1 (edited by tiagomts 2021-02-27 07:26:05)

Topic: wolfSSL_read with tls and no tls (normal tcp) connections?

I need configure a service to receive normal tcp connections and tls connections in a same port. Is it possible using wolfssl and wolfSSL_read funcion? If yes, I also need to identify if a connectio arrive using SSL or no, how I do it?

I did a test and I can receive TLS connections but when a try receive a TCP packet, wolfssl return this error log. (err = -311, unknown type in record hdr).

below a resume of my configuration


    xWolfSSL_ServerContext = NULL;
    /* Attempt to create a context that uses the TLS 1.2 server protocol. */
    xWolfSSL_ServerContext = wolfSSL_CTX_new(wolfTLSv1_2_server_method());

    if (xWolfSSL_ServerContext != NULL) {
        int result = NULL;
        // Load the Root CA certificate.
        result = wolfSSL_CTX_load_verify_buffer_ex(xWolfSSL_ServerContext,
        &ca_cert_pem, (long) sizeof(ca_cert_pem),
        // Load the Intermediate CA certificate.
        result = wolfSSL_CTX_load_verify_buffer_ex(xWolfSSL_ServerContext,
        &int_cert_pem, (long) sizeof(int_cert_pem),
        result = wolfSSL_CTX_use_certificate_buffer(xWolfSSL_ServerContext,
        &server_cert_pem, (long) sizeof(server_cert_pem),
        (int) SSL_FILETYPE_PEM);
        result = wolfSSL_CTX_use_PrivateKey_buffer(xWolfSSL_ServerContext,
        &server_key_pem, (long) sizeof(server_key_pem),
        (int) SSL_FILETYPE_PEM);

WOLFSSL* xWolfSSL_Object;
    int err = 0;
    char errBuffer[80];

    /* A connection has been accepted by the server.  Create a
     wolfSSL object for use with the newly connected socket. */
    xWolfSSL_Object = NULL;
    xWolfSSL_Object = wolfSSL_new(xWolfSSL_ServerContext);

    if (xWolfSSL_Object != NULL) {
        /* Associate the created wolfSSL object with the connected socket. */
        xReturned = wolfSSL_set_fd(xWolfSSL_Object, conn->socketHandler);
        while (1) {
              count = wolfSSL_read(xWolfSSL_Object, (char *)buffer_req, BUFSIZE);


Re: wolfSSL_read with tls and no tls (normal tcp) connections?

Hi tiagomts,

That is a very uncommon use case. Usually they would be different ports. You could inspect the first 5 bytes to see if its a TLS header and if it was not then treat as clear text. You would need to use custom IO callbacks and add logic to handle the packets without TLS headers. For the non-secure data packets you would need to add your own custom header to know the size. Have you considered using a TLS NULL cipher (HAVE_NULL_CIPHER), which does not encrypt data, but does do the authentication and integrity?

Here is an example using custom IO callbacks:
https://github.com/wolfSSL/wolfssl-exam … callback.c

David Garske, wolfSSL