When using embedded-tls, the connection to some HTTP servers fails during the key exchange, e.g. when querying
https://www.meteoblue.com/de/server/search/query3?query=Bonn
Apparently, this is the corresponding issue:
Log trace:
2024-12-22T22:42:18.574406Z DEBUG embedded_tls::write_buffer: start_record(Handshake(false))
2024-12-22T22:42:18.577555Z TRACE embedded_tls::asynch: State ClientHello -> ServerHello
2024-12-22T22:42:18.597960Z DEBUG embedded_tls::record_reader: advance: Handshake - content_length = 123 bytes
2024-12-22T22:42:18.597984Z TRACE embedded_tls::handshake: handshake = ServerHello
2024-12-22T22:42:18.597998Z TRACE embedded_tls::extensions::messages: Extension buffer: 79
2024-12-22T22:42:18.598009Z DEBUG embedded_tls::extensions::messages: Read extension type KeyShare
2024-12-22T22:42:18.598016Z TRACE embedded_tls::extensions::messages: Extension data length: 69
2024-12-22T22:42:18.598024Z TRACE embedded_tls::extensions::messages: Extension buffer: 6
2024-12-22T22:42:18.598032Z DEBUG embedded_tls::extensions::messages: Read extension type SupportedVersions
2024-12-22T22:42:18.598040Z TRACE embedded_tls::extensions::messages: Extension data length: 2
2024-12-22T22:42:18.598046Z TRACE embedded_tls::extensions::messages: Read 2 extensions
2024-12-22T22:42:18.598053Z DEBUG embedded_tls::handshake::server_hello: server cipher_suite TlsAes128GcmSha256
2024-12-22T22:42:18.598060Z DEBUG embedded_tls::handshake::server_hello: server extensions [KeyShare(KeyShareServerHello(KeyShareEntry { group: Secp256r1, opaque: [4, 57, 95, 189, 177, 102, 79, 239, 150, 229, 81, 54, 211, 118, 3, 183, 16, 44, 165, 82, 251, 225, 86, 25, 174, 80, 15, 115, 17, 141, 68, 156, 231, 225, 126, 192, 17, 13, 73, 224, 200, 183, 239, 66, 98, 253, 43, 109, 130, 97, 22, 97, 159, 154, 217, 231, 43, 98, 29, 15, 233, 48, 63, 254, 65] })), SupportedVersions(SupportedVersionsServerHello { selected_version: ProtocolVersion(772) })]
2024-12-22T22:42:18.598150Z TRACE embedded_tls::connection: ********* ServerHello
2024-12-22T22:42:18.601249Z TRACE embedded_tls::asynch: State ServerHello -> ServerVerify
2024-12-22T22:42:18.601258Z DEBUG embedded_tls::record_reader: advance: ChangeCipherSpec - content_length = 1 bytes
2024-12-22T22:42:18.601267Z TRACE embedded_tls::connection: Not decrypting: content_type = ChangeCipherSpec
2024-12-22T22:42:18.601273Z TRACE embedded_tls::asynch: State ServerVerify -> ServerVerify
2024-12-22T22:42:18.601279Z DEBUG embedded_tls::record_reader: advance: ApplicationData - content_length = 3094 bytes
2024-12-22T22:42:18.602262Z TRACE embedded_tls::connection: Decrypting: content type = Handshake
2024-12-22T22:42:18.602270Z TRACE embedded_tls::handshake: handshake = EncryptedExtensions
2024-12-22T22:42:18.602298Z TRACE embedded_tls::extensions::messages: Extension buffer: 4
2024-12-22T22:42:18.602310Z DEBUG embedded_tls::extensions::messages: Read extension type ServerName
2024-12-22T22:42:18.602317Z TRACE embedded_tls::extensions::messages: Extension data length: 0
2024-12-22T22:42:18.602325Z TRACE embedded_tls::extensions::messages: Read 1 extensions
2024-12-22T22:42:18.602333Z TRACE embedded_tls::handshake: handshake = Certificate
2024-12-22T22:42:18.602342Z TRACE embedded_tls::extensions::messages: Read 0 extensions
2024-12-22T22:42:18.602350Z TRACE embedded_tls::extensions::messages: Read 0 extensions
2024-12-22T22:42:18.602514Z DEBUG embedded_tls::connection: Certificate verified!
2024-12-22T22:42:18.602522Z TRACE embedded_tls::asynch: State ServerVerify -> ServerVerify
2024-12-22T22:42:18.602530Z DEBUG embedded_tls::record_reader: advance: ApplicationData - content_length = 19 bytes
2024-12-22T22:42:18.602621Z TRACE embedded_tls::connection: Decrypting: content type = Alert
2024-12-22T22:42:18.602628Z TRACE embedded_tls::connection: Alert: Alert { level: Fatal, description: HandshakeFailure }
2024-12-22T22:42:18.602710Z TRACE runtime::resource::state_update: tx_dropped=true tx_dropped.op="override"
2024-12-22T22:42:18.602725Z TRACE runtime::resource::poll_op: op_name="poll_recv" is_ready=true
2024-12-22T22:42:18.602737Z TRACE runtime::resource::state_update: rx_dropped=true rx_dropped.op="override"
Error: Tls(InvalidRecord)
Injecting the line `config = config.enable_rsa_signatures();` into the connect function of HttpClient in client.rs does the trick.
I'm not really sure why this has to be enabled manually in embedded-tls. However, if this is a common problem, it should be either configurable or enabled by default.
P.S.: Thanks for developing this great library :)
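Added diagnostic example, not code from the issue or from embedded-tls: a small parser that lists the signature schemes a captured ClientHello offers, so that a client failing with a fatal handshake_failure right after the server's Certificate can be checked for whether it offers any RSA scheme at all. It assumes the reporter's fix works because the default hello omits RSA signature schemes while the server's certificate is RSA; the sample ClientHello bytes are constructed inline, not a real capture.

```python
"""Inspect the signature schemes a TLS 1.3 ClientHello offers (added example)."""
import struct
# IANA TLS SignatureScheme code points (RFC 8446, section 4.2.3)
SIG_SCHEMES = {
    0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384", 0x0601: "rsa_pkcs1_sha512",
    0x0403: "ecdsa_secp256r1_sha256", 0x0503: "ecdsa_secp384r1_sha384",
    0x0603: "ecdsa_secp521r1_sha512", 0x0807: "ed25519", 0x0808: "ed448",
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384", 0x0806: "rsa_pss_rsae_sha512",
    0x0809: "rsa_pss_pss_sha256", 0x080A: "rsa_pss_pss_sha384", 0x080B: "rsa_pss_pss_sha512",
}
EXT_SIGNATURE_ALGORITHMS = 13

def client_hello_extensions(body: bytes) -> dict:
    """Walk a ClientHello body (the bytes after the 4-byte handshake header)
    and return {extension_type: extension_data}."""
    pos = 2 + 32                                   # legacy_version + random
    pos += 1 + body[pos]                           # legacy_session_id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2 + cs_len                              # cipher_suites
    pos += 1 + body[pos]                           # legacy_compression_methods
    (ext_len,) = struct.unpack_from("!H", body, pos)
    pos, end, exts = pos + 2, pos + 2 + ext_len, {}
    while pos < end:
        ext_type, data_len = struct.unpack_from("!HH", body, pos)
        exts[ext_type] = body[pos + 4:pos + 4 + data_len]
        pos += 4 + data_len
    return exts

def offered_signature_schemes(body: bytes) -> list:
    """Names of the schemes in the signature_algorithms extension, in order."""
    data = client_hello_extensions(body).get(EXT_SIGNATURE_ALGORITHMS, b"")
    if len(data) < 2:
        return []
    (n,) = struct.unpack_from("!H", data)
    codes = struct.unpack_from("!%dH" % (n // 2), data, 2)
    return [SIG_SCHEMES.get(c, "unknown_0x%04x" % c) for c in codes]

def offers_rsa(body: bytes) -> bool:
    """True if the client could accept a CertificateVerify made with an RSA key."""
    return any(s.startswith("rsa_") for s in offered_signature_schemes(body))

def build_client_hello(schemes) -> bytes:
    """Constructed sample ClientHello body (zero random, one suite); not a real capture."""
    sig_alg = struct.pack("!H", 2 * len(schemes)) + b"".join(struct.pack("!H", s) for s in schemes)
    ext = struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(sig_alg)) + sig_alg
    return (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)

ECDSA_ONLY = build_client_hello([0x0403, 0x0503, 0x0807])   # assumed default: no RSA scheme
WITH_RSA = build_client_hello([0x0403, 0x0804, 0x0805, 0x0806])
```

If a failing client's hello parses like ECDSA_ONLY while the server presents an RSA certificate, the fatal alert after Certificate is expected, and offering the rsa_pss_rsae_* schemes is the fix the reporter describes.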