Arm Mbed OS support forum

Failed handshake - Error -0x50 after key exchange

Hello,

I got a project using MQTT with SSL mutual auth. with ECDSA key type and SHA-256.

I got a -0x50 error, find the debug logs below :

(7236) mbedtls: mbedtls\library\ssl_tls.c:8086
=> handshake

(7240) mbedtls: mbedtls\library\ssl_cli.c:3510
client state: 0

(7254) mbedtls: mbedtls\library\ssl_tls.c:2755
=> flush output

(7268) mbedtls: mbedtls\library\ssl_tls.c:2767
<= flush output

(7282) mbedtls: mbedtls\library\ssl_cli.c:3510
client state: 1

(7297) mbedtls: mbedtls\library\ssl_tls.c:2755
=> flush output

(7311) mbedtls: mbedtls\library\ssl_tls.c:2767
<= flush output

(7325) mbedtls: mbedtls\library\ssl_cli.c:774 => write client hello

(7345) mbedtls: mbedtls\library\ssl_tls.c:3184
=> write handshake message

(7357) mbedtls: mbedtls\library\ssl_tls.c:3343
=> write record

(7374) mbedtls: mbedtls\library\ssl_tls.c:2755
=> flush output

(7383) mbedtls: mbedtls\library\ssl_tls.c:2774
message length: 220, out_left: 220

(7402) mbedtls: mbedtls\library\ssl_tls.c:2779
ssl->f_send() returned 220 (-0xffffff24)

(7416) mbedtls: mbedtls\library\ssl_tls.c:2807
<= flush output

(7430) mbedtls: mbedtls\library\ssl_tls.c:3476
<= write record

(7444) mbedtls: mbedtls\library\ssl_tls.c:3320
<= write handshake message

(7459) mbedtls: mbedtls\library\ssl_cli.c:1106
<= write client hello

(7474) mbedtls: mbedtls\library\ssl_cli.c:3510
client state: 2

(7488) mbedtls: mbedtls\library\ssl_tls.c:2755
=> flush output

(7503) mbedtls: mbedtls\library\ssl_tls.c:2767
<= flush output

(7517) mbedtls: mbedtls\library\ssl_cli.c:1499
=> parse server hello

(7532) mbedtls: mbedtls\library\ssl_tls.c:4311
=> read record

(7546) mbedtls: mbedtls\library\ssl_tls.c:2536
=> fetch input

(7560) mbedtls: mbedtls\library\ssl_tls.c:2697
in_left: 0, nb_want: 5

(7575) mbedtls: mbedtls\library\ssl_tls.c:2721
in_left: 0, nb_want: 5

(7590) mbedtls: mbedtls\library\ssl_tls.c:2722
ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)

(7607) mbedtls: mbedtls\library\ssl_tls.c:2742
<= fetch input

(7622) mbedtls: mbedtls\library\ssl_tls.c:2536
=> fetch input

(7635) mbedtls: mbedtls\library\ssl_tls.c:2697
in_left: 5, nb_want: 92

(7650) mbedtls: mbedtls\library\ssl_tls.c:2721
in_left: 5, nb_want: 92

(7665) mbedtls: mbedtls\library\ssl_tls.c:2722
ssl->f_recv(_timeout)() returned 87 (-0xffffffa9)

(7682) mbedtls: mbedtls\library\ssl_tls.c:2742
<= fetch input

(7701) mbedtls: mbedtls\library\ssl_tls.c:4385
<= read record

(7713) mbedtls: mbedtls\library\ssl_cli.c:1789
server hello, total extension length: 11

(7727) mbedtls: mbedtls\library\ssl_cli.c:1978
<= parse server hello

(7741) mbedtls: mbedtls\library\ssl_cli.c:3510
client state: 3

(7756) mbedtls: mbedtls\library\ssl_tls.c:2755
=> flush output

(7770) mbedtls: mbedtls\library\ssl_tls.c:2767
<= flush output

(7784) mbedtls: mbedtls\library\ssl_tls.c:5655
=> parse certificate

(7799) mbedtls: mbedtls\library\ssl_tls.c:4311
=> read record

(7813) mbedtls: mbedtls\library\ssl_tls.c:2536
=> fetch input

(7827) mbedtls: mbedtls\library\ssl_tls.c:2697
in_left: 0, nb_want: 5

(7842) mbedtls: mbedtls\library\ssl_tls.c:2721
in_left: 0, nb_want: 5

(7857) mbedtls: mbedtls\library\ssl_tls.c:2722
ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)

(7874) mbedtls: mbedtls\library\ssl_tls.c:2742
<= fetch input

(7888) mbedtls: mbedtls\library\ssl_tls.c:2536
=> fetch input

(7902) mbedtls: mbedtls\library\ssl_tls.c:2697
in_left: 5, nb_want: 993

(7917) mbedtls: mbedtls\library\ssl_tls.c:2721
in_left: 5, nb_want: 993

(7932) mbedtls: mbedtls\library\ssl_tls.c:2722
ssl->f_recv(_timeout)() returned 988 (-0xfffffc24)

