[Bug]: Can't establish TLS connections to https://traxxas.com/ #7735

Open
fabiankeil opened this issue Jul 10, 2024 · 3 comments

@fabiankeil
Contributor

Contact Details

GitHub or fk@fabiankeil.de

Version

5.7.2 and 5.7.0

Description

SourceForge user withoutname reported in Privoxy SF bug #1765 that Privoxy 3.0.35 can't establish TLS connections to https://traxxas.com/ when linked to wolfSSL 5.7.

It works with OpenSSL and MbedTLS.

The issue is reproducible with the recently released wolfSSL 5.7.2 and with curl instead of Privoxy as well.

Reproduction steps

Build Privoxy or curl with wolfSSL support and try to access https://traxxas.com/.

Note that wolfSSL support for Privoxy is only available in git master.

The log output below has been created with curl configured with:
./configure --with-wolfssl --disable-shared --enable-debug --enable-maintainer-mode
and curl patched by adding:
wolfSSL_Debugging_ON();
before:
ret = wolfSSL_connect(backend->handle);
in curl's lib/vtls/wolfssl.c.

wolfSSL has been built using the FreeBSD port on ElectroBSD 13.3-STABLE with:
CONFIGURE_ARGS= --disable-dependency-tracking --enable-certgen --enable-debug --enable-des3 --enable-dh --enable-dsa --enable-dtls --enable-ecc --enable-fastmath --enable-fasthugemath --enable-ipv6 --enable-keygen --enable-opensslall --enable-opensslextra --enable-renegotiation-indication --enable-ripemd --enable-sessioncerts --enable-session-ticket --enable-sp --enable-sp-asm --enable-sp-math-all --enable-sha512 --enable-shared --enable-sni --enable-ssh --enable-static --enable-tls13 --enable-tls13-draft18
and:
CFLAGS+= -DWOLFSSL_ALT_NAMES -DFP_MAX_BITS=8192 -DNO_WOLFSSL_STUB -DWOLFSSL_ALT_CERT_CHAINS -DHAVE_IO_TIMEOUT

Relevant log output

fk@t520 ~ $~/git/curl/src/curl -v --head --noproxy "*" https://traxxas.com/
* !!! WARNING !!!
* This is a debug build of libcurl, do not use in production.
* STATE: INIT => SETUP handle 0x828ea7808; line 1936
* STATE: SETUP => CONNECT handle 0x828ea7808; line 1952
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => RESOLVING handle 0x828ea7808; line 1978
* Host traxxas.com:443 was resolved.
* IPv6: (none)
* IPv4: 147.75.0.118
* STATE: RESOLVING => CONNECTING handle 0x828ea7808; line 2052
*   Trying 147.75.0.118:443...
* Connected to traxxas.com (147.75.0.118) port 443
* Did not find Session ID in cache for host https://traxxas.com:443
* successfully set certificate verify locations:
*  CAfile: /usr/local/share/certs/ca-root-nss.crt
*  CApath: /etc/ssl/certs
TLS 1.2 or lower
wolfSSL Entering wolfSSL_connect
wolfSSL Entering ReinitSSL
wolfSSL Entering RetrySendAlert
wolfSSL Entering SendTls13ClientHello
Adding signature algorithms extension
Adding supported versions extension
wolfSSL Entering EccMakeKey
wolfSSL Leaving EccMakeKey, return 0
growing output buffer
PSK Key Exchange Modes extension to write
Key Share extension to write
Supported Versions extension to write
Signature Algorithms extension to write
Point Formats extension to write
Supported Groups extension to write
Encrypt-Then-Mac extension to write
SNI extension to write
EMS extension to write
wolfSSL Entering BioSend
wolfSSL Entering wolfSSL_BIO_write
wolfSSL Entering wolfSSL_BIO_get_data
wolfSSL Entering wolfSSL_BIO_clear_retry_flags
Shrinking output buffer
wolfSSL Leaving SendTls13ClientHello, return 0
connect state: CLIENT_HELLO_SENT
Server state up to needed state.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
wolfSSL Entering BioReceive
wolfSSL Entering wolfSSL_BIO_read
wolfSSL Entering wolfSSL_BIO_get_data
wolfSSL Entering wolfSSL_BIO_clear_retry_flags
wolfSSL Entering wolfSSL_BIO_set_flags
wolfSSL error occurred, error = -323
TLS 1.2 or lower
wolfSSL Entering wolfSSL_connect
wolfSSL Entering ReinitSSL
wolfSSL Entering RetrySendAlert
Server state up to needed state.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
wolfSSL Entering BioReceive
wolfSSL Entering wolfSSL_BIO_read
wolfSSL Entering wolfSSL_BIO_get_data
wolfSSL Entering wolfSSL_BIO_clear_retry_flags
wolfSSL Entering BioReceive
wolfSSL Entering wolfSSL_BIO_read
wolfSSL Entering wolfSSL_BIO_get_data
wolfSSL Entering wolfSSL_BIO_clear_retry_flags
received record layer msg
got ALERT!
Alert type: handshake_failure
wolfSSL error occurred, error = 40 line:20744 file:src/internal.c
wolfSSL error occurred, error = 313 line:9305 file:src/ssl.c
* SSL_connect failed with error -313: received alert fatal error
* multi_done[CONNECTING]: status: 35 prem: 1 done: 0
* multi_done, not reusing connection=0, forbid=0, close=0, premature=1, conn_multiplex=0
* The cache now contains 0 members
* Curl_disconnect(conn #0, aborted=1)
* closing connection #0
* [CCACHE] closing #0
curl: (35) SSL_connect failed with error -313: received alert fatal error
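For triaging reports like this one, a small log parser (added here as an example; it is not part of curl, wolfSSL or the report above) reduces a wolfSSL debug log to the facts that matter: which ClientHello routine ran, which extensions were written into it, which alert the server returned and which wolfSSL error codes were raised. The sample log is a trimmed excerpt of the one above; the error-code names come from wolfssl/error-ssl.h.

```python
import re

# Trimmed excerpt of the wolfSSL debug log posted above (constructed sample:
# only the lines the parser needs are kept, in their original order).
SAMPLE_LOG = """\
TLS 1.2 or lower
wolfSSL Entering SendTls13ClientHello
Key Share extension to write
Supported Versions extension to write
SNI extension to write
wolfSSL Leaving SendTls13ClientHello, return 0
wolfSSL error occurred, error = -323
got ALERT!
Alert type: handshake_failure
wolfSSL error occurred, error = 40 line:20744 file:src/internal.c
wolfSSL error occurred, error = 313 line:9305 file:src/ssl.c
"""

# Codes seen in this report, from wolfssl/error-ssl.h: WANT_READ is benign on a
# non-blocking socket, FATAL_ERROR means the peer sent a fatal alert.
WOLFSSL_ERRORS = {-313: "FATAL_ERROR", -323: "WANT_READ"}
# TLS alert descriptions (RFC 8446, section 6); wolfSSL logs the received alert
# number as an "error" from src/internal.c right after "got ALERT!".
TLS_ALERTS = {40: "handshake_failure"}

EXT_RE = re.compile(r"^(.+?) extension to write$")
ALERT_RE = re.compile(r"^Alert type: (\S+)$")
ERR_RE = re.compile(r"^wolfSSL error occurred, error = (-?\d+)(?: line:(\d+) file:(\S+))?$")

def summarize_handshake(log):
    """Reduce a wolfSSL debug log to the facts needed to triage a failed handshake."""
    s = {"client_hello": None, "extensions": [], "alerts": [], "errors": [], "fatal": False}
    for line in (l.strip() for l in log.splitlines()):
        if line.startswith("wolfSSL Entering Send") and line.endswith("ClientHello"):
            s["client_hello"] = line.split()[-1]  # SendClientHello or SendTls13ClientHello
        elif (m := EXT_RE.match(line)):
            s["extensions"].append(m.group(1))
        elif (m := ALERT_RE.match(line)):
            s["alerts"].append(m.group(1))
        elif (m := ERR_RE.match(line)):
            code = int(m.group(1))
            if code > 0 and s["alerts"] and code in TLS_ALERTS:
                name = "alert " + TLS_ALERTS[code]
            else:
                # ssl.c prints the code positive; normalise to the negative enum value
                name = WOLFSSL_ERRORS.get(-abs(code), "unknown")
            s["errors"].append((code, name, m.group(3)))
            s["fatal"] = s["fatal"] or name == "FATAL_ERROR"
    return s
```

Run against the full log above, the summary shows a TLS 1.3 ClientHello answered by a fatal handshake_failure alert before any ServerHello, which is what points the discussion below at the extension set offered by the client.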
@kareem-wolfssl
Contributor

Hi @fabiankeil ,

Thanks for the in-depth report; I will work on reproducing and debugging this tomorrow.
One thing I did notice is that you are not passing --enable-tlsx to your ./configure line; this enables all supported TLS extensions. You are enabling some of them but not all of them. Missing TLS extensions can cause issues like what you're seeing, so it's worth trying to enable them.

@fabiankeil
Contributor Author

fabiankeil commented Jul 11, 2024 via email

@kareem-wolfssl
Contributor

Thanks for the update. I was able to reproduce this here; I'm working on debugging this.
