Unable to connect to website

[ardyesp]

Hello, thanks for providing this library. I am using ESP32C3 module and unable to connect to pq.cloudflareresearch.com. Is it because of the cipher mismatch. The library offers TLS_AES_128_GCM_SHA256 and the website is expecting TLS_AES_256_GCM_SHA384. The same program works with other websites.

I have enabled the TLS 1.3 in the user_settings.h, here are the log messages -

Connecting to: pq.cloudflareresearch.com:443
Connected to server
wolfSSL Entering wolfSSL_new
wolfSSL Entering ReinitSSL
RNG_HEALTH_TEST_CHECK_SIZE = 128
sizeof(seedB_data)         = 128
wolfSSL Entering SetSSL_CTX
wolfSSL Entering wolfSSL_NewSession
InitSSL done. return 0 (success)
wolfSSL_new InitSSL success
wolfSSL Leaving wolfSSL_new InitSSL =, return 0
wolfSSL Entering wolfSSL_set_fd
wolfSSL Entering wolfSSL_set_read_fd
wolfSSL Leaving wolfSSL_set_read_fd, return 1
wolfSSL Entering wolfSSL_set_write_fd
wolfSSL Leaving wolfSSL_set_write_fd, return 1
Starting SSL handshake...
TLS 1.2 or lower
wolfSSL Entering wolfSSL_connect
wolfSSL Entering ReinitSSL
wolfSSL Entering RetrySendAlert
wolfSSL Entering SendTls13ClientHello
Adding signature algorithms extension
Adding supported versions extension
wolfSSL Entering EccMakeKey
wolfSSL Leaving EccMakeKey, return 0
growing output buffer
PSK Key Exchange Modes extension to write
Key Share extension to write
Supported Versions extension to write
Signature Algorithms extension to write
Point Formats extension to write
Supported Groups extension to write
Shrinking output buffer
wolfSSL Leaving SendTls13ClientHello, return 0
connect state: CLIENT_HELLO_SENT
Server state up to needed state.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
-------->  Server attempting to accept with different version
received record layer msg
got ALERT!
Alert type: handshake_failure
wolfSSL error occurred, error = 40
wolfSSL error occurred, error = -313
wolfSSL Entering wolfSSL_get_error
wolfSSL Leaving wolfSSL_get_error, return -313
SSL connect failed with error: -313
Error details: wolfSSL Entering wolfSSL_ERR_error_string
received alert fatal error
wolfSSL Entering wolfSSL_free
Free SSL: 0x3fcadf40
Free'ing client ssl
PSK Key Exchange Modes extension free
Key Share extension free
Supported Versions extension free
Signature Algorithms extension to free
Point Formats extension free
Supported Groups extension free
wolfSSL Entering ClientSessionToSession
wolfSSL Entering wolfSSL_FreeSession
wolfSSL_FreeSession full free
CTX ref count not 0 yet, no free
wolfSSL Leaving wolfSSL_free, return 0

The openssl s_client reports TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

[anhu]

Hi,

Thanks for reaching out to us. Is the project disabling AES-256?

[anhu]

Hi,

this message:

TLS 1.2 or lower

...indicates you are not enabling TLS 1.3.

Warm regards, Anthony

[ardyesp]

Thanks for prompt reply @anhu. I did enable TLS1.3 and have a check in the code:

#ifdef WOLFSSL_TLS13
  Serial.println("TLS 1.3 support enabled");
#else
  Serial.println("WARNING: TLS 1.3 not available, using TLS 1.2");
#endif

ctx = wolfSSL_CTX_new(wolfSSLv23_client_method());

It produces the following log messages:

Initializing WolfSSL...
--------> TLS 1.3 support enabled
wolfSSL Entering wolfSSLv23_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
heap param is null
DYNAMIC_TYPE_CERT_MANAGER Allocating = 108 bytes
wolfSSL Leaving wolfSSL_CTX_new_ex, return 0
wolfSSL Entering wolfSSL_CTX_set_verify
wolfSSL Entering wolfSSL_CTX_SetMinVersion
WolfSSL initialized successfully

[ardyesp]

Is the project disabling AES-256?

I don't see any setting in the user_settings.h to enable or disable AES-256

[anhu]

        #ifdef WOLFSSL_TLS13
        if (ssl->options.tls1_3) {
            WOLFSSL_MSG("TLS 1.3");
            return wolfSSL_connect_TLSv13(ssl);
        }
        #endif

        WOLFSSL_MSG("TLS 1.2 or lower");
        WOLFSSL_ENTER("wolfSSL_connect");

This is the relevant code I was referencing in my previous message. It is in ssl.c. Either WOLFSSL_TLS13 is not defined (but you claim it is) or ssl->options.tls1_3 is false. That message is not printed anywhere else in the code. Can you double check that WOLFSSL_TLS13 is defined and confirm that ssl->options.tls1_3 is false?