Error connecting to iot.eclipse.org

Mbed TLS Crypto and SSL questions
1

Hello,
I’m trying to connect to iot.eclipse.org in TLS. I have already successfully connected to test.mosquitto.org using TLS.
Unfortunately, even if I took the server certificate using the command “openssl s_client -showcerts -connect iot.eclipse.org:8883” and put them into my firmware, I can’t connect to this broker.
Here attached the log:

=> handshake
, at line 6557 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

client state: 0
, at line 3363 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

=> flush output
, at line 2416 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= flush output
, at line 2428 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

client state: 1
, at line 3363 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

=> flush output
, at line 2416 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= flush output
, at line 2428 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> write client hello
, at line 719 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, max version: [3:3]
, at line 757 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, current time: 0
, at line 695 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

dumping 'client hello, random bytes' (32 bytes)
, at line 766 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

0000:  00 00 00 00 3c 3e 67 c0 9f da f3 11 7c 21 27 44  ....<>g.....|!'D
, at line 766 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

0010:  6c 98 e2 d6 87 6c 65 27 40 0c 0b ce 13 e8 43 ca  l....le'@.....C.
, at line 766 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, session id len.: 0
, at line 819 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

dumping 'client hello, session id' (0 bytes)
, at line 820 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, add ciphersuite: c02c
, at line 887 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, add ciphersuite: c02b
, at line 887 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, add ciphersuite: c030
, at line 887 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, got 4 ciphersuites
, at line 920 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, compress len.: 1
, at line 951 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, compress alg.: 0
, at line 953 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, adding signature_algorithms extension
, at line 178 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, adding supported_elliptic_curves extension
, at line 263 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, adding supported_point_formats extension
, at line 328 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, total extension length: 38
, at line 1025 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

=> write record
, at line 2701 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

output record: msgtype = 22, version = [3:1], msglen = 91
, at line 2838 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> flush output
, at line 2416 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

message length: 96, out_left: 96
, at line 2435 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

ssl->f_send() returned 96 (-0xffffffa0)
, at line 2441 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= flush output
, at line 2460 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= write record
, at line 2850 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= write client hello
, at line 1051 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client state: 2
, at line 3363 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

=> flush output
, at line 2416 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= flush output
, at line 2428 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> parse server hello
, at line 1447 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

=> read record
, at line 3721 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> fetch input
, at line 2208 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

in_left: 0, nb_want: 5
, at line 2366 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

in_left: 0, nb_want: 5
, at line 2390 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

ssl->f_recv(_timeout)() returned 0 (-0x0000)
, at line 2391 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

mbedtls_ssl_fetch_input() returned -29312 (-0x7280)
, at line 3875 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

mbedtls_ssl_read_record_layer() returned -29312 (-0x7280)
, at line 3729 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

mbedtls_ssl_read_record() returned -29312 (-0x7280)
, at line 1454 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

<= handshake
, at line 6567 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> handshake
, at line 6557 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

client state: 2
, at line 3363 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

=> flush output
, at line 2416 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= flush output
, at line 2428 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> parse server hello
, at line 1447 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

=> read record
, at line 3721 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> fetch input
, at line 2208 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

in_left: 0, nb_want: 5
, at line 2366 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

in_left: 0, nb_want: 5
, at line 2390 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

ssl->f_recv(_timeout)() returned 0 (-0x0000)
, at line 2391 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

mbedtls_ssl_fetch_input() returned -29312 (-0x7280)
, at line 3875 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

mbedtls_ssl_read_record_layer() returned -29312 (-0x7280)
, at line 3729 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

mbedtls_ssl_read_record() returned -29312 (-0x7280)
, at line 1454 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

<= handshake
, at line 6567 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> handshake
, at line 6557 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

client state: 2
, at line 3363 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

=> flush output
, at line 2416 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= flush output
, at line 2428 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> parse server hello
, at line 1447 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

=> read record
, at line 3721 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> fetch input
, at line 2208 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

in_left: 0, nb_want: 5
, at line 2366 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

in_left: 0, nb_want: 5
, at line 2390 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
, at line 2391 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= fetch input
, at line 2403 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

input record: msgtype = 22, version = [3:3], msglen = 89
, at line 3487 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> fetch input
, at line 2208 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

in_left: 5, nb_want: 94
, at line 2366 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

in_left: 5, nb_want: 94
, at line 2390 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

ssl->f_recv(_timeout)() returned 89 (-0xffffffa7)
, at line 2391 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= fetch input
, at line 2403 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

handshake message: msglen = 89, type = 2, hslen = 89
, at line 3089 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= read record
, at line 3754 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

dumping 'server hello, version' (2 bytes)
, at line 1527 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

0000:  03 03                                            ..
, at line 1527 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

server hello, current time: 1545132704
, at line 1553 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

dumping 'server hello, random bytes' (32 bytes)
, at line 1560 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

0000:  5c 18 da a0 5a 34 fd 82 d5 2b 2b 15 01 54 f9 d7  \...Z4...++..T..
, at line 1560 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

0010:  66 2d 76 08 80 14 86 08 17 33 0e 2c 89 d6 85 28  f-v......3.,...(
, at line 1560 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

server hello, session id len.: 32
, at line 1640 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

dumping 'server hello, session id' (32 bytes)
, at line 1641 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

0000:  fe 8a e7 04 29 a4 3b 99 14 b5 c4 f9 68 3b 62 83  ....).;.....h;b.
, at line 1641 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

0010:  31 35 d3 dd 9d 34 4c 84 7e 6c 76 95 f5 ab 61 f7  15...4L.~lv...a.
, at line 1641 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

no session has been resumed
, at line 1679 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

server hello, chosen ciphersuite: c030
, at line 1681 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

server hello, compress alg.: 0
, at line 1682 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

server hello, chosen ciphersuite: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
, at line 1698 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

server hello, total extension length: 13
, at line 1733 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

found renegotiation extension
, at line 1753 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

found supported_point_formats extension
, at line 1832 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

<= parse server hello
, at line 1922 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client state: 3
, at line 3363 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

=> flush output
, at line 2416 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= flush output
, at line 2428 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> parse certificate
, at line 4320 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> read record
, at line 3721 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> fetch input
, at line 2208 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

in_left: 0, nb_want: 5
, at line 2366 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

in_left: 0, nb_want: 5
, at line 2390 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
, at line 2391 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= fetch input
, at line 2403 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

input record: msgtype = 22, version = [3:3], msglen = 2737
, at line 3487 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> fetch input
, at line 2208 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

in_left: 5, nb_want: 2742
, at line 2366 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

in_left: 5, nb_want: 2742
, at line 2390 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

ssl->f_recv(_timeout)() returned 0 (-0x0000)
, at line 2391 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

mbedtls_ssl_fetch_input() returned -29312 (-0x7280)
, at line 3917 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

mbedtls_ssl_read_record_layer() returned -29312 (-0x7280)
, at line 3729 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

mbedtls_ssl_read_record() returned -29312 (-0x7280)
, at line 4360 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= handshake
, at line 6567 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> handshake
, at line 6557 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

client state: 3
, at line 3363 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

