Arm Mbed and Pelion Device Management support forum

Handshake fails at client state: 9

We are trying to implement 2 way authentication using ECDSA with SHA384 client server certificates. The handshake happens to fail at client state :9 with error code MBEDTLS_ERR_PK_BAD_INPUT_DATA.

Our heap and max ssl content length cfgs:

CONFIG_MBEDTLS_HEAP_SIZE=56240
CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=4096

From server logs, we can see that the server received client certificate correctly.

Please see debug logs below

WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0706: dumping ‘premaster secret’ (48 bytes)
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0706: 0000: 35 62 56 dd 4d d8 85 fc 61 88 9c a7 ab 9b 17 db 5bV.M…a…
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0706: 0010: d9 9e 32 56 97 9e 29 66 4a f3 94 d6 00 33 27 18 …2V…)fJ…3’.
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0706: 0020: 4c ed 80 96 da 9b fd 52 83 fc 03 68 3e f3 40 f7 L…R…h>.@.
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0795: ciphersuite = TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0796: dumping ‘master secret’ (48 bytes)
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0796: 0000: 89 25 85 4d ca ab c6 9a d2 7e 60 fc bd 94 f3 92 .%.M…~..... WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0796: 0010: 8f f5 b1 83 4a be ba b0 5e 13 a0 5e 0b 1e f0 3e ....J...^..^...> WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0796: 0020: 4e 9b 78 95 c3 4c fc 48 5c 62 bb 72 86 7b e6 a3 N.x..L.H\b.r.{.. WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0797: dumping 'random bytes' (64 bytes) WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0797: 0000: d3 3e f4 fe 82 f0 d4 cd 11 e1 28 64 93 f4 a6 6a .>........(d...j WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0797: 0010: 7c 88 e1 05 66 95 e5 eb 44 4f 57 4e 47 52 44 01 |...f...DOWNGRD. WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0797: 0020: 5e c7 f3 4a 73 d4 aa 87 95 45 41 9b 77 0b a1 01 ^..Js....EA.w... WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0797: 0030: 9d 45 2e fe 52 e7 a2 e6 95 93 53 83 e4 37 eb 46 .E..R.....S..7.F WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0798: dumping 'key block' (256 bytes) WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0798: 0000: a1 18 fa 81 55 1f b5 1b e1 8a fe 84 48 7e dc d1 ....U.......H~.. WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0798: 0010: dd bc 6f f2 a7 05 91 3c f6 ad 5f 0c b0 9e 4e b3 ..o....<.._...N. WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0798: 0020: 23 4b 8c 0e 64 4e be ff 82 9f ef 91 6a 21 e3 f3 #K..dN......j!.. WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0798: 0030: 43 d7 32 ea d2 aa 9c bf b0 54 bd b3 87 a1 13 cc C.2......T...... WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0798: 0040: aa 2f ea 05 71 90 e8 20 5e ea e9 0b 26 49 e1 80 ./..q.. ^...&I.. WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0798: 0050: 44 04 1b 7a b6 84 bf a0 29 5e 53 2b 21 3e 77 0f D..z....)^S+!>w. WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0798: 0060: 5b 10 eb 1d 08 b4 4f 21 90 a7 e8 ec fe 68 0a d4 [.....O!.....h.. WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0798: 0070: f9 3b a1 9d 88 c6 aa c2 0b 10 9d ec bd 0c 5d a4 .;............]. WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0798: 0080: 8a 1e 60 3a f5 fe 23 a8 3b 7f 61 69 59 5c f3 95 ..:…#.;.aiY…
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0798: 0090: 1d 94 4d fd 9b c1 20 35 7a ae 4a a3 f4 99 52 e8 …M… 5z.J…R.
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0798: 00a0: 74 a6 15 ee 2e 88 a6 7c 81 a8 7b aa 63 8d 44 f7 t…|…{.c.D.
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0798: 00b0: 9a 17 25 2d de 8b 49 e9 5a eb dc 9c 0d a4 18 eb …%-…I.Z…
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0798: 00c0: 65 82 ae d5 96 ad 24 23 bd 32 98 de e8 9d 07 39 e…$#.2…9
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0798: 00d0: 77 12 c9 0a a9 17 83 2b c2 ff cb 08 0e 00 16 75 w…+…u
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0798: 00e0: b9 40 db 72 fb b4 71 ce bf 22 b3 b1 cd dd cd d2 .@.r…q…"…
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0798: 00f0: b7 6d 06 ec b0 1a c7 d1 2e ca 09 c0 c1 00 ab 26 .m…&
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:0921: keylen: 32, minlen: 24, ivlen: 12, maclen: 0
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:1116: <= derive keys
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:1226: => calc verify sha384
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:1231: dumping ‘calculated verify result’ (48 bytes)
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:1231: 0000: 92 49 e7 d7 60 03 37 34 d0 48 20 dd 55 90 7b c3 .I…`.74.H .U.{.
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:1231: 0010: 00 23 65 a6 9a 6e 56 36 33 65 27 bf 25 0e 53 ce .#e…nV63e’.%.S.
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:1231: 0020: 18 27 0e b2 6b 10 ed 38 06 0c e8 65 f2 f1 2a 05 .’…k…8…e…*.
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:1232: <= calc verify
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_cli.c:3360: mbedtls_pk_sign() returned -16000 (-0x3e80)
WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:8094: <= handshake
[00:00:38.089,141] mto_tls: ssl handshake failed :-16000

Any help on this topic is highly appreciated.

Regards,
Manoj

Hi @manojt
As mentioned here, http://trustedfirmware.org/. Please post your queries there, if they are not related to Mbed OS or Pelion.

I am assuming your error is returning from here. Do you have MBEDTLS_SHA512_C configured?
Regards,
Mbed support,
Ron