Connect to MQTT server

Hello guys!

I am trying to connect to the server through a tls connection, but I have problems during a handshake. I received certificates from my client, and I can connect, using them, to howsmyssl.com, de-api.ipgeolocation.io or, for example, to baidu.com, but not to the server of my client. )))))

I have prepared a simple example for my NodeMCU board. Here I am using ESP8266_RTOS_SDK-2.0.0 and built-in mbedtls 2.2.1.

In my case I have the next error message from mbedtls:

ssl_tls.c:2429 => flush output
ssl_tls.c:2448 message length: 1364, out_left: 1364
ssl_tls.c:2454 ssl->f_send() returned -78 (-0x004e)
ssl_tls.c:2857 mbedtls_ssl_flush_output() returned -78 (-0x004e)
ssl_tls.c:4179 mbedtls_ssl_write_record() returned -78 (-0x004e)
ssl_tls.c:6323 <= handshake
mbedtls_ssl_handshake returned -0x4e
Last error was: -0x4e - UNKNOWN ERROR CODE (004E)

I suppose this is a MBEDTLS ERR_NET SEND_FAILED error, but this does not make it easier. Who can give an advice what is it and why it happens for that server but it work for others?

Important an addition: customer’s server it is an mqtt broker. So I can connect to it using mosquitto_sub utility for example but it connection will be successfully only if I to add --insecure option to my command. For example:

mosquitto_sub -h 35.226.223.141 -p 8883 -i ‘alex’ --insecure -u ‘DC4F224C97A7’ -P “12345” --cafile “d:\temp\certs2048\cacerts.pem” --cert “d:\temp\certs2048\client.pem” --key “d:\temp\certs2048\client-key.pem” -t ‘DC4F224C97A7/d’ -d

It is source code of my example:

#include <string.h>
#include <stdlib.h>
#include "freertos/FreeRTOS.h"
#include "freertos/task.h"
#include "ClientCertificates.h"
#include "esp_common.h"

#include "lwip/err.h"
#include "lwip/sockets.h"
#include "lwip/sys.h"
#include "lwip/netdb.h"
#include "lwip/dns.h"

#include "mbedtls/platform.h"
#include "mbedtls/net.h"
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/error.h"
#include "mbedtls/certs.h"

/* Constants that aren't configurable in menuconfig */
// #define WEB_SERVER  "www.howsmyssl.com"
// #define WEB_PORT    "443"

// #define WEB_SERVER "de-api.ipgeolocation.io"
// #define WEB_PORT "443"

#define WEB_SERVER "35.226.223.141"
#define WEB_PORT "8883"

#define SSL_READ_TIMEOUT_MS     2000

/* Root cert for howsmyssl.com, taken from server_root_cert.pem

   The PEM file was extracted from the output of this command:
   openssl s_client -showcerts -connect www.howsmyssl.com:443 </dev/null

   The CA root cert is the last cert given in the chain of certs.

   To embed it in the app binary, the PEM file is named
   in the component.mk COMPONENT_EMBED_TXTFILES variable.
*/

static void my_debug(void *ctx, int level,
                     const char *file, int line,
                     const char *str)
{
    /* Shorten 'file' from the whole file path to just the filename

       This is a bit wasteful because the macros are compiled in with
       the full _FILE_ path in each case.
    */
    char *file_sep = rindex(file, '/');
    if(file_sep)
        file = file_sep + 1;

    printf("%s:%d %s", file, line, str);
}

void MBEDTLSEXAMPLE_run(void)
{
    char buf[512];
    int ret, flags, len;

    mbedtls_entropy_context entropy;
    mbedtls_ctr_drbg_context ctr_drbg;
    mbedtls_ssl_context ssl;
    mbedtls_x509_crt cacert;
    mbedtls_x509_crt client_cert;
    mbedtls_pk_context client_key;
    mbedtls_ssl_config conf;
    mbedtls_net_context server_fd;

    mbedtls_ssl_init(&ssl);
    mbedtls_x509_crt_init(&cacert);
    mbedtls_x509_crt_init(&client_cert);
    mbedtls_pk_init(&client_key);
    mbedtls_ctr_drbg_init(&ctr_drbg);
    printf("Seeding the random number generator\n");

    mbedtls_ssl_config_init(&conf);

    mbedtls_entropy_init(&entropy);
    if((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0)) != 0)
    {
        printf("mbedtls_ctr_drbg_seed returned %d\n", ret);
        return;
    }

    printf("Loading the CA root certificate...\n");

    ret = mbedtls_x509_crt_parse(&cacert, CLIENTCERTIFICATES_getCA(),
                                          CLIENTCERTIFICATES_getCALength() + 1);

    if(ret < 0)
    {
        printf("mbedtls_x509_crt_parse 1 returned -0x%x\n\n", -ret);
        return;
    }

    printf("Loading the client certificate...\n");

    ret = mbedtls_x509_crt_parse(&client_cert,
                                 CLIENTCERTIFICATES_getCert(),
                                 CLIENTCERTIFICATES_getCertLenght() + 1);
    if (ret < 0) {
        printf("mbedtls_x509_crt_parse 2 returned -0x%x\n\n", -ret);
        return;
    }

    printf("Loading the client private key...\n");

    ret = mbedtls_pk_parse_key(&client_key,
                               CLIENTCERTIFICATES_getKey(),
                               CLIENTCERTIFICATES_getKeyLength() + 1, NULL, 0);
    if (ret != 0) {
        printf("mbedtls_pk_parse_key returned -0x%x\n\n", -ret);
        return;
    }

    printf("Setting hostname for TLS session...\n");

    /* Hostname set here should match CN in server certificate */
    if((ret = mbedtls_ssl_set_hostname(&ssl, WEB_SERVER)) != 0)
    {
        printf("mbedtls_ssl_set_hostname returned -0x%x\n", -ret);
        return;
    }

    printf("Setting up the SSL/TLS structure...\n");

    if((ret = mbedtls_ssl_config_defaults(&conf,
                                          MBEDTLS_SSL_IS_CLIENT,
                                          MBEDTLS_SSL_TRANSPORT_STREAM,
                                          MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
    {
        printf("mbedtls_ssl_config_defaults returned %d\n", ret);
        goto exit;
    }


    /* MBEDTLS_SSL_VERIFY_OPTIONAL is bad for security, in this example it will print
       a warning if CA verification fails but it will continue to connect.

       You should consider using MBEDTLS_SSL_VERIFY_REQUIRED in your own code.
    */
    mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_NONE);
    mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
    mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
    mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); 
    mbedtls_debug_set_threshold(4);
    mbedtls_ssl_conf_read_timeout(&conf, SSL_READ_TIMEOUT_MS );

    ret = mbedtls_ssl_conf_own_cert(&conf, &client_cert, &client_key);
    if (ret != 0) {
         printf("mbedtls_ssl_conf_own_cert returned %d\n", ret);
         return;
    }

    if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0)
    {
        printf("mbedtls_ssl_setup returned -0x%x\n\n", -ret);
        goto exit;
    }

    mbedtls_net_init(&server_fd);

    printf("Connecting to %s:%s...", WEB_SERVER, WEB_PORT);

    if ((ret = mbedtls_net_connect(&server_fd, WEB_SERVER,
                                  WEB_PORT, MBEDTLS_NET_PROTO_TCP)) != 0)
    {
        printf("mbedtls_net_connect returned -%x\n", -ret);
        goto exit;
    }

    printf("Connected.\n");

    mbedtls_ssl_set_bio(&ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL);

    printf("Performing the SSL/TLS handshake...\n");

    while ((ret = mbedtls_ssl_handshake(&ssl)) != 0)
    {
        if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE)
        {
            printf("mbedtls_ssl_handshake returned -0x%x\n", -ret);
            goto exit;
        }
    }

    printf("Verifying peer X.509 certificate...\n");

    if ((flags = mbedtls_ssl_get_verify_result(&ssl)) != 0)
    {
        /* In real life, we probably want to close connection if ret != 0 */
        printf("Failed to verify peer certificate!\n");
        bzero(buf, sizeof(buf));
        mbedtls_x509_crt_verify_info(buf, sizeof(buf), "  ! ", flags);
        printf("verification info: %s\n", buf);
    }
    else {
        printf("Certificate verified.\n");
    }

    printf("Cipher suite is %s\n", mbedtls_ssl_get_ciphersuite(&ssl));

    mbedtls_ssl_close_notify(&ssl);
exit:
    mbedtls_ssl_session_reset(&ssl);
    mbedtls_net_free(&server_fd);

    if(ret != 0)
    {
        mbedtls_strerror(ret, buf, 100);
        printf("Last error was: -0x%x - %s\n", -ret, buf);
    }
}

