-
Notifications
You must be signed in to change notification settings - Fork 836
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issues with DTLS 1.3 Handshake over SCTP in WolfSSL #7898
Comments
Hi, |
Hello, Thank you for your response. The issue arises during the DTLS handshake, where this error occurs. Note that, on changing the SSL method to a generic one, that is, |
Hello, Thanks for the response and clarification! I'm going to investigate it and get back to you soon. |
Hi @lakshya-chopra , I'm sorry for the late response, I hope your project is going well. JYI we are adding the missing v1.3 specific method that can be used from both sides (#8012). Please let me know if this is enough to fix your issue. |
Hello @rizlik , |
Hi @lakshya-chopra , The root cause can be something else, but it's hard to guess without further information about your code. |
Hello @rizlik , However, I can provide the life cycle of wolfSSL objects as asked: [The following are components of the O-RAN architecture, with CU being the control unit, and DU - Distributed Unit. They are essentially a split of the baseband unit which connects with the Remote Radio Heads and act as a backbone of the network.]
Thus, from this it would be clear that a single thread is managing all the wolfSSL objects. Do note that we can run TASK_CU and TASK_DU separately. I'd like to add that we have achieved this procedure with OpenSSL (along with the transfer of application datagrams) but due to the lacking DTLS 1.3 support over there, we are trying to make a switch to wolfSSL. PS: Any improvements to this procedure will be appreciated. |
Thanks for the better explanation. |
In this case, CU ( |
but, AFAIU, the connection ends are both managed by the SCTP task. Can you try to split the SCTP task context in two, one for server and one for client, and then use the specific client/server method? |
Well yes. I believe that this could be done, we'll consider your suggestion, and will try to implement it if feasible. |
Update: |
Hi @lakshya-chopra , |
Sure, I can shift to a private mail conversation. However, I would like to provide some debug logs that I got after turning the debugging on: wolfSSL Entering wolfSSL_SSL_do_handshake
wolfSSL Entering wolfSSL_SSL_do_handshake_internal
wolfSSL Entering wolfSSL_accept
wolfSSL Entering ReinitSSL
wolfSSL Entering RetrySendAlert
wolfSSL Entering RetrySendAlert
growing input buffer
wolfSSL Leaving wolfSSL_dtls_get_current_timeout, return 1
wolfSSL Entering EmbedReceiveFrom
wolfSSL Entering wolfSSL_dtls_get_using_nonblock
Would block
Embed Receive From error
wolfSSL Entering wolfSSL_dtls_get_using_nonblock
wolfSSL Entering DtlsMsgPoolTimeout
wolfSSL Leaving DtlsMsgPoolTimeout(), return 0
wolfSSL Entering Dtls13RtxSendBuffered
wolfSSL Leaving wolfSSL_dtls_get_current_timeout, return 2
wolfSSL Entering EmbedReceiveFrom
wolfSSL Entering wolfSSL_dtls_get_using_nonblock
Would block
Embed Receive From error
wolfSSL Entering wolfSSL_dtls_get_using_nonblock
wolfSSL Entering DtlsMsgPoolTimeout
wolfSSL Leaving DtlsMsgPoolTimeout(), return 0
wolfSSL Entering Dtls13RtxSendBuffered
wolfSSL Leaving wolfSSL_dtls_get_current_timeout, return 4
wolfSSL Entering EmbedReceiveFrom
wolfSSL Entering wolfSSL_dtls_get_using_nonblock
Would block
Embed Receive From error
wolfSSL Entering wolfSSL_dtls_get_using_nonblock
wolfSSL Entering DtlsMsgPoolTimeout
wolfSSL Leaving DtlsMsgPoolTimeout(), return 0
wolfSSL Entering Dtls13RtxSendBuffered
wolfSSL Leaving wolfSSL_dtls_get_current_timeout, return 8
wolfSSL Entering EmbedReceiveFrom
wolfSSL Entering wolfSSL_dtls_get_using_nonblock
Would block
Embed Receive From error
wolfSSL Entering wolfSSL_dtls_get_using_nonblock
wolfSSL Entering DtlsMsgPoolTimeout
wolfSSL Leaving DtlsMsgPoolTimeout(), return 0
wolfSSL Entering Dtls13RtxSendBuffered
wolfSSL Leaving wolfSSL_dtls_get_current_timeout, return 16
wolfSSL Entering EmbedReceiveFrom
wolfSSL Entering wolfSSL_dtls_get_using_nonblock
Would block
Embed Receive From error
