Topic: TLS_PSK_WITH_AES_128_CBC_SHA256 not available with DTLS?

Hi,
  I tried to connect wolfssl (3.6.0) to Eclipse Scandium (master).
  I use wolfssl as the client (./examples/client/client) and Scandium as the server (ExampleDTLSServer.class).
  I try to use PSK but it seems there is no compatible cipher suite.

  Scandium supports only TLS_PSK_WITH_AES_128_CCM_8 and TLS_PSK_WITH_AES_128_CBC_SHA256 for PSK.
  I configure wolfssl to use PSK like this:

./configure --enable-dtls --enable-psk
./examples/client/client -h 127.0.0.1 -p 5684 -u -v 3 -s

  With Wireshark I see the Client Hello contains only: Cipher Suite: TLS_DHE_PSK_WITH_AES_128_GCM_SHA256.
  I looked at the doc and TLS_PSK_WITH_AES_128_CBC_SHA256 should be supported too.

  I probably missed something?

Simon

P.S.: It would be great if wolfssl supported these 2 cipher suites, TLS_PSK_WITH_AES_128_CCM_8 and TLS_PSK_WITH_AES_128_CBC_SHA256, as they were mandatory in the OMA Lightweight M2M specification [last one was: OMA-TS-LightweightM2M-V1_0-20150707-D].

2 (edited by Kaleb J. Himes 2015-07-27 10:06:37)

Re: TLS_PSK_WITH_AES_128_CBC_SHA256 not available with DTLS?

Hi sbernard,

The following options are what you're looking for to get TLS_PSK_WITH_AES_128_CBC_SHA256:

Server options:

./examples/server/server -s -u -v 3 -l PSK-AES128-CBC-SHA256

Client options:

./examples/client/client -s -u -v 3 -l PSK-AES128-CBC-SHA256

TLS_PSK_WITH_AES_128_CCM_8

Configure options:

./configure --enable-psk --enable-dtls --enable-aesccm

Server options:

./examples/server/server -s -u -v 3 -l PSK-AES128-CCM-8

Client options:

./examples/client/client -s -u -v 3 -l PSK-AES128-CCM-8

A colleague of mine wanted me to also point out that the flags following the "-l" option can be found in <wolfssl-root>/src/internal.c in:

static const char* const cipher_names[]

3 (edited by sbernard 2015-07-29 01:32:40)

Re: TLS_PSK_WITH_AES_128_CBC_SHA256 not available with DTLS?

Thanks a lot for this explanation.

Maybe a good improvement could be to add all the supported PSK cipher suites when --enable-psk is used. (This would be more accessible for noobs like me.)

So, I retested wolfssl. I tried with a wolfssl client and a wolfssl server, and it works.
I retried with a wolfssl client and a Scandium server and this failed with:

err = -373, Out of order message, fatal
wolfSSL error: SSL_connect failed

I suspect this is because Scandium doesn't send ServerKeyExchange for PSK and wolfssl expects it.
If I'm right, I think this is a bug; I read the spec again and it seems the ServerKeyExchange is optional:

"To help the client in selecting which identity to use, the server can provide a "PSK identity hint" in the ServerKeyExchange message.  If no hint is provided, the ServerKeyExchange message is omitted. "
(source: https://tools.ietf.org/html/rfc4279#section-2)

Simon


Re: TLS_PSK_WITH_AES_128_CBC_SHA256 not available with DTLS?

Hi sbernard,

Apologies for the time to get back to you. Could you help me understand the full scope of your project, the end goal, why the Scandium server is necessary, etc.? It would help when discussing with the wolfSSL team.

In regards to your last, we are looking into it and will get back to you as soon as possible. If you have any other questions in the meantime please do not hesitate to reply here or open a new case.

My Sincerest Regards,

Kaleb

Re: TLS_PSK_WITH_AES_128_CBC_SHA256 not available with DTLS?

No problem.

In fact, I work on the Leshan project. We use DTLS/Scandium to secure our Lightweight M2M communication. (I contribute to Scandium too.)

I am currently testing the resume handshake feature with Scandium on the server side.
As Scandium seems not to really do that on the client side, I chose to test this with other clients; this is also a good way to test Scandium's interoperability with other open-source DTLS implementations.

So I tried with:
- tinydtls: the handshake is ok but it seems it doesn't handle session IDs at all (so no resume).
- wolfssl: I did not succeed in making a handshake (see my 2 posts).
- bouncycastle: I did not succeed in making a handshake either. (It seems it does not handle several messages in the same flight.)
- mbedTLS (PolarSSL): the handshake is ok except there are some issues with the certificate message; I need to test the resume session now.

I take some time to report the problems I encounter because it's the way open source works.

Simon


6 (edited by Kaleb J. Himes 2015-07-31 09:22:59)

Re: TLS_PSK_WITH_AES_128_CBC_SHA256 not available with DTLS?

Hi sbernard,

Firstly thank you so much for the details of your project!

I discussed your issue with the team last night. By commenting out this line in our example server:

503 //        SSL_CTX_use_psk_identity_hint(ctx, "cyassl server");

We were able to reproduce your error.

A commit has been made to fix the bug. If you clone our github development branch (https://github.com/wolfSSL/wolfssl.git) you should now be able to test successfully against scandium server (we have not tested against scandium ourselves but will if you have any other complications). Thank you so much for contacting us with your issue! It has been highly helpful and we hope we have helped you in turn.

My Sincerest Regards,

Kaleb

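As an added illustration of the RFC 4279 point raised above and of the identity-hint reproduction in Kaleb's reply (example code written for this thread, not wolfSSL's or Scandium's own), a small C checker: in RFC 4279 mode it accepts the server's first flight with or without a ServerKeyExchange, in strict mode it rejects the hint-less flight, and it decodes the identity hint that a plain-PSK ServerKeyExchange carries. The -373 value is reused from the error quoted earlier purely as a label; the sample flight and hint bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS HandshakeType values (RFC 5246 section 7.4). */
enum { HT_SERVER_HELLO = 2, HT_SERVER_KEY_EXCHANGE = 12, HT_SERVER_HELLO_DONE = 14 };
enum { FLIGHT_OK = 0, FLIGHT_OUT_OF_ORDER = -373 }; /* -373 as quoted in this thread */

/* Check the server's first flight for a plain PSK suite; types[] lists each message's
 * HandshakeType in arrival order. strict == 1 insists on a ServerKeyExchange (the
 * behaviour behind err -373); strict == 0 follows RFC 4279 section 2, where the
 * message is omitted when the server sends no PSK identity hint. */
int check_psk_server_flight(const uint8_t *types, size_t n, int strict)
{
    size_t i = 0;
    int saw_ske = 0;
    if (n == 0 || types[i++] != HT_SERVER_HELLO)
        return FLIGHT_OUT_OF_ORDER;
    if (i < n && types[i] == HT_SERVER_KEY_EXCHANGE) { saw_ske = 1; i++; }
    if (strict && !saw_ske)
        return FLIGHT_OUT_OF_ORDER;
    if (i >= n || types[i++] != HT_SERVER_HELLO_DONE)
        return FLIGHT_OUT_OF_ORDER;
    return i == n ? FLIGHT_OK : FLIGHT_OUT_OF_ORDER; /* nothing may follow ServerHelloDone */
}

/* Parse a plain-PSK ServerKeyExchange body (RFC 4279 section 2):
 *     opaque psk_identity_hint<0..2^16-1>;
 * copies the hint into out as a C string and returns its length, or -1 if malformed. */
int parse_psk_identity_hint(const uint8_t *body, size_t len, char *out, size_t outsz)
{
    size_t hint_len;
    if (len < 2)
        return -1;
    hint_len = ((size_t)body[0] << 8) | body[1];
    if (hint_len != len - 2 || hint_len + 1 > outsz)
        return -1;
    memcpy(out, body + 2, hint_len);
    out[hint_len] = '\0';
    return (int)hint_len;
}

/* Constructed sample: the two-message flight Scandium sends when it has no hint. */
int scandium_flight_result(int strict)
{
    const uint8_t flight[] = { HT_SERVER_HELLO, HT_SERVER_HELLO_DONE };
    return check_psk_server_flight(flight, 2, strict);
}
```
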
7 (edited by sbernard 2015-09-21 08:56:14)

Re: TLS_PSK_WITH_AES_128_CBC_SHA256 not available with DTLS?

We finished implementing session resumption in Scandium. We used GnuTLS for our tests and we faced some bugs with it too. It seems DTLS implementations are not yet very stable. Do you have the same feeling? Maybe DTLS is not so much used?

Anyway, I took some time to retest with wolfssl.
But I encountered a new problem.
When I try:

./examples/server/server -s -u -v 3 -l PSK-AES128-CCM-8

I get this error:

wolfSSL error: client can't set cipher list 1

It fails with master, v3.6.8 and v3.6.6.
With v3.6.2, I get the out of order message I previously reported to you.

I successfully did a handshake and a resume handshake using the commit: 37ba6aeee739c3d7a1dd7cec684ab796af7ecbab fix psk no identify hint example logic

I may have found a regression.

Simon


Re: TLS_PSK_WITH_AES_128_CBC_SHA256 not available with DTLS?

Hi Simon,

wolfSSL has several large users of DTLS which drive us to maintain and progress our DTLS implementation.

Using wolfSSL 3.6.6, if you want support for static key PSK cipher suites, you'll need to define WOLFSSL_STATIC_PSK while compiling wolfSSL.  We added a note to the README to explain this:

Note 1)
wolfSSL as of 3.6.6 no longer enables SSLv3 by default.  wolfSSL also no
longer supports static key cipher suites with PSK, RSA, or ECDH.  This means
if you plan to use TLS cipher suites you must enable DH (DH is on by default),
or enable ECC (ECC is on by default on 64bit systems), or you must enable static
key cipher suites with
    WOLFSSL_STATIC_DH
    WOLFSSL_STATIC_RSA
    or
    WOLFSSL_STATIC_PSK

though static key cipher suites are deprecated and will be removed from future
versions of TLS.  They also lower your security by removing PFS.

When compiling ssl.c wolfSSL will now issue a compiler error if no cipher suites
are available.  You can remove this error by defining WOLFSSL_ALLOW_NO_SUITES
in the event that you desire that, i.e., you're not using TLS cipher suites.

Best Regards,
Chris