It is a log:

 ets Jan  8 2013,rst cause:2, boot mode:(3,7)

load 0x40100000, len 2304, room 16 
tail 0
chksum 0x39
load 0x3ffe8000, len 1400, room 8 
tail 0
chksum 0xd4
csum 0xd4

rBoot v1.4.2 - richardaburton@gmail.com
Flash Size:   32 Mbit
Flash Mode:   DIO
Flash Speed:  40 MHz
rBoot Option: Config chksum


RBOOT config
---------------------------------------------
magic        = E1
version      = 01
mode         = 00
current_rom  = 00
gpio_rom     = 00
count        = 02
unused       = 3FFFEFB6
roms[0]      = 00002000
roms[1]      = 00082000
chksum       = 05
calc chksum  = 05
---------------------------------------------

Booting rom 0.
!ЧяЬяА@Ђю?PЂю?ЂЂю?М$БрВa В !хяaыяА!пятяАБрВa В !ъяaЯяА!пятяАБрВa В !ъяaЯяА!пятяА<OS SDK ver: 2.0.0(e271380) compiled @ Mar 30 2018 18:54:06
phy ver: 1055_1, pp ver: 10.7

rf cal sector: 1019
tcpip_task_hdl : 40107a00, prio:10,stack:512
idle_task_hdl : 40107ab0,prio:0, stack:384
tim_task_hdl : 40107bf8, prio:2,stack:512
SDK version:2.0.0(e271380) 71640
mode : sta(dc:4f:22:4c:97:a7)
add if0
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 4
pm open phy_2,type:2 0 0
cnt 

