igrr / axtls-8266

axTLS port for ESP8266

ssl->need_bytes issue

noelgeorgi opened this issue · comments

@igrr I am still getting the ssl->need_bytes error. I changed the value of ssl->max_plain_length to ssl->max_plain_length = 6000*4; which I think is the maximum value I can give. Here is the dump:

~ld
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 2
**cnt **
chg_B1:-40
..
connected with TechnoMan, channel 6
ip:172.16.0.120,mask:255.255.255.0,gw:172.16.0.1
.IP: 172.16.0.120
Successfully opened ca file
loaded
IP: 172.16.0.120
Thu Mar 17 19:56:05 2016

Error: Invalid X509 ASN.1 file (X509 not ok)
pm open,type:2 0
IP: 172.16.0.120
Error: Invalid X509 ASN.1 file (X509 not ok)
ssl->need_bytes=37663 > 25019
IP: 172.16.0.120
Error: Invalid X509 ASN.1 file (X509 not ok)
IP: 172.16.0.120
Error: Invalid X509 ASN.1 file (X509 not ok)
ssl->need_bytes=61896 > 25019
IP: 172.16.0.120
Error: Invalid X509 ASN.1 file (X509 not ok)
ssl->need_bytes=52978 > 25019
IP: 172.16.0.120
Error: Invalid X509 ASN.1 file (X509 not ok)
IP: 172.16.0.120
Error: Invalid X509 ASN.1 file (X509 not ok)
ssl->need_bytes=26851 > 25019

Looks like the other side is not talking over SSL. Per the SSL spec, fragment size cannot exceed 16 kilobytes, but your log shows that the message header indicates a size >16k (37663, 61896, 52978, 26851).

(so there is no point in setting max_plain_length above 16*1024 bytes)

@igrr What about Error: Invalid X509 ASN.1 file (X509 not ok)? And your library supports tlsv1.1, right?

That one is open in #10

@igrr This is the error I receive at the server side:
1458292496: OpenSSL Error: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Could you please give me a URL of the server so I can try myself?

It is an MQTT broker (mosquitto) running at frezbo.com on port 8883. I can successfully connect to it using MQTTfx, a client for Linux. How do I PM you the login details and cert files? The problem is that I cannot connect to the broker without providing a CA file to the MQTTfx client, but the esp8266 connects even if I do not load the CA file, with the above-mentioned error and frequent disconnections.

Okay, I don't think I need login details or correct cert files to establish a TLS connection. Obviously the server will kick me out later on, but your issue happens during handshake, so that would be enough.

@igrr I changed the MQTT library I was using from PubSubClient to Adafruit's MQTT library and there seems to be no issue so far. The funny fact is that loading or not loading the CA cert has no effect whatsoever.

commented

Same error here :-((

webSocket.beginSSL("dcf77logs.de", 443,"/ajax/liveview");

[WSc] Disconnected!
please start sntp first !
Error: Invalid X509 ASN.1 file (X509 not ok)

commented

With >>> webSocket.beginSSL("dcf77logs.de", 80,"/ajax/liveview");

please start sntp first !
ssl->need_bytes=20527 violates spec
[WSc] Disconnected!
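
The record-header check igrr describes above, as an added example (not part of the thread and not axTLS code): a TLS record starts with a 5-byte header, and a peer that answers in plaintext has its first bytes read as that header. All sample bytes are constructed; a reply beginning with HTTP/ decodes to a length of 20527, the value in the port-80 log above, and the 2^14 + 2048 ciphertext limit is the TLS 1.0-1.2 record-layer bound.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Record-layer limits for TLS 1.0-1.2 (RFC 5246, section 6.2). */
#define TLS_MAX_PLAINTEXT   16384u            /* 2^14 */
#define TLS_MAX_CIPHERTEXT  (16384u + 2048u)  /* 2^14 + 2048 */

enum rec_status { REC_OK, REC_SHORT, REC_BAD_TYPE, REC_BAD_VERSION, REC_TOO_LONG };

struct rec_hdr { uint8_t type; uint8_t major, minor; uint16_t length; };

/* Parse the 5-byte header: type(1) | version(2) | length(2, big-endian).
 * The fields are filled in even on failure so the caller can log them. */
enum rec_status parse_record_header(const uint8_t *buf, size_t n, struct rec_hdr *h)
{
    if (n < 5) return REC_SHORT;
    h->type   = buf[0];
    h->major  = buf[1];
    h->minor  = buf[2];
    h->length = (uint16_t)((buf[3] << 8) | buf[4]);

    /* change_cipher_spec(20), alert(21), handshake(22), application_data(23) */
    if (h->type < 20 || h->type > 23)   return REC_BAD_TYPE;
    if (h->major != 3)                  return REC_BAD_VERSION;
    if (h->length > TLS_MAX_CIPHERTEXT) return REC_TOO_LONG;
    return REC_OK;
}

/* Constructed samples, not captured traffic. */
static const uint8_t sample_tls[]  = { 0x16, 0x03, 0x03, 0x00, 0x5d }; /* handshake, TLS 1.2, 93 bytes */
static const uint8_t sample_big[]  = { 0x17, 0x03, 0x03, 0x93, 0x1f }; /* valid type, length 37663 */
static const uint8_t sample_http[] = { 'H', 'T', 'T', 'P', '/', '1', '.', '1' };

int main(void)
{
    struct rec_hdr h;
    enum rec_status s;

    s = parse_record_header(sample_tls, sizeof sample_tls, &h);
    printf("tls : status=%d type=%u ver=%u.%u len=%u\n", s, h.type, h.major, h.minor, h.length);
    s = parse_record_header(sample_big, sizeof sample_big, &h);
    printf("big : status=%d len=%u\n", s, h.length);
    s = parse_record_header(sample_http, sizeof sample_http, &h);
    printf("http: status=%d type=0x%02x len=%u\n", s, h.type, h.length);
    return 0;
}
```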