f d8 ed 52 63 42 96 68 52 d8 |...&:`O..RcB.hR.
D:    c7 aa 25 6d 78 4c 20 a3 f1 d9 11 aa c3 8f cf bf |..%mxL .........
D:    16 19 9c c3 1b ad 64 17 d0 94 58 68 03 99 9d d7 |......d...Xh....
D:    51 91 3f 7a ec 8c 98 00 20 4a 4a 13 01 13 02 13 |Q.?z.... JJ.....
D:    03 c0 2b c0 2f c0 2c c0 30 cc a9 cc a8 c0 13 c0 |..+./.,.0.......
D:    14 00 9c 00 9d 00 2f 00 35 01 00 01 93 1a 1a 00 |....../.5.......
D:    00 00 17 00 00 ff 01 00 01 00 00 0a 00 0a 00 08 |................
D:    4a 4a 00 1d 00 17 00 18 00 0b 00 02 01 00 00 23 |JJ.............#
D:    00 00 00 10 00 0e 00 0c 02 68 32 08 68 74 74 70 |.........h2.http
type
D:Secure Renegotiation extension received
D:    00                                              |.
D:Supported Groups extension received
D:    00 08 4a 4a 00 1d 00 17 00 18                   |..JJ......
D:Point Formats extension received
D:    01 00                                           |..
D:Session Ticket extension received
D:ALPN extension received
D:    00 0c 02 68 32 08 68 74 74 70 2f 31 2e 31       |...h2.http/1.1
D:Certificate Status Request extension received
D:    01 00 00 00 00                                  |.....
D:Signature Algorithms extension received
D:    00 10 04 03 08 04 04 01 05 03 08 05 05 01 08 06 |................
D:    06 01                                           |..
D:Unknown TLS extension type
D:Key Share extension received
D:    00 29 4a 4a 00 01 00 00 1d 00 20 64 0d 2b 06 e7 |.)JJ...... d.+..
D:    39 6e 0b f1 96 c0 60 1b 8e c5 a7 69 80 b3 16 93 |9n....`....i....
D:    e8 1f f1 a7 81 d3 dc 7a 97 7b 2f                |.......z.{/
D:Unknown TLS extension type
D:Skipping Supported Versions - already D:Public Curve25519 Key
D:    ce a4 11 50 32 f4 88 07 2d 31 da 97 94 04 f7 cc |...P2...-1......
D:    ad ce 5e e5 ce a6 1f 4d fa 5f 3c f9 82 92 9c 49 |..^....M._<....I
D:Verified suite validity
D:Derive Early Secret
D:  Salt
D:    NULL
D:  IKM
D:    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
D:    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
D:  PRK
D:    33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 |3...`~.;.....h..
D:    10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a |......&`.....p.*
D:wolfSSL Leaving DoTls13ClientHello, return 0
D:Shrinking input buffer

D:wolfSSL Leaving DoTls13HandShakeMsgType(), return 0
D:wolfSSL Leaving DoTls13HandShakeMsg(), return 0
D:accept state ACCEPT_CLIENT_HELLO_DONE
D:accept state ACCEPT_HELLO_RETRY_REQUEST_DONE
D:accept state ACCEPT_FIRST_REPLY_DONE
D:accept state ACCEPT_SECOND_REPLY_DONE
D:wolfSSL Entering SendTls13ServerHello
D:growing output buffer

D:Server random
D:    a1 97 0b 6d ad 4b bb 66 84 0f 7f bb 99 d8 d6 a4 |...m.K.f........
D:    60 e4 26 0d 94 d9 56 74 5b c9 27 aa 1b 24 d8 cb |`.&...Vt[.'..$..
D:Key Share extension to write
D:Supported Versions extension to write
D:Data to send
D:    16 03 03 00 7a 02 00 00 76 03 03 a1 97 0b 6d ad |....z...v.....m.
D:    4b bb 66 84 0f 7f bb 99 d8 d6 a4 60 e4 26 0d 94 |K.f........`.&..
D:    d9 56 74 5b c9 27 aa 1b 24 d8 cb 20 a3 f1 d9 11 |.Vt[.'..$.. ....
D:    aa c3 8f cf bf 16 19 9c c3 1b ad 64 17 d0 94 58 |...........d...X
D:    68 03 99 9d d7 51 91 3f 7a ec 8c 98 13 01 00 00 |h....Q.?z.......
D:    2e 00 33 00 24 00 1d 00 20 ce a4 11 50 32 f4 88 |..3.$... ...P2..
D:    07 2d 31 da 97 94 04 f7 cc ad ce 5e e5 ce a6 1f |.-1........^....
D:    4d fa 5f 3c f9 82 92 9c 49 00 2b 00 02 03 04    |M._<....I.+....
D:Wrong case, to be adjust (my_IOsend)
D:Send of bytes:127
D:Shrinking output buffer

