Hi SamSam,

I just reviewed dev.ssllabs.com domain, they do not support TLS v1.3 so this is an expected result. Interestingly I can even scan their own website with their own tool to show this:

https://www.ssllabs.com/ssltest/analyze … 130.202.77

Configuration

Protocols
TLS 1.3    No
TLS 1.2    Yes
TLS 1.1    Yes
TLS 1.0    Yes
SSL 3    No
SSL 2    No
For TLS 1.3 tests, we only support RFC 8446.

So they have added support to their tool for detecting TLS1.3 but their servers do not yet support TLS1.3 connections!

This is a valid and successful TLS 1.3 connection! You have sent a "HTTP GET request" with the -g option which the server processes AFTER the connection has already succeeded and it is the get request that the server doesn't like. If you visit that domain in a browser all you will see is the message "Sorry, the parameters you provided were not valid". So whatever service is running at that domain wants something specific, maybe a custom protocol, maybe a user-name and password, not sure but as for as the TLS goes it worked splendidly! (See attached wireshark). What is interesting in the wireshark is that i0.wp.com shows up as IP 192.0.77.2 which shouldn't be a DNS resolvable domain. Not sure what's there but it may not be a safe service to use for testing.

Cheers,

K

Hello Kaleb J. Himes,

Thank you for your answer. Unfortunately, I can not agree with the results of your investigation.

Regarding i0.wp.com:

When you connect using TLS 1.2 then there is no TLS error, and you can get HTTP response as follow:

LD_LIBRARY_PATH=/mnt/raw/e2ibuildenv/wolfssl/out/i686/lib/ ./examples/client/.libs/client -S i0.wp.com -h i0.wp.com  -p 443 -d -x -C -g -i -v 3
Session Ticket CB: ticketSz = 192, ctx = initial session
peer's cert info:
 issuer : /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 subject: /OU=Domain Control Validated/CN=*.wp.com
 altname = wp.com
 altname = *.wp.com
 serial number:68:86:4a:83:77:1a:bb:7d 
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL curve name is X25519
Client Random : F73F976937698B8DF04965E6B80D5AA158A4938A28B1153D881AA138E63BA8EB
SSL connect ok, sending GET...
HTTP/1.1 403 Forbidden
Server: nginx
Date: Tue, 11 Dec 2018 04:56:07 GMT
Con
tent-Type: text/html
Content-Length: 37
Connection: close

Direct IP/Hostna

Generally the problem is because you can NOT get HTTP response from i0.wp.com using  -v d, but you can when you manually force -v 3

Could you please take, a look once again on i0.wp.com host? In the browser, yes you got the message:

but this HTTP response and this is expected, there is NO SSL error.

With WolfSSL and option -v d or -v 4 ( when TLS 1.3 is used) it fails with:
SSL_read reply error -425, The security parameter is invalid
this is SSL error.

you will be able to get HTTP response also using WolfSSL when you force TLS 1.2, but in this case you must do this manually.

Regarding your question. Please find my answer in the following post:
https://www.wolfssl.com/forums/post4111.html#p4111

Thank you,
SamSam

Hi SamSam

Thanks for reporting this issue!
The default maximum ticket size as Kaleb has said was 4 bytes and needs to be 8 bytes.
This was chosen based on interoperability testing and that it doesn't really need to be a bigger than that!
The TLS 1.3 specification allows for the nonce to be up to 255 bytes.
I've put up a pull request, #1973, that changes the maximum to 8 bytes. I was able to connect to the i0.wp.com website.
The pull request will be merged into master soon.

Thanks,
Sean

--
Sean Parkinson, wolfSSL