=> flush output
, at line 2416 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= flush output
, at line 2428 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> parse certificate
, at line 4320 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> read record
, at line 3721 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> fetch input
, at line 2208 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

.....

in_left: 5, nb_want: 5
, at line 2366 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= fetch input
, at line 2403 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

input record: msgtype = 22, version = [3:3], msglen = 2737
, at line 3487 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> fetch input
, at line 2208 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

in_left: 5, nb_want: 2742
, at line 2366 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

in_left: 5, nb_want: 2742
, at line 2390 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

ssl->f_recv(_timeout)() returned 0 (-0x0000)
, at line 2391 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

mbedtls_ssl_fetch_input() returned -29312 (-0x7280)
, at line 3917 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

mbedtls_ssl_read_record_layer() returned -29312 (-0x7280)
, at line 3729 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

mbedtls_ssl_read_record() returned -29312 (-0x7280)
, at line 4360 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= handshake
, at line 6567 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

mbedtls_ssl_handshake() returned -29312 (-0x7280)
, at line 7160 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> free
, at line 7344 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= free
, at line 7409 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> handshake
, at line 6557 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

client state: 0
, at line 3363 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

=> flush output
, at line 2416 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= flush output
, at line 2428 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

client state: 1
, at line 3363 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

=> flush output
, at line 2416 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= flush output
, at line 2428 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> write client hello
, at line 719 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, max version: [3:3]
, at line 757 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, current time: 0
, at line 695 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

dumping 'client hello, random bytes' (32 bytes)
, at line 766 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

0000:  00 00 00 00 3c 3e 67 c0 9f da f3 11 7c 21 27 44  ....<>g.....|!'D
, at line 766 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

0010:  6c 98 e2 d6 87 6c 65 27 40 0c 0b ce 13 e8 43 ca  l....le'@.....C.
, at line 766 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, session id len.: 0
, at line 819 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

dumping 'client hello, session id' (0 bytes)
, at line 820 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, add ciphersuite: c02c
, at line 887 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, add ciphersuite: c02b
, at line 887 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, add ciphersuite: c030
, at line 887 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, got 4 ciphersuites
, at line 920 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, compress len.: 1
, at line 951 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, compress alg.: 0
, at line 953 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, adding signature_algorithms extension
, at line 178 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, adding supported_elliptic_curves extension
, at line 263 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, adding supported_point_formats extension
, at line 328 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client hello, total extension length: 38
, at line 1025 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

=> write record
, at line 2701 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

output record: msgtype = 22, version = [3:1], msglen = 91
, at line 2838 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> flush output
, at line 2416 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

message length: 96, out_left: 96
, at line 2435 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

ssl->f_send() returned 96 (-0xffffffa0)
, at line 2441 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= flush output
, at line 2460 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= write record
, at line 2850 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= write client hello
, at line 1051 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

client state: 2
, at line 3363 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

=> flush output
, at line 2416 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= flush output
, at line 2428 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> parse server hello
, at line 1447 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

=> read record
, at line 3721 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> fetch input
, at line 2208 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

in_left: 0, nb_want: 5
, at line 2366 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

in_left: 0, nb_want: 5
, at line 2390 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
, at line 2391 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= fetch input
, at line 2403 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

input record: msgtype = 11, version = [0:10], msglen = 44288
, at line 3487 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

unknown record type
, at line 3495 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> send alert message
, at line 4124 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

send alert level=2 message=10
, at line 4125 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> write record
, at line 2701 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

output record: msgtype = 21, version = [3:1], msglen = 2
, at line 2838 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> flush output
, at line 2416 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

message length: 7, out_left: 7
, at line 2435 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

ssl->f_send() returned 7 (-0xfffffff9)
, at line 2441 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= flush output
, at line 2460 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= write record
, at line 2850 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= send alert message
, at line 4137 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

mbedtls_ssl_read_record_layer() returned -29184 (-0x7200)
, at line 3729 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

mbedtls_ssl_read_record() returned -29184 (-0x7200)
, at line 1454 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

<= handshake
, at line 6567 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> handshake
, at line 6557 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

client state: 2
, at line 3363 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

=> flush output
, at line 2416 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= flush output
, at line 2428 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> parse server hello
, at line 1447 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

=> read record
, at line 3721 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> fetch input
, at line 2208 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

in_left: 5, nb_want: 5
, at line 2366 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= fetch input
, at line 2403 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

input record: msgtype = 11, version = [0:10], msglen = 44288
, at line 3487 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

unknown record type
, at line 3495 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> send alert message
, at line 4124 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

send alert level=2 message=10
, at line 4125 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> write record
, at line 2701 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

output record: msgtype = 21, version = [3:1], msglen = 2
, at line 2838 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> flush output
, at line 2416 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

message length: 7, out_left: 7
, at line 2435 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

ssl->f_send() returned 7 (-0xfffffff9)
, at line 2441 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= flush output
, at line 2460 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= write record
, at line 2850 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= send alert message
, at line 4137 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

mbedtls_ssl_read_record_layer() returned -29184 (-0x7200)
, at line 3729 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

mbedtls_ssl_read_record() returned -29184 (-0x7200)
, at line 1454 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

<= handshake
, at line 6567 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> handshake
, at line 6557 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

client state: 2
, at line 3363 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

=> flush output
, at line 2416 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= flush output
, at line 2428 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> parse server hello
, at line 1447 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

=> read record
, at line 3721 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> fetch input
, at line 2208 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

in_left: 5, nb_want: 5
, at line 2366 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= fetch input
, at line 2403 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

input record: msgtype = 11, version = [0:10], msglen = 44288
, at line 3487 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

unknown record type
, at line 3495 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> send alert message
, at line 4124 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

send alert level=2 message=10
, at line 4125 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> write record
, at line 2701 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

output record: msgtype = 21, version = [3:1], msglen = 2
, at line 2838 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

=> flush output
, at line 2416 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

message length: 7, out_left: 7
, at line 2435 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

ssl->f_send() returned 7 (-0xfffffff9)
, at line 2441 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= flush output
, at line 2460 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= write record
, at line 2850 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

<= send alert message
, at line 4137 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

mbedtls_ssl_read_record_layer() returned -29184 (-0x7200)
, at line 3729 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

mbedtls_ssl_read_record() returned -29184 (-0x7200)
, at line 1454 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_cli.c

<= handshake
, at line 6567 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c
mqtt_connection_cb: Disconnected, reason: 256

What could be the reason?
Thank you,
Mattia Berton

2

Hi @MattiaBerton
Thank you for your query.
I have modified it for readability reasons.

I suggest you look at Debugging TLS sessions — Mbed TLS documentation for assistance in debugging.

Regarding your statement:

even if I took the server certificate using the command “openssl s_client -showcerts -connect iot.eclipse.org:8883” and put them into my firmware, I can’t connect to this broker.

This is not the correct approach. You should take the CA certificate(in your case it’s from “Let’s Encrypt”) and put it in your firmware, not the server certificate.

