MbedTLS handshake fail return -0x50

mahendra_sondagar · May 2, 2019, 9:49am

Hey, there
I’m using mbedTLS for the TLS client
My https server is “os.mbed.com”, port “443”
by using Firefox i got the CA root certificate for the same that i have added in my TLS client code
Certificate parse working, but unfortunately I’m getting handshake error and code returning error -0x50
“Last error was: -0x50 - NET - Connection was reset by peer”

i have enable the debug and attaching the debug logs here


    Setting Up the debug Level: 4

IpAdress = 192.168.0.13

  . Seeding the random number generator... ok
  . Loading the CA root certificate ... ok (0 skipped)
  . Connecting to tcp/os.mbed.com/443... Connected ok
  . Setting up the SSL/TLS structure... ok
  . Performing the SSL/TLS handshake...ssl_tls.c:6754: |2| => handshake
ssl_cli.c:3384: |2| client state: 0
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2483: |2| <= flush output
ssl_cli.c:3384: |2| client state: 1
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2483: |2| <= flush output
ssl_cli.c:0770: |2| => write client hello
ssl_cli.c:0807: |3| client hello, max version: [3:3]
ssl_cli.c:0817: |3| dumping 'client hello, random bytes' (32 bytes)
ssl_cli.c:0817: |3| 0000:  e6 d8 0b 76 4c a1 c9 a3 2c 94 7e ad ab 09 b1 a7  ...vL...,.~.....
ssl_cli.c:0817: |3| 0010:  ae 31 4b 60 1c 3b 3b 6a 21 0a e6 d5 10 3d 85 d7  .1K`.;;j!....=..
ssl_cli.c:0870: |3| client hello, session id len.: 0
ssl_cli.c:0871: |3| dumping 'client hello, session id' (0 bytes)
ssl_cli.c:0917: |3| client hello, add ciphersuite: c02b
ssl_cli.c:0925: |3| client hello, got 1 ciphersuites (excluding SCSVs)
ssl_cli.c:0934: |3| adding EMPTY_RENEGOTIATION_INFO_SCSV
ssl_cli.c:0983: |3| client hello, compress len.: 1
ssl_cli.c:0984: |3| client hello, compress alg.: 0
ssl_cli.c:0186: |3| client hello, adding signature_algorithms extension
ssl_cli.c:0271: |3| client hello, adding supported_elliptic_curves extension
ssl_cli.c:0336: |3| client hello, adding supported_point_formats extension
ssl_cli.c:1058: |3| client hello, total extension length: 38
ssl_tls.c:2764: |2| => write record
ssl_tls.c:2907: |3| output record: msgtype = 22, version = [3:3], msglen = 87
ssl_tls.c:2912: |4| dumping 'output record sent to network' (92 bytes)
ssl_tls.c:2912: |4| 0000:  16 03 03 00 57 01 00 00 53 03 03 e6 d8 0b 76 4c  ....W...S.....vL
ssl_tls.c:2912: |4| 0010:  a1 c9 a3 2c 94 7e ad ab 09 b1 a7 ae 31 4b 60 1c  ...,.~......1K`.
ssl_tls.c:2912: |4| 0020:  3b 3b 6a 21 0a e6 d5 10 3d 85 d7 00 00 04 c0 2b  ;;j!....=......+
ssl_tls.c:2912: |4| 0030:  00 ff 01 00 00 26 00 0d 00 12 00 10 06 03 06 01  .....&..........
ssl_tls.c:2912: |4| 0040:  05 03 05 01 04 03 04 01 03 03 03 01 00 0a 00 06  ................
ssl_tls.c:2912: |4| 0050:  00 04 00 18 00 17 00 0b 00 02 01 00              ............
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2489: |2| message length: 92, out_left: 92
ssl_tls.c:2496: |2| ssl->f_send() returned 92 (-0xffffffa4)
ssl_tls.c:2523: |2| <= flush output
ssl_tls.c:2922: |2| <= write record
ssl_cli.c:1085: |2| <= write client hello
ssl_cli.c:3384: |2| client state: 2
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2483: |2| <= flush output
ssl_cli.c:1478: |2| => parse server hello
ssl_tls.c:3809: |2| => read record
ssl_tls.c:2252: |2| => fetch input
ssl_tls.c:2412: |2| in_left: 0, nb_want: 5
ssl_tls.c:2436: |2| in_left: 0, nb_want: 5
ssl_tls.c:2438: |2| ssl->f_recv(_timeout)() returned -80 (-0x0050)
ssl_tls.c:3956: |1| mbedtls_ssl_fetch_input() returned -80 (-0x0050)
ssl_tls.c:3820: |1| mbedtls_ssl_read_record_layer() returned -80 (-0x0050)
ssl_cli.c:1485: |1| mbedtls_ssl_read_record() returned -80 (-0x0050)
ssl_tls.c:6764: |2| <= handshake
 failed
  **! mbedtls_ssl_handshake returned -0x50**

Last error was: -0x50 - NET - Connection was reset by peer

Completed 1 requests
Starting again!

I have noted one thing from the debug logs, as per the Firefox information for the “os.mbed.org” the shiphersuit is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, that i have already included in code as a…

#define MBEDTLS_SSL_CIPHERSUITES \

MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256

But unfortunately as per the debug that shows 0xc02b and that is for MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 shiphersuit

Can anyone help me here ?
Thanks

roneld01 · May 2, 2019, 12:17pm

Hi @mahendra_sondagar

As you mentioned, in the log(which I edited for better visibility) the only ciphersuite that is sent to the server is MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.

I am guessing that you don’t have MBEDTLS_RSA_C defined, as the other two cipfersuites in your MBEDTLS_SSL_CIPHERSUITES definition have this algorithm.

The error is that the server disconnected right after the client sent the “Client Hello” message, so it’s reasonable the server doesn’t support this ciphersuite.