connected with TP-Link_618C, channel 10
dhcp client start...
sta connected
ip:192.168.1.103,mask:255.255.255.0,gw:192.168.1.1
sta got ip ,create task and free heap size is 69376
mqtt client thread starts
f: mqtt_client_thread
Seeding the random number generator
Loading the CA root certificate...
Loading the client certificate...
Loading the client private key...
Setting hostname for TLS session...
Setting up the SSL/TLS structure...
Connecting to 35.226.223.141:8883...Connected.
Performing the SSL/TLS handshake...
ssl_tls.c:6313 => handshake
ssl_cli.c:3267 client state: 0
ssl_tls.c:2429 => flush output
ssl_tls.c:2441 <= flush output
ssl_cli.c:3267 client state: 1
ssl_tls.c:2429 => flush output
ssl_tls.c:2441 <= flush output
ssl_cli.c:712 => write client hello
ssl_cli.c:750 client hello, max version: [3:3]
ssl_cli.c:759 dumping 'client hello, random bytes' (32 bytes)
ssl_cli.c:759 0000:  31 04 57 ed 2b 89 11 52 56 8e ac 84 51 9f 5a e2  1.W.+..RV...Q.Z.
ssl_cli.c:759 0010:  c7 2a 38 d5 d3 ac a3 24 6d 53 87 9b 8d 16 10 c5  .*8....$mS......
ssl_cli.c:812 client hello, session id len.: 0
ssl_cli.c:813 dumping 'client hello, session id' (0 bytes)
ssl_cli.c:880 client hello, add ciphersuite: 003d
ssl_cli.c:880 client hello, add ciphersuite: 0035
ssl_cli.c:880 client hello, add ciphersuite: 003c
ssl_cli.c:880 client hello, add ciphersuite: 002f
ssl_cli.c:880 client hello, add ciphersuite: 00b7
ssl_cli.c:880 client hello, add ciphersuite: 0095
ssl_cli.c:880 client hello, add ciphersuite: 00b6
ssl_cli.c:880 client hello, add ciphersuite: 0094
ssl_cli.c:913 client hello, got 9 ciphersuites
ssl_cli.c:944 client hello, compress len.: 1
ssl_cli.c:946 client hello, compress alg.: 0
ssl_cli.c:72 client hello, adding server name extension: 35.226.223.141
ssl_cli.c:178 client hello, adding signature_algorithms extension
ssl_cli.c:1018 client hello, total extension length: 39
ssl_tls.c:2714 => write record
ssl_tls.c:2849 output record: msgtype = 22, version = [3:1], msglen = 102
ssl_tls.c:2429 => flush output
ssl_tls.c:2448 message length: 107, out_left: 107
ssl_tls.c:2454 ssl->f_send() returned 107 (-0xffffff95)
ssl_tls.c:2473 <= flush output
ssl_tls.c:2861 <= write record
ssl_cli.c:1044 <= write client hello
ssl_cli.c:3267 client state: 2
ssl_tls.c:2429 => flush output
ssl_tls.c:2441 <= flush output
ssl_cli.c:1396 => parse server hello
ssl_tls.c:3739 => read record
ssl_tls.c:2221 => fetch input
ssl_tls.c:2379 in_left: 0, nb_want: 5
ssl_tls.c:2403 in_left: 0, nb_want: 5
ssl_tls.c:2404 ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
ssl_tls.c:2416 <= fetch input
ssl_tls.c:3495 input record: msgtype = 22, version = [3:3], msglen = 81
ssl_tls.c:2221 => fetch input
ssl_tls.c:2379 in_left: 5, nb_want: 86
ssl_tls.c:2403 in_left: 5, nb_want: 86
ssl_tls.c:2404 ssl->f_recv(_timeout)() returned 81 (-0xffffffaf)
ssl_tls.c:2416 <= fetch input
ssl_tls.c:3100 handshake message: msglen = 81, type = 2, hslen = 81
ssl_tls.c:3976 <= read record
ssl_cli.c:1469 dumping 'server hello, version' (2 bytes)
ssl_cli.c:1469 0000:  03 03                                            ..
ssl_cli.c:1495 server hello, current time: 1541010821
ssl_cli.c:1502 dumping 'server hello, random bytes' (32 bytes)
ssl_cli.c:1502 0000:  5b d9 f5 85 f1 39 d2 d2 e3 6f d9 a4 e4 59 ff 4b  [....9...o...Y.K
ssl_cli.c:1502 0010:  9f f3 da b6 3b e1 94 f5 53 ef a8 51 51 e2 c5 8e  ....;...S..QQ...
ssl_cli.c:1572 server hello, session id len.: 32
ssl_cli.c:1573 dumping 'server hello, session id' (32 bytes)
ssl_cli.c:1573 0000:  2d 8f 8f 35 a1 cc 85 5e a1 4d 21 f5 dc 7d e3 1c  -..5...^.M!..}..
ssl_cli.c:1573 0010:  6c aa 7b 96 ee 27 88 81 e0 f7 8d 9d 67 ca d1 f7  l.{..'......g...
ssl_cli.c:1609 no session has been resumed
ssl_cli.c:1611 server hello, chosen ciphersuite: 003d
ssl_cli.c:1612 server hello, compress alg.: 0
ssl_cli.c:1626 server hello, chosen ciphersuite: TLS-RSA-WITH-AES-256-CBC-SHA256
ssl_cli.c:1657 server hello, total extension length: 5
ssl_cli.c:1675 found renegotiation extension
ssl_cli.c:1845 <= parse server hello
ssl_cli.c:3267 client state: 3
ssl_tls.c:2429 => flush output
ssl_tls.c:2441 <= flush output
ssl_tls.c:4195 => parse certificate
ssl_tls.c:3739 => read record
ssl_tls.c:2221 => fetch input
ssl_tls.c:2379 in_left: 0, nb_want: 5
ssl_tls.c:2403 in_left: 0, nb_want: 5
ssl_tls.c:2404 ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
ssl_tls.c:2416 <= fetch input
ssl_tls.c:3495 input record: msgtype = 22, version = [3:3], msglen = 3674
ssl_tls.c:2221 => fetch input
ssl_tls.c:2379 in_left: 5, nb_want: 3679
ssl_tls.c:2403 in_left: 5, nb_want: 3679
ssl_tls.c:2404 ssl->f_recv(_timeout)() returned 3674 (-0xfffff1a6)
ssl_tls.c:2416 <= fetch input
ssl_tls.c:3100 handshake message: msglen = 3674, type = 11, hslen = 3674
ssl_tls.c:3976 <= read record
ssl_tls.c:4361 peer certificate #1:
ssl_tls.c:4361 cert. version     : 3
ssl_tls.c:4361 serial number     : 10:01
ssl_tls.c:4361 issuer name       : C=IL, ST=Israel, O=Dealor Ltd, OU=Dealor Ltd Certificate Authority, CN=Dealor Ltd Intermediate CA
ssl_tls.c:4361 subject name      : C=IL, ST=Israel, L=Modiin, O=Dealor Ltd, OU=Dealor Ltd vernemq server, CN=*.dealor-vernemq-headless.dev.svc.cluster.local
ssl_tls.c:4361 issued  on        : 2018-10-18 08:04:20
ssl_tls.c:4361 expires on        : 2019-10-28 08:04:20
ssl_tls.c:4361 signed using      : RSA with SHA-256
ssl_tls.c:4361 RSA key size      : 2048 bits
ssl_tls.c:4361 basic constraints : CA=false
ssl_tls.c:4361 cert. type        : SSL Server
ssl_tls.c:4361 key usage         : Digital Signature, Key Encipherment
ssl_tls.c:4361 ext key usage     : TLS Web Server Authentication
ssl_tls.c:4361 value of 'crt->rsa.N' (2048 bits) is:
ssl_tls.c:4361  ae c7 09 3b 92 5e 2f ff ce e8 d0 5f 44 2b 54 47
ssl_tls.c:4361  9b da f3 24 91 ce 79 3f 0f 7b a4 a1 12 6a 3f ca
ssl_tls.c:4361  56 93 b4 2a ec b5 f3 14 b4 53 26 c4 b4 87 65 cb
ssl_tls.c:4361  47 13 0a 0d 09 8f 53 7f 6c 4a 2d 34 89 b2 32 0f
ssl_tls.c:4361  a6 9a 24 1a be 15 44 7b d7 dc 0f 27 14 d1 c4 97
ssl_tls.c:4361  b6 84 94 81 ad ae bb e6 39 fb 02 95 f3 6a 17 31
ssl_tls.c:4361  2f c2 ae 66 12 27 c1 dd 4f 96 ee 5a c4 b7 96 58
ssl_tls.c:4361  d8 5e 7d 9c 77 c7 86 4e f8 67 dd 43 e8 54 c0 ba
ssl_tls.c:4361  13 13 4b b8 79 0f e1 4d f6 23 7b ac 5c 89 9b fa
ssl_tls.c:4361  7d 33 71 61 bb 13 f9 00 62 07 73 7d 4b 45 06 72
ssl_tls.c:4361  67 98 8d 92 cc 1c 4b b4 4c 24 f1 fd 79 e6 93 39
ssl_tls.c:4361  a9 b7 25 45 19 48 67 58 22 9a e0 54 4d 06 04 13
ssl_tls.c:4361  3c 3d 65 32 01 10 40 84 dc 2f 27 d0 fd 88 4f cf
ssl_tls.c:4361  7f 8a 67 45 7b b4 10 6a 6d 46 4d 4e 3e ec 78 06
ssl_tls.c:4361  f7 4f fb d1 e5 f1 6d 81 a2 b9 c5 da 96 ad 52 2a
ssl_tls.c:4361  c6 45 96 aa 73 4d 56 3b ee e6 b0 2a dd 65 44 07
ssl_tls.c:4361 value of 'crt->rsa.E' (17 bits) is:
ssl_tls.c:4361  01 00 01
ssl_tls.c:4361 peer certificate #2:
ssl_tls.c:4361 cert. version     : 3
ssl_tls.c:4361 serial number     : 10:01
ssl_tls.c:4361 issuer name       : C=IL, ST=Israel, L=Modiin, O=Dealor Ltd, CN=Dealor Ltd Root CA
ssl_tls.c:4361 subject name      : C=IL, ST=Israel, O=Dealor Ltd, OU=Dealor Ltd Certificate Authority, CN=Dealor Ltd Intermediate CA
ssl_tls.c:4361 issued  on        : 2018-10-18 07:23:52
ssl_tls.c:4361 expires on        : 2028-10-15 07:23:52
ssl_tls.c:4361 signed using      : RSA with SHA-256
ssl_tls.c:4361 RSA key size      : 4096 bits
ssl_tls.c:4361 basic constraints : CA=true, max_pathlen=0
ssl_tls.c:4361 key usage         : Digital Signature, Key Cert Sign, CRL Sign
ssl_tls.c:4361 value of 'crt->rsa.N' (4096 bits) is:
ssl_tls.c:4361  b1 1f 94 b4 6d 26 3c 2e c0 25 18 c5 a3 79 d4 ac
ssl_tls.c:4361  4c 1a 67 15 67 ea 6d 6f 39 17 39 a6 77 b0 36 d2
ssl_tls.c:4361  5d 43 ac 10 96 b5 61 49 5d ca dc da 1a d1 7c 2a
ssl_tls.c:4361  b6 da 0e 4a 4a 76 b2 55 af 48 16 87 d9 f6 38 be
ssl_tls.c:4361  f2 e8 20 ce c1 ab de 43 1c e9 a1 4f 48 1e b8 41
ssl_tls.c:4361  f3 d1 35 18 7a 04 3d bb 5d 5d ef c3 58 d8 2f dc
ssl_tls.c:4361  d3 6e 8f f9 1f 41 cd 39 63 c7 ca 2f 03 ac 21 7b
ssl_tls.c:4361  d9 fc 54 b8 5c c6 c0 8f 27 e0 b3 8a 78 f9 25 85
ssl_tls.c:4361  d2 6d 06 73 0d e4 67 c1 a8 99 4d ca cd 74 b1 06
ssl_tls.c:4361  d6 f6 34 5b ca e9 94 b0 b5 06 bf 22 6c 25 ab b0
