Hi Jeff,
There is a specification document for the TLS 1.2 handshake (RFC 5246: https://tools.ietf.org/html/rfc5246) that I think might help finding out what is going on. There is a graph depicting the handshake on page 37 which I think can be particularly useful.
Regards, Janos
From: mbed-tls mbed-tls-bounces@lists.trustedfirmware.org on behalf of "Thompson, Jeff via mbed-tls" mbed-tls@lists.trustedfirmware.org Reply to: "Thompson, Jeff" JeffThompson@invue.com Date: Monday, 29 June 2020 at 02:02 To: "mbed-tls@lists.trustedfirmware.org" mbed-tls@lists.trustedfirmware.org Subject: Re: [mbed-tls] Choosing a cipher
Another baby step in discovering what's happening. The last message from the server tells the client to change ciphersuites. I don't even know what a ciohersuite actually is—something like RSA, AES, or DES?—never mind how to change mine, though I have seen the list; my, what a lot of conditionals it has. So, am I still dealing with a certificate issue? Where do I go from here? Get Outlook for Androidhttps://aka.ms/ghei36
________________________________ From: mbed-tls mbed-tls-bounces@lists.trustedfirmware.org on behalf of Thompson, Jeff via mbed-tls mbed-tls@lists.trustedfirmware.org Sent: Friday, June 26, 2020 12:52:27 PM To: mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org Subject: Re: [mbed-tls] Choosing a cipher
A little progress. I figured out where—ssl_encrypt_buf() in ssl_tls.c—to output the name of the offending ciphersuite, which is included in all 3 of the preconfigure Google Cloud SSL policies.
So what’s going on here? Why should the mbedTLS client wait forever for 5 bytes it will never get, stalling the connection, instead timing out or otherwise detecting an error it could return?
I’m totally at a loss for what to do with this, other than looking for a commercially supported alternative, which I don’t think would be received very well by my manager.
Jeff Thompson | Senior Electrical Engineer-Firmware +1 704 752 6513 x1394 www.invue.com
[cid:image001.gif@01D64DFD.447A03C0]
From: Thompson, Jeff Sent: Friday, June 26, 2020 09:40 To: mbed-tls@lists.trustedfirmware.org Subject: Choosing a cipher
The TLS handshake between my device and ghs.googlehosted.com gets stalled when the server sends the device a Change Cipher Spec message—the device waits forever, wanting 5 more bytes. From what I Google’d, I need to change the cipher suite I’m using. How do I know which cipher the server doesn’t like (so I can avoid that in future), and which one I should be using—there are scores of these available in the config file, though some of them clearly should not be used, as they are commented that way..
Jeff Thompson | Senior Electrical Engineer-Firmware +1 704 752 6513 x1394 www.invue.com
[cid:image001.gif@01D64DFD.447A03C0]
mbed-tls@lists.trustedfirmware.org