D:wolfSSL Leaving SendTls13ServerHello, return 0
D:accept state SERVER_HELLO_SENT
D:accept state ACCEPT_THIRD_REPLY_DONE
D:Peer Curve25519 Key
D:    64 0d 2b 06 e7 39 6e 0b f1 96 c0 60 1b 8e c5 a7 |d.+..9n....`....
D:    69 80 b3 16 93 e8 1fD:KE Secret
D:    c5 f4 a0 32 75 54 0b 46 a4 e0 c4 d1 91 92 13 4d |...2uT.F.......M
D:    3d 88 b4 a8 ce 3c 68 0c f6 5a a4 e5 8b 63 93 61 |=....<h..Z...c.a
D:wolfSSL Entering SendTls13EncryptedExtensions
D:Derive Handshake Secret
D:  PRK
D:    33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 |3...`~.;.....h..
D:    10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a |......&`.....p.*
D:  Info
D:    00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 |. .tls13 derived
D:    20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 | ...B.........o.
D:    24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 |$'.A.d..L....xR.
D:    55                                              |U
D:  OKM
D:    6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 |o&......g.T.....
D:    16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba |..v..H%....Wl6..
D:  Salt
D:    6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 |o&......g.T.....
D:    16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba |..v..H%....Wl6..
D:  IKM
D:    c5 f4 a0 32 75 54 0b 46 a4 e0 c4 d1 91 92 13 4d |...2uT.F.......M
D:    3d 88 b4 a8 ce 3c 68 0c f6 5a a4 e5 8b 63 93 61 |=....<h..Z...c.a
D:  PRK
D:    53 58 dd ca 11 61 57 65 0c 28 fe d3 72 01 f6 c6 |SX...aWe.(..r...
D:    a6 2b e2 03 4b f6 02 10 c2 89 f6 d4 95 25 ba d4 |.+..K........%..
D:Derive Client Handshake Secret
D:  PRK
D:    53 58 dd ca 11 61 57 65 0c 28 fe d3 72 01 f6 c6 |SX...aWe.(..r...
D:    a6 2b e2 03 4b f6 02 10 c2 89 f6 d4 95 25 ba d4 |.+..K........%..
D:  Info
D:    00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 |. .tls13 c hs tr
D:    61 66 66 69 63 20 99 b5 1d f8 45 62 fc 7a 6a ad |affic ....Eb.zj.
D:    3a af 44 09 73 10 e9 aa 69 20 bc 67 87 1e 33 24 |:.D.s...i .g..3$
D:    4b c1 d6 16 f1 e1                               |K.....
D:  OKM
D:    1b f4 4b f6 27 6a 30 a4 75 28 f8 48 09 27 99 46 |..K.'j0.u(.H.'.F
D:    be 36 26 7d 25 3c 5a 69 31 11 62 5a e2 8e 95 fd |.6&}%<Zi1.bZ....
D:Derive Server Handshake Secret
D:  PRK
D:    53 58 dd ca 11 61 57 65 0c 28 fe d3 72 01 f6 c6 |SX...aWe.(..r...
D:    a6 2b e2 03 4b f6 02 10 c2 89 f6 d4 95 25 ba d4 |.+..K........%..
D:  Info
D:    00 20 12 74 6c 73 31 33e1 22 aa cf 40 1a b1 bf 16 68 cc             |.."..@....h.
D:Provisioning ENCRYPT key
D:    7f 71 ab 29 a5 18 c5 2a 6b b8 5e f7 26 e9 29 56 |.q.)...*k.^.&.)V
D:Provisioning DECRYPT key
D:    7a dd 18 51 2a ca 08 ba 0d 09 0a a2 f3 c9 be 55 |z..Q*..........U
D:growing output buffer

D:wolfSSL Entering BuildTls13Message
D:wolfSSL Leaving BuildTls13Message, return -125
D:wolfSSL error occurred, error = -125
D:wolfSSL Entering SSL_get_error
D:Connection TLS 1.3 failed
D:wolfSSL Entering SSL_free
D:CTX ref count not 0 yet, no free
D:Shrinking output buffer

D:wolfSSL Leaving SSL_free, return 0
D:wolfSSL Entering SSL_CTX_free
D:CTX ref count down to 0, doing full free
D:wolfSSL Entering wolfSSL_CertManagerFree
D:wolfSSL Leaving SSL_CTX_free, return 0
#ifndef USER_SETTINGS_H
#define USER_SETTINGS_H