ssl_tls.c:4361  6b a1 af 87 ce 6c 49 b9 ae 5b d4 cd 75 68 dc 58
ssl_tls.c:4361  dd 09 f9 20 a5 93 f7 93 e3 28 f8 ae 70 2e f3 23
ssl_tls.c:4361  12 04 20 33 58 10 db b6 0c 93 b0 10 44 3a 79 ca
ssl_tls.c:4361  dd a6 af 6e 90 a7 e9 80 11 9f d6 0e 78 a5 b1 cc
ssl_tls.c:4361  02 a3 9e a9 9e b0 17 87 b2 8f 6e f8 48 11 57 7a
ssl_tls.c:4361  76 05 c2 70 28 52 a1 69 da 1f 18 f5 c6 be ee fe
ssl_tls.c:4361  7c 6a d8 91 e5 d7 7b a4 22 b2 0c f0 36 12 f8 c1
ssl_tls.c:4361  d5 34 2e 0d bc d2 97 df ac 0b ae fc 1a ae 2f 0b
ssl_tls.c:4361  46 87 5a 4a 78 fd f9 88 e8 cc 2b f3 ee 2e 19 ca
ssl_tls.c:4361  7e 84 28 9c 79 e7 30 4b 29 a5 26 d5 09 a2 74 a5
ssl_tls.c:4361  7f be fe 01 82 be b4 03 7b 07 da 1e dd 42 a7 9d
ssl_tls.c:4361  52 1d b2 7e 84 e3 52 47 a8 38 84 f8 fb 74 f9 63
ssl_tls.c:4361  2d 8c f1 85 a6 d7 82 37 f7 9a 7a 22 4d 80 2f ab
ssl_tls.c:4361  5e 1c 64 3b 67 fb a7 c5 2e c7 61 01 a4 98 96 64
ssl_tls.c:4361  fb 4d 5b 3e ed 6d 49 16 d3 8c 7e e0 e1 93 4b 6f
ssl_tls.c:4361  75 d1 1f bf 8e 89 84 83 02 20 7f fc 2e bf eb da
ssl_tls.c:4361  66 d4 1c ea dd b4 59 f8 c1 10 85 c0 6b 62 d5 80
ssl_tls.c:4361  3e e7 6c c4 ee 35 e2 2f b8 9e 6d 90 6f 3f c8 8f
ssl_tls.c:4361  a5 41 7d fd e2 99 37 e6 18 c9 aa fc ee ab 7e 0b
ssl_tls.c:4361  02 b2 67 b0 82 41 d3 d6 c3 5e 45 6a c0 80 68 96
ssl_tls.c:4361  ea 03 50 1c ef 64 aa 6c 1e 77 5b 25 47 10 db c9
ssl_tls.c:4361  d4 48 79 ab 44 58 0f 51 16 61 81 1e 31 77 a1 49
ssl_tls.c:4361 value of 'crt->rsa.E' (17 bits) is:
ssl_tls.c:4361  01 00 01
ssl_tls.c:4361 peer certificate #3:
ssl_tls.c:4361 cert. version     : 3
ssl_tls.c:4361 serial number     : 88:7C:E8:8A:78:C7:57:38
ssl_tls.c:4361 issuer name       : C=IL, ST=Israel, L=Modiin, O=Dealor Ltd, CN=Dealor Ltd Root CA
ssl_tls.c:4361 subject name      : C=IL, ST=Israel, L=Modiin, O=Dealor Ltd, CN=Dealor Ltd Root CA
ssl_tls.c:4361 issued  on        : 2018-10-17 21:34:51
ssl_tls.c:4361 expires on        : 2038-10-12 21:34:51
ssl_tls.c:4361 signed using      : RSA with SHA-256
ssl_tls.c:4361 RSA key size      : 2048 bits
ssl_tls.c:4361 basic constraints : CA=true
ssl_tls.c:4361 key usage         : Digital Signature, Key Cert Sign, CRL Sign
ssl_tls.c:4361 value of 'crt->rsa.N' (2048 bits) is:
ssl_tls.c:4361  b0 e3 1a 61 98 44 71 5e 17 37 b0 d5 f9 9c c2 2f
ssl_tls.c:4361  4f 73 96 21 9d 63 80 1e 36 1d 8b 64 d8 6d 5b b6
ssl_tls.c:4361  b5 8e d2 f4 f9 8a 99 d0 cc fb 7f ca 1e d0 a6 a8
ssl_tls.c:4361  5e be fd de 85 9d 4b 11 c9 34 dc c5 0a 6d 4a 6c
ssl_tls.c:4361  c0 4c 69 b7 6b c1 c9 8c 80 d9 70 8d 08 a4 22 ba
ssl_tls.c:4361  66 b9 76 d0 e8 2a 04 0c dc c1 2a bc 1c 46 fe d9
ssl_tls.c:4361  53 c8 52 7e 58 b0 d8 0c 39 5e fe 98 7e 69 30 6d
ssl_tls.c:4361  f7 90 f7 c1 9e 24 4e 0d 1f ad 43 48 9d 13 81 95
ssl_tls.c:4361  a5 67 ac c8 72 03 59 45 64 d7 11 2b ae b7 b1 1f
ssl_tls.c:4361  db f1 b1 e6 b3 46 b6 06 d1 87 da 16 0b b5 e2 82
ssl_tls.c:4361  fb 22 be a8 5f b4 1c fc 3b a7 4c e7 d7 48 80 c5
ssl_tls.c:4361  2c 9f 41 78 c3 ec 00 13 ae 1f d1 d6 f0 73 3e c7
ssl_tls.c:4361  58 ab 9b e6 cf 96 fb 19 ae 52 16 52 ec a2 82 25
ssl_tls.c:4361  2f b6 b4 e3 15 cd b7 02 ee b6 06 78 9e 1d c4 2d
ssl_tls.c:4361  1a af 65 b9 73 cd b5 b1 d8 95 dc ca 25 0d 7c 26
ssl_tls.c:4361  04 30 d3 d7 ec 21 2f d4 ab 78 a2 48 f5 57 d8 79
ssl_tls.c:4361 value of 'crt->rsa.E' (17 bits) is:
ssl_tls.c:4361  01 00 01
ssl_tls.c:4462 <= parse certificate
ssl_cli.c:3267 client state: 4
ssl_tls.c:2429 => flush output
ssl_tls.c:2441 <= flush output
ssl_cli.c:2181 => parse server key exchange
ssl_cli.c:2186 <= skip parse server key exchange
ssl_cli.c:3267 client state: 5
ssl_tls.c:2429 => flush output
ssl_tls.c:2441 <= flush output
ssl_cli.c:2537 => parse certificate request
ssl_tls.c:3739 => read record
ssl_tls.c:2221 => fetch input
ssl_tls.c:2379 in_left: 0, nb_want: 5
ssl_tls.c:2403 in_left: 0, nb_want: 5
ssl_tls.c:2404 ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
ssl_tls.c:2416 <= fetch input
ssl_tls.c:3495 input record: msgtype = 22, version = [3:3], msglen = 271
ssl_tls.c:2221 => fetch input
ssl_tls.c:2379 in_left: 5, nb_want: 276
ssl_tls.c:2403 in_left: 5, nb_want: 276
ssl_tls.c:2404 ssl->f_recv(_timeout)() returned 271 (-0xfffffef1)
ssl_tls.c:2416 <= fetch input
ssl_tls.c:3100 handshake message: msglen = 271, type = 13, hslen = 271
ssl_tls.c:3976 <= read record
ssl_cli.c:2574 got a certificate request
ssl_cli.c:2666 <= parse certificate request
ssl_cli.c:3267 client state: 6
ssl_tls.c:2429 => flush output
ssl_tls.c:2441 <= flush output
ssl_cli.c:2679 => parse server hello done
ssl_tls.c:3739 => read record
ssl_tls.c:2221 => fetch input
ssl_tls.c:2379 in_left: 0, nb_want: 5
ssl_tls.c:2403 in_left: 0, nb_want: 5
ssl_tls.c:2404 ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
ssl_tls.c:2416 <= fetch input
ssl_tls.c:3495 input record: msgtype = 22, version = [3:3], msglen = 4
ssl_tls.c:2221 => fetch input
ssl_tls.c:2379 in_left: 5, nb_want: 9
ssl_tls.c:2403 in_left: 5, nb_want: 9
ssl_tls.c:2404 ssl->f_recv(_timeout)() returned 4 (-0xfffffffc)
ssl_tls.c:2416 <= fetch input
ssl_tls.c:3100 handshake message: msglen = 4, type = 14, hslen = 4
ssl_tls.c:3976 <= read record
ssl_cli.c:2711 <= parse server hello done
ssl_cli.c:3267 client state: 7
ssl_tls.c:2429 => flush output
ssl_tls.c:2441 <= flush output
ssl_tls.c:4079 => write certificate
ssl_tls.c:4131 own certificate #1:
ssl_tls.c:4131 cert. version     : 3
ssl_tls.c:4131 serial number     : 10:03
ssl_tls.c:4131 issuer name       : C=IL, ST=Israel, O=Dealor Ltd, OU=Dealor Ltd Certificate Authority, CN=Dealor Ltd Intermediate CA
ssl_tls.c:4131 subject name      : C=IL, ST=Israel, L=Modiin, O=Dealor LTD, OU=Dealor LTD device, CN=dealor-client-1y
ssl_tls.c:4131 issued  on        : 2018-10-24 10:22:41
ssl_tls.c:4131 expires on        : 2020-03-07 10:22:41
ssl_tls.c:4131 signed using      : RSA with SHA-256
ssl_tls.c:4131 RSA key size      : 2048 bits
ssl_tls.c:4131 basic constraints : CA=false
ssl_tls.c:4131 cert. type        : SSL Client, Email
ssl_tls.c:4131 key usage         : Digital Signature, Non Repudiation, Key Encipherment
ssl_tls.c:4131 ext key usage     : TLS Web Client Authentication, E-mail Protection
ssl_tls.c:4131 value of 'crt->rsa.N' (2048 bits) is:
ssl_tls.c:4131  c3 27 02 f6 b6 a9 2b 5c 3a 01 be e2 74 1d e3 5c
ssl_tls.c:4131  5e 96 ae 50 a4 e8 e3 49 68 5a 23 a5 5c 4c 30 3d
ssl_tls.c:4131  cf b4 f2 27 a0 d8 05 2f e4 5c 1e fb 0c 76 90 f2
ssl_tls.c:4131  ef a1 4f 99 53 86 1a 60 71 cc ab f5 6d 26 e1 99
ssl_tls.c:4131  c3 ef 8d 70 be 49 89 65 16 b4 17 01 c2 25 20 c7
ssl_tls.c:4131  cd 81 eb 0a 9f 9b 76 ea d1 99 2a 95 6d 4f 8a 94
ssl_tls.c:4131  16 91 32 d6 d4 d5 07 3f 08 2b e3 fb e6 45 cb 84
ssl_tls.c:4131  13 68 fc 22 ad 0e 50 40 7a 71 2e 2e ed af f2 1e
ssl_tls.c:4131  97 15 5a 8d bc 59 0e b3 85 b2 a7 ab af 6a 52 7d
ssl_tls.c:4131  58 e8 1d fc 49 b9 f7 c2 a5 d8 ee c9 a1 44 90 f1
ssl_tls.c:4131  a6 6a 3e 0d 98 5f b1 1b 7c 0e c2 b8 73 c3 e5 01
ssl_tls.c:4131  f1 e7 4d 84 42 58 b0 74 b2 1c 04 ac 31 08 b5 14
ssl_tls.c:4131  b4 06 cb 33 88 48 48 67 9e b3 d6 f8 44 67 9e db
ssl_tls.c:4131  11 29 3f 83 0d 2d 0e ed 71 35 45 be 16 f6 01 63
ssl_tls.c:4131  d1 ac 1f cc 6c 66 a0 3a 7f 2d cc e1 e1 e8 12 ad
ssl_tls.c:4131  f1 a8 d4 c6 97 64 eb 35 b7 2e 40 f8 95 10 b1 61
ssl_tls.c:4131 value of 'crt->rsa.E' (17 bits) is:
ssl_tls.c:4131  01 00 01
ssl_tls.c:2714 => write record
ssl_tls.c:2849 output record: msgtype = 22, version = [3:3], msglen = 1359
ssl_tls.c:2429 => flush output
ssl_tls.c:2448 message length: 1364, out_left: 1364
ssl_tls.c:2454 ssl->f_send() returned 1364 (-0xfffffaac)
ssl_tls.c:2473 <= flush output
ssl_tls.c:2861 <= write record
ssl_tls.c:4183 <= write certificate
ssl_cli.c:3267 client state: 8
ssl_tls.c:2429 => flush output
ssl_tls.c:2441 <= flush output
ssl_cli.c:2722 => write client key exchange
ssl_tls.c:2714 => write record
ssl_tls.c:2849 output record: msgtype = 22, version = [3:3], msglen = 262
ssl_tls.c:2429 => flush output
ssl_tls.c:2448 message length: 267, out_left: 267
ssl_tls.c:2454 ssl->f_send() returned -78 (-0x004e)
ssl_tls.c:2857 mbedtls_ssl_flush_output() returned -78 (-0x004e)
ssl_cli.c:2965 mbedtls_ssl_write_record() returned -78 (-0x004e)
ssl_tls.c:6323 <= handshake
mbedtls_ssl_handshake returned -0x4e
Last error was: -0x4e - UNKNOWN ERROR CODE (004E)