The log you attached show several issues:

mbedtls_ssl_fetch_input() returned -29312 (-0x7280)

error -0x7280 is MBEDTLS_ERR_SSL_CONN_EOF which means that the server closed the connection,

You can use the sample program programs/util/strerror to understand the error codes

I believe the root cause for your failures are based on the following lines:

input record: msgtype = 11, version = [0:10], msglen = 44288 , at line 3487 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c 
unknown record type , at line 3495 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c
send alert message , at line 4124 in file ..\Middlewares\Third_Party\mbedTLS\library\ssl_tls.c

There is no version 0:10 and the message length of 44288 is invalid ( TLS limits handshake messages with 32KB)
I believe this message got corrupted some how, which causes the error. Please check you bio callbacks and verify you don’t have any memory leak.

For reference, I have used the sample program ssl_client2 with your broker, and manged to get a successful TLS handshake:

./ssl_client2 server_name=iot.eclipse.org server_port=8883 debug_level=3 ca_path=~/work/ca_certs/

  . Seeding the random number generator... ok
  . Loading the CA root certificate ... ok (0 skipped)
  . Loading the client cert. and key... ok
  . Connecting to tcp/iot.eclipse.org/8883... ok
  . Setting up the SSL/TLS structure...ssl_tls.c:0081: |3| set_timer to 0 ms
 ok
  . Performing the SSL/TLS handshake...ssl_tls.c:8084: |2| => handshake
ssl_cli.c:3510: |2| client state: 0
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_cli.c:3510: |2| client state: 1
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_cli.c:0774: |2| => write client hello
ssl_cli.c:0812: |3| client hello, max version: [3:3]
ssl_cli.c:0703: |3| client hello, current time: 1545139872
ssl_cli.c:0821: |3| dumping 'client hello, random bytes' (32 bytes)
ssl_cli.c:0821: |3| 0000:  5c 18 f6 a0 06 e1 4f e9 5a 40 a2 e3 5a 34 35 24  \.....O.Z@..Z45$
ssl_cli.c:0821: |3| 0010:  4c 9e fa 76 40 bf 61 e2 9a 4a 91 5c 49 c3 f2 bf  L..v@.a..J.\I...
ssl_cli.c:0874: |3| client hello, session id len.: 0
ssl_cli.c:0875: |3| dumping 'client hello, session id' (0 bytes)
ssl_cli.c:0922: |3| client hello, add ciphersuite: cca8
.
.
.
ssl_cli.c:0922: |3| client hello, add ciphersuite: 008b
ssl_cli.c:0934: |3| client hello, got 137 ciphersuites (excluding SCSVs)
ssl_cli.c:0943: |3| adding EMPTY_RENEGOTIATION_INFO_SCSV
ssl_cli.c:0992: |3| client hello, compress len.: 1
ssl_cli.c:0994: |3| client hello, compress alg.: 0
ssl_cli.c:0069: |3| client hello, adding server name extension: iot.eclipse.org
ssl_cli.c:0186: |3| client hello, adding signature_algorithms extension
ssl_cli.c:0271: |3| client hello, adding supported_elliptic_curves extension
ssl_cli.c:0336: |3| client hello, adding supported_point_formats extension
ssl_cli.c:0518: |3| client hello, adding encrypt_then_mac extension
ssl_cli.c:0552: |3| client hello, adding extended_master_secret extension
ssl_cli.c:0585: |3| client hello, adding session ticket extension
ssl_cli.c:1071: |3| client hello, total extension length: 96
ssl_tls.c:3184: |2| => write handshake message
ssl_tls.c:3343: |2| => write record
ssl_tls.c:3423: |3| output record: msgtype = 22, version = [3:1], msglen = 417
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2774: |2| message length: 422, out_left: 422
ssl_tls.c:2779: |2| ssl->f_send() returned 422 (-0xfffffe5a)
ssl_tls.c:2807: |2| <= flush output
ssl_tls.c:3476: |2| <= write record
ssl_tls.c:3320: |2| <= write handshake message
ssl_cli.c:1106: |2| <= write client hello
ssl_cli.c:3510: |2| client state: 2
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_cli.c:1499: |2| => parse server hello
ssl_tls.c:4311: |2| => read record
ssl_tls.c:2536: |2| => fetch input
ssl_tls.c:2697: |2| in_left: 0, nb_want: 5
ssl_tls.c:2721: |2| in_left: 0, nb_want: 5
ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
ssl_tls.c:2742: |2| <= fetch input
ssl_tls.c:4056: |3| input record: msgtype = 22, version = [3:3], msglen = 61
ssl_tls.c:2536: |2| => fetch input
ssl_tls.c:2697: |2| in_left: 5, nb_want: 66
ssl_tls.c:2721: |2| in_left: 5, nb_want: 66
ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned 61 (-0xffffffc3)
ssl_tls.c:2742: |2| <= fetch input
ssl_tls.c:3626: |3| handshake message: msglen = 61, type = 2, hslen = 61
ssl_tls.c:4385: |2| <= read record
ssl_cli.c:1579: |3| dumping 'server hello, version' (2 bytes)
ssl_cli.c:1579: |3| 0000:  03 03                                            ..
ssl_cli.c:1604: |3| server hello, current time: 1545139874
ssl_cli.c:1610: |3| dumping 'server hello, random bytes' (32 bytes)
ssl_cli.c:1610: |3| 0000:  5c 18 f6 a2 5a 8b 6c f3 d2 54 0a 03 de 17 4d 0c  \...Z.l..T....M.
ssl_cli.c:1610: |3| 0010:  4d 0a dc 66 e6 19 c7 1f 4d ec 0a c8 8e 32 09 a0  M..f....M....2..
ssl_cli.c:1690: |3| server hello, session id len.: 0
ssl_cli.c:1691: |3| dumping 'server hello, session id' (0 bytes)
ssl_cli.c:1729: |3| no session has been resumed
ssl_cli.c:1731: |3| server hello, chosen ciphersuite: c030
ssl_cli.c:1732: |3| server hello, compress alg.: 0
ssl_cli.c:1764: |3| server hello, chosen ciphersuite: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
ssl_cli.c:1789: |2| server hello, total extension length: 17
