Hi Jeff,

 

There is a specification document for the TLS 1.2 handshake (RFC 5246: https://tools.ietf.org/html/rfc5246) that I think might help finding out what is going on. There is a graph depicting the handshake on page 37 which I think can be particularly useful.

 

Regards,

Janos

 

From: mbed-tls <mbed-tls-bounces@lists.trustedfirmware.org> on behalf of "Thompson, Jeff via mbed-tls" <mbed-tls@lists.trustedfirmware.org>
Reply to: "Thompson, Jeff" <JeffThompson@invue.com>
Date: Monday, 29 June 2020 at 02:02
To: "mbed-tls@lists.trustedfirmware.org" <mbed-tls@lists.trustedfirmware.org>
Subject: Re: [mbed-tls] Choosing a cipher

 

Another baby step in discovering what's happening. The last message from the server tells the client to change ciphersuites. I don't even know what a ciohersuite actually is—something like RSA, AES,  or DES?—never mind how to change mine, though I have seen the list; my, what a lot of conditionals it has.

So, am I still dealing with a certificate issue? Where do I go from here?

Get Outlook for Android

 

From: mbed-tls <mbed-tls-bounces@lists.trustedfirmware.org> on behalf of Thompson, Jeff via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Sent: Friday, June 26, 2020 12:52:27 PM
To: mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>
Subject: Re: [mbed-tls] Choosing a cipher

 

A little progress. I figured out where—ssl_encrypt_buf() in ssl_tls.c—to output the name of the offending ciphersuite, which is included in all 3 of the preconfigure Google Cloud SSL policies.

 

So what’s going on here? Why should the mbedTLS client wait forever for 5 bytes it will never get, stalling the connection, instead timing out or otherwise detecting an error it could return?

 

I’m totally at a loss for what to do with this, other than looking for a commercially supported alternative, which I don’t think would be received very well by my manager.

 

Jeff Thompson  |  Senior Electrical Engineer-Firmware
+1 704 752 6513 x1394
www.invue.com

 

From: Thompson, Jeff
Sent: Friday, June 26, 2020 09:40
To: mbed-tls@lists.trustedfirmware.org
Subject: Choosing a cipher

 

The TLS handshake between my device and ghs.googlehosted.com gets stalled when the server sends the device a Change Cipher Spec message—the device waits forever, wanting 5 more bytes. From what I Google’d, I need to change the cipher suite I’m using. How do I know which cipher the server doesn’t like (so I can avoid that in future), and which one I should be using—there are scores of these available in the config file, though some of them clearly should not be used, as they are commented that way..

 

Jeff Thompson  |  Senior Electrical Engineer-Firmware
+1 704 752 6513 x1394
www.invue.com