mbedTLS 3.4.0 failing with Chrome (Ubuntu and Android) #7885

Open
DL6ER opened this issue Jul 5, 2023 · 3 comments

DL6ER commented Jul 5, 2023

Summary

I set up a webserver with mbedTLS v3.4.0 and CivetWeb v1.16. However, I see that Chrome rejects the connection with ERR_SSL_VERSION_OR_CIPHER_MISMATCH, while Firefox works fine.

System information

Mbed TLS version (number or commit id): 3.4.0
Operating system and version: Linux
Configuration (if not default, please attach mbedtls_config.h): default
Compiler and options (if you used a pre-built binary, please indicate how you obtained it): default
Additional environment information: nothing worth mentioning

Expected behavior

Chrome should load the page as does Firefox

Actual behavior

Chrome rejects the connection showing ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Steps to reproduce

  • Generate a suitable ECDSA certificate and use it with mbedTLS
  • This is most easily seen when using cipher Suite B, but it doesn't work for the default set either

Additional information

Debug output from mbedTLS for Chrome (not working!)

mbedTLS(ssl_tls12_server.c:1048, 3): client hello v3, handshake type: 1
mbedTLS(ssl_tls12_server.c:1056, 3): client hello v3, handshake len.: 508
mbedTLS(ssl_tls12_server.c:1158, 3): dumping 'client hello, version' (2 bytes)
mbedTLS(ssl_tls12_server.c:1158, 3): 0000:  03 03                                            ..
mbedTLS(ssl_tls12_server.c:1173, 3): dumping 'client hello, random bytes' (32 bytes)
mbedTLS(ssl_tls12_server.c:1173, 3): 0000:  d7 a1 e9 f2 3d 28 14 f0 bc ea c5 58 53 a2 8b 29  ....=(.....XS..)
mbedTLS(ssl_tls12_server.c:1173, 3): 0010:  f9 a5 5b b8 0a 4c 91 24 4e d6 3b 80 7a 98 22 d9  ..[..L.$N.;.z.".
mbedTLS(ssl_tls12_server.c:1190, 3): dumping 'client hello, session id' (32 bytes)
mbedTLS(ssl_tls12_server.c:1190, 3): 0000:  7b 3d a1 33 6f bf 7a 2b ae c1 cd 46 c0 3e 66 71  {=.3o.z+...F.>fq
mbedTLS(ssl_tls12_server.c:1190, 3): 0010:  95 e2 13 8a 56 c7 99 ee ab c6 93 81 fa ea a1 31  ....V..........1
mbedTLS(ssl_tls12_server.c:1264, 3): dumping 'client hello, ciphersuitelist' (32 bytes)
mbedTLS(ssl_tls12_server.c:1264, 3): 0000:  5a 5a 13 01 13 02 13 03 c0 2b c0 2f c0 2c c0 30  ZZ.......+./.,.0
mbedTLS(ssl_tls12_server.c:1264, 3): 0010:  cc a9 cc a8 c0 13 c0 14 00 9c 00 9d 00 2f 00 35  ............./.5
mbedTLS(ssl_tls12_server.c:1286, 3): dumping 'client hello, compression' (1 bytes)
mbedTLS(ssl_tls12_server.c:1286, 3): 0000:  00                                               .
mbedTLS(ssl_tls12_server.c:1315, 3): dumping 'client hello extensions' (403 bytes)
mbedTLS(ssl_tls12_server.c:1315, 3): 0000:  9a 9a 00 00 00 1b 00 03 02 00 02 44 69 00 05 00  ...........Di...
mbedTLS(ssl_tls12_server.c:1315, 3): 0010:  03 02 68 32 00 10 00 0e 00 0c 02 68 32 08 68 74  ..h2.......h2.ht
mbedTLS(ssl_tls12_server.c:1315, 3): 0020:  74 70 2f 31 2e 31 00 17 00 00 00 12 00 00 00 2d  tp/1.1.........-
mbedTLS(ssl_tls12_server.c:1315, 3): 0030:  00 02 01 01 00 0b 00 02 01 00 00 33 00 2b 00 29  ...........3.+.)
mbedTLS(ssl_tls12_server.c:1315, 3): 0040:  ca ca 00 01 00 00 1d 00 20 7a 65 b2 39 b1 39 77  ........ ze.9.9w
mbedTLS(ssl_tls12_server.c:1315, 3): 0050:  e4 76 a6 8c ba 26 80 c5 cb 87 08 ac f3 ac c8 ad  .v...&..........
mbedTLS(ssl_tls12_server.c:1315, 3): 0060:  8e 5b 9d 2e 51 8c a3 d7 5e 00 2b 00 07 06 9a 9a  .[..Q...^.+.....
mbedTLS(ssl_tls12_server.c:1315, 3): 0070:  03 04 03 03 00 0a 00 0a 00 08 ca ca 00 1d 00 17  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0080:  00 18 00 0d 00 14 00 12 04 03 08 04 04 01 05 03  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0090:  08 05 05 01 08 06 06 01 02 01 00 05 00 05 01 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 00a0:  00 00 00 00 23 00 00 ff 01 00 01 00 da da 00 01  ....#...........
mbedTLS(ssl_tls12_server.c:1315, 3): 00b0:  00 00 15 00 de 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 00c0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 00d0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 00e0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 00f0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0100:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0110:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0120:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0130:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0140:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0150:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0160:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0170:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0180:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0190:  00 00 00                                         ...
mbedTLS(ssl_tls12_server.c:1485, 3): unknown extension found: 39578 (ignoring)
mbedTLS(ssl_tls12_server.c:1485, 3): unknown extension found: 27 (ignoring)
mbedTLS(ssl_tls12_server.c:1485, 3): unknown extension found: 17513 (ignoring)
mbedTLS(ssl_tls12_server.c:1463, 3): found alpn extension
mbedTLS(ssl_tls12_server.c:1441, 3): found extended master secret extension
mbedTLS(ssl_tls12_server.c:1485, 3): unknown extension found: 18 (ignoring)
mbedTLS(ssl_tls12_server.c:1485, 3): unknown extension found: 45 (ignoring)
mbedTLS(ssl_tls12_server.c:1384, 3): found supported point formats extension
mbedTLS(ssl_tls12_server.c:1485, 3): unknown extension found: 51 (ignoring)
mbedTLS(ssl_tls12_server.c:1485, 3): unknown extension found: 43 (ignoring)
mbedTLS(ssl_tls12_server.c:1375, 3): found supported elliptic curves extension
mbedTLS(ssl_tls12_server.c:1361, 3): found signature_algorithms extension
mbedTLS(ssl_tls12_server.c:1485, 3): unknown extension found: 5 (ignoring)
mbedTLS(ssl_tls12_server.c:1452, 3): found session ticket extension
mbedTLS(ssl_tls12_server.c:1348, 3): found renegotiation extension
mbedTLS(ssl_tls12_server.c:1485, 3): unknown extension found: 56026 (ignoring)
mbedTLS(ssl_tls12_server.c:1485, 3): unknown extension found: 21 (ignoring)
mbedTLS(ssl_tls12_server.c:814, 3): trying ciphersuite: 0xc02b (TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256)
mbedTLS(ssl_tls12_server.c:723, 3): ciphersuite requires certificate
mbedTLS(ssl_tls12_server.c:732, 3): candidate certificate chain, certificate #1:
mbedTLS(ssl_tls12_server.c:732, 3): cert. version     : 3
mbedTLS(ssl_tls12_server.c:732, 3): serial number     : 33:36:37:35:33:35:36:32:39:31:32:37:30:39:33
mbedTLS(ssl_tls12_server.c:732, 3): issuer name       : CN=pi.hole
mbedTLS(ssl_tls12_server.c:732, 3): subject name      : CN=pi.hole
mbedTLS(ssl_tls12_server.c:732, 3): issued  on        : 2001-01-01 00:00:00
mbedTLS(ssl_tls12_server.c:732, 3): expires on        : 2030-12-31 23:59:59
mbedTLS(ssl_tls12_server.c:732, 3): signed using      : ECDSA with SHA256
mbedTLS(ssl_tls12_server.c:732, 3): EC key size       : 521 bits
mbedTLS(ssl_tls12_server.c:732, 3): basic constraints : CA=false
mbedTLS(ssl_tls12_server.c:732, 3): value of 'crt->eckey.Q(X)' (519 bits) is:
mbedTLS(ssl_tls12_server.c:732, 3):  6c 7e b1 4b c6 0c 25 c3 5d 1d ac 59 64 02 78 56
mbedTLS(ssl_tls12_server.c:732, 3):  ac 02 b4 fb a1 13 6c 48 87 5c ca 8c 65 d5 2f 78
mbedTLS(ssl_tls12_server.c:732, 3):  99 af 13 df 0e 1e c5 bb 55 5a e9 99 83 9e c9 54
mbedTLS(ssl_tls12_server.c:732, 3):  30 a4 38 46 92 10 2b d6 a5 2e b3 24 1e c7 b6 12
mbedTLS(ssl_tls12_server.c:732, 3):  9d
mbedTLS(ssl_tls12_server.c:732, 3): value of 'crt->eckey.Q(Y)' (521 bits) is:
mbedTLS(ssl_tls12_server.c:732, 3):  01 e2 68 b4 9a c8 f2 c5 9e 40 f2 1d 7b 81 a8 09
mbedTLS(ssl_tls12_server.c:732, 3):  7c 25 f2 e6 b0 43 05 00 72 a3 8b c4 14 8a 97 47
mbedTLS(ssl_tls12_server.c:732, 3):  f5 59 e4 a8 8d 6d 37 6d e5 be a5 2e 60 88 3b 72
mbedTLS(ssl_tls12_server.c:732, 3):  da 2a 3f 5d 66 4f 90 e6 0c a1 6a 32 1e 7f eb 7e
mbedTLS(ssl_tls12_server.c:732, 3):  7a 04
mbedTLS(ssl_tls12_server.c:773, 3): certificate mismatch: elliptic curve                              <-------------------
mbedTLS(ssl_tls12_server.c:862, 3): ciphersuite mismatch: no suitable certificate                     <-------------------
mbedTLS(ssl_tls12_server.c:814, 3): trying ciphersuite: 0xc02c (TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384)
mbedTLS(ssl_tls12_server.c:723, 3): ciphersuite requires certificate
mbedTLS(ssl_tls12_server.c:732, 3): candidate certificate chain, certificate #1:
mbedTLS(ssl_tls12_server.c:732, 3): cert. version     : 3
mbedTLS(ssl_tls12_server.c:732, 3): serial number     : 33:36:37:35:33:35:36:32:39:31:32:37:30:39:33
mbedTLS(ssl_tls12_server.c:732, 3): issuer name       : CN=pi.hole
mbedTLS(ssl_tls12_server.c:732, 3): subject name      : CN=pi.hole
mbedTLS(ssl_tls12_server.c:732, 3): issued  on        : 2001-01-01 00:00:00
mbedTLS(ssl_tls12_server.c:732, 3): expires on        : 2030-12-31 23:59:59
mbedTLS(ssl_tls12_server.c:732, 3): signed using      : ECDSA with SHA256
mbedTLS(ssl_tls12_server.c:732, 3): EC key size       : 521 bits
mbedTLS(ssl_tls12_server.c:732, 3): basic constraints : CA=false
mbedTLS(ssl_tls12_server.c:732, 3): value of 'crt->eckey.Q(X)' (519 bits) is:
mbedTLS(ssl_tls12_server.c:732, 3):  6c 7e b1 4b c6 0c 25 c3 5d 1d ac 59 64 02 78 56
mbedTLS(ssl_tls12_server.c:732, 3):  ac 02 b4 fb a1 13 6c 48 87 5c ca 8c 65 d5 2f 78
mbedTLS(ssl_tls12_server.c:732, 3):  99 af 13 df 0e 1e c5 bb 55 5a e9 99 83 9e c9 54
mbedTLS(ssl_tls12_server.c:732, 3):  30 a4 38 46 92 10 2b d6 a5 2e b3 24 1e c7 b6 12
mbedTLS(ssl_tls12_server.c:732, 3):  9d
mbedTLS(ssl_tls12_server.c:732, 3): value of 'crt->eckey.Q(Y)' (521 bits) is:
mbedTLS(ssl_tls12_server.c:732, 3):  01 e2 68 b4 9a c8 f2 c5 9e 40 f2 1d 7b 81 a8 09
mbedTLS(ssl_tls12_server.c:732, 3):  7c 25 f2 e6 b0 43 05 00 72 a3 8b c4 14 8a 97 47
mbedTLS(ssl_tls12_server.c:732, 3):  f5 59 e4 a8 8d 6d 37 6d e5 be a5 2e 60 88 3b 72
mbedTLS(ssl_tls12_server.c:732, 3):  da 2a 3f 5d 66 4f 90 e6 0c a1 6a 32 1e 7f eb 7e
mbedTLS(ssl_tls12_server.c:732, 3):  7a 04
mbedTLS(ssl_tls12_server.c:773, 3): certificate mismatch: elliptic curve                              <-------------------
mbedTLS(ssl_tls12_server.c:862, 3): ciphersuite mismatch: no suitable certificate                     <-------------------
mbedTLS(ssl_tls12_server.c:1638, 1): got ciphersuites in common, but none of them usable
mbedTLS(ssl_msg.c:4868, 2): => send alert message
mbedTLS(ssl_msg.c:4869, 3): send alert level=2 message=40
mbedTLS(ssl_msg.c:2714, 2): => write record
mbedTLS(ssl_msg.c:2798, 3): output record: msgtype = 21, version = [3:3], msglen = 2
mbedTLS(ssl_msg.c:2124, 2): => flush output
mbedTLS(ssl_msg.c:2138, 2): message length: 7, out_left: 7
mbedTLS(ssl_msg.c:2145, 2): ssl->f_send() returned 7 (-0xfffffff9)
mbedTLS(ssl_msg.c:2172, 2): <= flush output
mbedTLS(ssl_msg.c:2851, 2): <= write record
mbedTLS(ssl_msg.c:4880, 2): <= send alert message
mbedTLS(ssl_tls.c:3950, 2): <= handshake
mbedTLS(ssl_tls.c:4868, 2): => free
mbedTLS(ssl_tls.c:4933, 2): <= free

Debug output from Firefox (working!):

mbedTLS(ssl_tls12_server.c:1048, 3): client hello v3, handshake type: 1
mbedTLS(ssl_tls12_server.c:1056, 3): client hello v3, handshake len.: 508
mbedTLS(ssl_tls12_server.c:1158, 3): dumping 'client hello, version' (2 bytes)
mbedTLS(ssl_tls12_server.c:1158, 3): 0000:  03 03                                            ..
mbedTLS(ssl_tls12_server.c:1173, 3): dumping 'client hello, random bytes' (32 bytes)
mbedTLS(ssl_tls12_server.c:1173, 3): 0000:  4d b7 69 66 ba a0 a4 d2 96 09 e4 b3 d4 9e 17 05  M.if............
mbedTLS(ssl_tls12_server.c:1173, 3): 0010:  32 6d 28 25 2a 5d 7d 1f 0f ac 3c e0 05 b1 de 97  2m(%*]}...<.....
mbedTLS(ssl_tls12_server.c:1190, 3): dumping 'client hello, session id' (32 bytes)
mbedTLS(ssl_tls12_server.c:1190, 3): 0000:  a7 5e c7 2d e7 87 2b fd 93 9c 80 33 07 a5 bc c1  .^.-..+....3....
mbedTLS(ssl_tls12_server.c:1190, 3): 0010:  f3 60 88 ad d7 34 b1 d0 df 8b c7 a7 ac 5d 3b d2  .`...4.......];.
mbedTLS(ssl_tls12_server.c:1264, 3): dumping 'client hello, ciphersuitelist' (34 bytes)
mbedTLS(ssl_tls12_server.c:1264, 3): 0000:  13 01 13 03 13 02 c0 2b c0 2f cc a9 cc a8 c0 2c  .......+./.....,
mbedTLS(ssl_tls12_server.c:1264, 3): 0010:  c0 30 c0 0a c0 09 c0 13 c0 14 00 9c 00 9d 00 2f  .0............./
mbedTLS(ssl_tls12_server.c:1264, 3): 0020:  00 35                                            .5
mbedTLS(ssl_tls12_server.c:1286, 3): dumping 'client hello, compression' (1 bytes)
mbedTLS(ssl_tls12_server.c:1286, 3): 0000:  00                                               .
mbedTLS(ssl_tls12_server.c:1315, 3): dumping 'client hello extensions' (401 bytes)
mbedTLS(ssl_tls12_server.c:1315, 3): 0000:  00 17 00 00 ff 01 00 01 00 00 0a 00 0e 00 0c 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0010:  1d 00 17 00 18 00 19 01 00 01 01 00 0b 00 02 01  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0020:  00 00 23 00 00 00 10 00 0e 00 0c 02 68 32 08 68  ..#.........h2.h
mbedTLS(ssl_tls12_server.c:1315, 3): 0030:  74 74 70 2f 31 2e 31 00 05 00 05 01 00 00 00 00  ttp/1.1.........
mbedTLS(ssl_tls12_server.c:1315, 3): 0040:  00 22 00 0a 00 08 04 03 05 03 06 03 02 03 00 33  .".............3
mbedTLS(ssl_tls12_server.c:1315, 3): 0050:  00 6b 00 69 00 1d 00 20 01 08 07 b6 92 17 e8 c1  .k.i... ........
mbedTLS(ssl_tls12_server.c:1315, 3): 0060:  43 17 34 96 94 18 e0 23 9c 35 9f a4 a7 18 14 e1  C.4....#.5......
mbedTLS(ssl_tls12_server.c:1315, 3): 0070:  4e 37 d6 01 0a ec 7b 65 00 17 00 41 04 d0 a7 95  N7....{e...A....
mbedTLS(ssl_tls12_server.c:1315, 3): 0080:  fa 28 35 0d 4d 2b 85 6a 88 fd 7c 9d d2 92 af d5  .(5.M+.j..|.....
mbedTLS(ssl_tls12_server.c:1315, 3): 0090:  2d 74 8e 88 fd d1 61 a0 c8 d8 fe 26 58 65 3e 68  -t....a....&Xe>h
mbedTLS(ssl_tls12_server.c:1315, 3): 00a0:  0a 69 74 e1 32 8c f6 1e 63 e3 39 64 db 50 fe 6e  .it.2...c.9d.P.n
mbedTLS(ssl_tls12_server.c:1315, 3): 00b0:  fe ab b9 95 d7 3a 60 13 a6 19 fd 57 cf 00 2b 00  .....:`....W..+.
mbedTLS(ssl_tls12_server.c:1315, 3): 00c0:  05 04 03 04 03 03 00 0d 00 18 00 16 04 03 05 03  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 00d0:  06 03 08 04 08 05 08 06 04 01 05 01 06 01 02 03  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 00e0:  02 01 00 2d 00 02 01 01 00 1c 00 02 40 01 00 15  ...-........@...
mbedTLS(ssl_tls12_server.c:1315, 3): 00f0:  00 9f 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0100:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0110:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0120:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0130:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0140:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0150:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0160:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0170:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0180:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0190:  00                                               .
mbedTLS(ssl_tls12_server.c:1441, 3): found extended master secret extension
mbedTLS(ssl_tls12_server.c:1348, 3): found renegotiation extension
mbedTLS(ssl_tls12_server.c:1375, 3): found supported elliptic curves extension
mbedTLS(ssl_tls12_server.c:1384, 3): found supported point formats extension
mbedTLS(ssl_tls12_server.c:1452, 3): found session ticket extension
mbedTLS(ssl_tls12_server.c:1463, 3): found alpn extension
mbedTLS(ssl_tls12_server.c:1485, 3): unknown extension found: 5 (ignoring)
mbedTLS(ssl_tls12_server.c:1485, 3): unknown extension found: 34 (ignoring)
mbedTLS(ssl_tls12_server.c:1485, 3): unknown extension found: 51 (ignoring)
mbedTLS(ssl_tls12_server.c:1485, 3): unknown extension found: 43 (ignoring)
mbedTLS(ssl_tls12_server.c:1361, 3): found signature_algorithms extension
mbedTLS(ssl_tls12_server.c:1485, 3): unknown extension found: 45 (ignoring)
mbedTLS(ssl_tls12_server.c:1485, 3): unknown extension found: 28 (ignoring)
mbedTLS(ssl_tls12_server.c:1485, 3): unknown extension found: 21 (ignoring)
mbedTLS(ssl_tls12_server.c:814, 3): trying ciphersuite: 0xc02b (TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256)
mbedTLS(ssl_tls12_server.c:723, 3): ciphersuite requires certificate
mbedTLS(ssl_tls12_server.c:732, 3): candidate certificate chain, certificate #1:
mbedTLS(ssl_tls12_server.c:732, 3): cert. version     : 3
mbedTLS(ssl_tls12_server.c:732, 3): serial number     : 33:36:37:35:33:35:36:32:39:31:32:37:30:39:33
mbedTLS(ssl_tls12_server.c:732, 3): issuer name       : CN=pi.hole
mbedTLS(ssl_tls12_server.c:732, 3): subject name      : CN=pi.hole
mbedTLS(ssl_tls12_server.c:732, 3): issued  on        : 2001-01-01 00:00:00
mbedTLS(ssl_tls12_server.c:732, 3): expires on        : 2030-12-31 23:59:59
mbedTLS(ssl_tls12_server.c:732, 3): signed using      : ECDSA with SHA256
mbedTLS(ssl_tls12_server.c:732, 3): EC key size       : 521 bits
mbedTLS(ssl_tls12_server.c:732, 3): basic constraints : CA=false
mbedTLS(ssl_tls12_server.c:732, 3): value of 'crt->eckey.Q(X)' (519 bits) is:
mbedTLS(ssl_tls12_server.c:732, 3):  6c 7e b1 4b c6 0c 25 c3 5d 1d ac 59 64 02 78 56
mbedTLS(ssl_tls12_server.c:732, 3):  ac 02 b4 fb a1 13 6c 48 87 5c ca 8c 65 d5 2f 78
mbedTLS(ssl_tls12_server.c:732, 3):  99 af 13 df 0e 1e c5 bb 55 5a e9 99 83 9e c9 54
mbedTLS(ssl_tls12_server.c:732, 3):  30 a4 38 46 92 10 2b d6 a5 2e b3 24 1e c7 b6 12
mbedTLS(ssl_tls12_server.c:732, 3):  9d
mbedTLS(ssl_tls12_server.c:732, 3): value of 'crt->eckey.Q(Y)' (521 bits) is:
mbedTLS(ssl_tls12_server.c:732, 3):  01 e2 68 b4 9a c8 f2 c5 9e 40 f2 1d 7b 81 a8 09
mbedTLS(ssl_tls12_server.c:732, 3):  7c 25 f2 e6 b0 43 05 00 72 a3 8b c4 14 8a 97 47
mbedTLS(ssl_tls12_server.c:732, 3):  f5 59 e4 a8 8d 6d 37 6d e5 be a5 2e 60 88 3b 72
mbedTLS(ssl_tls12_server.c:732, 3):  da 2a 3f 5d 66 4f 90 e6 0c a1 6a 32 1e 7f eb 7e
mbedTLS(ssl_tls12_server.c:732, 3):  7a 04
mbedTLS(ssl_tls12_server.c:785, 3): selected certificate chain, certificate #1:
mbedTLS(ssl_tls12_server.c:785, 3): cert. version     : 3
mbedTLS(ssl_tls12_server.c:785, 3): serial number     : 33:36:37:35:33:35:36:32:39:31:32:37:30:39:33
mbedTLS(ssl_tls12_server.c:785, 3): issuer name       : CN=pi.hole
mbedTLS(ssl_tls12_server.c:785, 3): subject name      : CN=pi.hole
mbedTLS(ssl_tls12_server.c:785, 3): issued  on        : 2001-01-01 00:00:00
mbedTLS(ssl_tls12_server.c:785, 3): expires on        : 2030-12-31 23:59:59
mbedTLS(ssl_tls12_server.c:785, 3): signed using      : ECDSA with SHA256
mbedTLS(ssl_tls12_server.c:785, 3): EC key size       : 521 bits
mbedTLS(ssl_tls12_server.c:785, 3): basic constraints : CA=false
mbedTLS(ssl_tls12_server.c:785, 3): value of 'crt->eckey.Q(X)' (519 bits) is:
mbedTLS(ssl_tls12_server.c:785, 3):  6c 7e b1 4b c6 0c 25 c3 5d 1d ac 59 64 02 78 56
mbedTLS(ssl_tls12_server.c:785, 3):  ac 02 b4 fb a1 13 6c 48 87 5c ca 8c 65 d5 2f 78
mbedTLS(ssl_tls12_server.c:785, 3):  99 af 13 df 0e 1e c5 bb 55 5a e9 99 83 9e c9 54
mbedTLS(ssl_tls12_server.c:785, 3):  30 a4 38 46 92 10 2b d6 a5 2e b3 24 1e c7 b6 12
mbedTLS(ssl_tls12_server.c:785, 3):  9d
mbedTLS(ssl_tls12_server.c:785, 3): value of 'crt->eckey.Q(Y)' (521 bits) is:
mbedTLS(ssl_tls12_server.c:785, 3):  01 e2 68 b4 9a c8 f2 c5 9e 40 f2 1d 7b 81 a8 09
mbedTLS(ssl_tls12_server.c:785, 3):  7c 25 f2 e6 b0 43 05 00 72 a3 8b c4 14 8a 97 47
mbedTLS(ssl_tls12_server.c:785, 3):  f5 59 e4 a8 8d 6d 37 6d e5 be a5 2e 60 88 3b 72
mbedTLS(ssl_tls12_server.c:785, 3):  da 2a 3f 5d 66 4f 90 e6 0c a1 6a 32 1e 7f eb 7e
mbedTLS(ssl_tls12_server.c:785, 3):  7a 04
mbedTLS(ssl_tls12_server.c:1651, 2): selected ciphersuite: TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
mbedTLS(ssl_tls12_server.c:1671, 3): client hello v3, signature_algorithm ext: 4
mbedTLS(ssl_tls12_server.c:1679, 2): <= parse client hello
mbedTLS(ssl_msg.c:2124, 2): => flush output
mbedTLS(ssl_msg.c:2133, 2): <= flush output
mbedTLS(ssl_tls12_server.c:4228, 2): server state: 2
mbedTLS(ssl_tls12_server.c:2163, 2): => write server hello

[everything works... not showing more lines]

DL6ER changed the title from "mbedTLS 3.4.0" to "mbedTLS 3.4.0 failing with Chrome" on Jul 5, 2023
DL6ER changed the title from "mbedTLS 3.4.0 failing with Chrome" to "mbedTLS 3.4.0 failing with Chrome (Ubuntu and Android)" on Jul 5, 2023

DL6ER commented Jul 5, 2023

The used certificate is:


waleed-elmelegy-arm self-assigned this Jul 6, 2023

yuhaoth commented Jul 7, 2023

That's because Chrome does not support secp521r1 and Firefox supports it. Your private key is secp521r1. Regenerating the certificate with a Chrome-supported private key can resolve that.

From Chrome's log, it supports x25519, secp256r1 and secp384r1 (00 1d 00 17 00 18)

mbedTLS(ssl_tls12_server.c:1315, 3): 0070:  03 04 03 03 00 0a 00 0a 00 08 ca ca 00 1d 00 17  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0080:  00 18 00 0d 00 14 00 12 04 03 08 04 04 01 05 03  ................

From Firefox's log, it supports x25519, secp256r1, secp384r1 and secp521r1 (00 1d 00 17 00 18 00 19)

mbedTLS(ssl_tls12_server.c:1315, 3): 0000:  00 17 00 00 ff 01 00 01 00 00 0a 00 0e 00 0c 00  ................
mbedTLS(ssl_tls12_server.c:1315, 3): 0010:  1d 00 17 00 18 00 19 01 00 01 01 00 0b 00 02 01  ................


yuhaoth commented Jul 7, 2023

The issue can be reproduced with the following command (test.{key,crt} are from @DL6ER's comment; it should be executed in the tests folder):

../programs/ssl/ssl_server2 server_addr=0.0.0.0 server_port=443 allow_sha1=1 debug_level=5 crt_file=../test.crt key_file=../test.key

And it is resolved with the following command (crt_file and key_file exist in tests/data_files; it should be executed in the tests folder):

../programs/ssl/ssl_server2 server_addr=0.0.0.0 server_port=443 allow_sha1=1 debug_level=5 crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key
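
Added example (not part of the thread and not Mbed TLS's own code): a small parser that walks the ClientHello extension bytes from the two debug dumps, extracts the supported_groups list (extension type 0x000a), and checks whether the certificate's curve is among the groups the client offered. The byte arrays are excerpts copied from the dumps in this issue; the function names and return conventions are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXT_SUPPORTED_GROUPS 0x000a  /* TLS extension type 10 */
#define GROUP_SECP256R1      0x0017
#define GROUP_SECP521R1      0x0019  /* curve of the certificate key in this issue */

/* Excerpts of the two 'client hello extensions' dumps above, cut at extension
 * boundaries: Chrome offsets 0x69-0x99, Firefox offsets 0x00-0x20. */
static const uint8_t CHROME_EXT[] = {
    0x00,0x2b,0x00,0x07,0x06,0x9a,0x9a,0x03,0x04,0x03,0x03,
    0x00,0x0a,0x00,0x0a,0x00,0x08,0xca,0xca,0x00,0x1d,0x00,0x17,0x00,0x18,
    0x00,0x0d,0x00,0x14,0x00,0x12,0x04,0x03,0x08,0x04,0x04,0x01,0x05,0x03,
    0x08,0x05,0x05,0x01,0x08,0x06,0x06,0x01,0x02,0x01 };
static const uint8_t FIREFOX_EXT[] = {
    0x00,0x17,0x00,0x00, 0xff,0x01,0x00,0x01,0x00,
    0x00,0x0a,0x00,0x0e,0x00,0x0c,0x00,0x1d,0x00,0x17,0x00,0x18,0x00,0x19,
    0x01,0x00,0x01,0x01, 0x00,0x0b,0x00,0x02,0x01,0x00 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* GREASE placeholders have two identical bytes with low nibble 0xa (e.g. 0xcaca). */
static int is_grease(uint16_t v) { return (v & 0x0f0f) == 0x0a0a && (v >> 8) == (v & 0xff); }

/* Copy the non-GREASE entries of supported_groups into out[].
 * Returns the number of groups, -1 if the bytes are malformed or out[] is
 * too small, -2 if the extension is absent. */
int supported_groups(const uint8_t *ext, size_t len, uint16_t *out, size_t max)
{
    size_t pos = 0;
    while (len - pos >= 4) {
        uint16_t type = rd16(ext + pos);
        size_t elen = rd16(ext + pos + 2);
        pos += 4;
        if (elen > len - pos) return -1;          /* body runs past the buffer */
        if (type == EXT_SUPPORTED_GROUPS) {
            size_t list_len, n = 0;
            if (elen < 2) return -1;
            list_len = rd16(ext + pos);
            if (list_len != elen - 2 || list_len % 2 != 0) return -1;
            for (size_t i = 0; i < list_len; i += 2) {
                uint16_t g = rd16(ext + pos + 2 + i);
                if (is_grease(g)) continue;
                if (n == max) return -1;
                out[n++] = g;
            }
            return (int)n;
        }
        pos += elen;                              /* skip any other extension */
    }
    return pos == len ? -2 : -1;                  /* trailing bytes are malformed */
}

/* 1 if the client offered cert_group, 0 if not, negative on parse failure. */
int cert_curve_offered(const uint8_t *ext, size_t len, uint16_t cert_group)
{
    uint16_t groups[32];
    int n = supported_groups(ext, len, groups, 32);
    if (n < 0) return n;
    for (int i = 0; i < n; i++)
        if (groups[i] == cert_group) return 1;
    return 0;
}

int main(void)
{
    printf("Chrome  offers secp521r1: %d\n",
           cert_curve_offered(CHROME_EXT, sizeof CHROME_EXT, GROUP_SECP521R1));
    printf("Firefox offers secp521r1: %d\n",
           cert_curve_offered(FIREFOX_EXT, sizeof FIREFOX_EXT, GROUP_SECP521R1));
    printf("Chrome  offers secp256r1: %d\n",
           cert_curve_offered(CHROME_EXT, sizeof CHROME_EXT, GROUP_SECP256R1));
    return 0;
}
```

A result of 0 for Chrome with secp521r1 corresponds to the "certificate mismatch: elliptic curve" lines in the failing log, and the result of 1 for secp256r1 matches the fix of switching to a secp256r1 certificate.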