wolfSSL Entering wolfSSL_dtls_get_using_nonblock
wolfSSL Entering DtlsMsgPoolTimeout
wolfSSL Leaving DtlsMsgPoolTimeout(), return 0
wolfSSL Entering Dtls13RtxSendBuffered
wolfSSL Leaving wolfSSL_dtls_get_current_timeout, return 32
wolfSSL Entering EmbedReceiveFrom
wolfSSL Entering wolfSSL_dtls_get_using_nonblock
Would block
Embed Receive From error
wolfSSL Entering wolfSSL_dtls_get_using_nonblock
wolfSSL Entering DtlsMsgPoolTimeout
wolfSSL Leaving DtlsMsgPoolTimeout(), return 0
wolfSSL Entering Dtls13RtxSendBuffered
wolfSSL Leaving wolfSSL_dtls_get_current_timeout, return 64
wolfSSL Entering EmbedReceiveFrom
wolfSSL Entering wolfSSL_dtls_get_using_nonblock
Would block
Embed Receive From error
wolfSSL Entering wolfSSL_dtls_get_using_nonblock
wolfSSL Entering DtlsMsgPoolTimeout
wolfSSL Leaving DtlsMsgPoolTimeout(), return -1
Error trying to retransmit DTLS buffered message
wolfSSL error occurred, error = 308 line:9958 file:src/ssl.c
SSL handshake res: -1
wolfSSL Entering wolfSSL_get_error
wolfSSL Leaving wolfSSL_get_error, return -308
wolfSSL Entering wolfSSL_ERR_print_errors_fp
error state on socket
wolfSSL Entering wolfSSL_free
Free SSL: 0x7f8758004410
Free'ing server ssl
Unloading cert
wolfSSL Entering wolfSSL_FreeX509
wolfSSL Entering ExternalFreeX509
Unloading key
Shrinking input buffer
wolfSSL Entering DtlsMsgPoolReset
wolfSSL Entering Dtls13RtxFlushBuffered
wolfSSL Entering ClientSessionToSession
wolfSSL Entering wolfSSL_FreeSession
wolfSSL_FreeSession full free
wolfSSL Entering wolfSSL_sk_CIPHER_free
wolfSSL Entering wolfSSL_sk_free
wolfSSL Entering wolfSSL_sk_X509_pop_free
wolfSSL Entering wolfSSL_sk_pop_free
wolfSSL Entering wolfSSL_sk_X509_pop_free
wolfSSL Entering wolfSSL_sk_pop_free
wolfSSL Entering wolfSSL_sk_X509_NAME_pop_free
wolfSSL Entering wolfSSL_sk_pop_free
wolfSSL Entering Dtls13RtxFlushAcks
wolfSSL Entering DtlsMsgPoolReset
wolfSSL Entering Dtls13RtxFlushBuffered
wolfSSL Entering Dtls13RtxFlushBuffered
CTX ref count not 0 yet, no free
wolfSSL Leaving wolfSSL_free, return 0
wolfSSL Entering wolfSSL_SSL_do_handshake
wolfSSL Entering wolfSSL_SSL_do_handshake_internal
wolfSSL Entering wolfSSL_accept
wolfSSL Entering ReinitSSL
RNG_HEALTH_TEST_CHECK_SIZE = 128
sizeof(seedB_data) = 128
opened /dev/urandom.
rnd read...
CertSetupCb set. server cert and key not checked
wolfSSL Entering RetrySendAlert
ProcessReply retry in error state, not allowed
wolfSSL error occurred, error = 308 line:9958 file:src/ssl.c
SSL handshake res: -1
wolfSSL Entering wolfSSL_get_error
wolfSSL Leaving wolfSSL_get_error, return -308
wolfSSL Entering wolfSSL_ERR_print_errors_fp
error state on socket
wolfSSL Entering wolfSSL_free
Free SSL: 0x7f8758004410
Free'ing server ssl
wolfSSL Entering wolfSSL_sk_SSL_CIPHER_free
wolfSSL Entering wolfSSL_sk_free Could you help me spot where the handshake is going wrong? Thanks! ETA:
Here's where it's going wrong, what could be the reason? Edit 2: However, running the client & server example mentioned in that issue, completely worked. Here are the commands I used: ./examples/server/server -u -v 4 -l TLS13-AES256-GCM-SHA384 --pqc KYBER_LEVEL3 Client: ./examples/client/client -u -v 4 -l TLS13-AES256-GCM-SHA384 --pqc KYBER_LEVEL3 -H defCipherList |
Hi @lakshya-chopra , I tried to run |
Hello @rizlik Edit: I too tried make check and 1 unit test failed: There were multiple errors, here's one of them: Edit 2: |
Hello @rizlik , |
Hi @lakshya-chopra , Thanks |
I have a client-server model based on Linux's SCTP sockets, using WolfSSL's DTLS 1.3 server and client methods. However, I'm encountering an issue that prevents both peers from completing the DTLS/SSL handshake:
This error has been documented previously, but the suggested solution makes use of SSLv23_method(), which isn't fully compatible with SCTP or UDP sockets. Since there isn't a direct equivalent for DTLS 1.3, I tried using DTLS1_2_method(), but that didn't work either.
Is there an alternative solution to this problem?
The text was updated successfully, but these errors were encountered: