TLS Client Hello failed with a server that uses an ed25519-signed certificate

My app implements an HTTP client with NSURLSession. When the app tried to communicate with a server that uses an ed25519-signed certificate, it failed at the TLS Client Hello (handshake failed).
Log captured in Xcode:
2021-02-19 20:05:32.895350+0800 app[1915:295071] [boringssl] boringssl_context_handle_fatal_alert(1763) [C1:2][0x1229fea70] read alert, level: fatal, description: handshake failure
2021-02-19 20:05:32.915327+0800 app[1915:295071] [boringssl] boringssl_session_handshake_incomplete(90) [C1:2][0x1229fea70] SSL library error
2021-02-19 20:05:32.915660+0800 app[1915:295071] [boringssl] boringssl_session_handshake_error_print(41) [C1:2][0x1229fea70] Error: 4943533208:error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE:/Library/Caches/com.apple.xbs/Sources/boringssl/boringssl-351.40.2/ssl/tls_record.cc:592:SSL alert number 40
2021-02-19 20:05:32.915925+0800 app[1915:295071] [boringssl] boringssl_session_handshake_error_print(41) [C1:2][0x1229fea70] Error: 4943533208:error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO:/Library/Caches/com.apple.xbs/Sources/boringssl/boringssl-351.40.2/ssl/handshake.cc:604:
2021-02-19 20:05:32.916085+0800 app[1915:295071] [boringssl] nw_protocol_boringssl_handshake_negotiate_proceed(767) [C1:2][0x1229fea70] handshake failed at state 12288: not completed


It seems there is no ed25519 entry in the signature_algorithms extension of the Client Hello message.

Here are the signature algorithms captured in that extension from iOS 14.2:
ECDSA with SHA-256
RSASSA-PSS with SHA-256
RSASSA-PKCS1-v1_5 with SHA-256
ECDSA with SHA-384
ECDSA with SHA-1
RSASSA-PSS with SHA-384
RSASSA-PSS with SHA-384
RSASSA-PKCS1-v1_5 with SHA-384
RSASSA-PSS with SHA-512
RSASSA-PKCS1-v1_5 with SHA-512
RSASSA-PKCS1-v1_5 with SHA-1


How can I fix it?
How can my app transport data to a server that uses an ed25519-signed certificate?
The first thing I would do is take a packet trace if you think there is a handshake negotiation failure going on in the Client Hello. "Alert number 40" after the Client Hello could mean that a cipher suite was not agreed upon by the server, or that there was an issue with the server's certificate for specific Subject Name information. To find out what is happening here, the best thing to do is look at it over the wire with a packet trace.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Hi Matt,
After taking a packet trace, we found there are no ed25519 signature algorithms in the Client Hello packet. It didn't pass validation in the TLS negotiation by our server, which is using an ed25519-signed certificate.

How can I add the ed25519 signature algorithm to the Client Hello packet?

1. Part of the Client Hello packet from iOS 14.2:
Cipher Suites (27 suites)
Cipher Suite: Reserved (GREASE) (0x8a8a)
Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Extension: signature_algorithms (len=24)
Type: signature_algorithms (13)
Length: 24
Signature Hash Algorithms Length: 22
Signature Hash Algorithms (11 algorithms)
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
Signature Algorithm: ecdsa_sha1 (0x0203)
Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
Extension: supported_versions (len=11)
Type: supported_versions (43)
Length: 11
Supported Versions length: 10
Supported Version: Unknown (0xfafa)
Supported Version: TLS 1.3 (0x0304)
Supported Version: TLS 1.2 (0x0303)
Supported Version: TLS 1.1 (0x0302)
Supported Version: TLS 1.0 (0x0301)

2. Server response:
Transport Layer Security
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 2
Alert Message
Level: Fatal (2)
Description: Handshake Failure (40)
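As an added example (not code from the thread or from Apple), here is a small parser that decodes a raw signature_algorithms extension and applies the server-side decision behind the alert 40 seen above. The scheme code points are the RFC 8446 values; the extension bytes are constructed from the eleven entries listed in the iOS 14.2 capture.

```python
import struct
from typing import List

# TLS SignatureScheme code points from RFC 8446, section 4.2.3 (subset)
SIGNATURE_SCHEMES = {
    0x0201: "rsa_pkcs1_sha1", 0x0203: "ecdsa_sha1",
    0x0401: "rsa_pkcs1_sha256", 0x0403: "ecdsa_secp256r1_sha256",
    0x0501: "rsa_pkcs1_sha384", 0x0503: "ecdsa_secp384r1_sha384",
    0x0601: "rsa_pkcs1_sha512", 0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512", 0x0807: "ed25519", 0x0808: "ed448",
}
EXT_SIGNATURE_ALGORITHMS = 13

# Constructed from the iOS 14.2 capture quoted in the thread:
# type 13, extension length 24, list length 22, eleven 2-byte schemes.
IOS_14_2_SIGALGS_EXT = bytes.fromhex(
    "000d" "0018" "0016"
    "0403" "0804" "0401" "0503" "0203" "0805" "0805" "0501" "0806" "0601" "0201"
)

def parse_signature_algorithms(ext: bytes) -> List[int]:
    """Parse a raw signature_algorithms extension (type, length, list) into scheme code points."""
    if len(ext) < 6:
        raise ValueError("extension truncated")
    ext_type, ext_len, list_len = struct.unpack("!HHH", ext[:6])
    if ext_type != EXT_SIGNATURE_ALGORITHMS:
        raise ValueError(f"extension type {ext_type} is not signature_algorithms")
    # Reject inconsistent framing instead of reading past the list
    if ext_len != len(ext) - 4 or list_len != ext_len - 2 or list_len % 2:
        raise ValueError("inconsistent length fields")
    body = ext[6:6 + list_len]
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, list_len, 2)]

def handshake_outcome(offered: List[int], cert_scheme: int) -> str:
    """A server whose certificate key can only produce cert_scheme signatures
    has to abort with handshake_failure (alert 40) if the client never offered it."""
    return "ok" if cert_scheme in offered else "handshake_failure"

def describe(schemes: List[int]) -> List[str]:
    return [SIGNATURE_SCHEMES.get(s, f"unknown(0x{s:04x})") for s in schemes]

if __name__ == "__main__":
    offered = parse_signature_algorithms(IOS_14_2_SIGALGS_EXT)
    for name in describe(offered):
        print(name)
    # Ed25519-only server key: nothing matches, so alert 40 as in the capture.
    print("ed25519 server:", handshake_outcome(offered, 0x0807))
    # P-256 ECDSA server key: ecdsa_secp256r1_sha256 is offered.
    print("P-256 server:  ", handshake_outcome(offered, 0x0403))
```

Run it against your own capture by replacing the constructed bytes with the extension bytes from the trace; the same check shows at a glance which certificate key types the client can accept.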


After taking a packet trace, we found there are no ed25519 signature algorithms in the Client Hello packet. It didn't pass validation in the TLS negotiation by our server, which is using an ed25519-signed certificate.

Okay, you have now determined where the breakdown is. You will now need to align your server to negotiate the security requirements that the iOS device is presenting in the Client Hello. I would talk to your server-side team for more information on how to align your certificate requirements with those presented by the iOS device.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Hi Matt,
Thanks for replying.
  1. Is it possible to add ed25519 to the security requirements that the iOS device presents in the Client Hello?

  2. Our server URL is in the attachment; could you help us diagnose why it failed to negotiate with the iOS device?

  3. Is there any solution to make secure connections between an iOS device and a server with an ed25519-signed certificate?


Our server URL is in the attachment; could you help us diagnose why it failed to negotiate with the iOS device?

It looks like you have already done this in the thread above.

Is it possible to add ed25519 to the security requirements that the iOS device presents in the Client Hello?

You can open an enhancement request for this, but the shortest path to success here would be to support the negotiated security requirements sent to your server from the iOS device.

Is there any solution to make secure connections between an iOS device and a server with an ed25519-signed certificate?

If this is a self-signed certificate, my recommendation to you would be to get a leaf certificate issued from one of the CAs that already exist in the device's trust store. This will give you the most flexibility in configuring your server for communicating with an iOS device.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com