(7950) mbedtls: mbedtls\library\ssl_tls.c:2742
<= fetch input

(7983) mbedtls: mbedtls\library\ssl_tls.c:4385
<= read record

(9854) mbedtls: mbedtls\library\ssl_tls.c:5863
<= parse certificate

(9858) mbedtls: mbedtls\library\ssl_cli.c:3510
client state: 4

(9872) mbedtls: mbedtls\library\ssl_tls.c:2755
=> flush output

(9887) mbedtls: mbedtls\library\ssl_tls.c:2767
<= flush output

(9901) mbedtls: mbedtls\library\ssl_cli.c:2336
=> parse server key exchange

(9916) mbedtls: mbedtls\library\ssl_tls.c:4311
=> read record

(9930) mbedtls: mbedtls\library\ssl_tls.c:2536
=> fetch input

(9945) mbedtls: mbedtls\library\ssl_tls.c:2697
in_left: 0, nb_want: 5

(9960) mbedtls: mbedtls\library\ssl_tls.c:2721
in_left: 0, nb_want: 5

(9974) mbedtls: mbedtls\library\ssl_tls.c:2722
ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)

(9991) mbedtls: mbedtls\library\ssl_tls.c:2742
<= fetch input

(10006) mbedtls: mbedtls\library\ssl_tls.c:2536 => fetch input

(10020) mbedtls: mbedtls\library\ssl_tls.c:2697 in_left: 5, nb_want: 220

(10035) mbedtls: mbedtls\library\ssl_tls.c:2721 in_left: 5, nb_want: 220

(10050) mbedtls: mbedtls\library\ssl_tls.c:2722 ssl->f_recv(_timeout)() returned 215 (-0xffffff29)

(10067) mbedtls: mbedtls\library\ssl_tls.c:2742 <= fetch input

(10086) mbedtls: mbedtls\library\ssl_tls.c:4385 <= read record

(10100) mbedtls: mbedtls\library\ssl_cli.c:2044 ECDH curve: secp521r1

(10113) mbedtls: mbedtls\library\ssl_cli.c:2278 Server used SignatureAlgorithm 3

(10126) mbedtls: mbedtls\library\ssl_cli.c:2279 Server used HashAlgorithm 6

(11980) mbedtls: mbedtls\library\ssl_cli.c:2664 <= parse server key exchange

(11985) mbedtls: mbedtls\library\ssl_cli.c:3510 client state: 5

(11999) mbedtls: mbedtls\library\ssl_tls.c:2755 => flush output

(12013) mbedtls: mbedtls\library\ssl_tls.c:2767 <= flush output

(12028) mbedtls: mbedtls\library\ssl_cli.c:2697 => parse certificate request

(12043) mbedtls: mbedtls\library\ssl_tls.c:4311 => read record

(12058) mbedtls: mbedtls\library\ssl_tls.c:2536 => fetch input

(12072) mbedtls: mbedtls\library\ssl_tls.c:2697 in_left: 0, nb_want: 5

(12087) mbedtls: mbedtls\library\ssl_tls.c:2721 in_left: 0, nb_want: 5

(12102) mbedtls: mbedtls\library\ssl_tls.c:2722 ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)

(12119) mbedtls: mbedtls\library\ssl_tls.c:2742 <= fetch input

(12134) mbedtls: mbedtls\library\ssl_tls.c:2536 => fetch input

(12147) mbedtls: mbedtls\library\ssl_tls.c:2697 in_left: 5, nb_want: 291

(12164) mbedtls: mbedtls\library\ssl_tls.c:2721 in_left: 5, nb_want: 291

(12178) mbedtls: mbedtls\library\ssl_tls.c:2722 ssl->f_recv(_timeout)() returned 286 (-0xfffffee2)

(12195) mbedtls: mbedtls\library\ssl_tls.c:2742 <= fetch input

(12215) mbedtls: mbedtls\library\ssl_tls.c:4385 <= read record

(12224) mbedtls: mbedtls\library\ssl_cli.c:2846 <= parse certificate request

(12239) mbedtls: mbedtls\library\ssl_cli.c:3510 client state: 6

(12253) mbedtls: mbedtls\library\ssl_tls.c:2755 => flush output

(12267) mbedtls: mbedtls\library\ssl_tls.c:2767 <= flush output

(12282) mbedtls: mbedtls\library\ssl_cli.c:2856 => parse server hello done

(12297) mbedtls: mbedtls\library\ssl_tls.c:4311 => read record

(12311) mbedtls: mbedtls\library\ssl_tls.c:2536 => fetch input

(12325) mbedtls: mbedtls\library\ssl_tls.c:2697 in_left: 0, nb_want: 5

(12342) mbedtls: mbedtls\library\ssl_tls.c:2721 in_left: 0, nb_want: 5

(12356) mbedtls: mbedtls\library\ssl_tls.c:2722 ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)