Regards,
Mbed TLS Team member
Ron

mahendra_sondagar · May 3, 2019, 7:45am

Hello @roneld01
Thanks for your feedback
yes MBEDTLS_RSA_C was missing that i have included now
Unfortunately, still I’m getting the error , but this time -0x7780
the shiphersuit is still remains 0xc02b, but that should be MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F
here are the logs

Setting Up the debug Level: 4

IpAdress = 192.168.0.13

. Seeding the random number generator… ok
. Loading the CA root certificate … ok (0 skipped)
. Connecting to tcp/os.mbed.com/443… Connected ok
. Setting up the SSL/TLS structure… ok
. Performing the SSL/TLS handshake…ssl_tls.c:6754: |2| => handshake
ssl_cli.c:3384: |2| client state: 0
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2483: |2| <= flush output
ssl_cli.c:3384: |2| client state: 1
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2483: |2| <= flush output
ssl_cli.c:0770: |2| => write client hello
ssl_cli.c:0807: |3| client hello, max version: [3:3]
ssl_cli.c:0817: |3| dumping ‘client hello, random bytes’ (32 bytes)
ssl_cli.c:0817: |3| 0000: 18 d1 5c 0e c6 20 4d a4 c6 ce ed 3b e1 bc ad 1b ….. M…;…
ssl_cli.c:0817: |3| 0010: ec ab f6 8d 88 2d 0e 26 d0 c0 1b 82 31 8e 9b fa …-.&…1…
ssl_cli.c:0870: |3| client hello, session id len.: 0
ssl_cli.c:0871: |3| dumping ‘client hello, session id’ (0 bytes)
ssl_cli.c:0917: |3| client hello, add ciphersuite: c02b
ssl_cli.c:0925: |3| client hello, got 1 ciphersuites (excluding SCSVs)
ssl_cli.c:0934: |3| adding EMPTY_RENEGOTIATION_INFO_SCSV
ssl_cli.c:0983: |3| client hello, compress len.: 1
ssl_cli.c:0984: |3| client hello, compress alg.: 0
ssl_cli.c:0186: |3| client hello, adding signature_algorithms extension
ssl_cli.c:0271: |3| client hello, adding supported_elliptic_curves extension
ssl_cli.c:0336: |3| client hello, adding supported_point_formats extension
ssl_cli.c:1058: |3| client hello, total extension length: 38
ssl_tls.c:2764: |2| => write record
ssl_tls.c:2907: |3| output record: msgtype = 22, version = [3:3], msglen = 87
ssl_tls.c:2912: |4| dumping ‘output record sent to network’ (92 bytes)
ssl_tls.c:2912: |4| 0000: 16 03 03 00 57 01 00 00 53 03 03 18 d1 5c 0e c6 …W…S…..
ssl_tls.c:2912: |4| 0010: 20 4d a4 c6 ce ed 3b e1 bc ad 1b ec ab f6 8d 88 M…;…
ssl_tls.c:2912: |4| 0020: 2d 0e 26 d0 c0 1b 82 31 8e 9b fa 00 00 04 c0 2b -.&…1…+
ssl_tls.c:2912: |4| 0030: 00 ff 01 00 00 26 00 0d 00 12 00 10 06 03 06 01 …&…
ssl_tls.c:2912: |4| 0040: 05 03 05 01 04 03 04 01 03 03 03 01 00 0a 00 06 …
ssl_tls.c:2912: |4| 0050: 00 04 00 18 00 17 00 0b 00 02 01 00 …
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2489: |2| message length: 92, out_left: 92
ssl_tls.c:2496: |2| ssl->f_send() returned 92 (-0xffffffa4)
ssl_tls.c:2523: |2| <= flush output
ssl_tls.c:2922: |2| <= write record
ssl_cli.c:1085: |2| <= write client hello
ssl_cli.c:3384: |2| client state: 2
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2483: |2| <= flush output
ssl_cli.c:1478: |2| => parse server hello
ssl_tls.c:3809: |2| => read record
ssl_tls.c:2252: |2| => fetch input
ssl_tls.c:2412: |2| in_left: 0, nb_want: 5
ssl_tls.c:2436: |2| in_left: 0, nb_want: 5
ssl_tls.c:2438: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
ssl_tls.c:2458: |2| <= fetch input
ssl_tls.c:3552: |4| dumping ‘input record header’ (5 bytes)
ssl_tls.c:3552: |4| 0000: 15 03 03 00 02 …
ssl_tls.c:3558: |3| input record: msgtype = 21, version = [3:3], msglen = 2
ssl_tls.c:2252: |2| => fetch input
ssl_tls.c:2412: |2| in_left: 5, nb_want: 7
ssl_tls.c:2436: |2| in_left: 5, nb_want: 7
ssl_tls.c:2438: |2| ssl->f_recv(_timeout)() returned 2 (-0xfffffffe)
ssl_tls.c:2458: |2| <= fetch input
ssl_tls.c:3737: |4| dumping ‘input record from network’ (7 bytes)
ssl_tls.c:3737: |4| 0000: 15 03 03 00 02 02 28 …(
ssl_tls.c:4099: |2| got an alert message, type: [2:40]
ssl_tls.c:4107: |1| is a fatal alert message (msg 40)
ssl_tls.c:3831: |1| mbedtls_ssl_handle_message_type() returned -30592 (-0x7780)
ssl_cli.c:1485: |1| mbedtls_ssl_read_record() returned -30592 (-0x7780)
ssl_tls.c:6764: |2| <= handshake
failed
! mbedtls_ssl_handshake returned -0x7780

Last error was: -0x7780 - SSL - A fatal alert message was received from our peer

Completed 1 requests
Starting again!

Any help ?

Regards
Mahendra

acpie360 · May 3, 2019, 1:55pm

If you have MBEDTLS_SSL_SERVER_NAME_INDICATION defined in the config.h file, try calling mbedtls_ssl_set_hostname() to set the SNI extension in the Client Hello message. The server side may require the use of SNI.

mahendra_sondagar · May 4, 2019, 7:19am

Hello @acpie360
Thanks for your feedback
I’m using STM32F429Zi Nucleo board with Ethernet connectivity
in my code mbedtls_ssl_set_hostname() is already there , but unfortunately this now works for me
Here I’m attaching the ssl_client.c and mbedConfig.h file

please have a look and let me know if it’s required any changes!

/**

Portions COPYRIGHT 2016 STMicroelectronics
Copyright (C) 2006-2015, ARM Limited, All Rights Reserved

@file ssl_client.c
@author MCD Application Team
@brief SSL client application

@attention
© COPYRIGHT(c) 2017 STMicroelectronics
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,

 this list of conditions and the following disclaimer.

1. Redistributions in binary form must reproduce the above copyright notice,

 this list of conditions and the following disclaimer in the documentation

 and/or other materials provided with the distribution.

