TLS handshake error on Hotmail


renoc_4290386
Level 1

Hi,

   During my SMTP tests we used several email servers. With one of them we noticed that the TLS handshake simply hangs.

   This happens while using the smtp.office365.com server. I debugged the code and discovered that it gets stuck in the wiced_tcp_start_tls function, more specifically in the ssl_handshake_client_async call inside wiced_generic_start_tls_with_ciphers (WICED\security\BESL\host\WICED\wiced_tls.c).

    I sniffed the communication with Wireshark and compared it to other TLS connections that worked without any flaw. See the comparison below:

    OK connection (10.0.2.105 is our SMTP client):

#  Time           Source          Destination     Protocol  Len   Info
80 200.741399186  10.0.2.105      64.233.190.108  TLSv1.2   166   Client Hello
81 200.806354972  64.233.190.108  10.0.2.105      TCP       54    587 → 44159 [ACK] Seq=250 Ack=137 Win=60928 Len=0
82 200.807557616  64.233.190.108  10.0.2.105      TLSv1.2   1484  Server Hello
83 200.807665543  64.233.190.108  10.0.2.105      TLSv1.2   1362  Certificate, Server Key Exchange, Server Hello Done
84 200.812398331  10.0.2.105      64.233.190.108  TCP       60    44159 → 587 [ACK] Seq=137 Ack=1680 Win=7168 Len=0
85 200.963590875  10.0.2.105      64.233.190.108  TCP       60    44159 → 587 [ACK] Seq=137 Ack=2988 Win=7168 Len=0
86 201.027162462  10.0.2.105      64.233.190.108  TLSv1.2   129   Client Key Exchange
87 201.034224390  10.0.2.105      64.233.190.108  TLSv1.2   60    Change Cipher Spec

...... communication goes on.....

    Failed connection (10.0.2.105 is our SMTP client):

#  Time           Source        Destination   Protocol  Len   Info
31 39.003257162   10.0.2.105    52.97.71.146  TLSv1.2   166   Client Hello
32 39.024934963   52.97.71.146  10.0.2.105    TCP       1514  587 → 63509 [ACK] Seq=344 Ack=137 Win=1048560 Len=1460 [TCP segment of a reassembled PDU]
33 39.027059613   10.0.2.105    52.97.71.146  TCP       60    63509 → 587 [ACK] Seq=137 Ack=1804 Win=7168 Len=0
34 39.046741405   52.97.71.146  10.0.2.105    TCP       1514  587 → 63509 [ACK] Seq=1804 Ack=137 Win=1048560 Len=1460 [TCP segment of a reassembled PDU]
35 39.046814461   52.97.71.146  10.0.2.105    TLSv1.2   1048  Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
36 39.070273930   10.0.2.105    52.97.71.146  TCP       60    63509 → 587 [ACK] Seq=137 Ack=4258 Win=7168 Len=0

...... firmware hangs. No further message from client

     Notice that in the second example the 'Server Hello' is sent in the same message as the Certificate, Server Key Exchange ... 'Server Hello Done'.

     Did anybody face the same problem? Is there any reported issue in the TLS implementation for this case?

     My environment:

- BCM94343W_AVN

- WICED Version: 5.0.0

Thanks in advance,

Reynaldo

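Two things stand out in the captures above and are worth checking before stepping through wiced_tls.c. First, the only handshake-level difference between the two servers is the extra Certificate Request in frame 35: the Office 365 server asks for a client certificate, the Gmail server does not. In TLS 1.2 a client that receives a Certificate Request must answer with a Certificate message before its Client Key Exchange, sending an empty certificate list if it has nothing to offer (RFC 5246, section 7.4.6); a client stack with no code path for that message never produces its next flight, which would look exactly like the failing capture. Second, 'Server Hello' sharing a line with 'Server Hello Done' is Wireshark reassembling frames 32, 34 and 35 into one PDU; at the record layer the client has to cope with several handshake messages in one record, and with one message spanning records, in either case. The script below is an added example, not code from this thread or from WICED/mbedTLS: it builds two constructed server flights shaped like the two captures (message sizes invented, bodies zero-filled), parses them record by record the way a client must, and works out which flight the client owes in return, including the partial case where only the first TCP segment has arrived.

```python
"""Added example (not code from this thread or from WICED/mbedTLS): walk a
TLS 1.2 server handshake flight record by record, list the handshake messages
in it, and work out which flight the client owes in return (RFC 5246, 7.3).
The two flights at the bottom are constructed: sizes are invented and bodies
are zero-filled, since only the message framing matters here."""
import struct

HANDSHAKE = 22                      # TLS ContentType.handshake
HS_NAMES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate",
    12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
    16: "ClientKeyExchange",
}


def tls_record(body, content_type=HANDSHAKE, version=b"\x03\x03"):
    """TLSPlaintext: type(1) version(2) length(2) fragment."""
    return bytes([content_type]) + version + struct.pack(">H", len(body)) + body


def handshake_msg(msg_type, body):
    """Handshake: msg_type(1) length(3) body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def build_flight(messages, max_record=1460):
    """Serialize handshake messages back to back and cut the stream into records
    of at most max_record payload bytes. One record may carry several messages
    and one message may span records, exactly as RFC 5246 6.2.1 allows."""
    stream = b"".join(handshake_msg(t, bytes(n)) for t, n in messages)
    return b"".join(tls_record(stream[i:i + max_record])
                    for i in range(0, len(stream), max_record))


def parse_handshake_flight(data):
    """Return ([(name, body_len), ...], pending) for every complete handshake
    message in data. 'pending' is the number of buffered bytes of a message
    still waiting for its remaining fragments, i.e. the client must keep reading."""
    msgs, buf, off = [], b"", 0
    while off + 5 <= len(data):
        ctype = data[off]
        rlen = struct.unpack(">H", data[off + 3:off + 5])[0]
        if off + 5 + rlen > len(data):
            break                                   # record not fully received yet
        if ctype != HANDSHAKE:
            raise ValueError("unexpected content type %d in handshake" % ctype)
        buf += data[off + 5:off + 5 + rlen]
        off += 5 + rlen
        while len(buf) >= 4:                        # drain every complete message
            mlen = int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + mlen:
                break                               # fragment continues in next record
            msgs.append((HS_NAMES.get(buf[0], "type%d" % buf[0]), mlen))
            buf = buf[4 + mlen:]
    return msgs, len(buf)


def client_next_flight(server_msgs, have_client_cert=False):
    """What the client must send once ServerHelloDone has arrived, or None if
    the server flight is still incomplete. After a CertificateRequest the client
    MUST answer with a Certificate message, empty if it has none to offer
    (RFC 5246 7.4.6); CertificateVerify follows only if a certificate was sent."""
    names = [n for n, _ in server_msgs]
    if not names or names[-1] != "ServerHelloDone":
        return None
    asked = "CertificateRequest" in names
    flight = ["Certificate"] if asked else []
    flight.append("ClientKeyExchange")
    if asked and have_client_cert:
        flight.append("CertificateVerify")
    flight += ["ChangeCipherSpec", "Finished"]
    return flight


# Constructed flights: the first is shaped like the working capture in the post
# (no client certificate wanted), the second like the failing one, where the
# server also sends a CertificateRequest. All sizes are made up.
SERVER_ONLY_FLIGHT = build_flight([(2, 70), (11, 2000), (12, 300), (14, 0)])
MUTUAL_AUTH_FLIGHT = build_flight([(2, 70), (11, 2000), (12, 300), (13, 40), (14, 0)])

if __name__ == "__main__":
    for label, flight in (("server-only", SERVER_ONLY_FLIGHT),
                          ("certificate-request", MUTUAL_AUTH_FLIGHT)):
        msgs, pending = parse_handshake_flight(flight)
        print(label, [n for n, _ in msgs], "client sends:", client_next_flight(msgs))
    # Only the first record (one TCP segment) has arrived: nothing to send yet.
    print("partial:", parse_handshake_flight(MUTUAL_AUTH_FLIGHT[:5 + 1460]))
```

To look at the real server flight instead of a constructed one, `openssl s_client -connect smtp.office365.com:587 -starttls smtp -msg` prints every handshake message the server sends after STARTTLS, which shows directly whether a Certificate Request is present and what a working client answers with.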
1 Solution

Update:  I created an outlook.com account and then had my CYW943907AEVAL1F connect to:

(account)@outlook.com

SMTP Server Port Number : 587

TLS:  on

It makes it past the TLS handshake and continues on quite happily until the server realizes that I shouldn't have permission to send emails (an administrative thing).  Please see the log, attached.

Note that I am currently using WICED SDK 6.2 but with the mbedtls files from SDK 6.0 (per this: SDK6.2 Breaks TLS Compared to SDK6.0 (CYW943907AEVAL1F)).


4 Replies
ChMa_3922746
Level 5

You could try commenting out the following as a test:

mbedtls_eap_ssl_context_reinit( &tls_context->context );

Have you tried other mail servers?

Hi list_3922746! I tried Gmail, an internal server (Exchange) and Yahoo. All of them are working properly.


I see.  Your WICED version seems quite old.  Would you be able to build with a later version?  I know that some versions of mbedtls behave differently (e.g., a TLS memory leak in 6.2: SDK6.2 Breaks TLS Compared to SDK6.0 (CYW943907AEVAL1F)).  I wouldn't mind testing with the hotmail server.  I'll see if I can duplicate that.