Also I wanna add that yesterday I took the ssl_client1.c example from mbedtls-2.13.0 library and built it using of Visual Studio 2017. So I have the same situation but I have another error code -0x7780. Where can be error? In certificates?

/*
 *  SSL client demonstration program
 *
 *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  This file is part of mbed TLS (https://tls.mbed.org)
 */

#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif

#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#include <stdio.h>
#include <stdlib.h>
#define mbedtls_time            time
#define mbedtls_time_t          time_t
#define mbedtls_fprintf         fprintf
#define mbedtls_printf          printf
#define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
#define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
#endif /* MBEDTLS_PLATFORM_C */

#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) ||  \
    !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
    !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) ||         \
    !defined(MBEDTLS_CERTS_C) || !defined(MBEDTLS_PEM_PARSE_C) || \
    !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C)
int main( void )
{
    mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
           "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
           "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
           "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C "
           "not defined.\n");
    return( 0 );
}
#else

#include "mbedtls/net_sockets.h"
#include "mbedtls/debug.h"
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/error.h"
#include "mbedtls/certs.h"

#include <string.h>

#define SERVER_NAME "35.226.223.141"
#define SERVER_PORT "8883"

//#define SERVER_NAME  "www.howsmyssl.com"
//#define SERVER_PORT  "443"

#define GET_REQUEST "GET / HTTP/1.0\r\n\r\n"

#define DEBUG_LEVEL 4


static const char* m_CA = "-----BEGIN CERTIFICATE-----\r\n"
"MIIExzCCA6+gAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwYTELMAkGA1UEBhMCSUwx\r\n"
"DzANBgNVBAgMBklzcmFlbDEPMA0GA1UEBwwGTW9kaWluMRMwEQYDVQQKDApEZWFs\r\n"
"b3IgTHRkMRswGQYDVQQDDBJEZWFsb3IgTHRkIFJvb3QgQ0EwHhcNMTgxMDE4MDcy\r\n"
"MzUyWhcNMjgxMDE1MDcyMzUyWjCBgzELMAkGA1UEBhMCSUwxDzANBgNVBAgMBklz\r\n"
"cmFlbDETMBEGA1UECgwKRGVhbG9yIEx0ZDEpMCcGA1UECwwgRGVhbG9yIEx0ZCBD\r\n"
"ZXJ0aWZpY2F0ZSBBdXRob3JpdHkxIzAhBgNVBAMMGkRlYWxvciBMdGQgSW50ZXJt\r\n"
"ZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsR+UtG0m\r\n"
"PC7AJRjFo3nUrEwaZxVn6m1vORc5pnewNtJdQ6wQlrVhSV3K3Noa0XwqttoOSkp2\r\n"
"slWvSBaH2fY4vvLoIM7Bq95DHOmhT0geuEHz0TUYegQ9u11d78NY2C/c026P+R9B\r\n"
"zTljx8ovA6whe9n8VLhcxsCPJ+Czinj5JYXSbQZzDeRnwaiZTcrNdLEG1vY0W8rp\r\n"
"lLC1Br8ibCWrsGuhr4fObEm5rlvUzXVo3FjdCfkgpZP3k+Mo+K5wLvMjEgQgM1gQ\r\n"
"27YMk7AQRDp5yt2mr26Qp+mAEZ/WDnilscwCo56pnrAXh7KPbvhIEVd6dgXCcChS\r\n"
"oWnaHxj1xr7u/nxq2JHl13ukIrIM8DYS+MHVNC4NvNKX36wLrvwari8LRodaSnj9\r\n"
"+YjozCvz7i4Zyn6EKJx55zBLKaUm1QmidKV/vv4Bgr60A3sH2h7dQqedUh2yfoTj\r\n"
"UkeoOIT4+3T5Yy2M8YWm14I395p6Ik2AL6teHGQ7Z/unxS7HYQGkmJZk+01bPu1t\r\n"
"SRbTjH7g4ZNLb3XRH7+OiYSDAiB//C6/69pm1Bzq3bRZ+MEQhcBrYtWAPudsxO41\r\n"
"4i+4nm2Qbz/Ij6VBff3imTfmGMmq/O6rfgsCsmewgkHT1sNeRWrAgGiW6gNQHO9k\r\n"
"qmwed1slRxDbydRIeatEWA9RFmGBHjF3oUkCAwEAAaNmMGQwHQYDVR0OBBYEFH/K\r\n"
"VRWC+honIEgG2dLeZwTE46j7MB8GA1UdIwQYMBaAFNcG1n2+FevnmVRys1V/H7QY\r\n"
"MpaXMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3\r\n"
"DQEBCwUAA4IBAQBhqCwNtSp0tck2dNtCgpACZG/cDGWC35cpUmwiXvnGT83SQAp5\r\n"
"u0Ef+ABfw6GiB/Mrxjy3uH022wwftLzz96Dh/qjEVL6C8EMKUTzGQASQkiWE1o3t\r\n"
"aap1e2SYLgGbXuIvgf/qED/PSQaTlyvOZ4iT3R1uCoecjAiyJZwrp69dNrLCetb1\r\n"
"5R7kDwASX8v02Pn0F47LvJQ6TDJ8XUyLbQdUcR4cMBenCcB5qkbefuaipEOER+QB\r\n"
"u3uhZtByDv/ZkD3zMY2iPXBBUPe5H0hJ+T2JWAIBIRqRnOzJk/2E+j0GHPBOhQG2\r\n"
"RKTtnUiHP05EKo+EeT2vpCZm4ylOfhpZMT/K\r\n"
"-----END CERTIFICATE-----\r\n"
"-----BEGIN CERTIFICATE-----\r\n"
"MIIDqDCCApCgAwIBAgIJAIh86Ip4x1c4MA0GCSqGSIb3DQEBCwUAMGExCzAJBgNV\r\n"
"BAYTAklMMQ8wDQYDVQQIDAZJc3JhZWwxDzANBgNVBAcMBk1vZGlpbjETMBEGA1UE\r\n"
"CgwKRGVhbG9yIEx0ZDEbMBkGA1UEAwwSRGVhbG9yIEx0ZCBSb290IENBMB4XDTE4\r\n"
"MTAxNzIxMzQ1MVoXDTM4MTAxMjIxMzQ1MVowYTELMAkGA1UEBhMCSUwxDzANBgNV\r\n"
"BAgMBklzcmFlbDEPMA0GA1UEBwwGTW9kaWluMRMwEQYDVQQKDApEZWFsb3IgTHRk\r\n"
"MRswGQYDVQQDDBJEZWFsb3IgTHRkIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUA\r\n"
"A4IBDwAwggEKAoIBAQCw4xphmERxXhc3sNX5nMIvT3OWIZ1jgB42HYtk2G1btrWO\r\n"
"0vT5ipnQzPt/yh7Qpqhevv3ehZ1LEck03MUKbUpswExpt2vByYyA2XCNCKQiuma5\r\n"
"dtDoKgQM3MEqvBxG/tlTyFJ+WLDYDDle/ph+aTBt95D3wZ4kTg0frUNInROBlaVn\r\n"
"rMhyA1lFZNcRK663sR/b8bHms0a2BtGH2hYLteKC+yK+qF+0HPw7p0zn10iAxSyf\r\n"
"QXjD7AATrh/R1vBzPsdYq5vmz5b7Ga5SFlLsooIlL7a04xXNtwLutgZ4nh3ELRqv\r\n"
"ZblzzbWx2JXcyiUNfCYEMNPX7CEv1Kt4okj1V9h5AgMBAAGjYzBhMB0GA1UdDgQW\r\n"
"BBTXBtZ9vhXr55lUcrNVfx+0GDKWlzAfBgNVHSMEGDAWgBTXBtZ9vhXr55lUcrNV\r\n"
"fx+0GDKWlzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG\r\n"
"9w0BAQsFAAOCAQEAQk34R2jGrqUgzL3NFwHZqFohMS6WWFcj7/BN19kjzBIuO4Hp\r\n"
"AQBPHKA28NHUiMuGrTIUWl5zexn9xGH7+3hh7kGrRb4OPnmmNlGQJuvlYD7zcbED\r\n"
"TdficBlX5OMwjkmH5vmN1kAmJmEjRwVmCpczUa1tn78Tp04iJoKU5oFh5ooHlhM/\r\n"
"7GF63MHBmumtI5Uj4vhi8iDrmogBPraknkVXA0i08Ne0/ZOGKql6g0//bI2lke0y\r\n"
"Tg8ViW3+0K7EiuWDd/GV6kQrLR1tGoj9JlooWzrWhA5Xkwgt/HcnE0N+nMXwrx+M\r\n"
"eSLQi24IXkSDqkYB/hyq0nJYTETshNY962us2A==\r\n"
"-----END CERTIFICATE-----\r\n";