ssl_cli.c:1809: |3| found renegotiation extension
ssl_cli.c:1888: |3| found supported_point_formats extension
ssl_cli.c:1874: |3| found session_ticket extension
ssl_cli.c:1978: |2| <= parse server hello
ssl_cli.c:3510: |2| client state: 3
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_tls.c:5655: |2| => parse certificate
ssl_tls.c:4311: |2| => read record
ssl_tls.c:2536: |2| => fetch input
ssl_tls.c:2697: |2| in_left: 0, nb_want: 5
ssl_tls.c:2721: |2| in_left: 0, nb_want: 5
ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
ssl_tls.c:2742: |2| <= fetch input
ssl_tls.c:4056: |3| input record: msgtype = 22, version = [3:3], msglen = 2737
ssl_tls.c:2536: |2| => fetch input
ssl_tls.c:2697: |2| in_left: 5, nb_want: 2742
ssl_tls.c:2721: |2| in_left: 5, nb_want: 2742
ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned 1277 (-0xfffffb03)
ssl_tls.c:2721: |2| in_left: 1282, nb_want: 2742
ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned 1348 (-0xfffffabc)
ssl_tls.c:2721: |2| in_left: 2630, nb_want: 2742
ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned 112 (-0xffffff90)
ssl_tls.c:2742: |2| <= fetch input
ssl_tls.c:3626: |3| handshake message: msglen = 2737, type = 11, hslen = 2737
ssl_tls.c:4385: |2| <= read record
ssl_tls.c:5606: |3| peer certificate #1:
ssl_tls.c:5606: |3| cert. version     : 3
ssl_tls.c:5606: |3| serial number     : 04:5B:4C:20:2F:B1:52:D1:9D:E7:7D:5F:FF:06:67:31:7B:E3
ssl_tls.c:5606: |3| issuer name       : C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
ssl_tls.c:5606: |3| subject name      : CN=iot.eclipse.org
ssl_tls.c:5606: |3| issued  on        : 2018-10-01 10:08:50
ssl_tls.c:5606: |3| expires on        : 2018-12-30 10:08:50
ssl_tls.c:5606: |3| signed using      : RSA with SHA-256
ssl_tls.c:5606: |3| RSA key size      : 2048 bits
ssl_tls.c:5606: |3| basic constraints : CA=false
ssl_tls.c:5606: |3| subject alt name  : iot.eclipse.org
ssl_tls.c:5606: |3| key usage         : Digital Signature, Key Encipherment
ssl_tls.c:5606: |3| ext key usage     : TLS Web Server Authentication, TLS Web Client Authentication
ssl_tls.c:5606: |3| value of 'crt->rsa.N' (2048 bits) is:
ssl_tls.c:5606: |3|  c9 12 b7 f0 4a b3 7a b7 c5 ab cc d0 d9 d3 f1 77
ssl_tls.c:5606: |3|  a4 5d 0e cf d0 e6 8b 46 00 48 d3 3d 15 97 c3 b4
ssl_tls.c:5606: |3|  d9 9f d6 31 c2 f3 2a 91 c1 e5 bd cc 97 b2 6f a2
ssl_tls.c:5606: |3|  2d 04 df a7 5a 0c 14 75 ac 48 e5 49 b2 db fc 24
ssl_tls.c:5606: |3|  03 06 97 d1 8c d9 ac 73 b2 47 b3 f2 a0 04 11 58
ssl_tls.c:5606: |3|  88 57 3e 18 9c f0 46 77 51 31 40 13 f6 04 f8 a8
ssl_tls.c:5606: |3|  93 57 e0 6a 33 a2 50 ff 07 58 8f d4 0d 80 34 c7
ssl_tls.c:5606: |3|  05 50 9f ef 00 84 77 e7 e4 f1 37 9b 6d 03 93 fb
ssl_tls.c:5606: |3|  e2 d8 0b 93 61 c9 4e 39 0f 80 eb 6c a4 c0 9a 4d
ssl_tls.c:5606: |3|  0c 2b 5f b6 4e 6a f5 0f 1a dd 1a 68 0f cd e5 be
ssl_tls.c:5606: |3|  c3 ee 25 c9 15 9d a3 c6 f7 57 47 ec 15 c5 54 53
ssl_tls.c:5606: |3|  16 b1 3e db aa 78 ca 8e dd c9 0e 2d bf 67 ea ff
ssl_tls.c:5606: |3|  4c 25 e7 d3 ee 94 69 b9 59 06 7c f8 63 43 5f bc
ssl_tls.c:5606: |3|  9e 1f b5 70 cf 25 3a 35 0d 7d 8b 10 f4 44 17 a3
ssl_tls.c:5606: |3|  b0 d4 1a f0 13 c9 b6 c1 7a f5 7a 1f 73 63 30 8d
ssl_tls.c:5606: |3|  79 41 61 77 cf 00 04 cf d1 04 88 c3 a6 59 38 15
ssl_tls.c:5606: |3| value of 'crt->rsa.E' (17 bits) is:
ssl_tls.c:5606: |3|  01 00 01
ssl_tls.c:5606: |3| peer certificate #2:
ssl_tls.c:5606: |3| cert. version     : 3
ssl_tls.c:5606: |3| serial number     : 0A:01:41:42:00:00:01:53:85:73:6A:0B:85:EC:A7:08
ssl_tls.c:5606: |3| issuer name       : O=Digital Signature Trust Co., CN=DST Root CA X3
ssl_tls.c:5606: |3| subject name      : C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
ssl_tls.c:5606: |3| issued  on        : 2016-03-17 16:40:46
ssl_tls.c:5606: |3| expires on        : 2021-03-17 16:40:46
ssl_tls.c:5606: |3| signed using      : RSA with SHA-256
ssl_tls.c:5606: |3| RSA key size      : 2048 bits
ssl_tls.c:5606: |3| basic constraints : CA=true, max_pathlen=0
ssl_tls.c:5606: |3| key usage         : Digital Signature, Key Cert Sign, CRL Sign
ssl_tls.c:5606: |3| value of 'crt->rsa.N' (2048 bits) is:
ssl_tls.c:5606: |3|  9c d3 0c f0 5a e5 2e 47 b7 72 5d 37 83 b3 68 63
ssl_tls.c:5606: |3|  30 ea d7 35 26 19 25 e1 bd be 35 f1 70 92 2f b7
ssl_tls.c:5606: |3|  b8 4b 41 05 ab a9 9e 35 08 58 ec b1 2a c4 68 87
ssl_tls.c:5606: |3|  0b a3 e3 75 e4 e6 f3 a7 62 71 ba 79 81 60 1f d7
ssl_tls.c:5606: |3|  91 9a 9f f3 d0 78 67 71 c8 69 0e 95 91 cf fe e6
ssl_tls.c:5606: |3|  99 e9 60 3c 48 cc 7e ca 4d 77 12 24 9d 47 1b 5a
ssl_tls.c:5606: |3|  eb b9 ec 1e 37 00 1c 9c ac 7b a7 05 ea ce 4a eb
ssl_tls.c:5606: |3|  bd 41 e5 36 98 b9 cb fd 6d 3c 96 68 df 23 2a 42
ssl_tls.c:5606: |3|  90 0c 86 74 67 c8 7f a5 9a b8 52 61 14 13 3f 65
ssl_tls.c:5606: |3|  e9 82 87 cb db fa 0e 56 f6 86 89 f3 85 3f 97 86
ssl_tls.c:5606: |3|  af b0 dc 1a ef 6b 0d 95 16 7d c4 2b a0 65 b2 99
ssl_tls.c:5606: |3|  04 36 75 80 6b ac 4a f3 1b 90 49 78 2f a2 96 4f
ssl_tls.c:5606: |3|  2a 20 25 29 04 c6 74 c0 d0 31 cd 8f 31 38 95 16
ssl_tls.c:5606: |3|  ba a8 33 b8 43 f1 b1 1f c3 30 7f a2 79 31 13 3d
ssl_tls.c:5606: |3|  2d 36 f8 e3 fc f2 33 6a b9 39 31 c5 af c4 8d 0d
ssl_tls.c:5606: |3|  1d 64 16 33 aa fa 84 29 b6 d4 0b c0 d8 7d c3 93
ssl_tls.c:5606: |3| value of 'crt->rsa.E' (17 bits) is:
ssl_tls.c:5606: |3|  01 00 01

