1 (edited by waigor 2020-06-21 15:57:48)

Topic: Having MATCH_SUITE_ERROR error when after changing the cipher list

Hi there,

In my application, my device initially use a ECC key and certificate with wolfSSL_CTX_use_certificate_file() and wolfSSL_CTX_use_PrivateKey_file(), then setting the cipher using API wolfSSL_CTX_set_cipher_list() with ECC cipher list. Later on, my devices generate a new certificate with RSA key, i repeat the step above with RSA cipher list, then Wolfssl report MATCH_SUITE_ERROR error during handshake.

If I do the another way around, initialise the device with RSA key, and switch to ECC key later on, this error will not happen.

Anyone know the cause of this and how to fix it? Or is there any limitations on this changing cipher list?

FYI, I initialize the WolfSSL with wolfSSL_Init() and wolfSSL_CTX_load_static_memory() API.

Thanks

Share

Re: Having MATCH_SUITE_ERROR error when after changing the cipher list

Hi waigor,

The RSA keys will use more memory. Have you tried increasing the static memory pool size? What cipher suites are you trying to use with RSA and what TLS version?

Thanks,
David Garske, wolfSSL

Share

3 (edited by waigor 2020-06-22 15:27:52)

Re: Having MATCH_SUITE_ERROR error when after changing the cipher list

Hi David,

Thanks for you reply. I'm currently giving the CTX 1MB (1,048,578 Bytes) memory, and it is still having error. I set the minimum version of TLS to version 1.

Here is the code for the cipher list:
static const char ec_cipher_list[] =
        "ECDHE-ECDSA-AES128-SHA256:"
        "ECDHE-ECDSA-AES128-GCM-SHA256:"
        "ECDHE-ECDSA-AES128-SHA:"
        "ECDHE-ECDSA-AES256-SHA384:"
        "ECDHE-ECDSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-AES256-SHA";

static const char rsa_cipher_list[] =
        "ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-RSA-AES128-SHA:"
        "ECDHE-RSA-AES128-SHA256:"
        "ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-RSA-AES256-SHA:"
        "ECDHE-RSA-AES256-SHA384:"
        "ECDHE-RSA-DES-CBC3-SHA:"
        "DHE-RSA-AES128-SHA256:"
        "DHE-RSA-AES256-SHA256:"
        "DHE-RSA-AES128-SHA:"
        "DHE-RSA-AES256-SHA:"
        "EDH-RSA-DES-CBC3-SHA";

Here is a more clear graph with what is ok what is not, the changes both involve in certificate, key and cipher suites change:

ECC=======>RSA    not ok
RSA=======>ECC    ok
RSA=======>ECC=======>RSA   not ok

Thanks
Waigor

Share

Re: Having MATCH_SUITE_ERROR error when after changing the cipher list

Hi Waigor,

Are you trying to reuse the WOLFSSL_CTX between these connections? If the key/cert is loaded at the WOLFSSL_CTX level it gets shared/reused and only allows certain cipher suites. Have you tried loading the key/cert at the WOLFSSL object level using wolfSSL_use_certificate_file and wolfSSL_use_PrivateKey_file? If you'd like to share some code to review feel free to email us at support@wolfssl.com

Thanks,
David Garske, wolfSSL

Share