
Comments (8)

markjfisher avatar markjfisher commented on June 3, 2024 1

Thanks for the update. I've just fixed it in our code.
Very sorry for the noise. It turns out we were not reading the certificate correctly with the upgrade in clients, yet that was somehow working with some sites but not others.

Many thanks for your feedback on this and sorry to have wasted your time.

from mongoose.

scaprile avatar scaprile commented on June 3, 2024

Hello Mark,
we just use MbedTLS, there is nothing special in that besides possible API differences.
Our tests run on Windows, Mac, and Ubuntu 22.04 (what Github provides) and they all pass.
You should start by using 7.13, and you could even try our built-in TLS1.3.
However, a bit of googling yields: "The error you are getting means that you have received a fatal alert from the server.
This fatal alert was sent after the server received the ClientHello message from your client.
This means that the server couldn't find common parameters for a TLS handshake. Usually it is the server can't support the proposed ciphersuites, however it could be other cases such as unsupported elliptic curves and hashes.", so you should check your credentials and what those servers expect from you, AND, in the specific code you are using, if there is an mbed configuration file, that will have specifics on what it will support, so you have to make it match, or remove that file and expect your OS will solve that.

from mongoose.

markjfisher avatar markjfisher commented on June 3, 2024

Hi! And thanks for the update.

This problem is happening on my and other users' machines over different OSes, the only thing we have done is upgrade the mongoose client code, which is why I brought it here.

I had seen it's reporting a fatal error, 21 response being a MSG_ALERT, 22 being MSG_HANDSHAKE, and that 40 represents ERR_SSL_VERSION_OR_CIPHER_MISMATCH. The logs show the earlier negotiation of ciphers is identical between the 2 endpoints I have logged, showing all 104 ciphers are the same.

I'm really trying to narrow down why only upgrading mongoose client causes this issue, downgrading fixes it. No mbed tls changes (as we're just using the system installed libs), just mongoose.c/h file changes in our code.

Our code is simply trying to request JSON served over https, there's no auth/credentials involved here. It's as simple as can be.

I'll continue to dig into this, I'm trying to reproduce with a local nginx as a reverse proxy and controlling tls versions.

from mongoose.
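The numbers in the comment above map onto the TLS record layer: content type 21 is an alert record, 22 is a handshake record, and alert description 40 is `handshake_failure` in the TLS alert registry. The decoder below is an added example, not code from this thread or from Mongoose; the function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct tls_alert {
  uint16_t version;     /* record-layer version, e.g. 0x0303 */
  uint8_t level;        /* 1 = warning, 2 = fatal */
  uint8_t description;  /* e.g. 40 = handshake_failure */
};

/* Constructed sample: alert record, version 3.3, length 2, fatal, code 40 */
static const uint8_t SAMPLE_ALERT[] = {0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28};

/* Returns 1 and fills *out for a complete plaintext alert record,
   0 for any other record type, -1 if truncated or malformed. */
int tls_parse_alert(const uint8_t *buf, size_t len, struct tls_alert *out) {
  if (buf == NULL || out == NULL || len < 5) return -1;
  size_t body = ((size_t) buf[3] << 8) | buf[4];  /* 16-bit record length */
  if (len < 5 + body) return -1;                  /* record not fully read */
  if (buf[0] != 21) return 0;                     /* 22 would be handshake */
  if (body != 2) return -1;  /* plaintext alert = level + description */
  out->version = (uint16_t) ((buf[1] << 8) | buf[2]);
  out->level = buf[5];
  out->description = buf[6];
  return 1;
}

/* Names for a few alert descriptions from the TLS alert registry */
const char *tls_alert_name(uint8_t d) {
  switch (d) {
    case 0: return "close_notify";
    case 40: return "handshake_failure";
    case 42: return "bad_certificate";
    case 48: return "unknown_ca";
    case 70: return "protocol_version";
    case 71: return "insufficient_security";
    case 80: return "internal_error";
    case 112: return "unrecognized_name";
    default: return "other";
  }
}

int main(void) {
  struct tls_alert a;
  if (tls_parse_alert(SAMPLE_ALERT, sizeof(SAMPLE_ALERT), &a) == 1)
    printf("level=%u alert=%s\n", (unsigned) a.level, tls_alert_name(a.description));
  return 0;
}
```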

scaprile avatar scaprile commented on June 3, 2024

Hmm... that's weird.
There's been a lot of re-write in the TLS interface to make room for our own stack, and we've been favoring embedded-friendly features (elliptic curves and lighter-weight algorithms). I'm not familiar with pre-7.6.
So you have a CA cert and you just validate it, but there is a cipher exchange anyway and that is failing... Make sure your cert file contents start with dashes, and check how you pass that cert in options. It should fail in a different way if that was the case, but, it doesn't harm to try.

from mongoose.
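The "contents start with dashes" check suggested above can be run on the buffer just before it is handed to the TLS layer. This is an added example, not code from the thread or from Mongoose; it assumes the CA is passed as an in-memory buffer, and the enum, function names and sample certificate body are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum pem_status { PEM_OK, PEM_EMPTY, PEM_LOOKS_LIKE_PATH, PEM_NO_BEGIN, PEM_NO_END };

/* Bounded substring search; the buffer need not be NUL-terminated */
static int contains(const char *h, size_t hn, const char *n) {
  size_t nn = strlen(n);
  for (size_t i = 0; nn <= hn && i <= hn - nn; i++)
    if (memcmp(h + i, n, nn) == 0) return 1;
  return 0;
}

/* Sanity-check what is about to be used as a CA certificate.
   Catches a file name passed where contents are expected, and short reads. */
enum pem_status pem_check_cert(const char *buf, size_t len) {
  static const char begin[] = "-----BEGIN CERTIFICATE-----";
  static const char end[] = "-----END CERTIFICATE-----";
  if (buf == NULL || len == 0) return PEM_EMPTY;
  if (len < sizeof(begin) - 1 || memcmp(buf, begin, sizeof(begin) - 1) != 0) {
    /* A single line without the dashes is most likely a path, not contents */
    return memchr(buf, '\n', len) == NULL ? PEM_LOOKS_LIKE_PATH : PEM_NO_BEGIN;
  }
  if (!contains(buf, len, end)) return PEM_NO_END;  /* truncated read */
  return PEM_OK;
}

/* Constructed sample; the base64 body is a placeholder, not a real cert */
static const char SAMPLE_PEM[] =
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END CERTIFICATE-----\n";

int main(void) {
  const char *path = "data/webui/common/ca.pem";  /* path from the thread */
  printf("contents: %d\n", pem_check_cert(SAMPLE_PEM, strlen(SAMPLE_PEM)));
  printf("path:     %d\n", pem_check_cert(path, strlen(path)));
  return 0;
}
```

The check only looks at the PEM framing; it does not decode or validate the certificate itself.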

markjfisher avatar markjfisher commented on June 3, 2024

Also apologies, we are using 7.13, not 7.11 as I reported, I'll update the post.

The ca.pem file is also constant between the scenarios too, it's well formatted and works with curl specified directly:

curl -vvv --cacert data/webui/common/ca.pem https://5card.carr-designs.com/state?table=blue\&player=THOMC

from mongoose.

scaprile avatar scaprile commented on June 3, 2024

I just tried your Google endpoint in my Linux with both OpenSSL and MbedTLS and it works with no hassle. Looks like this is a problem with your specific version of MbedTLS.
We've been very reluctant to rely on OS libraries, for a while we've been building against specific versions compiled on-the-fly. I think a quick fix for your issue can be to do that. In examples/http-client:

$ make mbedtls
$ make CFLAGS_EXTRA="-DMG_TLS=MG_TLS_MBED mbedtls/library/libmbedtls.a mbedtls/library/libmbedcrypto.a mbedtls/library/libmbedx509.a"

from mongoose.

CaptainTeemo avatar CaptainTeemo commented on June 3, 2024

@markjfisher hello Mark,
I just got the same issue, could you please share the details about how it was fixed?

from mongoose.

scaprile avatar scaprile commented on June 3, 2024

@CaptainTeemo :

Very sorry for the noise. It turns out we were not reading the certificate correctly with the upgrade in clients, yet that was somehow working with some sites but not others.

This is not a Mongoose issue, please do not do necroposting nor thread hijacking.
If you have an actual issue, please open an issue, honor the issue template so we can know your scenario and reproduce the issue if necessary, and let us know exactly what you are doing.
Please follow the guidelines in the documentation, examples and tutorials available.

from mongoose.
