Mbed forum

How to use correct ciphersuite


(soohwan lee) #1

Hi,

While doing the handshake I got the following error.
Even using 131 ciphersuites it’s getting 0x7788.
So I wonder whether it’s a ciphersuite configuration issue or not.
If it’s a ciphersuite error, how can I know what kind of ciphersuite I should use for a specific server?

ssl_tls.c:6345: |2| => handshake
ssl_cli.c:3281: |2| client state: 0
ssl_tls.c:2418: |2| => flush output
ssl_tls.c:2430: |2| <= flush output
MBEDTLS_SSL_SRV_Cssl_cli.c:3281: |2| client state: 1
ssl_tls.c:2418: |2| => flush output
ssl_tls.c:2430: |2| <= flush output
ssl_cli.c:0719: |2| => write client hello
ssl_cli.c:0757: |3| client hello, max version: [3:3]
ssl_cli.c:0695: |3| client hello, current time: 1528965592
ssl_cli.c:0766: |3| dumping ‘client hello, random bytes’ (32 bytes)
ssl_cli.c:0766: |3| 0000: 5b 22 29 d8 61 ba 8e 55 38 b9 8a d3 0d 73 c2 9d [").a…U8…s…
ssl_cli.c:0766: |3| 0010: ef 85 ab a6 a4 19 e7 c1 48 77 61 a9 62 22 3c 97 …Hwa.b"<.
ssl_cli.c:0819: |3| client hello, session id len.: 0
ssl_cli.c:0820: |3| dumping ‘client hello, session id’ (0 bytes)
ssl_cli.c:0887: |3| client hello, add ciphersuite: c02c
ssl_cli.c:0887: |3| client hello, add ciphersuite: c030
ssl_cli.c:0887: |3| client hello, add ciphersuite: 009f
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0ad
ssl_cli.c:0887: |3| client hello, add ciphersuite: c09f
ssl_cli.c:0887: |3| client hello, add ciphersuite: c024
ssl_cli.c:0887: |3| client hello, add ciphersuite: c028
ssl_cli.c:0887: |3| client hello, add ciphersuite: 006b
ssl_cli.c:0887: |3| client hello, add ciphersuite: c00a
ssl_cli.c:0887: |3| client hello, add ciphersuite: c014
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0039
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0af
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0a3
ssl_cli.c:0887: |3| client hello, add ciphersuite: c087
ssl_cli.c:0887: |3| client hello, add ciphersuite: c08b
ssl_cli.c:0887: |3| client hello, add ciphersuite: c07d
ssl_cli.c:0887: |3| client hello, add ciphersuite: c073
ssl_cli.c:0887: |3| client hello, add ciphersuite: c077
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00c4
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0088
ssl_cli.c:0887: |3| client hello, add ciphersuite: c02b
ssl_cli.c:0887: |3| client hello, add ciphersuite: c02f
ssl_cli.c:0887: |3| client hello, add ciphersuite: 009e
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0ac
ssl_cli.c:0887: |3| client hello, add ciphersuite: c09e
ssl_cli.c:0887: |3| client hello, add ciphersuite: c023
ssl_cli.c:0887: |3| client hello, add ciphersuite: c027
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0067
ssl_cli.c:0887: |3| client hello, add ciphersuite: c009
ssl_cli.c:0887: |3| client hello, add ciphersuite: c013
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0033
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0ae
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0a2
ssl_cli.c:0887: |3| client hello, add ciphersuite: c086
ssl_cli.c:0887: |3| client hello, add ciphersuite: c08a
ssl_cli.c:0887: |3| client hello, add ciphersuite: c07c
ssl_cli.c:0887: |3| client hello, add ciphersuite: c072
ssl_cli.c:0887: |3| client hello, add ciphersuite: c076
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00be
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0045
ssl_cli.c:0887: |3| client hello, add ciphersuite: c008
ssl_cli.c:0887: |3| client hello, add ciphersuite: c012
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0016
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00ab
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0a7
ssl_cli.c:0887: |3| client hello, add ciphersuite: c038
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00b3
ssl_cli.c:0887: |3| client hello, add ciphersuite: c036
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0091
ssl_cli.c:0887: |3| client hello, add ciphersuite: c091
ssl_cli.c:0887: |3| client hello, add ciphersuite: c09b
ssl_cli.c:0887: |3| client hello, add ciphersuite: c097
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0ab
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00aa
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0a6
ssl_cli.c:0887: |3| client hello, add ciphersuite: c037
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00b2
ssl_cli.c:0887: |3| client hello, add ciphersuite: c035
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0090
ssl_cli.c:0887: |3| client hello, add ciphersuite: c090
ssl_cli.c:0887: |3| client hello, add ciphersuite: c096
ssl_cli.c:0887: |3| client hello, add ciphersuite: c09a
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0aa
ssl_cli.c:0887: |3| client hello, add ciphersuite: c034
ssl_cli.c:0887: |3| client hello, add ciphersuite: 008f
ssl_cli.c:0887: |3| client hello, add ciphersuite: 009d
ssl_cli.c:0887: |3| client hello, add ciphersuite: c09d
ssl_cli.c:0887: |3| client hello, add ciphersuite: 003d
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0035
ssl_cli.c:0887: |3| client hello, add ciphersuite: c032
ssl_cli.c:0887: |3| client hello, add ciphersuite: c02a
ssl_cli.c:0887: |3| client hello, add ciphersuite: c00f
ssl_cli.c:0887: |3| client hello, add ciphersuite: c02e
ssl_cli.c:0887: |3| client hello, add ciphersuite: c026
ssl_cli.c:0887: |3| client hello, add ciphersuite: c005
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0a1
ssl_cli.c:0887: |3| client hello, add ciphersuite: c07b
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00c0
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0084
ssl_cli.c:0887: |3| client hello, add ciphersuite: c08d
ssl_cli.c:0887: |3| client hello, add ciphersuite: c079
ssl_cli.c:0887: |3| client hello, add ciphersuite: c089
ssl_cli.c:0887: |3| client hello, add ciphersuite: c075
ssl_cli.c:0887: |3| client hello, add ciphersuite: 009c
ssl_cli.c:0887: |3| client hello, add ciphersuite: c09c
ssl_cli.c:0887: |3| client hello, add ciphersuite: 003c
ssl_cli.c:0887: |3| client hello, add ciphersuite: 002f
ssl_cli.c:0887: |3| client hello, add ciphersuite: c031
ssl_cli.c:0887: |3| client hello, add ciphersuite: c029
ssl_cli.c:0887: |3| client hello, add ciphersuite: c00e
ssl_cli.c:0887: |3| client hello, add ciphersuite: c02d
ssl_cli.c:0887: |3| client hello, add ciphersuite: c025
ssl_cli.c:0887: |3| client hello, add ciphersuite: c004
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0a0
ssl_cli.c:0887: |3| client hello, add ciphersuite: c07a
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00ba
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0041
ssl_cli.c:0887: |3| client hello, add ciphersuite: c08c
ssl_cli.c:0887: |3| client hello, add ciphersuite: c078
ssl_cli.c:0887: |3| client hello, add ciphersuite: c088
ssl_cli.c:0887: |3| client hello, add ciphersuite: c074
ssl_cli.c:0887: |3| client hello, add ciphersuite: 000a
ssl_cli.c:0887: |3| client hello, add ciphersuite: c00d
ssl_cli.c:0887: |3| client hello, add ciphersuite: c003
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00ad
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00b7
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0095
ssl_cli.c:0887: |3| client hello, add ciphersuite: c093
ssl_cli.c:0887: |3| client hello, add ciphersuite: c099
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00ac
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00b6
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0094
ssl_cli.c:0887: |3| client hello, add ciphersuite: c092
ssl_cli.c:0887: |3| client hello, add ciphersuite: c098
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0093
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00a9
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0a5
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00af
ssl_cli.c:0887: |3| client hello, add ciphersuite: 008d
ssl_cli.c:0887: |3| client hello, add ciphersuite: c08f
ssl_cli.c:0887: |3| client hello, add ciphersuite: c095
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0a9
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00a8
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0a4
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00ae
ssl_cli.c:0887: |3| client hello, add ciphersuite: 008c
ssl_cli.c:0887: |3| client hello, add ciphersuite: c08e
ssl_cli.c:0887: |3| client hello, add ciphersuite: c094
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0a8
ssl_cli.c:0887: |3| client hello, add ciphersuite: 008b
ssl_cli.c:0920: |3| client hello, got 131 ciphersuites
ssl_cli.c:0951: |3| client hello, compress len.: 1
ssl_cli.c:0953: |3| client hello, compress alg.: 0
ssl_cli.c:0074: |3| client hello, adding server name extension: mbed TLS Server 1
ssl_cli.c:0180: |3| client hello, adding signature_algorithms extension
ssl_cli.c:0265: |3| client hello, adding supported_elliptic_curves extension
ssl_cli.c:0328: |3| client hello, adding supported_point_formats extension
ssl_cli.c:0510: |3| client hello, adding encrypt_then_mac extension
ssl_cli.c:0544: |3| client hello, adding extended_master_secret extension
ssl_cli.c:0577: |3| client hello, adding session ticket extension
ssl_cli.c:1025: |3| client hello, total extension length: 98
ssl_tls.c:2703: |2| => write record
ssl_tls.c:2840: |3| output record: msgtype = 22, version = [3:1], msglen = 405
ssl_tls.c:2843: |4| dumping ‘output record sent to network’ (410 bytes)
ssl_tls.c:2843: |4| 0000: 16 03 01 01 95 01 00 01 91 03 03 5b 22 29 d8 61 …[").a
ssl_tls.c:2843: |4| 0010: ba 8e 55 38 b9 8a d3 0d 73 c2 9d ef 85 ab a6 a4 …U8…s…
ssl_tls.c:2843: |4| 0020: 19 e7 c1 48 77 61 a9 62 22 3c 97 00 01 06 c0 2c …Hwa.b"<…,
ssl_tls.c:2843: |4| 0030: c0 30 00 9f c0 ad c0 9f c0 24 c0 28 00 6b c0 0a .0…$.(.k…
ssl_tls.c:2843: |4| 0040: c0 14 00 39 c0 af c0 a3 c0 87 c0 8b c0 7d c0 73 …9…}.s
ssl_tls.c:2843: |4| 0050: c0 77 00 c4 00 88 c0 2b c0 2f 00 9e c0 ac c0 9e .w…+./…
ssl_tls.c:2843: |4| 0060: c0 23 c0 27 00 67 c0 09 c0 13 00 33 c0 ae c0 a2 .#.’.g…3…
ssl_tls.c:2843: |4| 0070: c0 86 c0 8a c0 7c c0 72 c0 76 00 be 00 45 c0 08 …|.r.v…E…
ssl_tls.c:2843: |4| 0080: c0 12 00 16 00 ab c0 a7 c0 38 00 b3 c0 36 00 91 …8…6…
ssl_tls.c:2843: |4| 0090: c0 91 c0 9b c0 97 c0 ab 00 aa c0 a6 c0 37 00 b2 …7…
ssl_tls.c:2843: |4| 00a0: c0 35 00 90 c0 90 c0 96 c0 9a c0 aa c0 34 00 8f .5…4…
ssl_tls.c:2843: |4| 00b0: 00 9d c0 9d 00 3d 00 35 c0 32 c0 2a c0 0f c0 2e …=.5.2.*…
ssl_tls.c:2843: |4| 00c0: c0 26 c0 05 c0 a1 c0 7b 00 c0 00 84 c0 8d c0 79 .&…{…y
ssl_tls.c:2843: |4| 00d0: c0 89 c0 75 00 9c c0 9c 00 3c 00 2f c0 31 c0 29 …u…<./.1.)
ssl_tls.c:2843: |4| 00e0: c0 0e c0 2d c0 25 c0 04 c0 a0 c0 7a 00 ba 00 41 …-.%…z…A
ssl_tls.c:2843: |4| 00f0: c0 8c c0 78 c0 88 c0 74 00 0a c0 0d c0 03 00 ad …x…t…
ssl_tls.c:2843: |4| 0100: 00 b7 00 95 c0 93 c0 99 00 ac 00 b6 00 94 c0 92 …
ssl_tls.c:2843: |4| 0110: c0 98 00 93 00 a9 c0 a5 00 af 00 8d c0 8f c0 95 …
ssl_tls.c:2843: |4| 0120: c0 a9 00 a8 c0 a4 00 ae 00 8c c0 8e c0 94 c0 a8 …
ssl_tls.c:2843: |4| 0130: 00 8b 00 ff 01 00 00 62 00 00 00 16 00 14 00 00 …b…
ssl_tls.c:2843: |4| 0140: 11 6d 62 65 64 20 54 4c 53 20 53 65 72 76 65 72 .mbed TLS Server
ssl_tls.c:2843: |4| 0150: 20 31 00 0d 00 16 00 14 06 03 06 01 05 03 05 01 1…
ssl_tls.c:2843: |4| 0160: 04 03 04 01 03 03 03 01 02 03 02 01 00 0a 00 18 …
ssl_tls.c:2843: |4| 0170: 00 16 00 19 00 1c 00 18 00 1b 00 17 00 16 00 1a …
ssl_tls.c:2843: |4| 0180: 00 15 00 14 00 13 00 12 00 0b 00 02 01 00 00 16 …
ssl_tls.c:2843: |4| 0190: 00 00 00 17 00 00 00 23 00 00 …#…
ssl_tls.c:2418: |2| => flush output
ssl_tls.c:2437: |2| message length: 410, out_left: 410
ssl_tls.c:2443: |2| ssl->f_send() returned 410 (-0xfffffe66)
ssl_tls.c:2462: |2| <= flush output
ssl_tls.c:2852: |2| <= write record
ssl_cli.c:1051: |2| <= write client hello
ssl_write_client_hello 0MBEDTLS_SSL_SRV_Cssl_cli.c:3281: |2| client state: 2
ssl_tls.c:2418: |2| => flush output
ssl_tls.c:2430: |2| <= flush output
ssl_cli.c:1412: |2| => parse server hello
ssl_tls.c:3730: |2| => read record
ssl_tls.c:2210: |2| => fetch input
ssl_tls.c:2368: |2| in_left: 0, nb_want: 5
ssl_tls.c:2392: |2| in_left: 0, nb_want: 5
ssl_tls.c:2393: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
ssl_tls.c:2405: |2| <= fetch input
ssl_tls.c:3481: |4| dumping ‘input record header’ (5 bytes)
ssl_tls.c:3481: |4| 0000: 15 03 03 00 02 …
ssl_tls.c:3490: |3| input record: msgtype = 21, version = [3:3], msglen = 2
ssl_tls.c:2210: |2| => fetch input
ssl_tls.c:2368: |2| in_left: 5, nb_want: 7
ssl_tls.c:2392: |2| in_left: 5, nb_want: 7
ssl_tls.c:2393: |2| ssl->f_recv(_timeout)() returned 2 (-0xfffffffe)
ssl_tls.c:2405: |2| <= fetch input
ssl_tls.c:3659: |4| dumping ‘input record from network’ (7 bytes)
ssl_tls.c:3659: |4| 0000: 15 03 03 00 02 02 28 …(
ssl_tls.c:3963: |2| got an alert message, type: [2:40]
ssl_tls.c:3971: |1| is a fatal alert message (msg 40)
ssl_tls.c:3746: |1| mbedtls_ssl_handle_message_type() returned -30592 (-0x7780)
ssl_cli.c:1418: |1| mbedtls_ssl_read_record() returned -30592 (-0x7780)
ssl_parse_server_hello -30592MBEDTLS_SSL_SRV_Cssl_tls.c:6355: |2| <= handshake

Thanks,
Soohwan.


(Ron Eldor) #3

Hi Soohwan,
I apologize for the delayed reply.

The error you are receiving is a fatal alert that the server sent when it received the Client Hello message.
It is because the server can’t negotiate a TLS connection, according to the information given in the Client Hello message.
There could be numerous reasons; one of them is that the server couldn’t find a matching ciphersuite.

As for your question:

If it’s a ciphersuite error, how can I know what kind of ciphersuite I should use for a specific server?

You can try SSL Labs to test this specific server, and you will see which ciphersuites it supports.

Regards,
Mbed TLS Team member
Ron
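
Added example, not part of the original posts and not Mbed TLS code: a small C decoder for the 7-byte alert record shown in the log (`15 03 03 00 02 02 28`), which reports it as a fatal `handshake_failure` (40). That code is generic and does not by itself name the ciphersuite list as the cause, which is why the server's supported suites still have to be checked separately. The struct and function names are this example's own; the alert codes are those defined in RFC 5246 and RFC 6066.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded TLS alert record (field names are this example's own). */
struct tls_alert {
    uint8_t ver_major, ver_minor;  /* record-layer version, 3.3 = TLS 1.2 */
    uint8_t level;                 /* 1 = warning, 2 = fatal */
    uint8_t desc;                  /* AlertDescription code */
};

/* Parse one plaintext alert record:
 * type(1) version(2) length(2) level(1) description(1).
 * Returns 0 on success, -1 if the buffer is not a well-formed alert record. */
int parse_alert_record(const uint8_t *buf, size_t len, struct tls_alert *out)
{
    if (buf == NULL || out == NULL || len < 7) return -1;
    if (buf[0] != 21) return -1;                          /* content type 21 = alert */
    if ((((size_t)buf[3] << 8) | buf[4]) != 2) return -1; /* alert body is 2 bytes */
    if (buf[5] != 1 && buf[5] != 2) return -1;            /* unknown alert level */
    out->ver_major = buf[1]; out->ver_minor = buf[2];
    out->level = buf[5];     out->desc = buf[6];
    return 0;
}

/* Alerts a server may send when it rejects a ClientHello. */
const char *alert_name(uint8_t desc)
{
    switch (desc) {
    case 40:  return "handshake_failure";     /* no acceptable parameters */
    case 47:  return "illegal_parameter";
    case 70:  return "protocol_version";
    case 71:  return "insufficient_security"; /* offered suites too weak */
    case 80:  return "internal_error";
    case 110: return "unsupported_extension";
    case 112: return "unrecognized_name";     /* SNI host name not known */
    default:  return "other";
    }
}

int main(void)
{
    /* Bytes copied from the "input record from network" dump in the log. */
    const uint8_t rec[] = { 0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28 };
    struct tls_alert a;
    if (parse_alert_record(rec, sizeof rec, &a) != 0) return 1;
    printf("%s alert %u (%s), record version %u.%u\n",
           a.level == 2 ? "fatal" : "warning", (unsigned)a.desc,
           alert_name(a.desc), (unsigned)a.ver_major, (unsigned)a.ver_minor);
    return 0;
}
```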