1. Neither the name of STMicroelectronics nor the names of its contributors

 may be used to endorse or promote products derived from this software

 without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

*/

#include <main.h>
#if !defined(MBEDTLS_CONFIG_FILE)
#include “mbedtls/config.h”
#else
#include MBEDTLS_CONFIG_FILE
#endif

#if defined(MBEDTLS_PLATFORM_C)
#include “mbedtls/platform.h”
#else
#include <stdio.h>
#include <stdlib.h>
#define mbedtls_time time
#define mbedtls_time_t time_t
#define mbedtls_fprintf fprintf
#define mbedtls_printf printf

#define mbedtls_exit exit
#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
#endif

#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) ||
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) ||
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) ||
!defined(MBEDTLS_CERTS_C) || !defined(MBEDTLS_PEM_PARSE_C) ||
!defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C)
#endif
#if 0
int main( void )
{

mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
       "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
       "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
       "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C "
       "not defined.\n");

return( 0 );

}
#else

#include <Certificate.h>
#include “mbedtls/net_sockets.h”
#include “mbedtls/debug.h”
#include “mbedtls/ssl.h”
#include “mbedtls/entropy.h”
#include “mbedtls/ctr_drbg.h”
#include “mbedtls/error.h”
#include “mbedtls/certs.h”
#include “mbedtls/memory_buffer_alloc.h”

#include “main.h”
#include “cmsis_os.h”

#include <string.h>

#define DEBUG_TH 4
#define DEBUG_LEVEL 1

static mbedtls_net_context server_fd;
static uint32_t flags;
static uint8_t buf[1024];
static const uint8_t *pers = (uint8_t *)(“ssl_client”);
static uint8_t vrfy_buf[512];
static void my_debug(void *ctx, int level, const char *file, int line,
const char *str);

static int ret;

mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt cacert;

/* use static allocation to keep the heap size as low as possible */
#ifdef MBEDTLS_MEMORY_BUFFER_ALLOC_C
uint8_t memory_buf[MAX_MEM_SIZE];
#endif

/* Constants that aren’t configurable in menuconfig */
#define SERVER_NAME “os.mbed.com”
#define SERVER_PORT “443”
#define WEB_URL “/media/uploads/mbed_official/hello.txt”

static const char *TAG = “example”;

static const char *REQUEST = “GET " WEB_URL " HTTP/1.0\r\n”
“Host: “SERVER_NAME”\r\n”
“User-Agent: esp-idf/1.0 esp32\r\n”
“\r\n”;

#define ca_root_cert
“-----BEGIN CERTIFICATE-----\r\n”
“MIIFxjCCBK6gAwIBAgIQCUgwJUwO3Ufjc6euF64akjANBgkqhkiG9w0BAQsFADBG\r\n”
“MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRUwEwYDVQQLEwxTZXJ2ZXIg\r\n”
“Q0EgMUIxDzANBgNVBAMTBkFtYXpvbjAeFw0xOTAxMzEwMDAwMDBaFw0yMDAyMjkx\r\n”
“MjAwMDBaMBUxEzARBgNVBAMMCioubWJlZC5jb20wggEiMA0GCSqGSIb3DQEBAQUA\r\n”
“A4IBDwAwggEKAoIBAQDmUehgLJNj3ei+tnAWC80+twqP6GhmKRrGaJoKgeHFRVBy\r\n”
“WD6ht+4LigwZu/UaNOyiAqxvln/e2owWY3J9kADXZRrLDx7aGM6chwe+GmcOHCwP\r\n”
“iF6oA5pAUX552u+gkdVLGmV4jeNa2rkEKDWjSvvNe+Z4gvAAl/MoumYQ1UTILvjG\r\n”
“/SzNODBzUsmq2c/FgvfVMEvYzXaqJUzBTHd8BFN4PGgZZMW6RsafCTPVZrjqXb3J\r\n”
“18mfFm9wZg+ugwkRECHOPgCusnSHGwtQqDJox315lYWZoxuwdUkMlS5RMxXuIM//\r\n”
“m7RYDzkp1r7ysvhvrXWh5GX7riNjdXwKi8aevGchAgMBAAGjggLfMIIC2zAfBgNV\r\n”
“HSMEGDAWgBRZpGYGUqB7lZI8o5QHJ5Z0W/k90DAdBgNVHQ4EFgQU+Z3TFalkw27E\r\n”
“HHgxnxoIkRfEafswfQYDVR0RBHYwdIIKKi5tYmVkLmNvbYIIbWJlZC5jb22CCiou\r\n”
“bWJlZC5vcmeCCG1iZWQub3Jngg8qLmNvcmUubWJlZC5jb22CDWNvcmUubWJlZC5j\r\n”
“b22CEyouaW50ZXJuYWwubWJlZC5jb22CEWludGVybmFsLm1iZWQuY29tMA4GA1Ud\r\n”
“DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwOwYDVR0f\r\n”
“BDQwMjAwoC6gLIYqaHR0cDovL2NybC5zY2ExYi5hbWF6b250cnVzdC5jb20vc2Nh\r\n”
“MWIuY3JsMCAGA1UdIAQZMBcwCwYJYIZIAYb9bAECMAgGBmeBDAECATB1BggrBgEF\r\n”
“BQcBAQRpMGcwLQYIKwYBBQUHMAGGIWh0dHA6Ly9vY3NwLnNjYTFiLmFtYXpvbnRy\r\n”
“dXN0LmNvbTA2BggrBgEFBQcwAoYqaHR0cDovL2NydC5zY2ExYi5hbWF6b250cnVz\r\n”
“dC5jb20vc2NhMWIuY3J0MAwGA1UdEwEB/wQCMAAwggEFBgorBgEEAdZ5AgQCBIH2\r\n”
“BIHzAPEAdwCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiky7wY\r\n”
“AAAEAwBIMEYCIQDh2gjZ1n2HHgzGGGoMS3pmByHP71kgSuQy/FZKlY9ZPAIhAMTR\r\n”
“HI2t4D0L/XOw0IBw8WnK9axMUUGf3PgexPVU1UXIAHYAh3W/51l8+IxDmV+9827/\r\n”
“Vo1HVjb/SrVgwbTq/16ggw8AAAFopMu88AAABAMARzBFAiEAydoy4XDNtfFUWEUj\r\n”
“ATRcJHBprUbTUkdMzYi7rXflcxECIAvzN8eHIyCpG/FwEf+gw+3l7m/W3vm9KQqR\r\n”
“E9iqj1gQMA0GCSqGSIb3DQEBCwUAA4IBAQCuZjRkQp/2mc1DkHK10JHOz+UUumBU\r\n”
“W03u9lmx4YfTD3LWxgBJnLgZXnSXRhvQUTqnXCaXsF/HwOoui5xlUx2ri8XQZj2A\r\n”
“EI/MGX9ptYNzB3X+4fiNWuirr/gYOXMGrJ+ak3twsl7lMJLHQtAqb4eO+CwYsaSU\r\n”
“dRIGiseGQDOkJoNyoqiNtlAh56hGFoNmJ/bN415o/gLC8cN6wFXFAe1PDWIWa3Ri\r\n”
“XMm8OH1GyRtsf98gM64FFLc/t7xcZ07fbMNe7nrlnBwN90DNzUbKkai417O/ZUfs\r\n”
“LPf4cXKyR/JCVcl7BPqAwnFgh4UQL/83IvcvxJ7cRpRvzwXyA2xyNQXN\r\n”
“-----END CERTIFICATE-----\r\n” \

