diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 305ac0050..e9250fcd3 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1750,6 +1750,15 @@ static int ssl_tls13_process_server_finished( mbedtls_ssl_context *ssl ) if( ret != 0 ) return( ret ); + ret = mbedtls_ssl_tls13_compute_application_transform( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( ret ); + } + #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) mbedtls_ssl_handshake_set_state( ssl, @@ -1825,6 +1834,14 @@ static int ssl_tls13_write_client_finished( mbedtls_ssl_context *ssl ) if( ret != 0 ) return( ret ); + ret = mbedtls_ssl_tls13_generate_resumption_master_secret( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, + "mbedtls_ssl_tls13_generate_resumption_master_secret ", ret ); + return ( ret ); + } + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_FLUSH_BUFFERS ); return( 0 ); } @@ -1844,11 +1861,6 @@ static int ssl_tls13_flush_buffers( mbedtls_ssl_context *ssl ) */ static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for inbound traffic" ) ); - mbedtls_ssl_set_inbound_transform ( ssl, ssl->transform_application ); - - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for outbound traffic" ) ); - mbedtls_ssl_set_outbound_transform( ssl, ssl->transform_application ); mbedtls_ssl_tls13_handshake_wrapup( ssl ); diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index f5e38abf5..e69fd7b62 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1120,80 +1120,6 @@ static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl, return( 0 ); } -#if defined(MBEDTLS_SSL_CLI_C) -static int ssl_tls13_postprocess_server_finished_message( mbedtls_ssl_context *ssl ) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - mbedtls_ssl_key_set traffic_keys; - mbedtls_ssl_transform *transform_application = NULL; - - ret = mbedtls_ssl_tls13_key_schedule_stage_application( ssl ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_tls13_key_schedule_stage_application", ret ); - goto cleanup; - } - - ret = mbedtls_ssl_tls13_generate_application_keys( ssl, &traffic_keys ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_tls13_generate_application_keys", ret ); - goto cleanup; - } - - transform_application = - mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) ); - if( transform_application == NULL ) - { - ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; - goto cleanup; - } - - ret = mbedtls_ssl_tls13_populate_transform( - transform_application, - ssl->conf->endpoint, - ssl->session_negotiate->ciphersuite, - &traffic_keys, - ssl ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret ); - goto cleanup; - } - - ssl->transform_application = transform_application; - -cleanup: - - mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) ); - if( ret != 0 ) - { - mbedtls_free( transform_application ); - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } - return( ret ); -} -#endif /* MBEDTLS_SSL_CLI_C */ - -static int ssl_tls13_postprocess_finished_message( mbedtls_ssl_context *ssl ) -{ - -#if defined(MBEDTLS_SSL_CLI_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) - { - return( ssl_tls13_postprocess_server_finished_message( ssl ) ); - } -#else - ((void) ssl); -#endif /* MBEDTLS_SSL_CLI_C */ - - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); -} - int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -1211,7 +1137,6 @@ int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_message( ssl, buf, buf + buf_len ) ); mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED, buf, buf_len ); - MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_finished_message( ssl ) ); cleanup: @@ -1248,14 +1173,6 @@ static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl ) return( 0 ); } -static int ssl_tls13_finalize_finished_message( mbedtls_ssl_context *ssl ) -{ - // TODO: Add back resumption keys calculation after MVP. - ((void) ssl); - - return( 0 ); -} - static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, @@ -1296,7 +1213,6 @@ int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl ) mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED, buf, msg_len ); - MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_finished_message( ssl ) ); MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl, buf_len, msg_len ) ); cleanup: @@ -1310,6 +1226,12 @@ void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for inbound traffic" ) ); + mbedtls_ssl_set_inbound_transform ( ssl, ssl->transform_application ); + + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for outbound traffic" ) ); + mbedtls_ssl_set_outbound_transform( ssl, ssl->transform_application ); + /* * Free the previous session and switch to the current one. */ diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index f3437a320..91cc4d9fc 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1473,9 +1473,6 @@ int mbedtls_ssl_tls13_generate_application_keys( handshake->tls13_master_secrets.app, transcript, transcript_len, app_secrets ); - /* Erase master secrets */ - mbedtls_platform_zeroize( &ssl->handshake->tls13_master_secrets, - sizeof( ssl->handshake->tls13_master_secrets ) ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, @@ -1598,4 +1595,67 @@ cleanup: return( ret ); } +int mbedtls_ssl_tls13_generate_resumption_master_secret( + mbedtls_ssl_context *ssl ) +{ + /* Erase master secrets */ + mbedtls_platform_zeroize( &ssl->handshake->tls13_master_secrets, + sizeof( ssl->handshake->tls13_master_secrets ) ); + return( 0 ); +} + +int mbedtls_ssl_tls13_compute_application_transform( mbedtls_ssl_context *ssl ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_ssl_key_set traffic_keys; + mbedtls_ssl_transform *transform_application = NULL; + + ret = mbedtls_ssl_tls13_key_schedule_stage_application( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, + "mbedtls_ssl_tls13_key_schedule_stage_application", ret ); + goto cleanup; + } + + ret = mbedtls_ssl_tls13_generate_application_keys( ssl, &traffic_keys ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, + "mbedtls_ssl_tls13_generate_application_keys", ret ); + goto cleanup; + } + + transform_application = + mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) ); + if( transform_application == NULL ) + { + ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; + goto cleanup; + } + + ret = mbedtls_ssl_tls13_populate_transform( + transform_application, + ssl->conf->endpoint, + ssl->session_negotiate->ciphersuite, + &traffic_keys, + ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret ); + goto cleanup; + } + + ssl->transform_application = transform_application; + +cleanup: + + mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) ); + if( ret != 0 ) + { + mbedtls_free( transform_application ); + } + return( ret ); +} + #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 676ebae8d..693b6c4df 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h @@ -610,6 +610,19 @@ int mbedtls_ssl_tls13_key_schedule_stage_application( mbedtls_ssl_context *ssl ) int mbedtls_ssl_tls13_generate_application_keys( mbedtls_ssl_context* ssl, mbedtls_ssl_key_set *traffic_keys ); +/** + * \brief Compute TLS 1.3 resumption master secret. + * + * \param ssl The SSL context to operate on. This must be in + * key schedule stage \c Application, see + * mbedtls_ssl_tls13_key_schedule_stage_application(). + * + * \returns \c 0 on success. + * \returns A negative error code on failure. + */ +int mbedtls_ssl_tls13_generate_resumption_master_secret( + mbedtls_ssl_context *ssl ); + /** * \brief Calculate the verify_data value for the client or server TLS 1.3 * Finished message. @@ -649,6 +662,17 @@ int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context *ssl, */ int mbedtls_ssl_tls13_compute_handshake_transform( mbedtls_ssl_context *ssl ); +/** + * \brief Compute TLS 1.3 application transform + * + * \param ssl The SSL context to operate on. The early secret must have been + * computed. + * + * \returns \c 0 on success. + * \returns A negative error code on failure. + */ +int mbedtls_ssl_tls13_compute_application_transform( mbedtls_ssl_context *ssl ); + #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 2aa62bf5c..8c8eb2ab6 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1476,6 +1476,67 @@ static int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +/* + * Handler for MBEDTLS_SSL_SERVER_FINISHED + */ +static int ssl_tls13_write_server_finished( mbedtls_ssl_context *ssl ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + ret = mbedtls_ssl_tls13_write_finished_message( ssl ); + if( ret != 0 ) + return( ret ); + + ret = mbedtls_ssl_tls13_compute_application_transform( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( ret ); + } + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED ); + return( 0 ); +} + +/* + * Handler for MBEDTLS_SSL_CLIENT_FINISHED + */ +static int ssl_tls13_process_client_finished( mbedtls_ssl_context *ssl ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "Switch to handshake traffic keys for inbound traffic" ) ); + mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake ); + + ret = mbedtls_ssl_tls13_process_finished_message( ssl ); + if( ret != 0 ) + return( ret ); + + ret = mbedtls_ssl_tls13_generate_resumption_master_secret( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, + "mbedtls_ssl_tls13_generate_resumption_master_secret ", ret ); + } + + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP ); + return( 0 ); +} + +/* + * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP + */ +static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl ) +{ + MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); + + mbedtls_ssl_tls13_handshake_wrapup( ssl ); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER ); + return( 0 ); +} + /* * TLS 1.3 State Machine -- server side */ @@ -1540,6 +1601,18 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) break; #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ + case MBEDTLS_SSL_SERVER_FINISHED: + ret = ssl_tls13_write_server_finished( ssl ); + break; + + case MBEDTLS_SSL_CLIENT_FINISHED: + ret = ssl_tls13_process_client_finished( ssl ); + break; + + case MBEDTLS_SSL_HANDSHAKE_WRAPUP: + ret = ssl_tls13_handshake_wrapup( ssl ); + break; + default: MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 470ae660e..6eaa53477 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -81,7 +81,7 @@ fi if [ -n "${OPENSSL_NEXT:-}" ]; then O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key" O_NEXT_SRV_NO_CERT="$OPENSSL_NEXT s_server -www " - O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client" + O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -CAfile data_files/test-ca_cat12.crt" else O_NEXT_SRV=false O_NEXT_SRV_NO_CERT=false @@ -11224,31 +11224,34 @@ run_test "TLS 1.3: HRR check, ciphersuite TLS_AES_256_GCM_SHA384 - gnutls" \ -c "Protocol is TLSv1.3" \ -c "HTTP/1.0 200 OK" +requires_openssl_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C -requires_openssl_tls1_3 run_test "TLS 1.3: Server side check - openssl" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ - "$O_NEXT_CLI -msg -debug -tls1_3" \ - 1 \ + "$O_NEXT_CLI -msg -debug -tls1_3 -no_middlebox" \ + 0 \ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \ - -s "SSL - The requested feature is not available" \ - -s "=> parse client hello" \ - -s "<= parse client hello" + -s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \ + -s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" +# Skip this test before openssl exit code issue fixed +# On fail, openssl return different exit code on OpenCI and internal CI for +# this test. +skip_next_test requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_openssl_tls1_3 run_test "TLS 1.3: Server side check - openssl with client authentication" \ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ - "$O_NEXT_CLI -msg -debug -cert data_files/server5.crt -key data_files/server5.key -tls1_3" \ + "$O_NEXT_CLI -msg -debug -cert data_files/server5.crt -key data_files/server5.key -tls1_3 -no_middlebox" \ 1 \ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ @@ -11258,7 +11261,6 @@ run_test "TLS 1.3: Server side check - openssl with client authentication" \ -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \ -s "=> write certificate request" \ - -s "SSL - The requested feature is not available" \ -s "=> parse client hello" \ -s "<= parse client hello" @@ -11270,16 +11272,16 @@ requires_config_enabled MBEDTLS_SSL_SRV_C run_test "TLS 1.3: Server side check - gnutls" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ - 1 \ + 0 \ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \ - -s "SSL - The requested feature is not available" \ - -s "=> parse client hello" \ - -s "<= parse client hello" + -s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \ + -s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \ + -c "HTTP/1.0 200 OK" requires_gnutls_tls1_3 requires_gnutls_next_no_ticket @@ -11298,7 +11300,6 @@ run_test "TLS 1.3: Server side check - gnutls with client authentication" \ -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \ -s "=> write certificate request" \ - -s "SSL - The requested feature is not available" \ -s "=> parse client hello" \ -s "<= parse client hello" @@ -11309,16 +11310,17 @@ requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3: Server side check - mbedtls" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$P_CLI debug_level=4 force_version=tls13" \ - 1 \ + 0 \ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ + -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ - -s "=> write certificate request" \ - -c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \ - -s "SSL - The requested feature is not available" \ - -s "=> parse client hello" \ - -s "<= parse client hello" + -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \ + -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \ + -s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \ + -s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \ + -c "HTTP/1.0 200 OK" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C @@ -11331,12 +11333,9 @@ run_test "TLS 1.3: Server side check - mbedtls with client authentication" \ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ - -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ - -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \ - -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \ + -s "=> write certificate request" \ -c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \ - -s "SSL - The requested feature is not available" \ -s "=> parse client hello" \ -s "<= parse client hello" @@ -11348,14 +11347,13 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "TLS 1.3: server: HRR check - mbedtls" \ "$P_SRV debug_level=4 force_version=tls13 curves=secp384r1" \ "$P_CLI debug_level=4 force_version=tls13 curves=secp256r1,secp384r1" \ - 1 \ + 0 \ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ -s "tls13 server state: MBEDTLS_SSL_HELLO_RETRY_REQUEST" \ -c "client state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ -s "selected_group: secp384r1" \ - -s "SSL - The requested feature is not available" \ -s "=> write hello retry request" \ -s "<= write hello retry request"