/* Settings file for the different options for wolfSSL compilation.
*Lets the user define some macros which can be found in the documentation
*This version is based on the ./configure made with the library
*/

#undef BENCH_EMBEDDED
#define BENCH_EMBEDDED

#undef NO_WOLFSSL_CLIENT
#define NO_WOLFSSL_CLIENT

// #undef HAVE_SNI
// #define HAVE_SNI

#define FP_MAX_BITS 512

#define SIZEOF_LONG_LONG 8


// #undef  WOLFSSL_STM32F7
// #define  WOLFSSL_STM32F7

// #undef NO_STM32_HASH
// #define NO_STM32_HASH

// #undef NO_STM32_CRYPTO
// #define NO_STM32_CRYPTO

// #undef WOLFSSL_ARMASM
//#define WOLFSSL_ARMASM

/*******************************************/
//             Define to use ATECC
/*******************************************/

// #undef WOLFSSL_ATECC508A
// #define WOLFSSL_ATECC508A

//#undef WOLFSSL_ATECC_PKCB
//#define WOLFSSL_ATECC_PKCB

//#undef WOLFSSL_ATMEL
//#define WOLFSSL_ATMEL
/********************************************/  //ATECC


#undef DEBUG_WOLFSSL // To be modified for production
#define DEBUG_WOLFSSL

#undef WOLFSSL_DEBUG_TLS
#define WOLFSSL_DEBUG_TLS

// #undef WOLFSSL_MEMORY_LOG
// #define WOLFSSL_MEMORY_LOG

// #define WOLFSSL_TRACK_MEMORY

#undef NO_FILESYSTEM // To be modified in production to use cert file etc. But already defined by IAR
#define NO_FILESYSTEM

#undef NO_WOLFSSL_DIR
#define NO_WOLFSSL_DIR

#undef WOLFSSL_NO_MALLOC
#define WOLFSSL_NO_MALLOC

// #undef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
// #define WOLFSSL_TLS13_MIDDLEBOX_COMPAT

// #undef LARGE_STATIC_BUFFERS
// #define  LARGE_STATIC_BUFFERS

#undef WOLFSSL_TLS13
#define WOLFSSL_TLS13

#undef NO_OLD_TLS
#define NO_OLD_TLS

#undef WOLFSSL_NO_TLS12
#define WOLFSSL_NO_TLS12

#undef WOLFSSL_AEAD_ONLY
#define WOLFSSL_AEAD_ONLY

#undef FREERTOS
#define FREERTOS

#undef WOLFSSL_LWIP
#define WOLFSSL_LWIP

#undef NO_MAIN_DRIVER   // If IAR, already defined, but not for GCC
#define NO_MAIN_DRIVER

// #undef NO_WRITEV
// #define NO_WRITEV

#undef WOLFSSL_USER_IO  // If IAR, already defined, but not for GCC
#define WOLFSSL_USER_IO