static const char* m_Crt = "-----BEGIN CERTIFICATE-----\r\n"
"MIIFQTCCAymgAwIBAgICEAMwDQYJKoZIhvcNAQELBQAwgYMxCzAJBgNVBAYTAklM\r\n"
"MQ8wDQYDVQQIDAZJc3JhZWwxEzARBgNVBAoMCkRlYWxvciBMdGQxKTAnBgNVBAsM\r\n"
"IERlYWxvciBMdGQgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSMwIQYDVQQDDBpEZWFs\r\n"
"b3IgTHRkIEludGVybWVkaWF0ZSBDQTAeFw0xODEwMjQxMDIyNDFaFw0yMDAzMDcx\r\n"
"MDIyNDFaMHsxCzAJBgNVBAYTAklMMQ8wDQYDVQQIDAZJc3JhZWwxDzANBgNVBAcM\r\n"
"Bk1vZGlpbjETMBEGA1UECgwKRGVhbG9yIExURDEaMBgGA1UECwwRRGVhbG9yIExU\r\n"
"RCBkZXZpY2UxGTAXBgNVBAMMEGRlYWxvci1jbGllbnQtMXkwggEiMA0GCSqGSIb3\r\n"
"DQEBAQUAA4IBDwAwggEKAoIBAQDDJwL2tqkrXDoBvuJ0HeNcXpauUKTo40loWiOl\r\n"
"XEwwPc+08ieg2AUv5Fwe+wx2kPLvoU+ZU4YaYHHMq/VtJuGZw++NcL5JiWUWtBcB\r\n"
"wiUgx82B6wqfm3bq0ZkqlW1PipQWkTLW1NUHPwgr4/vmRcuEE2j8Iq0OUEB6cS4u\r\n"
"7a/yHpcVWo28WQ6zhbKnq69qUn1Y6B38Sbn3wqXY7smhRJDxpmo+DZhfsRt8DsK4\r\n"
"c8PlAfHnTYRCWLB0shwErDEItRS0BssziEhIZ56z1vhEZ57bESk/gw0tDu1xNUW+\r\n"
"FvYBY9GsH8xsZqA6fy3M4eHoEq3xqNTGl2TrNbcuQPiVELFhAgMBAAGjgcUwgcIw\r\n"
"CQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwMwYJYIZIAYb4QgENBCYWJE9w\r\n"
"ZW5TU0wgR2VuZXJhdGVkIENsaWVudCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUVPDx\r\n"
"7n6XEUENqkkY7v426A9DWo0wHwYDVR0jBBgwFoAUf8pVFYL6GicgSAbZ0t5nBMTj\r\n"
"qPswDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD\r\n"
"BDANBgkqhkiG9w0BAQsFAAOCAgEAoL5gUHm21V6G43tdHTMrb12/umUuGczDsj09\r\n"
"o+NzH4k1ktL+P5IHsUOr1jWcAETpxlB8fuDUSh5n/onkBEtwS3kN8CdWkESoblyv\r\n"
"MfrsqtJm2I495R3Rj5Kvopv3aHDNphCvFy46VyLh6F4ZxGJR98xU/F9c+5507bhZ\r\n"
"KEQeZJ7udSsZgofq+rUciefdyCi+MxTnwONplMvFouD4pehdAVDmJvw5QHzFNyMJ\r\n"
"Icw+0cw6wlhxJKOEy22eQviaTKrRuU5jaKqB9m7JEqCJdCQ1UTLnU8CTiS6H8Wwb\r\n"
"mMsawvzWqLdp8AdmXzcP0SM2r7XU+lAraDTerCEF0CueN+YNaYwh+Y4T8dUhNyQA\r\n"
"JFPcGRdQh0WL2pSKpdYD63oOMOcIzlPkCKrkLFtTjnsL5JYRY7goCFVo0czSpE2a\r\n"
"rIa2kBvm4QewwSk3f+co9jAmOeY60ue1kpue78dPGsYUYRfaYs8kREWKxieLgUiD\r\n"
"cysVkmXuutzaAzr/v2mr4RdkbxwpV98FPGF/meH1ytWca4m9kO0Qq6YeHRrTyDiY\r\n"
"Myo6mLNfx0ehcDGU5brKEGgXy7UsBVd0oSH0XcurQGzxf6ddmL0+HHoKgX6dlAIb\r\n"
"XOyameFFENM/PoRtYkaeOvBg3GbS6h22tMv74rTpHqdLXxhSkEIK4h2rAqTkLTfw\r\n"
"FzxouHk=\r\n"
"-----END CERTIFICATE-----\r\n";

static const char* m_Key = "-----BEGIN RSA PRIVATE KEY-----\r\n"
"MIIEogIBAAKCAQEAwycC9rapK1w6Ab7idB3jXF6WrlCk6ONJaFojpVxMMD3PtPIn\r\n"
"oNgFL+RcHvsMdpDy76FPmVOGGmBxzKv1bSbhmcPvjXC+SYllFrQXAcIlIMfNgesK\r\n"
"n5t26tGZKpVtT4qUFpEy1tTVBz8IK+P75kXLhBNo/CKtDlBAenEuLu2v8h6XFVqN\r\n"
"vFkOs4Wyp6uvalJ9WOgd/Em598Kl2O7JoUSQ8aZqPg2YX7EbfA7CuHPD5QHx502E\r\n"
"QliwdLIcBKwxCLUUtAbLM4hISGees9b4RGee2xEpP4MNLQ7tcTVFvhb2AWPRrB/M\r\n"
"bGagOn8tzOHh6BKt8ajUxpdk6zW3LkD4lRCxYQIDAQABAoIBAHrGfV/X9UA5Sqk0\r\n"
"fWXOM+819xh91fJKpDFJnGl5Utl62cUeH/5aSZEi2y4GhYXGlYBa/SgaWyEXEiFR\r\n"
"AhwEvSQvF/PlPWIoVXfeHydVDGS+LzWQOOPHPB5pdTJMRjQnnBlCijiMN+XSKwLp\r\n"
"8N2jhXF3gLI34qZBqP8fW43crbflmst3U7Aj576HVpOMP/n+CkEaP8A7gJe3RQfF\r\n"
"JDypKMrMP5rsVNE4SUYmFYowjZ1/s2uaAHukByN420BJkeKZxcO4WsJ9Nl1dtqKf\r\n"
"aWnz0cEa/+xFb5VKeQepw40uRF8GefTRhelvju3A7HB11ynjwHYrfuDFXAj0dEid\r\n"
"MuCzc60CgYEA8dyil0d3UITyiMAU9JQALQ+zMU6mUkjwQm6cs1ugJwF1x7iwfbdC\r\n"
"2Q9jSqJsjtPxXD8CavYk5lCzVOmQeIXCZ/GPH1gjMihTYCgyC957ZJNM3wcx9MKJ\r\n"
"8k2kWMwa9eZOZ8y65JzqP3ZnhR1u0crq/HjeWrIr/LNKR2Fs4KbzJUMCgYEAzo9j\r\n"
"XxYeGbxpMmrzthxW5O7O1QgejDCjh/xQ7p3sptxFgblwNFJ633hgqntugZ251YU9\r\n"
"yuZcRFXT+zwvL0S7AN5rVmE43Hc27v0OW1yYc9f9NPisUVdW+iUIXxcjwkghXBGA\r\n"
"3a8aeTVkyoi0PYV6VPDXNgjYO2gd0hSoEB60UosCgYAZe46h88StdiR7pglPL5zJ\r\n"
"IqNVqZy6hLbTuQXHm/rGwU+giGQICtv/NLDYdz6K2efPOVBO5rpCjfQnGSjAmg8+\r\n"
"lmPnAIlMypTmR7XmLD3B/gcWZJKt4CVaozWSqYaZq/dM1nRGjAXeQ+JqUwyPDBsw\r\n"
"GKgM1ELwMA++b5RiIxTxMwKBgEYSLkubXSqt16Ha1kH46yFOQavSzUoRVehTl8Da\r\n"
"oeUY5BtVpNKbCEO2ulQa+ynNL7VXNdcWvkYQN5EKoZcPYcCxswfigz+G0YPRJIWp\r\n"
"q63gn2zQzuPpFQBWf7iCSQcnIOnyphyNwhVMH5z1Mu+L0CvwZ5FU/sVoVHVnvHt7\r\n"
"bwBxAoGAe+nbWH9+D7qv9Q//SARsVvtkpZBhKfdTWjG9FcoJEC7U1gn1MklxXbp7\r\n"
"xuYbPxr+/RsY1ubjXPsoDE0kui1+4ls4XyRU535KmcGJA3auC+V1sVx9rplJHCi6\r\n"
"NyG0bZRKhh7fvyEAkgfVP7w1RzjBVM4DdZ/DGA5J0YCSM0y/ZVw=\r\n"
"-----END RSA PRIVATE KEY-----\r\n";