const size_t ca_root_cert_Len= sizeof(ca_root_cert);

void SSL_Client(void const *argument)
{

/*

1. Initialize the RNG and the session data
  */

#ifdef MBEDTLS_MEMORY_BUFFER_ALLOC_C
mbedtls_memory_buffer_alloc_init(memory_buf, sizeof(memory_buf));
#endif
int ret = 1, len;
int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_net_context server_fd;
uint32_t flags;
unsigned char buf[1024];
const char *pers = “ssl_client1”;

mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt cacert;

#if defined(MBEDTLS_DEBUG_C)
printf(“Setting Up the debug Level: %d\r\n”, DEBUG_TH);
mbedtls_debug_set_threshold( DEBUG_TH );
#endif

/*
 * 0. Initialize the RNG and the session data
 */
mbedtls_net_init( &server_fd );
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
mbedtls_x509_crt_init( &cacert );
mbedtls_ctr_drbg_init( &ctr_drbg );

mbedtls_printf( "\n  . Seeding the random number generator..." );
fflush( stdout );

mbedtls_entropy_init( &entropy );
if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
                           (const unsigned char *) pers,
                           strlen( pers ) ) ) != 0 )
{
    mbedtls_printf( " failed\n  ! mbedtls_ctr_drbg_seed returned %d\n", ret );
    goto exit;
}

mbedtls_printf( " ok\n" );

/*
 * 0. Initialize certificates
 */
	
mbedtls_printf( "  . Loading the CA root certificate ..." );
fflush( stdout );

ret = mbedtls_x509_crt_parse( &cacert, (const unsigned char *) ca_root_cert, ca_root_cert_Len);        
if( ret < 0 )
{
    mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );
    goto exit;
}

mbedtls_printf( " ok (%d skipped)\n", ret );
	
	while(1){

/*
 * 1. Start the connection
 */
mbedtls_printf( "  . Connecting to tcp/%s/%s...", SERVER_NAME, SERVER_PORT );
fflush( stdout );

if( ( ret = mbedtls_net_connect( &server_fd, SERVER_NAME,SERVER_PORT, MBEDTLS_NET_PROTO_TCP ) ) != 0 )                      
{
    mbedtls_printf( " failed\n  ! mbedtls_net_connect returned %d\n\n", ret );
    goto exit;
}

mbedtls_printf( " Connected ok\n" );

/*
 * 2. Setup stuff
 */
mbedtls_printf( "  . Setting up the SSL/TLS structure..." );
fflush( stdout );

if( ( ret = mbedtls_ssl_config_defaults( &conf,
                MBEDTLS_SSL_IS_CLIENT,
                MBEDTLS_SSL_TRANSPORT_STREAM,
                MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
{
    mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
    goto exit;
}

mbedtls_printf( " ok\n" );

/* OPTIONAL is not optimal for security,
 * but makes interop easier in this simplified example */
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL );
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );

if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
    mbedtls_printf( " failed\n  ! mbedtls_ssl_setup returned %d\n\n", ret );
    goto exit;
}

if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 )
{
    mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
    goto exit;
}

mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
/*
 * 4. Handshake
 */
mbedtls_printf( "  . Performing the SSL/TLS handshake..." );
fflush( stdout );

while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
{
    if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret );
        goto exit;
    }
}

mbedtls_printf( " ok\n" );

/*
 * 5. Verify the server certificate
 */
mbedtls_printf( "  . Verifying peer X.509 certificate..." );

/* In real life, we probably want to bail out when ret != 0 */
if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
{
    char vrfy_buf[512];

    mbedtls_printf( " failed\n" );

    mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );

    mbedtls_printf( "%s\n", vrfy_buf );
}
else
    mbedtls_printf( " ok\n" );

/*
 * 3. Write the GET request
 */
mbedtls_printf( "  > Write to server:" );
fflush( stdout );

len = sprintf( (char *) buf, REQUEST );

while( ( ret = mbedtls_ssl_write( &ssl, buf, len ) ) <= 0 )
{
    if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_write returned %d\n\n", ret );
        goto exit;
    }
}

len = ret;
mbedtls_printf( " %d bytes written\n\n%s", len, (char *) buf );

/*
 * 7. Read the HTTP response
 */
mbedtls_printf( "  < Read from server:" );
fflush( stdout );

do
{
    len = sizeof( buf ) - 1;
    memset( buf, 0, sizeof( buf ) );
    ret = mbedtls_ssl_read( &ssl, buf, len );

    if( ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE )
        continue;

    if( ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY )
        break;

    if( ret < 0 )
    {
        mbedtls_printf( "failed\n  ! mbedtls_ssl_read returned %d\n\n", ret );
        break;
    }

    if( ret == 0 )
    {
        mbedtls_printf( "\n\nEOF\n\n" );
        break;
    }

    len = ret;
    mbedtls_printf( " %d bytes read\n\n%s", len, (char *) buf );
}
while( 1 );

mbedtls_ssl_close_notify( &ssl );
exit_code = MBEDTLS_EXIT_SUCCESS;


exit:
    mbedtls_ssl_session_reset(&ssl);
    mbedtls_net_free(&server_fd);

    if(ret != 0)
    {
        mbedtls_strerror(ret, buf, 100);
        mbedtls_printf("Last error was: -0x%x - %s\r\n", -ret, buf);
    }

    putchar('\n'); // JSON output doesn't have a newline at end

    static int request_count;
    mbedtls_printf("Completed %d requests\r\n", ++request_count);
    mbedtls_printf("Starting again!\r\n");
			osDelay(2500);
		}
}