#undef SINGLE_THREADED  // If IAR, already defined
#define SINGLE_THREADED

// #undef  HAVE_THREAD_LS
// #define HAVE_THREAD_LS

#undef TFM_TIMING_RESISTANT
#define TFM_TIMING_RESISTANT

#undef ECC_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT

#undef HAVE_AESGCM
#define HAVE_AESGCM

#undef GCM_SMALL
#define GCM_SMALL

#undef WOLFSSL_SHA512
#define WOLFSSL_SHA512

// #undef NO_64BIT
// #define NO_64BIT

#undef WOLFSSL_SHA384
#define WOLFSSL_SHA384

// #undef USE_SLOW_SHA256
// #define USE_SLOW_SHA256

// #undef USE_SLOW_SHA512
// #define USE_SLOW_SHA512

#undef HAVE_HKDF
#define HAVE_HKDF

#undef HAVE_ECC
#define HAVE_ECC

#undef ALT_ECC_SIZE
#define ALT_ECC_SIZE

// #undef WOLFSSL_STATIC_ECC
// #define WOLFSSL_STATIC_ECC

#undef ECC_SHAMIR

// #undef HAVE_COMP_KEY
// #define HAVE_COMP_KEY

#undef NO_DSA
#define NO_DSA

#undef NO_RC4
#define NO_RC4

#undef NO_HC128
#define NO_HC128

#undef NO_RABBIT
#define NO_RABBIT

#undef NO_RC4
#define NO_RC4

#undef NO_PSK
#define NO_PSK

#undef NO_MD4
#define NO_MD4

#undef NO_MD5
#define NO_MD5

#undef NO_DES3
#define NO_DES3

#undef NO_CAMELLIA
#define NO_CAMELLIA

#undef NO_BLAKE2B
#define NO_BLAKE2B

#undef NO_SHA
#define NO_SHA

#undef NO_RSA
#define NO_RSA

// #undef WC_NO_RSA_OAEP
// #define WC_NO_RSA_OAEP

// #undef WC_RSA_BLINDING
// #define WC_RSA_BLINDING

#undef NO_AES_CBC
#define NO_AES_CBC

#undef NO_PWDBASED
#define NO_PWDBASED

#undef NO_ERROR_STRINGS
#define NO_ERROR_STRINGS

// #undef WOLFSSL_NO_SIGALG
// #define WOLFSSL_NO_SIGALG

// #undef NO_HMAC
// #define NO_HMAC

// #undef  HAVE_ENCRYPT_THEN_MAC
// #define HAVE_ENCRYPT_THEN_MAC

#undef TFM_ECC256
#define TFM_ECC256

#undef HAVE_CURVE25519
#define HAVE_CURVE25519

#undef HAVE_ED25519
#define HAVE_ED25519

#undef WOLFSSL_NO_CLIENT_AUTH
#define WOLFSSL_NO_CLIENT_AUTH

#undef CURVED25519_SMALL
#define CURVED25519_SMALL

#undef CURVE25519_SMALL
#define CURVE25519_SMALL

#undef ED25519_SMALL
#define ED25519_SMALL

#undef WC_RSA_PSS
#define WC_RSA_PSS

// #undef HAVE_POLY1305
// #define HAVE_POLY1305

// #undef HAVE_ONE_TIME_AUTH
// #define HAVE_ONE_TIME_AUTH

// #undef  HAVE_CHACHA
// #define HAVE_CHACHA

#undef HAVE_HASHDRBG
#define HAVE_HASHDRBG

#undef HAVE_TLS_EXTENSIONS
#define HAVE_TLS_EXTENSIONS

#undef HAVE_SUPPORTED_CURVES
#define HAVE_SUPPORTED_CURVES

// #undef HAVE_EXTENDED_MASTER
// #define HAVE_EXTENDED_MASTER

#undef NO_SESSION_CACHE
#define NO_SESSION_CACHE

#undef NO_PWDBASED
#define NO_PWDBASED

#undef WC_NO_ASYNC_THREADING
#define WC_NO_ASYNC_THREADING

#undef HAVE_DH_DEFAULT_PARAMS
#define HAVE_DH_DEFAULT_PARAMS

#undef USE_FAST_MATH
#define USE_FAST_MATH

// #undef FAST_HUGE_MATH
// #define FAST_HUGE_MATH

#undef WOLFSSL_SP_SMALL
#define WOLFSSL_SP_SMALL

#undef WOLFSSL_HAVE_SP_ECC
#define WOLFSSL_HAVE_SP_ECC

#undef WOLFSSL_HAVE_SP_DH
#define WOLFSSL_HAVE_SP_DH

#undef POSITIVE_EXP_ONLY
#define POSITIVE_EXP_ONLY

#undef USE_SLOW_SHA
#define USE_SLOW_SHA

// #undef  NO_WOLFSSL_MEMORY
// #define NO_WOLFSSL_MEMORY

#undef WOLFSSL_SMALL_STACK
#define WOLFSSL_SMALL_STACK 

#undef HAVE_MAX_FRAGMENT
#define HAVE_MAX_FRAGMENT

#undef HAVE_TRUNCATED_HMAC
#define HAVE_TRUNCATED_HMAC

// #undef  OPENSSL_EXTRA
// #define OPENSSL_EXTRA

// #define HAVE_ECC384
// #define HAVE_ECC_SECPR2
// #define HAVE_ECC_SECPR3
// #define HAVE_ALL_CURVES

#endif /* USER_SETTINGS_H */


Re: TLS 1.3 doesn't work but TLS 1.2 does

Hi hp28190,

How do you have the memory setup? I see you have `WOLFSSL_NO_MALLOC` defined, which is odd. It looks like your define for FREERTOS is mapping XMALLOC/XFREE to the pvPortMalloc/vPortFree functions. You need to increase your heap space, which is configured in FreeRTOSConfig.h, depending on which FreeRTOS heap implementation you have.

A good template for build options is here:
https://github.com/wolfSSL/wolfssl/blob … settings.h

If you use ./configure from the Linux world it will generate a file wolfssl/options.h, which shows the build options. See ./configure --help for list of enable/disable options.

Thanks,
David Garske, wolfSSL
