openziti / tlsuv

TLS and HTTP(s) client library for libuv
https://docs.openziti.io/tlsuv/
MIT License

TLS handshake fails on Windows with mbedtls 3.0 #100

Closed scareything closed 2 years ago

scareything commented 2 years ago

The "TLS to IP address" test failures on Windows in #94 are caused by the handshake with 1.1.1.1 failing. The same code successfully handshakes on other platforms, and also (obviously) when linking mbedtls 2 on Windows.

Here are the uv-mbed logs from a failed test:

[     0.000] VERB uv-mbed\src\http.c:359 client not connected, starting connect sequence
[     0.000] DEBG uv-mbed\src\tcp_src.c:128 resolving '1.1.1.1:443'
[     0.000]TRACE uv-mbed\src\tcp_src.c:88 resolved status = 0
[     0.015] VERB uv-mbed\src\http.c:219 src connected status = 0
[     0.015]TRACE uv-mbed\src\tls_link.c:87 TLS(00000000017BEB70) starting handshake(st = 0)
[     0.078]TRACE uv-mbed\src\tls_link.c:101 TLS(00000000017BEB70) starting handshake(sending 332 bytes, st = 1)
[     0.109]TRACE uv-mbed\src\tls_link.c:112 TLS(00000000017BEB70)[1]: 1460
[     0.109]TRACE uv-mbed\src\tls_link.c:132 TLS(00000000017BEB70) continuing handshake(1460 bytes received)
[     0.125]TRACE uv-mbed\src\tls_link.c:138 TLS(00000000017BEB70) continuing handshake(sending 0 bytes, st = 1)
[     0.125]TRACE uv-mbed\src\tls_link.c:112 TLS(00000000017BEB70)[1]: 1343
[     0.125]TRACE uv-mbed\src\tls_link.c:132 TLS(00000000017BEB70) continuing handshake(1343 bytes received)
[     0.218]TRACE uv-mbed\src\tls_link.c:138 TLS(00000000017BEB70) continuing handshake(sending 7 bytes, st = 3)
[     0.218]  ERR uv-mbed\src\tls_link.c:161 TLS(00000000017BEB70) handshake error X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
[     0.218]  ERR uv-mbed\src\http.c:163 handshake failed status[3]

and the corresponding packet capture:

4   0.070727    10.0.1.37   1.1.1.1 TLSv1.2 386 Client Hello
5   0.085954    1.1.1.1 10.0.1.37   TCP 60  443 → 51583 [ACK] Seq=1 Ack=333 Win=68608 Len=0
6   0.093981    1.1.1.1 10.0.1.37   TLSv1.2 1514    Server Hello
7   0.094103    10.0.1.37   1.1.1.1 TCP 54  51583 → 443 [ACK] Seq=333 Ack=1461 Win=260672 Len=0
8   0.095148    1.1.1.1 10.0.1.37   TLSv1.2 1397    Certificate, Server Key Exchange, Server Hello Done
9   0.095207    10.0.1.37   1.1.1.1 TCP 54  51583 → 443 [ACK] Seq=333 Ack=2804 Win=260800 Len=0
10  0.216410    10.0.1.37   1.1.1.1 TLSv1.2 61  Alert (Level: Fatal, Description: Bad Certificate)

A successful test (executed on macOS) looks like this:

[     0.425] VERB uv-mbed/src/http.c:359 client not connected, starting connect sequence
[     0.425] DEBG uv-mbed/src/tcp_src.c:128 resolving '1.1.1.1:443'
[     0.426]TRACE uv-mbed/src/tcp_src.c:88 resolved status = 0
[     0.444] VERB uv-mbed/src/http.c:219 src connected status = 0
[     0.444]TRACE uv-mbed/src/tls_link.c:87 TLS(0x16d2d29b8) starting handshake(st = 0)
[     0.444]TRACE uv-mbed/src/tls_link.c:101 TLS(0x16d2d29b8) starting handshake(sending 332 bytes, st = 1)
[     0.469]TRACE uv-mbed/src/tls_link.c:112 TLS(0x16d2d29b8)[1]: 1460
[     0.469]TRACE uv-mbed/src/tls_link.c:132 TLS(0x16d2d29b8) continuing handshake(1460 bytes received)
[     0.469]TRACE uv-mbed/src/tls_link.c:138 TLS(0x16d2d29b8) continuing handshake(sending 0 bytes, st = 1)
[     0.470]TRACE uv-mbed/src/tls_link.c:112 TLS(0x16d2d29b8)[1]: 1343
[     0.470]TRACE uv-mbed/src/tls_link.c:132 TLS(0x16d2d29b8) continuing handshake(1343 bytes received)
[     0.480]TRACE uv-mbed/src/tls_link.c:138 TLS(0x16d2d29b8) continuing handshake(sending 85 bytes, st = 1)
[     0.501]TRACE uv-mbed/src/tls_link.c:112 TLS(0x16d2d29b8)[1]: 250
[     0.501]TRACE uv-mbed/src/tls_link.c:132 TLS(0x16d2d29b8) continuing handshake(250 bytes received)
[     0.501]TRACE uv-mbed/src/tls_link.c:138 TLS(0x16d2d29b8) continuing handshake(sending 0 bytes, st = 2)
[     0.501]TRACE uv-mbed/src/tls_link.c:153 TLS(0x16d2d29b8) handshake completed

4   0.017780    10.0.1.37   1.1.1.1 TLSv1.2 386 Client Hello
5   0.037597    1.1.1.1 10.0.1.37   TCP 60  443 → 51806 [ACK] Seq=1 Ack=333 Win=68608 Len=0
6   0.042090    1.1.1.1 10.0.1.37   TLSv1.2 1514    Server Hello
7   0.042201    10.0.1.37   1.1.1.1 TCP 54  51806 → 443 [ACK] Seq=333 Ack=1461 Win=260672 Len=0
8   0.043255    1.1.1.1 10.0.1.37   TLSv1.2 1397    Certificate, Server Key Exchange, Server Hello Done
9   0.043296    10.0.1.37   1.1.1.1 TCP 54  51806 → 443 [ACK] Seq=333 Ack=2804 Win=260800 Len=0
10  0.053813    10.0.1.37   1.1.1.1 TLSv1.2 139 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
11  0.073266    1.1.1.1 10.0.1.37   TCP 60  443 → 51806 [ACK] Seq=2804 Ack=418 Win=68608 Len=0
12  0.074055    1.1.1.1 10.0.1.37   TLSv1.2 304 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message

mbedtls_debug_windows.log tls_to_ip_windows.pcapng.zip

mbedtls_debug_macos.log tls_to_ip_macos.pcapng.zip
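The trace line `continuing handshake(sending 7 bytes, st = 3)` and frame 10 of the Windows capture (61 bytes, `Alert (Level: Fatal, Description: Bad Certificate)`) describe the same event: the client's local certificate verification failed, so mbedtls sent a plaintext alert record instead of the Client Key Exchange that the macOS run sends at the same point. The following C program is an added example, not tlsuv or mbedtls code, that decodes such an alert record and checks the frame-size arithmetic that ties the log to the capture. The seven alert bytes are constructed from the RFC 5246 record layout (they were not extracted from the attached pcap), and the 54-byte header total assumes Ethernet + IPv4 + TCP with no options.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TLS record-layer content type for alerts (RFC 5246, section 6.2.1). */
#define TLS_CT_ALERT 0x15
/* A plaintext alert record is a 5-byte record header plus a 2-byte body. */
#define TLS_ALERT_RECORD_LEN 7
/* Ethernet (14) + IPv4 (20) + TCP (20) headers, assuming no options. */
#define L2_L4_HEADER_BYTES 54

typedef struct {
    uint16_t version;     /* record-layer version, 0x0303 for TLS 1.2 */
    uint8_t  level;       /* 1 = warning, 2 = fatal */
    uint8_t  description; /* AlertDescription value */
} tls_alert_t;

/* Constructed sample: what a fatal bad_certificate(42) alert looks like on the
 * wire. Matches the 7-byte send in the Windows log; not copied from the pcap. */
static const uint8_t k_windows_alert[TLS_ALERT_RECORD_LEN] = {
    0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x2a
};

/* RFC 5246 name for an alert description (subset), or "unknown". */
const char *tls_alert_name(uint8_t description) {
    switch (description) {
    case 0:   return "close_notify";
    case 10:  return "unexpected_message";
    case 20:  return "bad_record_mac";
    case 40:  return "handshake_failure";
    case 42:  return "bad_certificate";
    case 43:  return "unsupported_certificate";
    case 44:  return "certificate_revoked";
    case 45:  return "certificate_expired";
    case 46:  return "certificate_unknown";
    case 48:  return "unknown_ca";
    case 70:  return "protocol_version";
    case 112: return "unrecognized_name";
    default:  return "unknown";
    }
}

/* Parse a plaintext TLS alert record. Returns 0 on success, -1 if the buffer
 * is not exactly one well-formed alert record. */
int tls_parse_alert(const uint8_t *buf, size_t len, tls_alert_t *out) {
    if (buf == NULL || out == NULL || len != TLS_ALERT_RECORD_LEN) return -1;
    if (buf[0] != TLS_CT_ALERT) return -1;
    uint16_t body_len = (uint16_t)((buf[3] << 8) | buf[4]);
    if (body_len != 2) return -1;              /* alert body is always 2 bytes */
    out->version = (uint16_t)((buf[1] << 8) | buf[2]);
    out->level = buf[5];
    out->description = buf[6];
    if (out->level != 1 && out->level != 2) return -1;
    return 0;
}

/* 1 if the record is a fatal alert, 0 if a warning, -1 if not an alert. */
int tls_alert_is_fatal(const uint8_t *buf, size_t len) {
    tls_alert_t a;
    if (tls_parse_alert(buf, len, &a) != 0) return -1;
    return a.level == 2 ? 1 : 0;
}

/* Description code of the constructed sample, or -1 if it fails to parse. */
int sample_alert_description(void) {
    tls_alert_t a;
    if (tls_parse_alert(k_windows_alert, sizeof(k_windows_alert), &a) != 0) return -1;
    return a.description;
}

/* TCP payload bytes in a captured frame of the given length (no IP/TCP options). */
int tcp_payload_len(int frame_len) {
    return frame_len - L2_L4_HEADER_BYTES;
}

int main(void) {
    tls_alert_t alert;
    if (tls_parse_alert(k_windows_alert, sizeof(k_windows_alert), &alert) != 0) {
        fprintf(stderr, "sample is not a TLS alert record\n");
        return 1;
    }
    printf("record version 0x%04x, %s alert, description %u (%s)\n",
           alert.version, alert.level == 2 ? "fatal" : "warning",
           (unsigned)alert.description, tls_alert_name(alert.description));
    /* Frame 10 (Windows): 61 bytes on the wire -> 7 bytes of TLS, the alert.
     * Frame 10 (macOS): 139 bytes -> 85 bytes, matching "sending 85 bytes". */
    printf("61-byte frame carries %d TLS bytes; 139-byte frame carries %d\n",
           tcp_payload_len(61), tcp_payload_len(139));
    return 0;
}
```

The payload arithmetic is what lets you confirm from the capture alone that the client, not the server, aborted the handshake: the first record the Windows client sends after the server's Certificate message is a 7-byte alert, whereas the macOS client sends an 85-byte Client Key Exchange. Because the alert is sent before any keys are negotiated it is plaintext, so any capture tool can decode the level and description without the session secrets.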

scareything commented 2 years ago

fixed by https://github.com/netfoundry/mbedtls/commit/fa6d2a39eebf73381cce12ecac757dab2ca5ce90