Verify requested for (Depth 1):
cert. version     : 3
serial number     : 0A:01:41:42:00:00:01:53:85:73:6A:0B:85:EC:A7:08
issuer name       : O=Digital Signature Trust Co., CN=DST Root CA X3
subject name      : C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
issued  on        : 2016-03-17 16:40:46
expires on        : 2021-03-17 16:40:46
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage         : Digital Signature, Key Cert Sign, CRL Sign
  This certificate has no flags

Verify requested for (Depth 0):
cert. version     : 3
serial number     : 04:5B:4C:20:2F:B1:52:D1:9D:E7:7D:5F:FF:06:67:31:7B:E3
issuer name       : C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
subject name      : CN=iot.eclipse.org
issued  on        : 2018-10-01 10:08:50
expires on        : 2018-12-30 10:08:50
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  : iot.eclipse.org
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication, TLS Web Client Authentication
  This certificate has no flags
ssl_tls.c:5856: |3| Certificate verification flags clear
ssl_tls.c:5863: |2| <= parse certificate
ssl_cli.c:3510: |2| client state: 4
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_cli.c:2336: |2| => parse server key exchange
ssl_tls.c:4311: |2| => read record
ssl_tls.c:2536: |2| => fetch input
ssl_tls.c:2697: |2| in_left: 0, nb_want: 5
ssl_tls.c:2721: |2| in_left: 0, nb_want: 5
ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
ssl_tls.c:2742: |2| <= fetch input
ssl_tls.c:4056: |3| input record: msgtype = 22, version = [3:3], msglen = 333
ssl_tls.c:2536: |2| => fetch input
ssl_tls.c:2697: |2| in_left: 5, nb_want: 338
ssl_tls.c:2721: |2| in_left: 5, nb_want: 338
ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned 333 (-0xfffffeb3)
ssl_tls.c:2742: |2| <= fetch input
ssl_tls.c:3626: |3| handshake message: msglen = 333, type = 12, hslen = 333
ssl_tls.c:4385: |2| <= read record
ssl_cli.c:2424: |3| dumping 'server key exchange' (329 bytes)
ssl_cli.c:2424: |3| 0000:  03 00 17 41 04 81 50 7b c7 ce c8 76 35 ef 7a 93  ...A..P{...v5.z.
ssl_cli.c:2424: |3| 0010:  74 f1 84 f4 6a 2c 82 1d 41 56 93 f2 83 b4 e8 04  t...j,..AV......
ssl_cli.c:2424: |3| 0020:  d3 7a 38 e2 c6 76 a5 eb 1a ce 38 a0 96 eb 1c a9  .z8..v....8.....
ssl_cli.c:2424: |3| 0030:  5a d6 e8 b5 45 d0 a6 6d f1 7d 24 dd 8c 52 f2 0f  Z...E..m.}$..R..
ssl_cli.c:2424: |3| 0040:  6e 81 04 31 bb 06 01 01 00 c2 d8 5f 56 d9 14 5e  n..1......._V..^
ssl_cli.c:2424: |3| 0050:  49 18 f7 0c b6 c3 3a 8b 0d c4 3a 21 bc 02 07 41  I.....:...:!...A
ssl_cli.c:2424: |3| 0060:  04 40 9d 13 e3 e6 fd 95 b3 3e a1 84 82 3b 28 ca  .@.......>...;(.
ssl_cli.c:2424: |3| 0070:  e6 95 85 06 2e d3 b4 1f c2 9b d5 b5 5f 54 0b b8  ............_T..
ssl_cli.c:2424: |3| 0080:  00 dd fb 91 5c fb 97 53 7f 8e cc bb d7 a2 1b 38  ....\..S.......8
ssl_cli.c:2424: |3| 0090:  68 e2 0d d8 eb 1c bc 74 d5 c9 d0 9d ad 28 3f ef  h......t.....(?.
ssl_cli.c:2424: |3| 00a0:  18 8e a4 01 04 5b 96 71 d4 08 c0 5e ca 02 99 2f  .....[.q...^.../
ssl_cli.c:2424: |3| 00b0:  74 29 d1 f8 23 04 2f 8a 86 75 40 cf 0c e5 4e 54  t)..#./..u@...NT
ssl_cli.c:2424: |3| 00c0:  53 e4 bd f7 aa c3 52 ea 70 f1 17 d6 fc e1 f0 ca  S.....R.p.......
ssl_cli.c:2424: |3| 00d0:  c5 99 c7 65 48 2f a3 7b 2c eb d6 f9 f6 24 98 a8  ...eH/.{,....$..
ssl_cli.c:2424: |3| 00e0:  75 d0 d0 ea b9 51 46 74 54 b4 63 3b 0d d0 73 2a  u....QFtT.c;..s*
ssl_cli.c:2424: |3| 00f0:  72 49 37 88 86 97 aa 23 46 05 ba 78 70 8b e4 f1  rI7....#F..xp...
ssl_cli.c:2424: |3| 0100:  db 21 11 ab ea d6 eb 74 19 7f 94 17 5e 79 75 0d  .!.....t....^yu.
ssl_cli.c:2424: |3| 0110:  ea 16 ef 9f 7b 7a 94 81 b2 9f 69 2f ac 13 4a e7  ....{z....i/..J.
ssl_cli.c:2424: |3| 0120:  1b 53 14 48 dc 4f 4a 8e ab bc b5 0d fc 28 cf fa  .S.H.OJ......(..
ssl_cli.c:2424: |3| 0130:  a0 c2 cc 19 d6 a3 18 2f 9d b4 d5 16 92 75 2e aa  ......./.....u..
ssl_cli.c:2424: |3| 0140:  17 c5 fd 4e 13 c9 95 85 c8                       ...N.....
ssl_cli.c:2044: |2| ECDH curve: secp256r1
ssl_cli.c:2055: |3| value of 'ECDH: Qp(X)' (256 bits) is:
ssl_cli.c:2055: |3|  81 50 7b c7 ce c8 76 35 ef 7a 93 74 f1 84 f4 6a
ssl_cli.c:2055: |3|  2c 82 1d 41 56 93 f2 83 b4 e8 04 d3 7a 38 e2 c6
ssl_cli.c:2055: |3| value of 'ECDH: Qp(Y)' (255 bits) is:
ssl_cli.c:2055: |3|  76 a5 eb 1a ce 38 a0 96 eb 1c a9 5a d6 e8 b5 45
ssl_cli.c:2055: |3|  d0 a6 6d f1 7d 24 dd 8c 52 f2 0f 6e 81 04 31 bb
ssl_cli.c:2278: |2| Server used SignatureAlgorithm 1
ssl_cli.c:2279: |2| Server used HashAlgorithm 6
ssl_cli.c:2580: |3| dumping 'signature' (256 bytes)
ssl_cli.c:2580: |3| 0000:  c2 d8 5f 56 d9 14 5e 49 18 f7 0c b6 c3 3a 8b 0d  .._V..^I.....:..
ssl_cli.c:2580: |3| 0010:  c4 3a 21 bc 02 07 41 04 40 9d 13 e3 e6 fd 95 b3  .:!...A.@.......
ssl_cli.c:2580: |3| 0020:  3e a1 84 82 3b 28 ca e6 95 85 06 2e d3 b4 1f c2  >...;(..........
ssl_cli.c:2580: |3| 0030:  9b d5 b5 5f 54 0b b8 00 dd fb 91 5c fb 97 53 7f  ..._T......\..S.
ssl_cli.c:2580: |3| 0040:  8e cc bb d7 a2 1b 38 68 e2 0d d8 eb 1c bc 74 d5  ......8h......t.
ssl_cli.c:2580: |3| 0050:  c9 d0 9d ad 28 3f ef 18 8e a4 01 04 5b 96 71 d4  ....(?......[.q.
