TLDR: We use wolfssl 4.6 and when we tried to upgrade to 4.7 we discovered that it seems to be backward incompatible, i.e. nodes using 4.7 could not talk to nodes using 4.6 via TLS, hence no nodes can talk to each other, because SSL is required.
Details:
We use only TLS1.3 via wolfSSL_CTX_set_min_proto_version(tlsCtx, TLS1_3_VERSION)
TLS certificates are not being used
We use only 2 ciphersuites:
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_256_GCM_SHA384
TLDR: We use wolfssl 4.6 and when we tried to upgrade to 4.7 we discovered that it seems to be backward incompatible, i.e. nodes using 4.7 could not talk to nodes using 4.6 via TLS, hence no nodes can talk to each other, because SSL is required.
Details:
* We use only TLS1.3 via `wolfSSL_CTX_set_min_proto_version(tlsCtx, TLS1_3_VERSION)`
* TLS certificates are not being used
* We use only 2 ciphersuites:
* TLS_CHACHA20_POLY1305_SHA256
* TLS_AES_256_GCM_SHA384
@jahway603 I updated the wolfssl branch so that it is the latest dev branch but using wolfssl 4.7.0 instead of 4.6.0 . If you are able to try that branch out and we can work together to see exactly what SSL errors happen when trying to connect to the rest of the network, that will give us more data for the bug report. We could also try a new version of wolfssl but I have no idea if stuff is backward compatible and our code might not even compile with the most recent wolfssl versions. I think if we can identify exactly what changed between 4.6.0 and 4.7.0 and point out exactly how wolfssl broke backcompat between those 2 versions, that will help wolfssl understand exactly what happened and hopefully suggest an upgrade path for us.
@jahway603 I updated the `wolfssl` branch so that it is the latest dev branch but using wolfssl 4.7.0 instead of 4.6.0 . If you are able to try that branch out and we can work together to see exactly what SSL errors happen when trying to connect to the rest of the network, that will give us more data for the bug report. We could also try a new version of wolfssl but I have no idea if stuff is backward compatible and our code might not even compile with the most recent wolfssl versions. I think if we can identify exactly what changed between 4.6.0 and 4.7.0 and point out exactly how wolfssl broke backcompat between those 2 versions, that will help wolfssl understand exactly what happened and hopefully suggest an upgrade path for us.
It seems that wolfSSL_X509_verify changed it's error code from returning WOLFSSL_SUCCESS (1) to WOLFSSL_ERROR_NONE (0) . Since wolfssl does not have any tests for this function my guess is that they did this on accident. Disabling our error checking makes our code work with 4.8.0 through 5.2.0 . 5.3.0 is not compatible with our code since they changed the names of many things.
Commit 809c0a4b38 disables the error check which allows our full node to correctly startup and then make connections to peers
We now use wolfssl 5.2.0 on the `wolfssl` branch.
It seems that `wolfSSL_X509_verify` changed it's error code from returning WOLFSSL_SUCCESS (1) to WOLFSSL_ERROR_NONE (0) . Since wolfssl does not have any tests for this function my guess is that they did this on accident. Disabling our error checking makes our code work with 4.8.0 through 5.2.0 . 5.3.0 is not compatible with our code since they changed the names of many things.
Commit 809c0a4b38d2ec251d61390d808968864a554530 disables the error check which allows our full node to correctly startup and then make connections to peers
duke
jahway603
TLDR: We use wolfssl 4.6 and when we tried to upgrade to 4.7 we discovered that it seems to be backward incompatible, i.e. nodes using 4.7 could not talk to nodes using 4.6 via TLS, hence no nodes can talk to each other, because SSL is required.
Details:
wolfSSL_CTX_set_min_proto_version(tlsCtx, TLS1_3_VERSION)@jahway603 I updated the
wolfsslbranch so that it is the latest dev branch but using wolfssl 4.7.0 instead of 4.6.0 . If you are able to try that branch out and we can work together to see exactly what SSL errors happen when trying to connect to the rest of the network, that will give us more data for the bug report. We could also try a new version of wolfssl but I have no idea if stuff is backward compatible and our code might not even compile with the most recent wolfssl versions. I think if we can identify exactly what changed between 4.6.0 and 4.7.0 and point out exactly how wolfssl broke backcompat between those 2 versions, that will help wolfssl understand exactly what happened and hopefully suggest an upgrade path for us.We now use wolfssl 5.2.0 on the
wolfsslbranch.It seems that
wolfSSL_X509_verifychanged it's error code from returning WOLFSSL_SUCCESS (1) to WOLFSSL_ERROR_NONE (0) . Since wolfssl does not have any tests for this function my guess is that they did this on accident. Disabling our error checking makes our code work with 4.8.0 through 5.2.0 . 5.3.0 is not compatible with our code since they changed the names of many things.Commit
809c0a4b38disables the error check which allows our full node to correctly startup and then make connections to peers@jahway603 I was able to do a fresh sync on the
wolfsslbranch with 5.2.0@duke I was also able to do a complete fresh sync on the
wolfsslbranch with 5.2.0.ok,
wolfsslbranch has been merged intodev, closing this