You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by SamSam
Pages 1
Hello,
Thank you very much for your help.
It is a pleasure to use your library.
Best Regards,
Sam
Hello Kaleb J. Himes,
Thank you for your answer. Unfortunately, I can not agree with the results of your investigation.
Regarding i0.wp.com:
When you connect using TLS 1.2 then there is no TLS error, and you can get HTTP response as follow:
LD_LIBRARY_PATH=/mnt/raw/e2ibuildenv/wolfssl/out/i686/lib/ ./examples/client/.libs/client -S i0.wp.com -h i0.wp.com -p 443 -d -x -C -g -i -v 3
Session Ticket CB: ticketSz = 192, ctx = initial session
peer's cert info:
issuer : /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
subject: /OU=Domain Control Validated/CN=*.wp.com
altname = wp.com
altname = *.wp.com
serial number:68:86:4a:83:77:1a:bb:7d
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL curve name is X25519
Client Random : F73F976937698B8DF04965E6B80D5AA158A4938A28B1153D881AA138E63BA8EB
SSL connect ok, sending GET...
HTTP/1.1 403 Forbidden
Server: nginx
Date: Tue, 11 Dec 2018 04:56:07 GMT
Con
tent-Type: text/html
Content-Length: 37
Connection: close
Direct IP/HostnaGenerally the problem is because you can NOT get HTTP response from i0.wp.com using -v d, but you can when you manually force -v 3
Could you please take, a look once again on i0.wp.com host? In the browser, yes you got the message:
Sorry, the parameters you provided were not valid
but this HTTP response and this is expected, there is NO SSL error.
With WolfSSL and option -v d or -v 4 ( when TLS 1.3 is used) it fails with:
SSL_read reply error -425, The security parameter is invalid
this is SSL error.
you will be able to get HTTP response also using WolfSSL when you force TLS 1.2, but in this case you must do this manually.
Regarding your question. Please find my answer in the following post:
https://www.wolfssl.com/forums/post4111.html#p4111
Thank you,
SamSam
Hello,
WolfSSL 3.15.5 compiled as follow:
cd wolfssl-3.15.5
./configure CFLAGS=-DWOLFSSL_STATIC_RSA \
--enable-all \
--enable-tls13
makeDo not allow to connect to hosts
dev.ssllabs.com and i0.wp.com with TLS 1.3
examples/client/.libs/client -S dev.ssllabs.com -h dev.ssllabs.com -p 443 -d -x -C -g -i -v 4
wolfSSL_connect error -424, Extension type not allowed in handshake message type
wolfSSL error: wolfSSL_connect failedexamples/client/.libs/client -S i0.wp.com -h i0.wp.com -p 443 -d -x -C -g -i -v 4
peer's cert info:
issuer : /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
subject: /OU=Domain Control Validated/CN=*.wp.com
altname = wp.com
altname = *.wp.com
serial number:68:86:4a:83:77:1a:bb:7d
SSL version is TLSv1.3
SSL cipher suite is TLS_AES_128_GCM_SHA256
SSL curve name is SECP256R1
Client Random : 7E84EF48D807C5269C50DD5B3DEEDF3D4B4672A43E74BC8841DC4C0867A741D4
SSL connect ok, sending GET...
SSL_read reply error -425, The security parameter is invalid
wolfSSL error: SSL_read failed
Could you please check this?
Best Regards,
SamSam
Hello,
I used head. The information about this was in the first post:
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-all
make
Regards,
SSS
I think you ask about this information:
$ uname -a
Linux ubuntu-VirtualBox 3.2.0-24-generic-pae #39-Ubuntu SMP Mon May 21 18:54:21 UTC 2012 i686 i686 i386 GNU/Linux
$ gcc -###
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/i686-linux-gnu/4.6/lto-wrapper
Target: i686-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu/Linaro 4.6.3-1ubuntu5' --with-bugurl=file:///usr/share/doc/gcc-4.6/README.Bugs --enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.6 --enable-shared --enable-linker-build-id --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.6 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --enable-plugin --enable-objc-gc --enable-targets=all --disable-werror --with-arch-32=i686 --with-tune=generic --enable-checking=release --build=i686-linux-gnu --host=i686-linux-gnu --target=i686-linux-gnu
Thread model: posix
gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)Please let me know if you need anything more.