ssl_cli.c:2580: |3| 0060:  08 c0 5e ca 02 99 2f 74 29 d1 f8 23 04 2f 8a 86  ..^.../t)..#./..
ssl_cli.c:2580: |3| 0070:  75 40 cf 0c e5 4e 54 53 e4 bd f7 aa c3 52 ea 70  u@...NTS.....R.p
ssl_cli.c:2580: |3| 0080:  f1 17 d6 fc e1 f0 ca c5 99 c7 65 48 2f a3 7b 2c  ..........eH/.{,
ssl_cli.c:2580: |3| 0090:  eb d6 f9 f6 24 98 a8 75 d0 d0 ea b9 51 46 74 54  ....$..u....QFtT
ssl_cli.c:2580: |3| 00a0:  b4 63 3b 0d d0 73 2a 72 49 37 88 86 97 aa 23 46  .c;..s*rI7....#F
ssl_cli.c:2580: |3| 00b0:  05 ba 78 70 8b e4 f1 db 21 11 ab ea d6 eb 74 19  ..xp....!.....t.
ssl_cli.c:2580: |3| 00c0:  7f 94 17 5e 79 75 0d ea 16 ef 9f 7b 7a 94 81 b2  ...^yu.....{z...
ssl_cli.c:2580: |3| 00d0:  9f 69 2f ac 13 4a e7 1b 53 14 48 dc 4f 4a 8e ab  .i/..J..S.H.OJ..
ssl_cli.c:2580: |3| 00e0:  bc b5 0d fc 28 cf fa a0 c2 cc 19 d6 a3 18 2f 9d  ....(........./.
ssl_cli.c:2580: |3| 00f0:  b4 d5 16 92 75 2e aa 17 c5 fd 4e 13 c9 95 85 c8  ....u.....N.....
ssl_cli.c:2616: |3| dumping 'parameters hash' (64 bytes)
ssl_cli.c:2616: |3| 0000:  8d 53 fc 40 b0 7c 71 5a d0 9c 84 12 b3 3b 75 07  .S.@.|qZ.....;u.
ssl_cli.c:2616: |3| 0010:  1e 6c 9e 2d 72 58 c9 45 09 2b 2d 9a b6 59 58 0f  .l.-rX.E.+-..YX.
ssl_cli.c:2616: |3| 0020:  f1 33 88 5d 72 1c 88 e2 89 38 40 cb 22 93 5d a5  .3.]r....8@.".].
ssl_cli.c:2616: |3| 0030:  63 10 2d 85 62 a0 09 c5 db 9d 9d 24 63 2e d1 d9  c.-.b......$c...
ssl_cli.c:2664: |2| <= parse server key exchange
ssl_cli.c:3510: |2| client state: 5
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_cli.c:2697: |2| => parse certificate request
ssl_tls.c:4311: |2| => read record
ssl_tls.c:2536: |2| => fetch input
ssl_tls.c:2697: |2| in_left: 0, nb_want: 5
ssl_tls.c:2721: |2| in_left: 0, nb_want: 5
ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
ssl_tls.c:2742: |2| <= fetch input
ssl_tls.c:4056: |3| input record: msgtype = 22, version = [3:3], msglen = 4
ssl_tls.c:2536: |2| => fetch input
ssl_tls.c:2697: |2| in_left: 5, nb_want: 9
ssl_tls.c:2721: |2| in_left: 5, nb_want: 9
ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned 4 (-0xfffffffc)
ssl_tls.c:2742: |2| <= fetch input
ssl_tls.c:3626: |3| handshake message: msglen = 4, type = 14, hslen = 4
ssl_tls.c:4385: |2| <= read record
ssl_cli.c:2724: |3| got no certificate request
ssl_cli.c:2846: |2| <= parse certificate request
ssl_cli.c:3510: |2| client state: 6
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_cli.c:2856: |2| => parse server hello done
ssl_tls.c:4311: |2| => read record
ssl_tls.c:4381: |2| reuse previously read message
ssl_tls.c:4385: |2| <= read record
ssl_cli.c:2886: |2| <= parse server hello done
ssl_cli.c:3510: |2| client state: 7
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_tls.c:5329: |2| => write certificate
ssl_tls.c:5346: |2| <= skip write certificate
ssl_cli.c:3510: |2| client state: 8
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_cli.c:2898: |2| => write client key exchange
ssl_cli.c:2978: |3| value of 'ECDH: Q(X)' (256 bits) is:
ssl_cli.c:2978: |3|  a0 7e 33 ae b1 61 5b e3 ec 73 7f 7a 5d 9b 19 3a
ssl_cli.c:2978: |3|  45 22 69 33 8b d4 47 6c 3f 06 11 3f ee 0c 04 17
ssl_cli.c:2978: |3| value of 'ECDH: Q(Y)' (254 bits) is:
ssl_cli.c:2978: |3|  3d 5f 9a d5 9e fc d0 84 07 43 17 1f 31 0d 9b 9e
ssl_cli.c:2978: |3|  35 e4 8c 3a e8 76 8a 3f 04 87 4e c1 39 88 dd e5
ssl_cli.c:3006: |3| value of 'ECDH: z' (256 bits) is:
ssl_cli.c:3006: |3|  aa 35 c2 0e c6 c4 62 99 12 60 95 6f 03 a6 fe d5
ssl_cli.c:3006: |3|  4f 6a ca eb 1d 5e c4 fb cd ea a2 3e ee 74 98 d2
ssl_tls.c:3184: |2| => write handshake message
ssl_tls.c:3343: |2| => write record
ssl_tls.c:3423: |3| output record: msgtype = 22, version = [3:3], msglen = 70
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2774: |2| message length: 75, out_left: 75
ssl_tls.c:2779: |2| ssl->f_send() returned 75 (-0xffffffb5)
ssl_tls.c:2807: |2| <= flush output
ssl_tls.c:3476: |2| <= write record
ssl_tls.c:3320: |2| <= write handshake message
ssl_cli.c:3172: |2| <= write client key exchange
ssl_cli.c:3510: |2| client state: 9
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_cli.c:3224: |2| => write certificate verify
ssl_tls.c:0628: |2| => derive keys
ssl_tls.c:0706: |3| dumping 'premaster secret' (32 bytes)
ssl_tls.c:0706: |3| 0000:  aa 35 c2 0e c6 c4 62 99 12 60 95 6f 03 a6 fe d5  .5....b..`.o....
ssl_tls.c:0706: |3| 0010:  4f 6a ca eb 1d 5e c4 fb cd ea a2 3e ee 74 98 d2  Oj...^.....>.t..
ssl_tls.c:0795: |3| ciphersuite = TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
ssl_tls.c:0796: |3| dumping 'master secret' (48 bytes)
ssl_tls.c:0796: |3| 0000:  91 ea 60 06 82 f5 e8 64 92 e4 15 2a 6c e2 a2 82  ..`....d...*l...
ssl_tls.c:0796: |3| 0010:  24 c6 65 3e 5a 3e c1 2e 60 c2 56 5a 67 9a c0 0e  $.e>Z>..`.VZg...
ssl_tls.c:0796: |3| 0020:  9a 9f c0 01 f1 81 d6 74 77 a1 8a 0a 16 e9 95 49  .......tw......I
ssl_tls.c:0921: |3| keylen: 32, minlen: 24, ivlen: 12, maclen: 0
ssl_tls.c:1116: |2| <= derive keys
ssl_cli.c:3253: |2| <= skip write certificate verify
