Can't use ECP_RESTARTABLE

Mbed TLS
1

I’m using lwip and mbedTLS to make a TLS connection to AWS IoT Core. It works.

Now I’m trying to enable MBEDTLS_ECP_RESTARTABLE, because the handshake is very slow on the target (Cortex-M3), and I want to give other tasks the possibility to execute. Unfortunately I can’t.

When restartable option isn’t enabled, I see the client blocks for a long time (around 5-10 seconds) and after I see some TLS messages output: Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message. After that, the server replies with Change Chiper Spec and Encrypted Handshake Message and the handshake ends with success.

When I enable restartable, something different happens. During long calculations, Certificate message and Client Key Exchange messages are sent. After some seconds (I suppose after all calculations end) only the TLS message Ceritifcate Verify is sent. Then the handshake stalls and after many seconds the server closes the connection.

Do you argue what could be the problem? It seems the client doesn’t send Change Cipher Spec and Encrypted Handshake Message with the last message.

I’m able to compile the same source code in mingw and here it works even when restartable is enabled. Of course, in mingw the calculations is very short.

2

Hi @pozzugno
Thank you for your question.

I assume you read Nonblocking ECC — Mbed TLS documentation . Have you tried calling mbedtls_ecp_set_max_ops() with different values?

3

Hi @roneld01,
thank you for your prompt reply. Yes I read that page.

I finally found the problem. On the target board, I have very limited RAM so one lwip malloc fails. It is strange, because the allocated memory is the same with and without restartable option. Most probably, the sequence of allocations changes and this leads to allocation failure.

I increased the heap size a little, and now restartable works well on target too. It’s not an issue related to mbedTLS.

4

Hi @pozzugno
I’m trying to get a porting of lwip and mbedTls to connect to AWS but still with no success.
First I found the MBEDTLS_SSL_SERVER_CERTIFICATE step failed dues to time checking error, so I commented the time check for now and set the child_is_trusted = 1 .
Now I’m stuck with MBEDTLS_SSL_SERVER_KEY_EXCHANGE, it fails with
mbedtls_pk_verify() returned -17040 (-0x4290)
any Ideas?
I’m using stm32F446NG Dico, and CubeMx for code generation.