Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

https connection to some servers fails during key exchange #96

Open
oleid opened this issue Dec 22, 2024 · 0 comments
Open

https connection to some servers fails during key exchange #96

oleid opened this issue Dec 22, 2024 · 0 comments

Comments

@oleid
Copy link

oleid commented Dec 22, 2024

When using embedded-tls connection to some http servers fails during key exchange, e.g. when querying

https://www.meteoblue.com/de/server/search/query3?query=Bonn

Apparently, this is the corresponding issue:

drogue-iot/embedded-tls#136

Log trace:

2024-12-22T22:42:18.574406Z DEBUG embedded_tls::write_buffer: start_record(Handshake(false))    
2024-12-22T22:42:18.577555Z TRACE embedded_tls::asynch: State ClientHello -> ServerHello    
2024-12-22T22:42:18.597960Z DEBUG embedded_tls::record_reader: advance: Handshake - content_length = 123 bytes    
2024-12-22T22:42:18.597984Z TRACE embedded_tls::handshake: handshake = ServerHello    
2024-12-22T22:42:18.597998Z TRACE embedded_tls::extensions::messages: Extension buffer: 79    
2024-12-22T22:42:18.598009Z DEBUG embedded_tls::extensions::messages: Read extension type KeyShare    
2024-12-22T22:42:18.598016Z TRACE embedded_tls::extensions::messages: Extension data length: 69    
2024-12-22T22:42:18.598024Z TRACE embedded_tls::extensions::messages: Extension buffer: 6    
2024-12-22T22:42:18.598032Z DEBUG embedded_tls::extensions::messages: Read extension type SupportedVersions    
2024-12-22T22:42:18.598040Z TRACE embedded_tls::extensions::messages: Extension data length: 2    
2024-12-22T22:42:18.598046Z TRACE embedded_tls::extensions::messages: Read 2 extensions    
2024-12-22T22:42:18.598053Z DEBUG embedded_tls::handshake::server_hello: server cipher_suite TlsAes128GcmSha256    
2024-12-22T22:42:18.598060Z DEBUG embedded_tls::handshake::server_hello: server extensions [KeyShare(KeyShareServerHello(KeyShareEntry { group: Secp256r1, opaque: [4, 57, 95, 189, 177, 102, 79, 239, 150, 229, 81, 54, 211, 118, 3, 183, 16, 44, 165, 82, 251, 225, 86, 25, 174, 80, 15, 115, 17, 141, 68, 156, 231, 225, 126, 192, 17, 13, 73, 224, 200, 183, 239, 66, 98, 253, 43, 109, 130, 97, 22, 97, 159, 154, 217, 231, 43, 98, 29, 15, 233, 48, 63, 254, 65] })), SupportedVersions(SupportedVersionsServerHello { selected_version: ProtocolVersion(772) })]    
2024-12-22T22:42:18.598150Z TRACE embedded_tls::connection: ********* ServerHello    
2024-12-22T22:42:18.601249Z TRACE embedded_tls::asynch: State ServerHello -> ServerVerify    
2024-12-22T22:42:18.601258Z DEBUG embedded_tls::record_reader: advance: ChangeCipherSpec - content_length = 1 bytes    
2024-12-22T22:42:18.601267Z TRACE embedded_tls::connection: Not decrypting: content_type = ChangeCipherSpec    
2024-12-22T22:42:18.601273Z TRACE embedded_tls::asynch: State ServerVerify -> ServerVerify    
2024-12-22T22:42:18.601279Z DEBUG embedded_tls::record_reader: advance: ApplicationData - content_length = 3094 bytes    
2024-12-22T22:42:18.602262Z TRACE embedded_tls::connection: Decrypting: content type = Handshake    
2024-12-22T22:42:18.602270Z TRACE embedded_tls::handshake: handshake = EncryptedExtensions    
2024-12-22T22:42:18.602298Z TRACE embedded_tls::extensions::messages: Extension buffer: 4    
2024-12-22T22:42:18.602310Z DEBUG embedded_tls::extensions::messages: Read extension type ServerName    
2024-12-22T22:42:18.602317Z TRACE embedded_tls::extensions::messages: Extension data length: 0    
2024-12-22T22:42:18.602325Z TRACE embedded_tls::extensions::messages: Read 1 extensions    
2024-12-22T22:42:18.602333Z TRACE embedded_tls::handshake: handshake = Certificate    
2024-12-22T22:42:18.602342Z TRACE embedded_tls::extensions::messages: Read 0 extensions    
2024-12-22T22:42:18.602350Z TRACE embedded_tls::extensions::messages: Read 0 extensions    
2024-12-22T22:42:18.602514Z DEBUG embedded_tls::connection: Certificate verified!    
2024-12-22T22:42:18.602522Z TRACE embedded_tls::asynch: State ServerVerify -> ServerVerify    
2024-12-22T22:42:18.602530Z DEBUG embedded_tls::record_reader: advance: ApplicationData - content_length = 19 bytes    
2024-12-22T22:42:18.602621Z TRACE embedded_tls::connection: Decrypting: content type = Alert    
2024-12-22T22:42:18.602628Z TRACE embedded_tls::connection: Alert: Alert { level: Fatal, description: HandshakeFailure }    
2024-12-22T22:42:18.602710Z TRACE runtime::resource::state_update: tx_dropped=true tx_dropped.op="override"
2024-12-22T22:42:18.602725Z TRACE runtime::resource::poll_op: op_name="poll_recv" is_ready=true
2024-12-22T22:42:18.602737Z TRACE runtime::resource::state_update: rx_dropped=true rx_dropped.op="override"
Error: Tls(InvalidRecord)

Injecting the line

                config = config.enable_rsa_signatures();

into the connect function of HttpClient in client.rs does the trick.

I'm not really sure why this has to be enabled manually in embedded-tls, however, if this is a common problem, it should be either configurable or enabled by default.

P.S.: Thanks for developing this great library :)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@oleid