ssl_cli.c:3510: |2| client state: 10
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_tls.c:5879: |2| => write change cipher spec
ssl_tls.c:3184: |2| => write handshake message
ssl_tls.c:3343: |2| => write record
ssl_tls.c:3423: |3| output record: msgtype = 20, version = [3:3], msglen = 1
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2774: |2| message length: 6, out_left: 6
ssl_tls.c:2779: |2| ssl->f_send() returned 6 (-0xfffffffa)
ssl_tls.c:2807: |2| <= flush output
ssl_tls.c:3476: |2| <= write record
ssl_tls.c:3320: |2| <= write handshake message
ssl_tls.c:5893: |2| <= write change cipher spec
ssl_cli.c:3510: |2| client state: 11
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_tls.c:6398: |2| => write finished
ssl_tls.c:6272: |2| => calc  finished tls sha384
ssl_tls.c:6296: |3| dumping 'calc finished result' (12 bytes)
ssl_tls.c:6296: |3| 0000:  9b cb 11 4b 63 28 b1 aa 7a a9 89 59              ...Kc(..z..Y
ssl_tls.c:6302: |2| <= calc  finished
ssl_tls.c:6443: |3| switching to new transform spec for outbound data
ssl_tls.c:3184: |2| => write handshake message
ssl_tls.c:3343: |2| => write record
ssl_tls.c:1445: |2| => encrypt buf
ssl_tls.c:1618: |3| before encrypt: msglen = 24, including 0 bytes of padding
ssl_tls.c:1781: |2| <= encrypt buf
ssl_tls.c:3423: |3| output record: msgtype = 22, version = [3:3], msglen = 40
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2774: |2| message length: 45, out_left: 45
ssl_tls.c:2779: |2| ssl->f_send() returned 45 (-0xffffffd3)
ssl_tls.c:2807: |2| <= flush output
ssl_tls.c:3476: |2| <= write record
ssl_tls.c:3320: |2| <= write handshake message
ssl_tls.c:6507: |2| <= write finished
ssl_cli.c:3510: |2| client state: 12
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_cli.c:3403: |2| => parse new session ticket
ssl_tls.c:4311: |2| => read record
ssl_tls.c:2536: |2| => fetch input
ssl_tls.c:2697: |2| in_left: 0, nb_want: 5
ssl_tls.c:2721: |2| in_left: 0, nb_want: 5
ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
ssl_tls.c:2742: |2| <= fetch input
ssl_tls.c:4056: |3| input record: msgtype = 22, version = [3:3], msglen = 202
ssl_tls.c:2536: |2| => fetch input
ssl_tls.c:2697: |2| in_left: 5, nb_want: 207
ssl_tls.c:2721: |2| in_left: 5, nb_want: 207
ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned 202 (-0xffffff36)
ssl_tls.c:2742: |2| <= fetch input
ssl_tls.c:3626: |3| handshake message: msglen = 202, type = 4, hslen = 202
ssl_tls.c:4385: |2| <= read record
ssl_cli.c:3453: |3| ticket length: 192
ssl_cli.c:3491: |3| ticket in use, discarding session id
ssl_cli.c:3494: |2| <= parse new session ticket
ssl_cli.c:3510: |2| client state: 12
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_tls.c:5902: |2| => parse change cipher spec
ssl_tls.c:4311: |2| => read record
ssl_tls.c:2536: |2| => fetch input
ssl_tls.c:2697: |2| in_left: 0, nb_want: 5
ssl_tls.c:2721: |2| in_left: 0, nb_want: 5
ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
ssl_tls.c:2742: |2| <= fetch input
ssl_tls.c:4056: |3| input record: msgtype = 20, version = [3:3], msglen = 1
ssl_tls.c:2536: |2| => fetch input
ssl_tls.c:2697: |2| in_left: 5, nb_want: 6
ssl_tls.c:2721: |2| in_left: 5, nb_want: 6
ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned 1 (-0xffffffff)
ssl_tls.c:2742: |2| <= fetch input
ssl_tls.c:4385: |2| <= read record
ssl_tls.c:5925: |3| switching to new transform spec for inbound data
ssl_tls.c:5966: |2| <= parse change cipher spec
ssl_cli.c:3510: |2| client state: 13
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_tls.c:6524: |2| => parse finished
ssl_tls.c:6272: |2| => calc  finished tls sha384
ssl_tls.c:6296: |3| dumping 'calc finished result' (12 bytes)
ssl_tls.c:6296: |3| 0000:  4f 0c c1 ef fd a6 9b 89 6c 7d 00 75              O.......l}.u
ssl_tls.c:6302: |2| <= calc  finished
ssl_tls.c:4311: |2| => read record
ssl_tls.c:2536: |2| => fetch input
ssl_tls.c:2697: |2| in_left: 0, nb_want: 5
ssl_tls.c:2721: |2| in_left: 0, nb_want: 5
ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
ssl_tls.c:2742: |2| <= fetch input
ssl_tls.c:4056: |3| input record: msgtype = 22, version = [3:3], msglen = 40
ssl_tls.c:2536: |2| => fetch input
ssl_tls.c:2697: |2| in_left: 5, nb_want: 45
ssl_tls.c:2721: |2| in_left: 5, nb_want: 45
ssl_tls.c:2722: |2| ssl->f_recv(_timeout)() returned 40 (-0xffffffd8)
ssl_tls.c:2742: |2| <= fetch input
ssl_tls.c:1794: |2| => decrypt buf
ssl_tls.c:2376: |2| <= decrypt buf
ssl_tls.c:3626: |3| handshake message: msglen = 16, type = 20, hslen = 16
ssl_tls.c:4385: |2| <= read record
ssl_tls.c:6592: |2| <= parse finished
ssl_cli.c:3510: |2| client state: 14
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_cli.c:3621: |2| handshake: done
ssl_cli.c:3510: |2| client state: 15
ssl_tls.c:2755: |2| => flush output
ssl_tls.c:2767: |2| <= flush output
ssl_tls.c:6336: |3| => handshake wrapup
ssl_tls.c:6309: |3| => handshake wrapup: final free
ssl_tls.c:6329: |3| <= handshake wrapup: final free
ssl_tls.c:6391: |3| <= handshake wrapup
ssl_tls.c:8094: |2| <= handshake
 ok

