ARMmbed

Certification verification failed only on target board

In my application I’m using only DER formats (I undefined MBEDTLS_PEM_PARSE_C and MBEDTLS_PEM_WRITE_C). I also changed mbedtls_x509_crt_parse() to use mbedtls_x509_crt_parse_der_nocopy() instead of mbedtls_x509_crt_parse_der(). This is the only configuration that doesn’t run out of memory.

I can build the same code with mingw compiler in a Windows computer and it works well. I can connect to the server (actually AWS) without problems.

What is strange is the behaviour on the target (ARM Cortex-M3). The handshake stops with MBEDTLS_ERR_X509_CERT_VERIFY_FAILED error.

Considering they are the same code (except for the board dependent functions, mainly Ethernet driver), what could be the problem with the target board?

Hi @pozzugno
Considering both applications use same code and configuration, I would guess you are running out of memory on your board, causing the verification process to fail.

  • Do you know the size of the certificate chain?
  • Are the certificates signed with RSA or ECDSA?
  • Do you have MBEDTLS_ECP_RESTARTABLE defined?

Regards,
Mbed TLS Team member
Ron

I don’t think. mbedTLS is configured with MBEDTLS_MEMORY_BUFFER_ALLOC_C and the memory buffer size is identical in mingw and target board.

I see 2056 bytes in the Server Hello message (Certificates Length in Wireshark, Server Hello message). They are really two certificates, one is 916 bytes length and the other is 1134 bytes length.

The single Root CA I imported in mbedTLS is signed with RSA-2048.
In the certificate chain sent by the server I see one certificate signed with ecdsa-with-SHA256 and one is signed with sha256WithRSAEncryption.

No

I finally found the problem. The system time of the target board wasn’t correctly configured, so the time was in 2000 year. During certification validation the validity period of the certificate was checked and failed.

Now I enabled SNTP to get a correct system time and now the certificate validation is ok.

In mingw the system time was correct because it read the time of Windows OS.