#if DEBUG_LEVEL > 0
/**
* Debug callback for mbed TLS
* Just prints on the USB serial port
*/

static void my_debug(void *ctx, int level, const char *file, int line,
                     const char *str)
{
    const char *p, *basename;
    (void) ctx;

    /* Extract basename from file */
    for(p = basename = file; *p != '\0'; p++) {
        if(*p == '/' || *p == '\\') {
            basename = p + 1;
        }
    }

    mbedtls_printf("%s:%04d: |%d| %s", basename, line, level, str);
}

#endif

#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_SSL_TLS_C &&
MBEDTLS_SSL_CLI_C && MBEDTLS_NET_C && MBEDTLS_RSA_C &&
MBEDTLS_CERTS_C && MBEDTLS_PEM_PARSE_C && MBEDTLS_CTR_DRBG_C &&
MBEDTLS_X509_CRT_PARSE_C */

mahendra_sondagar · May 4, 2019, 7:42am

Here is the mbedConfig.h file

#ifndef MBEDTLS_CONFIG_H
#define MBEDTLS_CONFIG_H

#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
#define _CRT_SECURE_NO_DEPRECATE 1
#endif

/**

\name SECTION: System support
This section sets system specific settings.
{
*/

#define MBEDTLS_HAVE_ASM

#define MBEDTLS_HAVE_TIME

#define MBEDTLS_HAVE_TIME_DATE

//#define MBEDTLS_PLATFORM_MEMORY

//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS

//#define MBEDTLS_PLATFORM_EXIT_ALT
//#define MBEDTLS_PLATFORM_TIME_ALT
//#define MBEDTLS_PLATFORM_FPRINTF_ALT
//#define MBEDTLS_PLATFORM_PRINTF_ALT
//#define MBEDTLS_PLATFORM_SNPRINTF_ALT
//#define MBEDTLS_PLATFORM_NV_SEED_ALT
//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT

//#define MBEDTLS_DEPRECATED_WARNING

//#define MBEDTLS_DEPRECATED_REMOVED

/* } name SECTION: System support */

//#define MBEDTLS_TIMING_ALT

//#define MBEDTLS_AES_ALT
//#define MBEDTLS_ARC4_ALT
//#define MBEDTLS_ARIA_ALT
//#define MBEDTLS_BLOWFISH_ALT
//#define MBEDTLS_CAMELLIA_ALT
//#define MBEDTLS_CCM_ALT
//#define MBEDTLS_CMAC_ALT
//#define MBEDTLS_DES_ALT
//#define MBEDTLS_DHM_ALT
//#define MBEDTLS_ECJPAKE_ALT
//#define MBEDTLS_GCM_ALT
//#define MBEDTLS_MD2_ALT
//#define MBEDTLS_MD4_ALT
//#define MBEDTLS_MD5_ALT
//#define MBEDTLS_RIPEMD160_ALT
//#define MBEDTLS_RSA_ALT
//#define MBEDTLS_SHA1_ALT
//#define MBEDTLS_SHA256_ALT
//#define MBEDTLS_SHA512_ALT
//#define MBEDTLS_XTEA_ALT

//#define MBEDTLS_ECP_ALT

//#define MBEDTLS_MD2_PROCESS_ALT
//#define MBEDTLS_MD4_PROCESS_ALT
//#define MBEDTLS_MD5_PROCESS_ALT
//#define MBEDTLS_RIPEMD160_PROCESS_ALT
//#define MBEDTLS_SHA1_PROCESS_ALT
//#define MBEDTLS_SHA256_PROCESS_ALT
//#define MBEDTLS_SHA512_PROCESS_ALT
//#define MBEDTLS_DES_SETKEY_ALT
//#define MBEDTLS_DES_CRYPT_ECB_ALT
//#define MBEDTLS_DES3_CRYPT_ECB_ALT
//#define MBEDTLS_AES_SETKEY_ENC_ALT
//#define MBEDTLS_AES_SETKEY_DEC_ALT
//#define MBEDTLS_AES_ENCRYPT_ALT
//#define MBEDTLS_AES_DECRYPT_ALT
//#define MBEDTLS_ECDH_GEN_PUBLIC_ALT
//#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT
//#define MBEDTLS_ECDSA_VERIFY_ALT
//#define MBEDTLS_ECDSA_SIGN_ALT
//#define MBEDTLS_ECDSA_GENKEY_ALT

/* Required for all the functions in this section /
//#define MBEDTLS_ECP_INTERNAL_ALT
/ Support for Weierstrass curves with Jacobi representation /
//#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT
//#define MBEDTLS_ECP_ADD_MIXED_ALT
//#define MBEDTLS_ECP_DOUBLE_JAC_ALT
//#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT
//#define MBEDTLS_ECP_NORMALIZE_JAC_ALT
/ Support for curves with Montgomery arithmetic */
//#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT
//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT
//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT

//#define MBEDTLS_TEST_NULL_ENTROPY

//#define MBEDTLS_ENTROPY_HARDWARE_ALT

//#define MBEDTLS_AES_ROM_TABLES

//#define MBEDTLS_AES_FEWER_TABLES

//#define MBEDTLS_CAMELLIA_SMALL_MEMORY

/**

\def MBEDTLS_CIPHER_MODE_CBC
Enable Cipher Block Chaining mode (CBC) for symmetric ciphers.
*/
#define MBEDTLS_CIPHER_MODE_CBC

/**

\def MBEDTLS_CIPHER_MODE_CFB
Enable Cipher Feedback mode (CFB) for symmetric ciphers.
*/
#define MBEDTLS_CIPHER_MODE_CFB

/**

\def MBEDTLS_CIPHER_MODE_CTR
Enable Counter Block Cipher mode (CTR) for symmetric ciphers.
*/
#define MBEDTLS_CIPHER_MODE_CTR

/**

\def MBEDTLS_CIPHER_MODE_OFB
Enable Output Feedback mode (OFB) for symmetric ciphers.
*/
#define MBEDTLS_CIPHER_MODE_OFB

/**

\def MBEDTLS_CIPHER_MODE_XTS
Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES.
*/
#define MBEDTLS_CIPHER_MODE_XTS

/**

\def MBEDTLS_CIPHER_NULL_CIPHER
Enable NULL cipher.
Warning: Only do so when you know what you are doing. This allows for
encryption or channels without any security!
Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable
the following ciphersuites:
```
 MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
```
```
 MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
```
```
 MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
```
```
 MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA
```

 MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384

 MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256

```
 MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA
```
```
 MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384
```
```
 MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256
```
```
 MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA
```
```
 MBEDTLS_TLS_RSA_WITH_NULL_SHA256
```
```
 MBEDTLS_TLS_RSA_WITH_NULL_SHA
```
```
 MBEDTLS_TLS_RSA_WITH_NULL_MD5
```
```
 MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384
```
```
 MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256
```
```
 MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA
```
```
 MBEDTLS_TLS_PSK_WITH_NULL_SHA384
```
```
 MBEDTLS_TLS_PSK_WITH_NULL_SHA256
```
```
 MBEDTLS_TLS_PSK_WITH_NULL_SHA
```
Uncomment this macro to enable the NULL cipher and ciphersuites
*/
//#define MBEDTLS_CIPHER_NULL_CIPHER

/**

\def MBEDTLS_CIPHER_PADDING_PKCS7
MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for
specific padding modes in the cipher layer with cipher modes that support
padding (e.g. CBC)
If you disable all padding modes, only full blocks can be used with CBC.
Enable padding modes in the cipher layer.
*/
#define MBEDTLS_CIPHER_PADDING_PKCS7
#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
#define MBEDTLS_CIPHER_PADDING_ZEROS

//#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES

#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES

/**

\def MBEDTLS_ECP_DP_SECP192R1_ENABLED
MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve
module. By default all supported curves are enabled.
Comment macros to disable the curve and functions for it
*/
#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
#define MBEDTLS_ECP_DP_BP256R1_ENABLED
#define MBEDTLS_ECP_DP_BP384R1_ENABLED
#define MBEDTLS_ECP_DP_BP512R1_ENABLED
#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
#define MBEDTLS_ECP_DP_CURVE448_ENABLED

#define MBEDTLS_ECP_NIST_OPTIM

#define MBEDTLS_ECDSA_DETERMINISTIC

/**

\def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
Enable the PSK based ciphersuite modes in SSL / TLS.
This enables the following ciphersuites (if other requisites are
enabled as well):

 MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384

 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384

```
 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
```

 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384

 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384

 MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256

 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256

```
 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
```

 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256

 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256

```
 MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
```
```
 MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
```

*/
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED

#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED

#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED

/**

\def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
Enable the RSA-PSK based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
```
      MBEDTLS_X509_CRT_PARSE_C
```
This enables the following ciphersuites (if other requisites are
enabled as well):

 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384

 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384

 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA

 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384

 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384

 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256

 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256

 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA

 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256

 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256

 MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA

```
 MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
```

*/
#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED

/**

\def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Enable the RSA-only based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
```
      MBEDTLS_X509_CRT_PARSE_C
```
This enables the following ciphersuites (if other requisites are
enabled as well):

 MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384

 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256

```
 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
```

 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384

 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256

 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

 MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256

 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256

```
 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
```

 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256

 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256

 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

```
 MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
```
```
 MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
```
```
 MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
```

*/
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED

/**

\def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
Enable the DHE-RSA based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
```
      MBEDTLS_X509_CRT_PARSE_C
```
This enables the following ciphersuites (if other requisites are
enabled as well):

 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA

 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384

 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256

 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA

 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA

 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256

 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256

 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA

 MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

\warning Using DHE constitutes a security risk as it

        is not possible to validate custom DH parameters.

        If possible, it is recommended users should consider

        preferring other methods of key exchange.

```
        See dhm.h for more details.
```

*/
#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED

/**

\def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
```
      MBEDTLS_X509_CRT_PARSE_C
```
This enables the following ciphersuites (if other requisites are
enabled as well):

 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384

 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384

 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256

 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256

 MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

 MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA

*/
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED

/**

\def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C,
This enables the following ciphersuites (if other requisites are
enabled as well):

 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384

 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384

 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256

 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256

 MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

 MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

*/
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED

/**

\def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are
enabled as well):

 MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA

 MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA

 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA

 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256

 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256

 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384

 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256

 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384

 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256

 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384

*/
#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED

/**

\def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
Enable the ECDH-RSA based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are
enabled as well):
```
 MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
```

 MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA

 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA

 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256

 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256

 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384

 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256

 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384

 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256

 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384

*/
#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED

//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED

#define MBEDTLS_PK_PARSE_EC_EXTENDED

#define MBEDTLS_ERROR_STRERROR_DUMMY

/**

\def MBEDTLS_GENPRIME
Enable the prime-number generation code.
Requires: MBEDTLS_BIGNUM_C
*/
#define MBEDTLS_GENPRIME

/**

\def MBEDTLS_FS_IO
Enable functions that use the filesystem.
*/
#define MBEDTLS_FS_IO

//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES

/**

\def MBEDTLS_NO_PLATFORM_ENTROPY
Do not use built-in platform entropy functions.
This is useful if your platform does not support
standards like the /dev/urandom or Windows CryptoAPI.
Uncomment this macro to disable the built-in platform entropy functions.
*/
//#define MBEDTLS_NO_PLATFORM_ENTROPY

//#define MBEDTLS_ENTROPY_FORCE_SHA256

//#define MBEDTLS_ENTROPY_NV_SEED

//#define MBEDTLS_MEMORY_DEBUG

//#define MBEDTLS_MEMORY_BACKTRACE

#define MBEDTLS_PK_RSA_ALT_SUPPORT

#define MBEDTLS_PKCS1_V15

#define MBEDTLS_PKCS1_V21

//#define MBEDTLS_RSA_NO_CRT

#define MBEDTLS_SELF_TEST

//#define MBEDTLS_SHA256_SMALLER

#define MBEDTLS_SSL_ALL_ALERT_MESSAGES

//#define MBEDTLS_SSL_ASYNC_PRIVATE

//#define MBEDTLS_SSL_DEBUG_ALL

#define MBEDTLS_SSL_ENCRYPT_THEN_MAC

#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET

#define MBEDTLS_SSL_FALLBACK_SCSV

//#define MBEDTLS_SSL_HW_RECORD_ACCEL

#define MBEDTLS_SSL_CBC_RECORD_SPLITTING

#define MBEDTLS_SSL_RENEGOTIATION

//#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO

/**

\def MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
Pick the ciphersuite according to the client’s preferences rather than ours
in the SSL Server module (MBEDTLS_SSL_SRV_C).
Uncomment this macro to respect client’s ciphersuite order
*/
//#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE

#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH

#define MBEDTLS_SSL_PROTO_TLS1

#define MBEDTLS_SSL_PROTO_TLS1_1

#define MBEDTLS_SSL_PROTO_TLS1_2

#define MBEDTLS_SSL_PROTO_DTLS

#define MBEDTLS_SSL_ALPN

#define MBEDTLS_SSL_DTLS_ANTI_REPLAY

#define MBEDTLS_SSL_DTLS_HELLO_VERIFY

#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE

#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT

#define MBEDTLS_SSL_SESSION_TICKETS

#define MBEDTLS_SSL_EXPORT_KEYS

#define MBEDTLS_SSL_SERVER_NAME_INDICATION

#define MBEDTLS_SSL_TRUNCATED_HMAC

//#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT

//#define MBEDTLS_THREADING_ALT

//#define MBEDTLS_THREADING_PTHREAD

#define MBEDTLS_VERSION_FEATURES

//#define MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3

#define MBEDTLS_X509_CHECK_KEY_USAGE

#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE

/**

\def MBEDTLS_X509_RSASSA_PSS_SUPPORT
Enable parsing and verification of X.509 certificates, CRLs and CSRS
signed with RSASSA-PSS (aka PKCS#1 v2.1).
Comment this macro to disallow using RSASSA-PSS in certificates.
*/
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT

/**

\def MBEDTLS_AESNI_C
Enable AES-NI support on x86-64.
Module: library/aesni.c
Caller: library/aes.c
Requires: MBEDTLS_HAVE_ASM
This modules adds support for the AES-NI instructions on x86-64
*/
#define MBEDTLS_AESNI_C

#define MBEDTLS_AES_C

#define MBEDTLS_ARC4_C

#define MBEDTLS_ASN1_PARSE_C

#define MBEDTLS_ASN1_WRITE_C

/**

\def MBEDTLS_BASE64_C
Enable the Base64 module.
Module: library/base64.c
Caller: library/pem.c
This module is required for PEM support (required by X.509).
*/
#define MBEDTLS_BASE64_C

#define MBEDTLS_BIGNUM_C

/**

\def MBEDTLS_BLOWFISH_C
Enable the Blowfish block cipher.
Module: library/blowfish.c
*/
#define MBEDTLS_BLOWFISH_C

#define MBEDTLS_CAMELLIA_C

/**

\def MBEDTLS_ARIA_C
Enable the ARIA block cipher.
Module: library/aria.c
Caller: library/cipher.c
This module enables the following ciphersuites (if other requisites are
enabled as well):

 MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256

 MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384

 MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256

 MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384

 MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256

 MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384

 MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256

 MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384

 MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256

 MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384

 MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256

 MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384

 MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256

 MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384

 MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256

 MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384

 MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256

 MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384

 MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256

 MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384

 MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256

 MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384

 MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256

 MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384

 MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256

 MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384

 MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256

 MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384

 MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256

 MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384

 MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256

 MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384

 MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256

 MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384

 MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256

 MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384

 MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256

 MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384

*/
//#define MBEDTLS_ARIA_C

/**

\def MBEDTLS_CCM_C
Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher.
Module: library/ccm.c
Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
This module enables the AES-CCM ciphersuites, if other requisites are
enabled as well.
*/
#define MBEDTLS_CCM_C

/**

\def MBEDTLS_CERTS_C
Enable the test certificates.
Module: library/certs.c
Caller:
This module is used for testing (ssl_client/server).
*/
#define MBEDTLS_CERTS_C

/**

\def MBEDTLS_CIPHER_C
Enable the generic cipher layer.
Module: library/cipher.c
Caller: library/ssl_tls.c
Uncomment to enable generic cipher wrappers.
*/
#define MBEDTLS_CIPHER_C

//#define MBEDTLS_CMAC_C

#define MBEDTLS_CTR_DRBG_C

#define MBEDTLS_DEBUG_C

#define MBEDTLS_DES_C

#define MBEDTLS_DHM_C

#define MBEDTLS_ECDH_C

#define MBEDTLS_ECDSA_C

//#define MBEDTLS_ECJPAKE_C

#define MBEDTLS_ECP_C

#define MBEDTLS_ENTROPY_C

#define MBEDTLS_ERROR_C

#define MBEDTLS_GCM_C

#define MBEDTLS_HKDF_C

#define MBEDTLS_HMAC_DRBG_C

#define MBEDTLS_MD_C

//#define MBEDTLS_MD2_C

//#define MBEDTLS_MD4_C

#define MBEDTLS_MD5_C

//#define MBEDTLS_MEMORY_BUFFER_ALLOC_C

#define MBEDTLS_NET_C

#define MBEDTLS_OID_C

#define MBEDTLS_PADLOCK_C

#define MBEDTLS_PEM_PARSE_C

#define MBEDTLS_PEM_WRITE_C

#define MBEDTLS_PK_C

#define MBEDTLS_PK_PARSE_C

#define MBEDTLS_PK_WRITE_C

#define MBEDTLS_PKCS5_C

//#define MBEDTLS_PKCS11_C

#define MBEDTLS_PKCS12_C

#define MBEDTLS_PLATFORM_C

/**

\def MBEDTLS_RIPEMD160_C
Enable the RIPEMD-160 hash algorithm.
Module: library/ripemd160.c
Caller: library/md.c

*/
#define MBEDTLS_RIPEMD160_C

#define MBEDTLS_RSA_C

#define MBEDTLS_SHA1_C

#define MBEDTLS_SHA256_C

#define MBEDTLS_SHA512_C

#define MBEDTLS_SSL_CACHE_C

#define MBEDTLS_SSL_COOKIE_C

#define MBEDTLS_SSL_TICKET_C

#define MBEDTLS_SSL_CLI_C

#define MBEDTLS_SSL_SRV_C

#define MBEDTLS_SSL_TLS_C

#define MBEDTLS_TIMING_C

#define MBEDTLS_VERSION_C

#define MBEDTLS_X509_USE_C

#define MBEDTLS_X509_CRT_PARSE_C

#define MBEDTLS_X509_CRL_PARSE_C

#define MBEDTLS_X509_CSR_PARSE_C

#define MBEDTLS_X509_CREATE_C

#define MBEDTLS_X509_CRT_WRITE_C

#define MBEDTLS_X509_CSR_WRITE_C

#define MBEDTLS_XTEA_C

/* } name SECTION: mbed TLS modules */

/* MPI / BIGNUM options */
//#define MBEDTLS_MPI_WINDOW_SIZE 6 /< Maximum windows size used. */
//#define MBEDTLS_MPI_MAX_SIZE 1024 /< Maximum number of bytes for usable MPIs. */

