TechQA.

The right way to use MbedTLS's TLS 1.3 client?

242 views Asked by At

On any x86_64 Linux. Current development branch a021d63bf7f5b33fc2e4b567a8db99de049318f2.

git clone --depth 1 https://github.com/Mbed-TLS/mbedtls
cd mbedtls
make -j$(nproc) CFLAGS=-DMBEDTLS_SSL_PROTO_TLS1_3=1

echo "========== curl www.google.com =========="
curl -vvvk --tlsv1.3 https://www.google.com > /dev/null

echo "========== mbedtls www.google.com =========="
programs/ssl/ssl_client2 server_name=www.google.com server_port=443 ca_path=/etc/ssl/certs/ force_version=tls13

The curl runs well, but mbedtls's programs/ssl/ssl_client2 seems unable to make request with TLS 1.3 to www.google.com . It runs normal if force_version=tls12.

========== mbedtls www.google.com ==========
build version: Mbed TLS 3.5.1 (build 50659584)

  . Seeding the random number generator... ok
  . Loading the CA root certificate ... ok (0 skipped)
  . Loading the client cert. and key... ok (key type: RSA)
  . Setting up the SSL/TLS structure... ok
  . Connecting to tcp/www.google.com/443... ok
  . Performing the SSL/TLS handshake... failed
  ! mbedtls_ssl_handshake returned -0x7200

Last error was: -0x7200 - SSL - An invalid SSL record was received

And here my testing on GitHub Actions.

So, how to use MbedTLS's TLS 1.3 client? Is this a bug or not? I see many bugs about tls 1.3 in MbedTLS's issues list.

c linux ssl tls1.3 mbedtls
Original Q&A
1

There are 1 answers

0
kkocdko On

Define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE=1 is required.

make -j$(nproc) CFLAGS="-DMBEDTLS_SSL_PROTO_TLS1_3=1 -DMBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE=1"

Related Questions in C

Related Questions in LINUX

Related Questions in SSL

Related Questions in TLS1.3

Related Questions in MBEDTLS

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions