AWS ats endpoint certificate parsing failing

We are using the AWS SDK for the Marvell mw3xx platform in our project, and it uses mbedtls as a 3rd-party library. It works fine with the old AWS endpoints (using the VeriSign root CA), but it was not working with the new AWS endpoint (the endpoint containing -ats). I debugged it and found that the new endpoint's cert length comes to more than 4096 (it was less for the old endpoint certs), so I modified the MBEDTLS_SSL_MAX_CONTENT_LEN (to 16k) and MBEDTLS_SSL_IN_BUFFER_LEN (to 8k) macros in the header files and it worked.

I don't understand why I need to modify these macros to make it work for the new AWS endpoint.

Hi @aws_iot_practice
Thank you for your question.

Since the new certificates are bigger than the content length that you were able to receive, they were not sent fully, so you were able to receive only partial certificates. Because of that, when verifying the new certificates, the calculated signature was not over the full hashed certificate, causing the verification to fail.
Note that you don’t need to modify MBEDTLS_SSL_MAX_CONTENT_LEN, only MBEDTLS_SSL_IN_BUFFER_LEN to fit the incoming certificates. If the handshake requires client certificate authentication, then I would recommend you update MBEDTLS_SSL_OUT_BUFFER_LEN to fit your client certificate chain.
Regards,
Mbed TLS Support
Ron
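The constraint behind the answer above, as an added example that is not part of the original thread and not Mbed TLS code: a TLS 1.2 Certificate handshake message carries the server's whole chain, and a receiver with a fixed input buffer can only verify the chain if the complete message fits in that buffer. The script below builds such a message from constructed fake DER blobs (not real certificates), splits it into TLS records, and reassembles it with a buffer of a chosen size, so you can see a 2.3 kB chain succeed and a 4.5 kB chain fail at 4096 bytes. `required_in_buffer_len` and `der_sizes_from_pem` are hypothetical helpers for sizing the buffer from an endpoint's actual chain; the 4-byte handshake header and 3-byte length prefixes are the TLS 1.2 wire format, while any per-record overhead Mbed TLS itself reserves is not modelled here.

```python
"""Why the TLS input buffer must hold the whole Certificate message.

Constructed model, not Mbed TLS code. A TLS 1.2 Certificate handshake message
is built from fake DER blobs, fragmented into records, and reassembled into a
buffer of fixed size, mirroring a fixed MBEDTLS_SSL_IN_BUFFER_LEN.
"""
import base64
import re

HS_CERTIFICATE = 0x0B       # handshake type: Certificate (RFC 5246 7.4.2)
RECORD_HANDSHAKE = 0x16     # record content type: handshake
TLS_MAX_PLAINTEXT = 16384   # 2^14, largest fragment a TLS peer may send

# Constructed chains: byte lengths are illustrative, not taken from any real CA.
OLD_CHAIN = [b"\x30" * 1200, b"\x30" * 1100]            # fits in 4096
NEW_CHAIN = [b"\x30" * 1700, b"\x30" * 1500, b"\x30" * 1300]  # does not


class BufferTooSmall(Exception):
    """The Certificate message is longer than the receiver's input buffer."""


def build_certificate_message(chain):
    """Certificate body: 3-byte list length, then (3-byte length + DER) per cert."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in chain)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body


def required_in_buffer_len(chain):
    """Smallest buffer (in this model) that can hold the whole message."""
    return len(build_certificate_message(chain))


def fragment_into_records(msg, max_fragment=TLS_MAX_PLAINTEXT):
    """Split a handshake message into TLS records: type, version 3.3, length, fragment."""
    records = []
    for off in range(0, len(msg), max_fragment):
        frag = msg[off:off + max_fragment]
        records.append(bytes([RECORD_HANDSHAKE, 3, 3]) + len(frag).to_bytes(2, "big") + frag)
    return records


def receive_certificate(records, in_buffer_len):
    """Reassemble the Certificate message into a buffer of in_buffer_len bytes.

    As soon as the 4-byte handshake header is known, the total message length is
    checked against the buffer; a chain that cannot be held in full is rejected,
    since a partial chain can never pass signature verification.
    """
    buf = bytearray()
    for rec in records:
        if rec[0] != RECORD_HANDSHAKE:
            raise ValueError("unexpected record type")
        frag_len = int.from_bytes(rec[3:5], "big")
        buf += rec[5:5 + frag_len]
        if len(buf) >= 4:
            hs_len = int.from_bytes(buf[1:4], "big")
            if 4 + hs_len > in_buffer_len:
                raise BufferTooSmall(f"need {4 + hs_len} bytes, have {in_buffer_len}")
    if buf[0] != HS_CERTIFICATE or len(buf) != 4 + int.from_bytes(buf[1:4], "big"):
        raise ValueError("truncated or non-Certificate message")
    list_len = int.from_bytes(buf[4:7], "big")
    pos, end, chain = 7, 7 + list_len, []
    while pos < end:
        clen = int.from_bytes(buf[pos:pos + 3], "big")
        chain.append(bytes(buf[pos + 3:pos + 3 + clen]))
        pos += 3 + clen
    return chain


def fits(chain, in_buffer_len, max_fragment=TLS_MAX_PLAINTEXT):
    """True if the chain's Certificate message can be received into the buffer."""
    records = fragment_into_records(build_certificate_message(chain), max_fragment)
    try:
        return receive_certificate(records, in_buffer_len) == chain
    except BufferTooSmall:
        return False


def pem_from_der(chain):
    """Wrap DER blobs as a PEM bundle (constructed input for der_sizes_from_pem)."""
    return "".join("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(c).decode()
                   + "\n-----END CERTIFICATE-----\n" for c in chain)


def der_sizes_from_pem(pem_text):
    """DER byte size of each certificate in a PEM bundle (e.g. openssl s_client -showcerts)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [len(base64.b64decode("".join(b.split()))) for b in blocks]


if __name__ == "__main__":
    for name, chain in (("old", OLD_CHAIN), ("new", NEW_CHAIN)):
        print(name, required_in_buffer_len(chain), "bytes;",
              "fits 4096:", fits(chain, 4096), "fits 16384:", fits(chain, 16384))
```

To size the buffer for a real endpoint, save the chain printed by `openssl s_client -showcerts -connect <host>:8883` to a file, feed it to `der_sizes_from_pem`, and add the per-certificate and per-message header bytes shown above; rounding up to 16384 (the TLS maximum fragment size) covers any chain a compliant server can send in one record, at the cost of RAM on a constrained part.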