char const* CLIENTCERTIFICATES_getCA(void)
{
	return m_CA;
}

int CLIENTCERTIFICATES_getCALength(void)
{
	return strlen(m_CA);
}

char const* CLIENTCERTIFICATES_getCert(void)
{
	return m_Crt;
}

int CLIENTCERTIFICATES_getCertLenght(void)
{
	return strlen(m_Crt);
}

char const* CLIENTCERTIFICATES_getKey(void)
{
	return m_Key;
}

int CLIENTCERTIFICATES_getKeyLength(void)
{
	return strlen(m_Key);
}

static void my_debug( void *ctx, int level,
                      const char *file, int line,
                      const char *str )
{
    ((void) level);

    mbedtls_fprintf( (FILE *) ctx, "%s:%04d: %s", file, line, str );
    fflush(  (FILE *) ctx  );
}

int main( void )
{
    int ret = 1, len;
    int exit_code = MBEDTLS_EXIT_FAILURE;
    mbedtls_net_context server_fd;
    uint32_t flags;
    unsigned char buf[1024];
    const char *pers = "ssl_client1";

    mbedtls_entropy_context entropy;
    mbedtls_ctr_drbg_context ctr_drbg;
    mbedtls_ssl_context ssl;
    mbedtls_ssl_config conf;
    mbedtls_x509_crt cacert;
	mbedtls_x509_crt client_cert;
	mbedtls_pk_context client_key;

#if defined(MBEDTLS_DEBUG_C)
    mbedtls_debug_set_threshold( DEBUG_LEVEL );
#endif

    /*
     * 0. Initialize the RNG and the session data
     */
    mbedtls_net_init( &server_fd );
    mbedtls_ssl_init( &ssl );
    mbedtls_ssl_config_init( &conf );
    mbedtls_x509_crt_init( &cacert );
	mbedtls_x509_crt_init(&client_cert);
	mbedtls_pk_init(&client_key);
	mbedtls_ctr_drbg_init( &ctr_drbg );

    mbedtls_printf( "\n  . Seeding the random number generator..." );
    fflush( stdout );

    mbedtls_entropy_init( &entropy );
    if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
                               (const unsigned char *) pers,
                               strlen( pers ) ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ctr_drbg_seed returned %d\n", ret );
        goto exit;
    }

    mbedtls_printf( " ok\n" );

    /*
     * 0. Initialize certificates
     */
    mbedtls_printf( "  . Loading the CA root certificate ..." );
    fflush( stdout );

    ret = mbedtls_x509_crt_parse( &cacert, (const unsigned char *) CLIENTCERTIFICATES_getCA(),
                          CLIENTCERTIFICATES_getCALength() + 1 );
    if( ret < 0 )
    {
        mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );
        goto exit;
    }

    mbedtls_printf( " ok (%d skipped)\n", ret );

	printf("Loading the client certificate...\n");

	ret = mbedtls_x509_crt_parse(&client_cert,
		CLIENTCERTIFICATES_getCert(),
		CLIENTCERTIFICATES_getCertLenght() + 1);
	if (ret < 0) {
		printf("mbedtls_x509_crt_parse 2 returned -0x%x\n\n", -ret);
		return;
	}

	printf("Loading the client private key...\n");

	ret = mbedtls_pk_parse_key(&client_key,
		CLIENTCERTIFICATES_getKey(),
		CLIENTCERTIFICATES_getKeyLength() + 1, NULL, 0);
	if (ret != 0) {
		printf("mbedtls_pk_parse_key returned -0x%x\n\n", -ret);
		return;
	}

    /*
     * 1. Start the connection
     */
    mbedtls_printf( "  . Connecting to tcp/%s/%s...", SERVER_NAME, SERVER_PORT );
    fflush( stdout );

    if( ( ret = mbedtls_net_connect( &server_fd, SERVER_NAME,
                                         SERVER_PORT, MBEDTLS_NET_PROTO_TCP ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_net_connect returned %d\n\n", ret );
        goto exit;
    }

    mbedtls_printf( " ok\n" );

    /*
     * 2. Setup stuff
     */
    mbedtls_printf( "  . Setting up the SSL/TLS structure..." );
    fflush( stdout );

    if( ( ret = mbedtls_ssl_config_defaults( &conf,
                    MBEDTLS_SSL_IS_CLIENT,
                    MBEDTLS_SSL_TRANSPORT_STREAM,
                    MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
        goto exit;
    }

    mbedtls_printf( " ok\n" );

    /* OPTIONAL is not optimal for security,
     * but makes interop easier in this simplified example */
    mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE );
    mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
    mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
    mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );

    if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_setup returned %d\n\n", ret );
        goto exit;
    }

    if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
        goto exit;
    }

    mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL );

    /*
     * 4. Handshake
     */
    mbedtls_printf( "  . Performing the SSL/TLS handshake..." );
    fflush( stdout );

    while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
    {
        if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
        {
            mbedtls_printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret );
            goto exit;
        }
    }

    mbedtls_printf( " ok\n" );

    /*
     * 5. Verify the server certificate
     */
    mbedtls_printf( "  . Verifying peer X.509 certificate..." );

    /* In real life, we probably want to bail out when ret != 0 */
    if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
    {
        char vrfy_buf[512];

        mbedtls_printf( " failed\n" );

        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );

        mbedtls_printf( "%s\n", vrfy_buf );
    }
    else
        mbedtls_printf( " ok\n" );

    /*
     * 3. Write the GET request
     */
    mbedtls_printf( "  > Write to server:" );
    fflush( stdout );

    len = sprintf( (char *) buf, GET_REQUEST );

    while( ( ret = mbedtls_ssl_write( &ssl, buf, len ) ) <= 0 )
    {
        if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
        {
            mbedtls_printf( " failed\n  ! mbedtls_ssl_write returned %d\n\n", ret );
            goto exit;
        }
    }

    len = ret;
    mbedtls_printf( " %d bytes written\n\n%s", len, (char *) buf );

    /*
     * 7. Read the HTTP response
     */
    mbedtls_printf( "  < Read from server:" );
    fflush( stdout );

    do
    {
        len = sizeof( buf ) - 1;
        memset( buf, 0, sizeof( buf ) );
        ret = mbedtls_ssl_read( &ssl, buf, len );

        if( ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE )
            continue;

        if( ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY )
            break;

        if( ret < 0 )
        {
            mbedtls_printf( "failed\n  ! mbedtls_ssl_read returned %d\n\n", ret );
            break;
        }

        if( ret == 0 )
        {
            mbedtls_printf( "\n\nEOF\n\n" );
            break;
        }

        len = ret;
        mbedtls_printf( " %d bytes read\n\n%s", len, (char *) buf );
    }
    while( 1 );

    mbedtls_ssl_close_notify( &ssl );

    exit_code = MBEDTLS_EXIT_SUCCESS;

exit:

#ifdef MBEDTLS_ERROR_C
    if( exit_code != MBEDTLS_EXIT_SUCCESS )
    {
        char error_buf[100];
        mbedtls_strerror( ret, error_buf, 100 );
        mbedtls_printf("Last error was: %d - %s\n\n", ret, error_buf );
    }
#endif

    mbedtls_net_free( &server_fd );

    mbedtls_x509_crt_free( &cacert );
    mbedtls_ssl_free( &ssl );
    mbedtls_ssl_config_free( &conf );
    mbedtls_ctr_drbg_free( &ctr_drbg );
    mbedtls_entropy_free( &entropy );

#if defined(_WIN32)
    mbedtls_printf( "  + Press Enter to exit this program.\n" );
    fflush( stdout ); getchar();
#endif

    return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_SSL_TLS_C &&
          MBEDTLS_SSL_CLI_C && MBEDTLS_NET_C && MBEDTLS_RSA_C &&
          MBEDTLS_CERTS_C && MBEDTLS_PEM_PARSE_C && MBEDTLS_CTR_DRBG_C &&
          MBEDTLS_X509_CRT_PARSE_C */

Hi @OleksansrTymoshenko
Thank you for your interest in Mbed TLS!