So the issue is probably not in the server, but in your configuration and \ or integration.

Regards,
Mbed TLS Team member
Ron

3

Hello Ron,
thanks for the quick answer.
So, starting with the problems you noted:

  1. Certificate: should I take the CA as the concatenation of the two certificates? I used this:
    “-----BEGIN CERTIFICATE-----\r\n”
    “MIIFATCCA+mgAwIBAgISBC9SZX2gUAjJc1w00bxPBlvYMA0GCSqGSIb3DQEBCwUA\r\n”
    “MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD\r\n”
    “ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzExMDMwOTE1MzFaFw0x\r\n”
    “ODAyMDEwOTE1MzFaMBoxGDAWBgNVBAMTD2lvdC5lY2xpcHNlLm9yZzCCASIwDQYJ\r\n”
    “KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMIBN2DDEwV17T9JnHRe7OL4Cz4tKxc8\r\n”
    “oB+wV+QFmXjObtYTlH9bbT+TidNHhHnnUKtVr/2hOyoEwNpjQsRmToesIWARfzyU\r\n”
    “1RlGLKT4bWcheVzda5IoYqEDTQqbh5hpqeXqdqkW1X7NzqSHo8hfPRL3N8m8zaMA\r\n”
    “tkeMzQ8nmedUBBPtK1Py2zadun1je4b53AwCBUYDrOo1vAm3Bg/Jz66AhNJ7zf7V\r\n”
    “rHyBFJ99v2WwTVsWzYFQ+kIJ6p8l7Nn+yODx0rdfghlH4083mkjk+qR6GQJkRiRi\r\n”
    “FxoZMHivZRP3AoDDrtyrEUDkJW+S9NctSVL+hkDackt2NaHGEdtHBZECAwEAAaOC\r\n”
    “Ag8wggILMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB\r\n”
    “BQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUq+M2vIxu+xP6g9VVpIEf+eCh\r\n”
    “nmUwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEE\r\n”
    “YzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQu\r\n”
    “b3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQu\r\n”
    “b3JnLzAaBgNVHREEEzARgg9pb3QuZWNsaXBzZS5vcmcwgf4GA1UdIASB9jCB8zAI\r\n”
    “BgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8v\r\n”
    “Y3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRp\r\n”
    “ZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGll\r\n”
    “cyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBv\r\n”
    “bGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5\r\n”
    “LzANBgkqhkiG9w0BAQsFAAOCAQEAXK7WWSZlNGC5aKehhgIpyA4PBzO3I64YQCIR\r\n”
    “NGoaeVRd4nniEMQ2bgdv7psvYRYsvM1m9fEscox0UuQEvOGGts76Hrr1lpVPdUDh\r\n”
    “JPduBX+8rtzgs3uA2PdwvoEAQsbb2ulcVBe10wF0W0bUky6ZHutDp/GK9pHiWWTu\r\n”
    “RFYkJ74rzuPVNvFJ1jS4ow7gIg3rY6mLpMwcSQo7t2sb54i63PggzepPenqJkXC9\r\n”
    “YwWJJs/zovrZjioMXKC/Lp+ROSK8L2Z+JzyQp0Yu/vyebHZ4WL0xlXBPrRvVx5J1\r\n”
    “3+ebwxdehisKt78Xo/HgCiwyloCQILimldCLR5LdpgPS4N0Ang==\r\n”
    “-----END CERTIFICATE-----\r\n”
    “-----BEGIN CERTIFICATE-----\r\n”
    “MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/\r\n”
    “MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\r\n”
    “DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow\r\n”
    “SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT\r\n”
    “GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC\r\n”
    “AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF\r\n”
    “q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8\r\n”
    “SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0\r\n”
    “Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA\r\n”
    “a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj\r\n”
    “/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T\r\n”
    “AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG\r\n”
    “CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv\r\n”
    “bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k\r\n”
    “c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw\r\n”
    “VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC\r\n”
    “ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz\r\n”
    “MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu\r\n”
    “Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF\r\n”
    “AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo\r\n”
    “uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/\r\n”
    “wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu\r\n”
    “X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG\r\n”
    “PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6\r\n”
    “KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==\r\n”
    “-----END CERTIFICATE-----\r\n”;

  2. I receive a lot of MBEDTLS_ERR_SSL_CONN_EOF error even when I am able to connect. Could it be related to the fact I’m not using socket but RAW API of LWIP? Or could depend on the RAM allocated? Or what else?

  3. Could the problem of UNKNOWN RECORD TYPE be related to the MBEDTLS_ERR_SSL_CONN_EOF? I see that sometimes I can’t connect because of socket error.

  4. How would you check for memory leak as suggested?

Thank you verymuch for your support, and forgive me for these simple questions, but I’m quite new to the TLS.
Mattia Berton

4

Hi Mattia,

Should I take the CA as the concatenation of the two certificates?

No, Only the CA certificate, which has basic constraint of is CA: true flag, and it’s subject name is equal to the issuer name of the server certificate. Usually it is self signed, so its issuer name is same

I receive a lot of MBEDTLS_ERR_SSL_CONN_EOF error even when I am able to connect. Could it be related to the fact I’m not using socket but RAW API of LWIP? Or could depend on the RAM allocated? Or what else?

Shouldn’t be entirely related.I suggest though you debug your bio callbacks, since hte issue might be located there

Could the problem of UNKNOWN RECORD TYPE be related to the MBEDTLS_ERR_SSL_CONN_EOF ? I see that sometimes I can’t connect because of socket error.

The problem of unknown record type is related to the corrupted message you get.

How would you check for memory leak as suggested?

You can use some external tools analyzing the code, you can use the Mbed TLS feature for the memory buffer allocator, described in this article and also enable MBEDTLS_MEMORY_BACKTRACE , or some code review of your bio callbacks and to your certificate allocations.

Regards,
Ron

5

Forgive me, but what part of the output of the command “openssl s_client -showcerts -connect iot.eclipse.org:8883” should I take?

Sometimes I receive an empty buffer, I need to investigate. I’ll keep you updated.
Thank you,
Mattia

6

HI Mattia,

Forgive me, but what part of the output of the command “openssl s_client -showcerts -connect iot.eclipse.org:8883” should I take?

The best way to get a CA root certificate is from the CA itself. In your case, the CA is Let’s Encrypt, and the issuer name is “Let’s Encrypt Authority X3” so you should find the CA root certificate here.
However, the server sends a CA certificate in the showcerts openssl command, which is the second one. You can identify it because it has the subject “Let’s Encrypt Authority X3” and Basic constraints: CA: TRUE.

Regards,
Ron