Best Regards,
SSS
Hello,
Yes it works. Thank you very much.
However I had two compilation errors:
CC wolfcrypt/src/src_libwolfssl_la-asn.lo
wolfcrypt/src/asn.c: In function 'GetAsnTimeString':
wolfcrypt/src/asn.c:4978:31: error: declaration of 'min' shadows a global declaration [-Werror=shadow]
./wolfcrypt/src/misc.c:241:29: error: shadowed declaration is here [-Werror=shadow]
cc1: all warnings being treated as errors CC wolfcrypt/src/src_libwolfssl_la-coding.lotests/api.c: In function ‘test_wolfSSL_ASN1_TIME_adj’:
tests/api.c:18689:20: error: integer overflow in expression [-Werror=overflow]
cc1: all warnings being treated as errors
make[1]: *** [tests/tests_unit_test-api.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory `/tmp/t/wolfssl'
make: *** [all] Error
The first one was easy to fix by changing variable name from "min" to "mins".
The second one I simple commented. But as I understand there is problem with time_t overflow.
What will be the proper fix?
Best Regards,
SSS
Hello,
When I try to connect to pro.beatport.com host using Wolfssl folowing error is received:
wolfSSL_connect error -313, revcd alert fatal error
wolfSSL error: wolfSSL_connect failed
How to reproduce:
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-all
make
examples/client/.libs/client -S pro.beatport.com -h pro.beatport.com -p 443 -d -x -C -g -i -v dCould you please help?
Best Regards,
SamSam
Hello Kaleb,
No I don't have any timelines. I am using wolfSSL as a TLS backed for PyCurl (Python curl wrapper).
The project is OpenSource plugin for Set-Top-Boxes with Engima2 software.
Here is the link to the repository of this project:
https://gitlab.com/iptvplayer-for-e2/iptvplayer-for-e2
Thank you very much for all information and fix.
Best Regards,
SamSam
Hello @embhorn,
Thank you for the update and for the fix.
These is my test results:
mkdir /mnt/work/wolfsssl_test/
cd /mnt/work/wolfsssl_test/
git clone https://github.com/wolfSSL/wolfssl.git
mkdir rootfs
cd wolfssl/
./autogen.sh
export CC="gcc -Wno-error=overflow"
./configure --enable-all --prefix=/mnt/work/wolfsssl_test/rootfs
make
make install
# TEST 1 - with wolfSSL_CTX_UseSupportedCurve call
./examples/client/client -h 217.118.168.60 -p 443 -d -x -C -g -i -t
# PASS
# TEST 2 - wolfSSLv23_client_method_ex
./examples/client/client -h 217.118.168.60 -p 443 -d -x -C -g -i -v d
# PASS
cd ..
wget https://curl.haxx.se/download/curl-7.61.0.tar.gz
tar -xvf curl-7.61.0.tar.gz
cd curl-7.61.0
./configure --prefix=/mnt/work/wolfsssl_test/rootfs --without-ssl --with-wolfssl=/mnt/work/wolfsssl_test/rootfs
make
make install
export LD_LIBRARY_PATH=/mnt/work/wolfsssl_test/rootfs/lib
# TEST 3 curl
/mnt/work/wolfsssl_test/rootfs/bin/curl https://www.tvnow.de/
# PASSThank you very much. What is the expected date when official release will be deployed with this patch?
Best Regards,
SamSam
@embhorn
Your question is strange because in the first post you can find these informations.
As you can see the problem is with commands:
./examples/client/client -h 217.118.168.60 -p 443 -d -x -C -g -i -v dand
./examples/client/client -h 217.118.168.60 -p 443 -d -x -C -g -i -tSo, the problem is when wolfSSLv23_client_method_ex is used or when method wolfSSL_CTX_UseSupportedCurve was called.
