Mbed forum

Connect to MQTT server

mbed_tls

(Oleksandr Tymoshenko) #21

It is solved.


(Ron Eldor) #22

Hi Alex,
I am glad the issue is solved!
May I know what was the issue? Did you set the host name to iot-stg.dealor.co.il ?

For the benefit of the community, I will give answers to your questions:

Tell me please, how can I check the cipher suites supported by the device and the server?

You can use SSL Labs to test your server and see the supported cipher suites and the certificates used. As you can see, the CA is “Let’s Encrypt”, and you should be able to get the CA root certificate from their website.
As for the list of supported ciphersuites in your Mbed TLS client: by default, all ciphersuites that are supported by Mbed TLS are enabled. You can see the list in ssl_ciphersuites.c. You can enable only a small subset of the ciphersuites by defining MBEDTLS_SSL_CIPHERSUITES in your configuration.

What does this mean? How can I use this when working with the library?

When verifying the certificate, one of the checks that is done is verifying that the subject name (or subject alternative name) matches the host name. This is not always the same as the server address, so if you try to connect to the server with a name different from the server name stated in the subject (or SAN extension), the certificate verification will fail. To set the host name, you should call mbedtls_ssl_set_hostname().
Regards,
Mbed TLS Team member
Ron
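As an added illustration (not Mbed TLS code and not from this thread), the Python below mirrors the name check Ron describes: the name the client connects with must match a dNSName SAN in the certificate (or the CN when the certificate carries no SAN), so connecting by IP address or by a different name fails verification even though the chain itself is valid. The host names and addresses used are constructed sample values.

```python
import ipaddress


def _label_matches(pattern, label):
    """Match one DNS label; a bare '*' may only stand for a whole leftmost label."""
    if pattern == "*":
        return True
    return pattern.lower() == label.lower()


def hostname_matches(hostname, subject_cn, sans):
    """Return True if the name the client connected with is covered by the certificate.

    dNSName/iPAddress SANs take precedence; the CN is only consulted when the
    certificate has no SAN entries (the usual rule for modern TLS clients).
    An IP-address hostname only matches an iPAddress SAN, never a wildcard.
    """
    names = sans if sans else [subject_cn]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None  # hostname is a DNS name, not an IP literal
    for name in names:
        if ip is not None:
            try:
                if ipaddress.ip_address(name) == ip:
                    return True
            except ValueError:
                pass  # a DNS SAN can never satisfy an IP hostname
            continue
        plabels = name.split(".")
        hlabels = hostname.rstrip(".").split(".")
        if len(plabels) != len(hlabels):
            continue
        # A wildcard is only allowed as the whole leftmost label and must
        # leave at least two fixed labels (so '*.com' is rejected).
        if "*" in name and (plabels[0] != "*" or len(plabels) < 3):
            continue
        if all(_label_matches(p, h) for p, h in zip(plabels, hlabels)):
            return True
    return False
```

This is the kind of mismatch mbedtls_ssl_set_hostname() exists to resolve: without it, or with a name that is not in the certificate, the handshake fails at verification rather than on a broken chain.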


(Oleksandr Tymoshenko) #23

The main reason why the device failed to connect to the server is missing the mbedtls_ssl_set_hostname call. So when I added it, my device connected to the server.

    /* Hostname set here should match CN in server certificate */
    if (wificlient->serverName) {
        printf("Setting hostname for TLS session...\n");
        if ((ret = mbedtls_ssl_set_hostname(&wificlient->ssl, wificlient->serverName)) != 0) {
            printf("mbedtls_ssl_set_hostname returned -0x%x\n", -ret);
            return false;
        }
    }

Also I have troubles with Espressif RTOS SDK examples - they don’t want to work even with mbedtls_ssl_set_hostname call. But that’s another story.

I wish you all good luck! ))))