H3 web_net_server_nvm_mpfs Secure Connection Failed: PR_END_OF_FILE_ERROR

rainad
Moderator
  • Total Posts : 1387
  • Reward points : 0
  • Joined: 2009/05/01 13:39:25
  • Location: 0
  • Status: online
Re: H3 web_net_server_nvm_mpfs Secure Connection Failed: PR_END_OF_FILE_ERROR 2020/07/03 08:19:13 (permalink)
5 (1)
A list of the conversations with wolfSSL support about this issue:

-> to wolfSSL
Hello,
We have a problem with a demo intermittently failing the TLS negotiation when The returned error in Firefox (Windows 10, Firefox 77.0.1 64-bit) is: PR_END_OF_FILE_ERROR
The test is done using the net 3.5.1 Harmony package, meaning that it uses:
<Dependency name="wolfssl" version="v4.1.0"/>
The demo is reported by a customer, please see the post and history:
https://www.microchip.com/forums/m1143893.aspx
I've attached the log that shows a VERSION_ERROR - that's the only error printed by the wolfSSL log, as far as I can tell.
Please help understand what exactly is going on and why the negotiation fails.
A similar error is returned by Chrome: ERR_TIMED_OUT.
Regards,
Adrian.
Attachment(s)
firefox_log.txt
 
<- from wolfSSL
Hi Adrian,
Thank you so much for reaching out to wolfSSL support. I downloaded the Wireshark capture and around packet 333 that the user noted there is a client hello for TLS v1. This is likely due to Firefox (depending on the version) attempting to do a TLS v1.3 connection. In some draft forms of TLS 1.3 TLSv1 was used in the client hello packet to initiate a TLS 1.3 connection (this was later changed to TLS v1.2 for obvious reasons, many servers had deprecated TLSv1 and seeing that type in a client hello was problematic for easy adoption).
If Firefox is either attempting a TLS 1.3 draft-18 connection or a TLSv1 connection it might be helpful to have the customer use the wolfSSLv23_server_method() instead of wolfTLSv1_2_server_method(). This will allow the server to at least attempt to negotiate a different protocol version with Firefox. If they continue to have issues they can try enabling old TLS versions by making sure NO_OLD_TLS is not defined and they can enable TLS v1.3 draft versions one at a time to see if this is a draft form of TLS 1.3. wolfSSL supports both draft 18 and the final draft of TLS 1.3.
Warm Regards,
Kaleb Himes
If you enjoy working with wolfSSL please leave us a star on our github repository https://github.com/wolfSSL/wolfssl!

-> to wolfSSL
Hi Kaleb,
Before posting your response to the forum, I’ve read it again to understand if there’s something that needs to be done from the Harmony TCP/IP stack point of view.
But there is one thing that is not clear to me, please excuse my ignorance as I’m no longer up to speed with the latest TLS developments:
How come this error is just occasional?
Is it possible that the same version of FFox uses TLSv1 or TLSv1.3 alternatively?
Not sure it makes sense.
The customer also notes that a similar behavior is noticed on Chrome, although less frequent.
So how come it works so many times and then it fails?
Regards,
Adrian.
 
<- from wolfSSL
Adrian,
That is a great question that I do not know the answer to unfortunately. I do not know why a browser such as Chrome or Firefox would randomly try to do a TLSv1 handshake. Like I hinted at, I don't actually know if this is truly a TLSv1 handshake or a draft version of TLS 1.3 that sends a TLSv1 client hello to initiate the TLSv1.3 handshake. We would have to investigate to make that determination.
I think the Chrome or Firefox developers would be best to answer that question. It might be a downgrade attack (user might have someone tampering with his traffic) trying to force a weaker protocol version or it might just be Chrome/Firefox doing their thing and maybe trying to see if a TLS 1.3 draft is available. I am not sure.
What I can say with certainty is that using the wolfSSLv23_server_method() to handle client connections that are prone to change which protocol version is used will allow wolfSSL to at least try and negotiate a different protocol version. wolfSSLv23_server_method() will start with the highest level protocol that is enabled and if a client requests a lower protocol version and that version is enabled in the wolfSSL build then wolfSSL will use the version requested by the client. In most cases users prefer to reject such connections (the current behavior) but if your customer wants it to be allowed they should use the server method that allows protocol version to be negotiated by the client rather than stipulated by the server.
Warm Regards,
Kaleb Himes

<- from wolfSSL
Adrian,
I can now confirm that the packet causing the error is a TLS v1.3 client hello. Can you have the customer try turning on support for TLS 1.3 with these settings? That, together with using wolfSSLv23_server_method(), should fix this issue for them.
#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define HAVE_ECC
#define HAVE_HKDF
#define HAVE_FFDHE_2048
#define WC_RSA_PSS
Warm Regards,
Kaleb Himes
 
#21
rainad
Moderator
Re: H3 web_net_server_nvm_mpfs Secure Connection Failed: PR_END_OF_FILE_ERROR 2020/07/03 08:21:46 (permalink)
0
I've verified that the Harmony NET code uses the wolfSSLv23_server_method() (and not the old one wolfTLSv1_2_server_method).
So use MHC to enable the TLSv1.3 in the demo, check the mentioned wolfSSL symbols, and let's see the result.
#22
BillP
Super Member
  • Total Posts : 414
  • Reward points : 0
  • Joined: 2014/09/28 07:53:35
  • Location: CA
  • Status: online
Re: H3 web_net_server_nvm_mpfs Secure Connection Failed: PR_END_OF_FILE_ERROR 2020/07/05 10:06:39 (permalink)
0
It would be helpful for readers of this post if the repo versions used in the responses were listed.
 
As I noted in another post, the net v3.6.1 and wolfssl 4.4.0 do not play well together.  I get compile errors.
 
I tried the TLS1.3 option in the wolfssl library (as suggested above) and it causes many compile errors.  Furthermore, there are none of the #defines listed above in the configuration.h file, so where do I look for those defines?
 
Finally, has any of this actually been tested or is all of this just a "what might work"? 
 
As a final note, all of my comments are based on a testcase using net 3.6.1 and wolfssl v4.3.0 that works on Firefox.  On Chrome, I get a time_out error during  the "Establishing secure connection". 
IMHO, there are too many unknowns involved in this Harmony/https/wolfSSL/browser settings testcase.  Ugg...
#23
rainad
Moderator
Re: H3 web_net_server_nvm_mpfs Secure Connection Failed: PR_END_OF_FILE_ERROR 2020/07/06 06:22:30 (permalink)
5 (2)
net 3.6.1 requires wolfSSL v4.3.0 - see the package.xml - it won't work with 4.4.0.
 
Regarding the "unknowns":
I think that all the settings supported/required by wolfSSL are part of the MHC configuration, so there should be nothing  missing for any TLS application.
However, there are situations in which wolfSSL expertise is required, true. 
 
 
#24
BillP
Super Member
Re: H3 web_net_server_nvm_mpfs Secure Connection Failed: PR_END_OF_FILE_ERROR 2020/07/06 07:21:53 (permalink)
0
OK.  Since the version of wolfSSL is dependent on the version of net, why are they not sync'd by the Content Manager?  In fact, why is there a v4.4.0 even on the github repo if it does not work with the latest net repo?
 
Is there a way the Content Manager can correct this inconsistency? or do I have to do a manual download to revert to the previous version of wolfSSL?
#25
campbellCustom
Junior Member
  • Total Posts : 104
  • Reward points : 0
  • Joined: 2014/08/30 14:35:35
  • Location: 0
  • Status: offline
Re: H3 web_net_server_nvm_mpfs Secure Connection Failed: PR_END_OF_FILE_ERROR 2020/07/06 12:19:10 (permalink)
0
Still using net v3.5.1 with wolfssl-v4.1.0
 
I have turned on TLS 1.3 support in MHC and added configuration defines. Still getting PR_END_OF_FILE_ERROR

Added these:
#define WC_RSA_PSS
#define HAVE_HKDF
Removed this:
//#define NO_DH
 
// This call:
    net_pres_wolfSSLInfoStreamServer0.context = wolfSSL_CTX_new(wolfSSLv23_server_method());
// is replaced with:
    net_pres_wolfSSLInfoStreamServer0.context = wolfSSL_CTX_new(wolfTLSv1_3_server_method());

 
These changes are in the web_net_server_nvm_mpfs project. The blocking uart is causing serious performance problems, so I do not have a debug uart listing for this post. I may modify the wolfssl_server demo further when time allows.
 
I will attempt to attach a wireshark trace that shows TLS1.2 and 1.3 traffic.
Firefox seems to use TLS1.2 some of the time, and TLS1.3 other times. Maybe related to the error?
 
I think the error occurs around packet 1000.
#26
campbellCustom
Junior Member
Re: H3 web_net_server_nvm_mpfs Secure Connection Failed: PR_END_OF_FILE_ERROR 2020/07/06 15:55:18 (permalink)
0
I have modified the wolfssl_server demo to use TLS1.3 and got a console output that corresponds with the Firefox error.
 
Somewhere in the console output there is still a -326 appearing. The attachment is the corresponding wireshark trace. There are an alarming amount of pause frames.

wolfSSL (1): accept state SERVER_HELLO_SENT
wolfSSL (1): accept state ACCEPT_THIRD_REPLY_DONE
wolfSSL (2): wolfSSL Entering SendTls13EncryptedExtensions
wolfSSL (1): Derive Handshake Secret
wolfSSL (1): Derive Client Handshake Secret
wolfSSL (1): Derive Server Handshake Secret
wolfSSL (1): Derive Client Key
wolfSSL (1): Derive Server Key
wolfSSL (1): Derive Client IV
wolfSSL (1): Derive Server IV
wolfSSL (1): growing output buffer
wolfSSL (2): wolfSSL Entering BuildTls13Message
wolfSSL (2): wolfSSL Entering EncryptTls13
wolfSSL (1): Shrinking output buffer
wolfSSL (1): accept state SERVER_EXTENSIONS_SENT
wolfSSL (1): accept state CERT_REQ_SENT
wolfSSL (2): wolfSSL Entering SendTls13Certificate
wolfSSL (1): growing output buffer
wolfSSL (2): wolfSSL Entering BuildTls13Message
wolfSSL (2): wolfSSL Entering EncryptTls13
wolfSSL (0): wolfSSL error occurred, error = -327
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (0): wolfSSL error occurred, error = -327
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (0): wolfSSL error occurred, error = -327
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (0): wolfSSL error occurred, error = -327
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (0): wolfSSL error occurred, error = -327
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (0): wolfSSL error occurred, error = -327
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (1): Shrinking output buffer
wolfSSL (1): accept state: Not advanced, more fragments to send
wolfSSL (2): wolfSSL Entering SendTls13Certificate
wolfSSL (1): accept state CERT_SENT
wolfSSL (2): wolfSSL Entering SendTls13CertificateVerify
wolfSSL (1): growing output buffer
wolfSSL (1): Trying RSA private key
wolfSSL (1): Using RSA private key
wolfSSL (2): wolfSSL Entering RsaSign
wolfSSL (1): wolfSSL Using RSA PSS padding
wolfSSL (2): wolfSSL Entering VerifyRsaSign
wolfSSL (1): wolfSSL Using RSA PSS un-padding
wolfSSL (2): wolfSSL Entering BuildTls13Message
wolfSSL (2): wolfSSL Entering EncryptTls13
wolfSSL (1): Shrinking output buffer
wolfSSL (1): accept state CERT_VERIFY_SENT
wolfSSL (2): wolfSSL Entering SendTls13Finished
wolfSSL (1): growing output buffer
wolfSSL (1): Derive Finished Secret
wolfSSL (1): Derive Finished Secret
wolfSSL (2): wolfSSL Entering BuildTls13Message
wolfSSL (2): wolfSSL Entering EncryptTls13
wolfSSL (1): Derive Master Secret
wolfSSL (1): Derive Client Traffic Secret
wolfSSL (1): Derive Server Traffic Secret
wolfSSL (1): Derive Client Key
wolfSSL (1): Derive Server Key
wolfSSL (1): Derive Client IV
wolfSSL (1): Derive Server IV
wolfSSL (0): wolfSSL error occurred, error = -327
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (1): Shrinking output buffer
wolfSSL (1): accept state: Advanced from last buffered fragment send
wolfSSL (1): accept state  TICKET_SENT
wolfSSL (0): wolfSSL error occurred, error = -323
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (0): wolfSSL error occurred, error = -323
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (0): wolfSSL error occurred, error = -323
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (0): wolfSSL error occurred, error = -323
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (0): wolfSSL error occurred, error = -323
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (0): wolfSSL error occurred, error = -323
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (0): wolfSSL error occurred, error = -323
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (1): SSL version error
wolfSSL (0): wolfSSL error occurred, error = -326
wolfSSL (2): wolfSSL Entering SSL_get_error
SSL Connection Negotiation Failed - Aborting
wolfSSL (2): wolfSSL Entering SSL_free
wolfSSL (1): CTX ref count not 0 yet, no free
wolfSSL (2): wolfSSL Entering DtlsMsgPoolReset()
Waiting for Client Connection on port: 443
Received a clear ssl connection
wolfSSL (2): wolfSSL Entering SSL_new
wolfSSL (2): wolfSSL Entering SSL_set_fd
wolfSSL (2): wolfSSL Entering SSL_set_read_fd
wolfSSL (2): wolfSSL Entering SSL_set_write_fd
wolfSSL (2): wolfSSL Entering SSL_accept()
wolfSSL (0): wolfSSL error occurred, error = -323
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept()
wolfSSL (1): Client attempting to connect with different version
wolfSSL (1): growing input buffer
wolfSSL (0): wolfSSL error occurred, error = -323
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept()
wolfSSL (1): received record layer msg
wolfSSL (2): wolfSSL Entering DoTls13HandShakeMsg()
wolfSSL (2): wolfSSL Entering DoTls13HandShakeMsgType
wolfSSL (1): processing client hello
wolfSSL (2): wolfSSL Entering DoTls13ClientHello
wolfSSL (1): Supported Versions extension received
wolfSSL (1): Adding signature algorithms extension
wolfSSL (1): Secure Renegotiation extension received
wolfSSL (1): Supported Groups extension received
wolfSSL (1): Point Formats extension received
wolfSSL (1): Session Ticket extension received
wolfSSL (1): ALPN extension received
wolfSSL (1): Certificate Status Request extension received
wolfSSL (1): Key Share extension received
wolfSSL (1): Skipping Supported Versions - already processed
wolfSSL (1): Signature Algorithms extension received
wolfSSL (1): PSK Key Exchange Modes extension received
wolfSSL (2): wolfSSL Entering MatchSuite
wolfSSL (2): wolfSSL Entering VerifyServerSuite
wolfSSL (1): Verified suite validity
wolfSSL (1): Derive Early Secret
wolfSSL (1): Shrinking input buffer
wolfSSL (1): accept state ACCEPT_CLIENT_HELLO_DONE
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (1): accept state ACCEPT_HELLO_RETRY_REQUEST_DONE
wolfSSL (1): accept state ACCEPT_FIRST_REPLY_DONE
wolfSSL (1): accept state ACCEPT_SECOND_REPLY_DONE
wolfSSL (2): wolfSSL Entering SendTls13ServerHello
wolfSSL (1): growing output buffer
wolfSSL (1): Key Share extension to write
wolfSSL (1): Supported Versions extension to write
wolfSSL (1): Shrinking output buffer
wolfSSL (1): accept state SERVER_HELLO_SENT
wolfSSL (1): accept state ACCEPT_THIRD_REPLY_DONE
wolfSSL (2): wolfSSL Entering SendTls13EncryptedExtensions
wolfSSL (1): Derive Handshake Secret
wolfSSL (1): Derive Client Handshake Secret
wolfSSL (1): Derive Server Handshake Secret
wolfSSL (1): Derive Client Key
wolfSSL (1): Derive Server Key
wolfSSL (1): Derive Client IV
wolfSSL (1): Derive Server IV
wolfSSL (1): growing output buffer
wolfSSL (2): wolfSSL Entering BuildTls13Message
wolfSSL (2): wolfSSL Entering EncryptTls13
wolfSSL (1): Shrinking output buffer
wolfSSL (1): accept state SERVER_EXTENSIONS_SENT
wolfSSL (1): accept state CERT_REQ_SENT
wolfSSL (2): wolfSSL Entering SendTls13Certificate
wolfSSL (1): growing output buffer
wolfSSL (2): wolfSSL Entering BuildTls13Message
wolfSSL (2): wolfSSL Entering EncryptTls13
wolfSSL (0): wolfSSL error occurred, error = -327
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (0): wolfSSL error occurred, error = -327
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (0): wolfSSL error occurred, error = -327
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (0): wolfSSL error occurred, error = -327
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (0): wolfSSL error occurred, error = -327
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (0): wolfSSL error occurred, error = -327
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (1): Shrinking output buffer
wolfSSL (1): accept state: Not advanced, more fragments to send
wolfSSL (2): wolfSSL Entering SendTls13Certificate
wolfSSL (1): accept state CERT_SENT
wolfSSL (2): wolfSSL Entering SendTls13CertificateVerify
wolfSSL (1): growing output buffer
wolfSSL (1): Trying RSA private key
wolfSSL (1): Using RSA private key
wolfSSL (2): wolfSSL Entering RsaSign
wolfSSL (1): wolfSSL Using RSA PSS padding
wolfSSL (2): wolfSSL Entering VerifyRsaSign
wolfSSL (1): wolfSSL Using RSA PSS un-padding
wolfSSL (2): wolfSSL Entering BuildTls13Message
wolfSSL (2): wolfSSL Entering EncryptTls13
wolfSSL (1): Shrinking output buffer
wolfSSL (1): accept state CERT_VERIFY_SENT
wolfSSL (2): wolfSSL Entering SendTls13Finished
wolfSSL (1): growing output buffer
wolfSSL (1): Derive Finished Secret
wolfSSL (1): Derive Finished Secret
wolfSSL (2): wolfSSL Entering BuildTls13Message
wolfSSL (2): wolfSSL Entering EncryptTls13
wolfSSL (1): Derive Master Secret
wolfSSL (1): Derive Client Traffic Secret
wolfSSL (1): Derive Server Traffic Secret
wolfSSL (1): Derive Client Key
wolfSSL (1): Derive Server Key
wolfSSL (1): Derive Client IV
wolfSSL (1): Derive Server IV
wolfSSL (0): wolfSSL error occurred, error = -327
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (1): Shrinking output buffer
wolfSSL (1): accept state: Advanced from last buffered fragment send
wolfSSL (1): accept state  TICKET_SENT
wolfSSL (0): wolfSSL error occurred, error = -323
wolfSSL (2): wolfSSL Entering SSL_get_error
wolfSSL (2): wolfSSL Entering SSL_accept_TLSv13()
wolfSSL (1): received record layer msg
wolfSSL (1): got CHANGE CIPHER SPEC
wolfSSL (1): growing input buffer
wolfSSL (2): wolfSSL Entering DecryptTls13
wolfSSL (1): received record layer msg
wolfSSL (2): wolfSSL Entering DoTls13HandShakeMsg()
wolfSSL (2): wolfSSL Entering DoTls13HandShakeMsgType
wolfSSL (1): processing finished
wolfSSL (2): wolfSSL Entering DoTls13Finished
wolfSSL (1): Shrinking input buffer
wolfSSL (1): Derive Resumption Secret
wolfSSL (1): accept state ACCEPT_FINISHED_DONE
wolfSSL (1): accept state TICKET_SENT
SSL Connection Opened: Starting Clear Text Communication
wolfSSL (2): wolfSSL Entering SSL_pending
wolfSSL (2): wolfSSL Entering wolfSSL_peek()
wolfSSL (2): wolfSSL Entering wolfSSL_read_internal()
wolfSSL (2): wolfSSL Entering ReceiveData()
wolfSSL (0): wolfSSL error occurred, error = -323
wolfSSL (2): wolfSSL Entering SSL_pending
wolfSSL (2): wolfSSL Entering SSL_pending
wolfSSL (2): wolfSSL Entering wolfSSL_peek()
wolfSSL (2): wolfSSL Entering wolfSSL_read_internal()
wolfSSL (2): wolfSSL Entering ReceiveData()
wolfSSL (0): wolfSSL error occurred, error = -323
wolfSSL (2): wolfSSL Entering SSL_pending
wolfSSL (2): wolfSSL Entering SSL_pending
wolfSSL (2): wolfSSL Entering wolfSSL_peek()
wolfSSL (2): wolfSSL Entering wolfSSL_read_internal()
wolfSSL (2): wolfSSL Entering ReceiveData()
wolfSSL (0): wolfSSL error occurred, error = -323
wolfSSL (2): wolfSSL Entering SSL_pending
wolfSSL (2): wolfSSL Entering SSL_pending
wolfSSL (2): wolfSSL Entering wolfSSL_peek()
wolfSSL (2): wolfSSL Entering wolfSSL_read_internal()
wolfSSL (2): wolfSSL Entering ReceiveData()
wolfSSL (0): wolfSSL error occurred, error = -323
wolfSSL (2): wolfSSL Entering SSL_pending
wolfSSL (2): wolfSSL Entering SSL_pending
wolfSSL (2): wolfSSL Entering wolfSSL_peek()
wolfSSL (2): wolfSSL Entering wolfSSL_read_internal()
wolfSSL (2): wolfSSL Entering ReceiveData()
wolfSSL (0): wolfSSL error occurred, error = -323
wolfSSL (2): wolfSSL Entering SSL_pending
wolfSSL (2): wolfSSL Entering SSL_pending
wolfSSL (2): wolfSSL Entering wolfSSL_peek()
wolfSSL (2): wolfSSL Entering wolfSSL_read_internal()
wolfSSL (2): wolfSSL Entering ReceiveData()
wolfSSL (0): wolfSSL error occurred, error = -323
wolfSSL (2): wolfSSL Entering SSL_pending
wolfSSL (2): wolfSSL Entering SSL_pending
wolfSSL (2): wolfSSL Entering wolfSSL_peek()
wolfSSL (2): wolfSSL Entering wolfSSL_read_internal()
wolfSSL (2): wolfSSL Entering ReceiveData()
wolfSSL (0): wolfSSL error occurred, error = -323
wolfSSL (2): wolfSSL Entering SSL_pending
wolfSSL (2): wolfSSL Entering SSL_pending
wolfSSL (2): wolfSSL Entering wolfSSL_peek()
wolfSSL (2): wolfSSL Entering wolfSSL_read_internal()
wolfSSL (2): wolfSSL Entering ReceiveData()
wolfSSL (0): wolfSSL error occurred, error = -323
wolfSSL (2): wolfSSL Entering SSL_pending
wolfSSL (2): wolfSSL Entering SSL_pending
wolfSSL (2): wolfSSL Entering wolfSSL_peek()
wolfSSL (2): wolfSSL Entering wolfSSL_read_internal()
wolfSSL (2): wolfSSL Entering ReceiveData()
wolfSSL (0): wolfSSL error occurred, error = -323
wolfSSL (2): wolfSSL Entering SSL_pending

post edited by campbellCustom - 2020/07/06 15:56:57
#27
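For reading a debug log in the format posted above: the numeric codes are wolfSSL's WANT_READ (-323), VERSION_ERROR (-326) and WANT_WRITE (-327); the first and last only report that the non-blocking socket was not ready, so the event that ends a handshake is the first code outside that pair. The log filter below is an added example, not code from this thread or from wolfSSL; the sample lines are constructed from the log format in this post, and the macro and function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Numeric values as printed in the log; names local to this example. */
#define WANT_READ_E     (-323)
#define VERSION_ERROR_E (-326)
#define WANT_WRITE_E    (-327)

struct triage {
    int  want_read;    /* count of -323 lines (retry, not a failure) */
    int  want_write;   /* count of -327 lines (retry, not a failure) */
    int  first_fatal;  /* first other error code, 0 if none */
    char state[64];    /* last accept state seen before first_fatal */
};

void triage_log(const char *log, struct triage *t)
{
    char last_state[64] = "";

    memset(t, 0, sizeof *t);
    while (*log) {
        /* Cut one line out of the buffer; accepts CR, LF or CRLF endings. */
        char line[256];
        size_t n = strcspn(log, "\r\n");
        size_t m = n < sizeof line - 1 ? n : sizeof line - 1;
        const char *p;

        memcpy(line, log, m);
        line[m] = '\0';
        log += n;
        log += strspn(log, "\r\n");

        if ((p = strstr(line, "accept state")) != NULL) {
            p += strlen("accept state");
            if (*p == ':')
                continue;               /* progress note, not a state name */
            p += strspn(p, " ");
            snprintf(last_state, sizeof last_state, "%s", p);
        } else if ((p = strstr(line, "error = ")) != NULL) {
            int code = atoi(p + strlen("error = "));
            if (code == WANT_READ_E) {
                t->want_read++;
            } else if (code == WANT_WRITE_E) {
                t->want_write++;
            } else if (t->first_fatal == 0) {
                t->first_fatal = code;
                snprintf(t->state, sizeof t->state, "%s", last_state);
            }
        }
    }
}

/* Constructed sample in the format of the log above. */
static const char SAMPLE_LOG[] =
    "wolfSSL (1): accept state CERT_REQ_SENT\r\n"
    "wolfSSL (0): wolfSSL error occurred, error = -327\r\n"
    "wolfSSL (1): accept state: Not advanced, more fragments to send\r\n"
    "wolfSSL (1): accept state  TICKET_SENT\r\n"
    "wolfSSL (0): wolfSSL error occurred, error = -323\r\n"
    "wolfSSL (0): wolfSSL error occurred, error = -323\r\n"
    "wolfSSL (1): SSL version error\r\n"
    "wolfSSL (0): wolfSSL error occurred, error = -326\r\n"
    "SSL Connection Negotiation Failed - Aborting\r\n";

int main(void)
{
    struct triage t;

    triage_log(SAMPLE_LOG, &t);
    printf("WANT_READ x%d, WANT_WRITE x%d, first fatal %d after state %s\n",
           t.want_read, t.want_write, t.first_fatal, t.state);
    return t.first_fatal == VERSION_ERROR_E ? 0 : 1;
}
```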
rainad
Moderator
Re: H3 web_net_server_nvm_mpfs Secure Connection Failed: PR_END_OF_FILE_ERROR 2020/07/07 06:28:27 (permalink)
0
Kaleb (wolfSSL support) was saying that the call to use should be wolfSSLv23_server_method() and not the old wolfTLSv1_2_server_method. So I do not think that your change was beneficial.
Is this log obtained using the old method?
I still see the VERSION ERROR in there.
If so, please go back to the code using  wolfSSLv23_server_method() and let's see how that one behaves.
Then I'll notify wolfSSL again.
 
#28
campbellCustom
Junior Member
Re: H3 web_net_server_nvm_mpfs Secure Connection Failed: PR_END_OF_FILE_ERROR 2020/07/07 08:33:09 (permalink)
0
At the beginning of the thread this call is used: wolfSSLv23_server_method().
 
You asked that I change to TLS1.3 in MHC:

So use MHC to enable the TLSv1.3 in the demo, check the mentioned wolfSSL symbols, and let's see the result.

 
I did this in MHC.
When I regenerate code, the merge wanted to use the TLS 1.3 method:

// This call:
    net_pres_wolfSSLInfoStreamServer0.context = wolfSSL_CTX_new(wolfSSLv23_server_method());
// is replaced with:
    net_pres_wolfSSLInfoStreamServer0.context = wolfSSL_CTX_new(wolfTLSv1_3_server_method());

 
I allowed this change thinking the goal was to add TLS1.3 support.
 
My apologies if the last two posts were not clear. The traffic and logs are using the TLS 1.3 call.
 
If the intent here is to add TLS1.3 support and use the v23 call, I can do that.
#29
rainad
Moderator
Re: H3 web_net_server_nvm_mpfs Secure Connection Failed: PR_END_OF_FILE_ERROR 2020/07/07 10:58:56 (permalink)
0
Sorry for not being clear about this.
From Kaleb's email my understanding was that wolfSSLv23_server_method() should be used, as this would be able to perform the required negotiation. Please check if this is what you make of it too.
Now, I did not know that enabling TLSv1.3 would force the change to wolfTLSv1_3_server_method(). I'll have to check what exactly the intent is here and if this is correct - probably is, judging by the name.
 
But meanwhile, please let's do a test using the wolfSSLv23_server_method() so that wolfSSL support can look over the log.
 
 P.S. The naming seems confusing to me, as one function uses SSL, the other TLS. So actually not very clear which one is newer and should be used. Seems like wolfTLSv1_3_server_method() should be the correct one to use.
 
 
 
post edited by rainad - 2020/07/07 11:04:48
#30
campbellCustom
Junior Member
Re: H3 web_net_server_nvm_mpfs Secure Connection Failed: PR_END_OF_FILE_ERROR 2020/07/07 17:19:45 (permalink)
4 (1)
It looks like adding support for TLS1.3, and then using the wolfSSLv23_server_method() instead of the wolfTLSv1_3_server_method() has fixed the PR_END_OF_FILE_ERROR in the wolfSSL_server demo. I agree that the naming is confusing.
 
Watching the traffic with TLS 1.3 support added, Firefox seems to switch between TLS1.2 and TLS 1.3 when links are clicked. This is odd, and I haven't figured out exactly why (seems related to new tabs maybe?). I expect the error I was seeing in the wolfSSL_server demo was involved with an attempt to use TLS 1.3. Kaleb's comments on a downgrade attack could indicate that Firefox is occasionally attempting a TLS 1.3 only connection, which could be an error by Firefox. I use this browser for a lot of browsing on a lot of servers, and only see this issue with this embedded server, I doubt every other server has TLS 1.3 support, so what are they doing different?
 
Kaleb made a good catch in seeing the curious TLSv1 packets in the prior traffic. I'm not sure if this is a problem with the Wireshark parser (a deeper field claims v1.2 in that packet... ).
 
I am still looking at the web_net_server_nvm_mpfs project. I have seen a few timeouts in Firefox (which may have been what I was seeing in Chrome at the beginning of this long thread). At this point I will consider this issue solved and open another thread if I can get a better idea of what is going on.
 
The long term impact of the evolution of browsers has me uneasy about deploying a long life product with encryption and a web server. But I digress...
 
Thank you for your support,
-IC
 
#31
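The version fields this thread keeps running into (a capture labelled TLSv1, a deeper field reading v1.2, a handshake that is really TLS 1.3) are all present in one TLS 1.3 ClientHello: per RFC 8446 the record header of the first ClientHello may carry 0x0301, legacy_version is fixed at 0x0303, and the real offer is listed in the supported_versions extension. The parser below is an added example, not code from this thread, Harmony or wolfSSL; the sample bytes are constructed, all names are this example's own, and it assumes the whole ClientHello sits in a single record.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXT_SUPPORTED_VERSIONS 0x002b
#define MAX_VERSIONS 8

struct hello_versions {
    uint16_t record_version;         /* version in the record header */
    uint16_t legacy_version;         /* ClientHello.legacy_version */
    uint16_t offered[MAX_VERSIONS];  /* supported_versions, GREASE removed */
    size_t   n_offered;
};

struct cur { const uint8_t *p; size_t left; };  /* bounds-checked cursor */

static int take(struct cur *c, size_t n, const uint8_t **out) {
    if (c->left < n) return -1;
    *out = c->p; c->p += n; c->left -= n;
    return 0;
}

static int take_uint(struct cur *c, size_t n, uint32_t *v) {
    const uint8_t *b;
    if (take(c, n, &b) != 0) return -1;
    for (*v = 0; n > 0; n--, b++) *v = (*v << 8) | *b;
    return 0;
}

/* Read an n-byte length prefix, return the vector it covers as a sub-cursor. */
static int take_vec(struct cur *c, size_t n, struct cur *sub) {
    uint32_t len;
    if (take_uint(c, n, &len) != 0 || take(c, len, &sub->p) != 0) return -1;
    sub->left = len;
    return 0;
}

/* GREASE placeholders (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. */
static int is_grease(uint16_t v) {
    return (v & 0x0f0f) == 0x0a0a && (v >> 8) == (v & 0xff);
}

int parse_client_hello(const uint8_t *buf, size_t len, struct hello_versions *out) {
    struct cur rec = { buf, len }, hs, body, skip, exts;
    uint32_t v;
    out->n_offered = 0;
    if (take_uint(&rec, 1, &v) != 0 || v != 0x16) return -1;  /* handshake record */
    if (take_uint(&rec, 2, &v) != 0) return -1;
    out->record_version = (uint16_t)v;
    if (take_vec(&rec, 2, &hs) != 0) return -1;
    if (take_uint(&hs, 1, &v) != 0 || v != 0x01) return -1;   /* client_hello */
    if (take_vec(&hs, 3, &body) != 0) return -1;
    if (take_uint(&body, 2, &v) != 0) return -1;
    out->legacy_version = (uint16_t)v;
    if (take(&body, 32, &skip.p) != 0) return -1;             /* random */
    if (take_vec(&body, 1, &skip) != 0) return -1;            /* session id */
    if (take_vec(&body, 2, &skip) != 0) return -1;            /* cipher suites */
    if (take_vec(&body, 1, &skip) != 0) return -1;            /* compression */
    if (body.left == 0) return 0;                             /* no extensions */
    if (take_vec(&body, 2, &exts) != 0) return -1;
    while (exts.left > 0) {
        struct cur data, list;
        if (take_uint(&exts, 2, &v) != 0 || take_vec(&exts, 2, &data) != 0) return -1;
        if (v != EXT_SUPPORTED_VERSIONS) continue;
        if (take_vec(&data, 1, &list) != 0 || list.left % 2 != 0) return -1;
        while (list.left > 0 && out->n_offered < MAX_VERSIONS) {
            if (take_uint(&list, 2, &v) != 0) return -1;
            if (!is_grease((uint16_t)v)) out->offered[out->n_offered++] = (uint16_t)v;
        }
    }
    return 0;
}

/* supported_versions decides when present (RFC 8446, 4.2.1), else legacy_version. */
uint16_t highest_offered(const struct hello_versions *h) {
    uint16_t best = h->n_offered ? 0 : h->legacy_version;
    for (size_t i = 0; i < h->n_offered; i++)
        if (h->offered[i] > best) best = h->offered[i];
    return best;
}

/* Constructed sample: minimal TLS 1.3 ClientHello, all-zero random. */
static const uint8_t SAMPLE_HELLO[] = {
    0x16, 0x03, 0x01, 0x00, 0x3a,  0x01, 0x00, 0x00, 0x36,  /* record + handshake headers */
    0x03, 0x03,                                             /* legacy_version */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,  /* random */
    0x00,  0x00, 0x02, 0x13, 0x01,  0x01, 0x00,  /* session id, suites, compression */
    0x00, 0x0b,  0x00, 0x2b, 0x00, 0x07, 0x06,   /* extensions: supported_versions */
    0x7a, 0x7a,  0x03, 0x04,  0x03, 0x03         /* GREASE, TLS 1.3, TLS 1.2 */
};

int main(void) {
    struct hello_versions h;
    if (parse_client_hello(SAMPLE_HELLO, sizeof SAMPLE_HELLO, &h) != 0) return 1;
    printf("record header  0x%04x\n", (unsigned)h.record_version);
    printf("legacy_version 0x%04x\n", (unsigned)h.legacy_version);
    printf("real offer     0x%04x\n", (unsigned)highest_offered(&h));
    return 0;
}
```

The three values differ for the same packet, so a server or a capture tool that reads only one of them reports a different protocol version than the client is actually offering.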
rainad
Moderator
Re: H3 web_net_server_nvm_mpfs Secure Connection Failed: PR_END_OF_FILE_ERROR 2020/07/09 10:45:36 (permalink)
0
Thank you for your tests and for sharing the results.
I'll discuss the findings with wolfSSL support, to understand what exactly is the right choice, and which of these methods should be used or if we should provide a choice to the user through MHC (if this makes sense).
I guess that since the TLSv1.3 spec is relatively new that's why we see these issues.
But your point is important: why does this not happen with other servers?
 
 
#33