(12373) mbedtls: mbedtls\library\ssl_tls.c:2742 <= fetch input

(12387) mbedtls: mbedtls\library\ssl_tls.c:2536 => fetch input

(12401) mbedtls: mbedtls\library\ssl_tls.c:2697 in_left: 5, nb_want: 9

(12416) mbedtls: mbedtls\library\ssl_tls.c:2721 in_left: 5, nb_want: 9

(12431) mbedtls: mbedtls\library\ssl_tls.c:2722 ssl->f_recv(_timeout)() returned 4 (-0xfffffffc)

(12448) mbedtls: mbedtls\library\ssl_tls.c:2742 <= fetch input

(12463) mbedtls: mbedtls\library\ssl_tls.c:4385 <= read record

(12477) mbedtls: mbedtls\library\ssl_cli.c:2886 <= parse server hello done

(12492) mbedtls: mbedtls\library\ssl_cli.c:3510 client state: 7

(12506) mbedtls: mbedtls\library\ssl_tls.c:2755 => flush output

(12520) mbedtls: mbedtls\library\ssl_tls.c:2767 <= flush output

(12535) mbedtls: mbedtls\library\ssl_tls.c:5329 => write certificate

(12553) mbedtls: mbedtls\library\ssl_tls.c:3184 => write handshake message

(12566) mbedtls: mbedtls\library\ssl_tls.c:3343 => write record

(12588) mbedtls: mbedtls\library\ssl_tls.c:2755 => flush output

(12593) mbedtls: mbedtls\library\ssl_tls.c:2774 message length: 500, out_left: 500

(12611) mbedtls: mbedtls\library\ssl_tls.c:2779 ssl->f_send() returned 500 (-0xfffffe0c)

(12626) mbedtls: mbedtls\library\ssl_tls.c:2807 <= flush output

(12640) mbedtls: mbedtls\library\ssl_tls.c:3476 <= write record

(12655) mbedtls: mbedtls\library\ssl_tls.c:3320 <= write handshake message

(12670) mbedtls: mbedtls\library\ssl_tls.c:5433 <= write certificate

(12685) mbedtls: mbedtls\library\ssl_cli.c:3510 client state: 8

(12699) mbedtls: mbedtls\library\ssl_tls.c:2755 => flush output

(12713) mbedtls: mbedtls\library\ssl_tls.c:2767 <= flush output

(12728) mbedtls: mbedtls\library\ssl_cli.c:2898 => write client key exchange

(16283) mbedtls: mbedtls\library\ssl_tls.c:3184 => write handshake message

(16289) mbedtls: mbedtls\library\ssl_tls.c:3343 => write record

(16305) mbedtls: mbedtls\library\ssl_tls.c:2755 => flush output

(16317) mbedtls: mbedtls\library\ssl_tls.c:2774 message length: 143, out_left: 143

(16333) mbedtls: mbedtls\library\ssl_tls.c:2779 ssl->f_send() returned -80 (-0x0050)

(16349) mbedtls: mbedtls\library\ssl_tls.c:3472 mbedtls_ssl_flush_output() returned -80 (-0x0050)

(16366) mbedtls: mbedtls\library\ssl_tls.c:3315 ssl_write_record() returned -80 (-0x0050)

(16383) mbedtls: mbedtls\library\ssl_cli.c:3168 mbedtls_ssl_write_handshake_msg() returned -80 (-0x0050)

(16400) mbedtls: mbedtls\library\ssl_tls.c:8096 <= handshake

(16414) esp-tls: mbedtls_ssl_handshake returned -0x50
(16420) esp-tls: Certificate verified.
(16429) esp-tls: Failed to open new connection
(16430) TRANS_SSL: Failed to open a new connection
(16436) MQTT_CLIENT: Error transport connect

As broker we use VerneMQ ( https://docs.vernemq.com/configuration/logging ), even in debug mode there are no interesting logs to help.

We are connecting with mosquitto in this following way :
mosquitto_sub -h <dns> -p <port> --cafile CA.crt -t "<topic>" -q 0 -i <clientid> -P <password> -u <username> -d --cert Middle/devices/PRIME256/cert.crt --key Middle/devices/PRIME256/key.pem --insecure
–insecure is used because the broker cert CN is not the actual broker DNS, so we had to add this code :
Capture

We instantly return before check CN to avoid problems.

Can this cause unwanted side effects ?

I tried with a broker certificate where CN is OK and without the return but I got the same error on f_rcv(_timeout).

I also tried to connect with openssl with a correct CN and I got no problems.

What am I missing ?