Mbed TLS has a utility program, in programs/utils named strerror which writes the error code in string format, for you to understand wht the error was.
So:

./strerror -0x4e
Last error was: -0x004e - NET - Sending information through the socket failed

./strerror -0x7780
Last error was: -0x7780 - SSL - A fatal alert message was received from our peer

MBEDTLS ERR_NET SEND_FAILED is returned in the default Mbed TLS release in mbedtls_net_send(), when the system call to write() fails. I would have suggested you use a different bio callbacks, that will suit your platform, but since your connection to other server is working, it’s not a matter of the network send function. Since the error is received when you try to send the “client key exchange message”, after you sent your client certificate, I am assuming that the server didn’t accept your certificate, and closed its connection. To confirm, I suggest you print the error code that the write() function returned in mbedtls_net_send(). Have you registered your client root CA certificate with the MQTT server? The reson the connection succeeds with the other server is probably because these servers do not request a client certificate. Have you tried not calling mbedtls_ssl_conf_own_cert(), and undefining MBEDTLS_CERTS_C (you should have it undefined anyway, is it is a definition for test certificates with the Mbed TLS server \ client )?

As for MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE, you will need to look at the log to see when the server sends the alert message, and what is the alert message that is sent. The alert message codes are defined here

I suggest you follow the guidelines here to help you debug your issues.

I hope this will help you debug your issue.
Regards,
Mbed TLS Team member
Ron

Hello Ron!

Thank you very much for the answer. ))

Yes, I have tried it - no changes

I can connect to the server using of this certificates.
openssl s_client -CAfile cacerts.pem -cert client.pem -key client-key.pem -verify 1 -tls1_2 -host 35.226.223.141 -port 8883 -servername 35.226.223.141

Can we suppose that if openssl and musquitto_sub are connecting to the server it means that the certificates is ok? May be yes…

I catched the error code. This is -1.

Regards, Alex.

Hi Alex,

Yes, I have tried it - no changes

Is the error at the same phase?

I can connect to the server using of this certificates.

have you checked that openssl sends the client certificate? Add the -tlsextdebug and -debug parameters to your openssl command, to see if the client certificate is actually sent as the certificate extension

I catched the error code. This is -1.
Yes, this is the error that is returned on failure. But what is the errno? I am sorry for not being coherent enough in my answer.

Regards,
Ron

I added in my mbedtls_net_send function the next lines for tracing.

int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len )
{
    int ret;
    int fd = ((mbedtls_net_context *) ctx)->fd;

    if( fd < 0 ) {
        return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
    }

    ret = (int) write( fd, buf, len );

    if( ret < 0 )
    {
        printf("TRACEPOINT %s %d ret=%d\n", __func__, __LINE__, ret);           // line 483

        if( net_would_block( ctx ) != 0 ) {
            printf("TRACEPOINT %s %d\n", __func__, __LINE__);
            return( MBEDTLS_ERR_SSL_WANT_WRITE );
        }

#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
    !defined(EFI32)
        if( WSAGetLastError() == WSAECONNRESET ) {
            printf("TRACEPOINT %s %d\n", __func__, __LINE__);
            return( MBEDTLS_ERR_NET_CONN_RESET );
        }
#else
        printf("TRACEPOINT %s %d errno=%d\n", __func__, __LINE__, errno);       // line 497

        if( errno == EPIPE || errno == ECONNRESET ) {
            printf("TRACEPOINT %s %d\n", __func__, __LINE__);
            return( MBEDTLS_ERR_NET_CONN_RESET );
        }

        if( errno == EINTR ) {
            printf("TRACEPOINT %s %d\n", __func__, __LINE__);
            return( MBEDTLS_ERR_SSL_WANT_WRITE );
        }
#endif
            printf("TRACEPOINT %s %d\n", __func__, __LINE__);                   // line 509
        return( MBEDTLS_ERR_NET_SEND_FAILED );
    }

    return( ret );
}

As result I have the following log:

ssl_tls.c:2448 message length: 267, out_left: 267
TRACEPOINT mbedtls_net_send 483 ret=-1
TRACEPOINT mbedtls_net_send 497 errno=0
TRACEPOINT mbedtls_net_send 509
ssl_tls.c:2454 ssl->f_send() returned -78 (-0x004e)
ssl_tls.c:2857 mbedtls_ssl_flush_output() returned -78 (-0x004e)
ssl_cli.c:2965 mbedtls_ssl_write_record() returned -78 (-0x004e)
ssl_tls.c:6323 <= handshake
mbedtls_ssl_handshake returned -0x4e
Last error was: -0x4e - UNKNOWN ERROR CODE (004E)

So, errno is equal to 0.

Tomorrow I will start a server on my PC and get traffic using of wireshark.

Hi @OleksansrTymoshenko
The errno you are printing is probably the errno from fcntl function that is called within net_would_block, and this is why it is 0.
It is important to understand if the handshake failures in all cases are at the same phase or not, and that the flow is same in all cases and servers.
please consider comparing logs in all cases.
Regards,
Mbed TLS Team member
Ron

Hello Ron! ))

Sorry but I am don’t understood about errno value. If this value is equal to 0 have it to be good, or not it?

Regards Alex.

Hi Alex,
When you print the errno, you get the error of the last system call used. Since the last system call in the place you printed the errno is fcntl , you get 0, which is success.
However, since write() returned -1, I would suggest to check the specific errno of that specific call. You should check the errno right after you check for ret < 0.
More information on errno can be found here.
Regards,
Ron

Oh, thanks! Now it is clearly! ))

I have added the following code:

    ret = (int) write( fd, buf, len );
    printf("TRACEPOINT %s %d ret = %d\n", __func__, __LINE__, ret);             // line 489

    printf("TRACEPOINT %s %d errno = %d\n", __func__, __LINE__, errno);         // line 491

and got this log:

TRACEPOINT mbedtls_net_send 489 ret = -1
TRACEPOINT mbedtls_net_send 491 errno = 0
TRACEPOINT mbedtls_net_send 495

So, errno is equal to 0 again.

Regards, Alex.

Hi Alex,
This is strange, because if write() returned -1, an errno should definitely be assigned.
From [write() manual]:

On success, the number of bytes written is returned (zero indicates nothing was written). On error, -1 is returned, and errno is set appropriately.

It is probably because the previous call to printf() assigned errno to 0.
Please check errno before doing any other system call. You can print it along the ret as well.
Regards,
Ron

It is really strange.
I added a buffer variable - catch_errno - and put into it a value of errno.
The errno value is equal to 0.
o_O

    ret = (int) write( fd, buf, len );
    int catch_errno = errno;
    printf("TRACEPOINT %s %d ret = %d\n", __func__, __LINE__, ret);             // line 490

    printf("TRACEPOINT %s %d errno = %d\n", __func__, __LINE__, catch_errno);         // line 492
TRACEPOINT mbedtls_net_send 481
TRACEPOINT mbedtls_net_send 490 ret = -1
TRACEPOINT mbedtls_net_send 492 errno = 0

Hi Alex,
This is strange. errno should be set in this case.
You should understand why write() has failed on your platform.

Have you checked the extensions and compared between all the scenarios and use cases?
Regards

Hi Ron! ))

I still can not connect to client server and I am completelly confused. So, let’s take a look on this from other side. I have another server - de-api.ipgeolocation.io - to which I can connect without any certificates or with the option “verify” that is equalt to SSL_VERIFY_NONE. But when I try to change this server on client server I have an error. I assume that in this case I have to setup the option verify to SSL_VERIFY_PEER and also I have to do something else. What? What information has to send my client to me about his server? Certificates? CA? Something else? I am really confused.

Regards, Alex.

Why does the client code need to know the CA? What kind of CA? Where should I take it?

Hi Alex,

I am not sure what you mean that you cannot connect to client server.
When you set the option to SSL_VERIFY_NONE , you ignore the result of the certificate verification, and this means that your connection might be not secure.

Why does the client code need to know the CA? What kind of CA? Where should I take it?

The CA is the Certificate Authority that signed the server device certificate. The client needs to have the CA root certificate, as the root of trust in the verification chain of the server certificate, otherwise, the certificate verification would fail, as no root of trust in the chain, and thus the whole chain is not trusted. You should read in the server what CA signed their certificate. You could also find it by the issuer name of the server’s device certificate, and then search their root CA in the CA’s site( just remember to use same root CA with subject name identical to the device certificate issuer name, and that the signing algorithm is same).

From your description, I am confused on your use case. Is your device a client or a server, and what is the remote side?

Regards
Ron

Hi Ron.

My device is a client. (I’m sorry I confused you - this is my poor level of English)

Tell me please how can I check cipher suites supported by the device and the server? I guess that here can be an trouble.

Regards, Alex.

Hello Ron! ))

These are lists of cipher suites for Server and Client.

// Server
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

// Client
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
TLS_RSA_PSK_WITH_AES_256_CBC_SHA
TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
TLS_RSA_PSK_WITH_AES_128_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

As can see no one is matched.
How can I add support of needed cipher suite to library?

Regards, Alex.

We added on the server missing cipher suites but that did not help.

When I try to connect using of openssl I can connect only if I use -servername option. For example:

openssl s_client -CAfile ca.pem -tls1_2 -host iot-stg.dealor.co.il -port 443 -servername iot-stg.dealor.co.il

What does mean this? How can I use this when working with library?

Regards, Alex.