In such situation wwolfSSL does not send information about elliptic_curves extension and this is a problem.
I checked this using wireshark.
I already wrote this two times. So, your question is really strange. Did you read my posts?
Regards,
SamSam
@Kaleb J. Himes
Thank you for the update.
I did not modify the client source code.
In provided by me examples I do use TLS1.3 nowhere. I used parameter "-t" because with this option function wolfSSL_CTX_UseSupportedCurve is called.
The problem is when wolfSSL_CTX_UseSupportedCurve is called, as it is done by the libcurl or when you use method wolfSSLv23_client_method_ex then wwolfSSL does not send information about elliptic_curves extension.
I gave step by step scenario how to reproduce the problem.
At now there is no possible to connect to http://www.tvnow.de/ via curl when the wolfSSL 3.15.3 (./configure --enable-all) is used as SSL backend and this is the main problem, all others are only my own investigation.
Best regards,
Sam Sam
Hello,
Build wolfSSL 3.15.3
./configure --enable-all
make
Use wolfSSL client to connect to host
ww.tvnow.de
1. default method wolfTLSv1_2_client_method_ex without wolfSSL_CTX_UseSupportedCurve call
examples/client/.libs/client -S HOST_NAME -h HOST_NAME -p 443 -d -x -C -g -i client use wolfTLSv1_2_client_method_ex method and in the "Client Hello" message wolfSSL send information about following extensions:
- signature_algorithms
- ec_point_formats
- elliptic_curves
- SessionTicket TLS
- server_name
- Unknown 23
result: SSL handshake successful
2. default method wolfTLSv1_2_client_method_ex with wolfSSL_CTX_UseSupportedCurve call
examples/client/.libs/client -S HOST_NAME -h HOST_NAME -p 443 -d -x -C -g -i -tclient use wolfTLSv1_2_client_method_ex method and in the "Client Hello" message wolfSSL send information about following extensions:
- signature_algorithms
- elliptic_curves
- SessionTicket TLS
- server_name
- Unknown 23
Information about ec_point_formats is missed.
result: SSL handshake failed with error wolfSSL_connect error -313, revcd alert fatal error
3. method wolfSSLv23_client_method_ex
examples/client/.libs/client -S HOST_NAME -h HOST_NAME -p 443 -d -x -C -g -i -v dclient use wolfSSLv23_client_method_ex method and in the "Client Hello" message wolfSSL send information about following extensions:
- Unknown 43
- signature_algorithms
- elliptic_curves
- Unknown 51
- SessionTicket TLS
- server_name
Information about ec_point_formats is missed.
result: SSL handshake failed with error wolfSSL_connect error -313, revcd alert fatal error
Summary:
The wolfSSL does not send information about elliptic_curves extension when:
- method wolfSSLv23_client_method_ex
or
- wolfSSL_CTX_UseSupportedCurve was call
It causes SSL handshake failed.
It looks that host www.tvnow.de need information about ec_point_formats extension, but the wolfSSL in describad cases does not send it?
Can you explain why? It is posible to call some function to add this extension to "Client Hello" message?
Please note that libcurl always call wolfSSL_CTX_UseSupportedCurve
https://github.com/curl/curl/blob/10d8f … s/cyassl.c
CyaSSL_CTX_UseSupportedCurve(BACKEND->ctx, 0x17); /* secp256r1 */
CyaSSL_CTX_UseSupportedCurve(BACKEND->ctx, 0x19); /* secp521r1 */
CyaSSL_CTX_UseSupportedCurve(BACKEND->ctx, 0x18); /* secp384r1 */and also use wolfSSLv23_client_method as default.
This results to make impossible to connect to some host using libcurl + wolfSSL.
It looks like bug in the wolfSSL library.
Can you please take a look on this and give solution for this problem, please?
Regards,
Sam Sam
Pages 1
wolfSSL - Embedded SSL Library → Posts by SamSam
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.018 seconds (95% PHP - 5% DB) with 5 queries