/* CTR_DRBG options */
//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 /< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */
//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 /< Interval before reseed is performed by default */
//#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 /< Maximum number of additional input bytes */
//#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 /< Maximum number of requested bytes per call */
//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */

/* HMAC_DRBG options */
//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /< Interval before reseed is performed by default */
//#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /< Maximum number of additional input bytes */
//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /< Maximum number of requested bytes per call */
//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /< Maximum size of (re)seed buffer */

/* ECP options */
//#define MBEDTLS_ECP_MAX_BITS 521 /< Maximum bit size of groups */
//#define MBEDTLS_ECP_WINDOW_SIZE 6 /< Maximum window size used */
//#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */

/* Entropy options */
//#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /< Maximum number of sources supported */
//#define MBEDTLS_ENTROPY_MAX_GATHER 128 /< Maximum amount requested from entropy sources */
//#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Default minimum number of bytes required for the hardware entropy source mbedtls_hardware_poll() before entropy is released */

/* Memory buffer allocator options */
//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */

/* Platform options */
//#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h> /< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don’t define if no header is needed. */
//#define MBEDTLS_PLATFORM_STD_CALLOC calloc /< Default allocator to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_FREE free /< Default free to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_EXIT exit /< Default exit to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_TIME time /< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /< Default fprintf to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_PRINTF printf /< Default printf to use, can be undefined /
/ Note: your snprintf must correclty zero-terminate the buffer! */
//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /< Default snprintf to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 /< Default exit value to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 /< Default exit value to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read /< Default nv_seed_read function to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write /< Default nv_seed_write function to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE “seedfile” /**< Seed file to read/write with default implementation */

/* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled /
/ MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */
//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /< Default allocator macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_FREE_MACRO free /< Default free macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_EXIT_MACRO exit /< Default exit macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_TIME_MACRO time /< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t /< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /< Default fprintf macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /< Default printf macro to use, can be undefined /
/ Note: your snprintf must correclty zero-terminate the buffer! */
//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /< Default snprintf macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /< Default nv_seed_read function to use, can be undefined */
//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /< Default nv_seed_write function to use, can be undefined */

/* SSL Cache options */
//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /< 1 day */
//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /< Maximum entries in cache */

/* SSL options */
//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */
//#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400 /< Lifetime of session tickets (if enabled) */
//#define MBEDTLS_PSK_MAX_LEN 32 /< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */

//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

/* X509 options */
//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /< Maximum number of intermediate CAs in a verification chain. */
//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /< Maximum length of a path/filename string in bytes including the null terminator character (‘\0’). */

#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE

//#define MBEDTLS_PLATFORM_ZEROIZE_ALT

/* } name SECTION: Customisation configuration options */

/* Target and application specific configurations */
//#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE “mbedtls/target_config.h”

#if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE)
#include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE
#endif

/*

Allow user to override any previous default.
Use two macro names for that, as:
- with yotta the prefix YOTTA_CFG_ is forced
- without yotta is looks weird to have a YOTTA prefix.
  */
  #if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE)
  #include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE
  #elif defined(MBEDTLS_USER_CONFIG_FILE)
  #include MBEDTLS_USER_CONFIG_FILE
  #endif

#include “check_config.h”

#endif /* MBEDTLS_CONFIG_H */

acpie360 · May 4, 2019, 2:29pm

Sorry I was wrong about the SNI. I only started learning SSL/TLS stuff recently. However, shouldn’t you be using Amazon Root CA 1 as the root CA cert? The PEM formatted cert shown in your code is an end user cert.

roneld01 · May 5, 2019, 8:01am

Hi @mahendra_sondagar
As you can see from the code:

#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  0xC02B /**< TLS 1.2 */

You should check why the ciphersuite that is being sent is different than what you think is being sent.

The error is that you are receiving is a fatal alert sent by the server, after the client sent the Clienthello message. This means that the server cannot negotiate a handshake using the requested parameters in the message. Most likely the ciphersuite is unsupported.

How are you setting mbedConfig.h as the Mbed TLS configuration file?
Are you setting it as a compilation definition MBEDTLS_CONFIG_H? (Not recommended as it can affect other modules in Mbed OS using Mbed TLS)
Are you using it as (MBEDTLS_USER_CONFIG_FILE. This is the recommended way, in this case you should only define \ undefine what you need in your application, in order not to have a conflict with existing config.h file, and not to affect other modules using Mbed TLS.
Regards,
Ron

mahendra_sondagar · May 18, 2019, 9:08am

Hello Guys…
I really need to Continue this thread, because i got the little success to add the ciphersuites as per my https server setup
I just created new https server at another PC having the same network(localhost).
the list time i was facing the problem of wrong ciphersuites is because of undefined MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
at my new https server the required ciphersuites is MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (c030) an that I’m getting at my client

now the error code has been changed and that becomes -0x7200 (MBEDTLS_ERR_SSL_INVALID_RECORD)

i have ensure that the client has right CA certificate , MBEDTLS_SSL_MAX_CONTENT_LEN is 2048
MBEDTLS_MPI_MAX_SIZE is 384

here I’m attaching the logs from client

IpAdress = 192.168.0.16

. Seeding the random number generator… ok
. Loading the CA root certificate … ok (0 skipped)
. Connecting to tcp/192.168.1.146/4433… ok
. Setting up the SSL/TLS structure… ok
. Performing the SSL/TLS handshake…ssl_tls.c:6754: |2| => handshake
ssl_cli.c:3384: |2| client state: 0
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2483: |2| <= flush output
ssl_cli.c:3384: |2| client state: 1
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2483: |2| <= flush output
ssl_cli.c:0770: |2| => write client hello
ssl_cli.c:0807: |3| client hello, max version: [3:3]
ssl_cli.c:0817: |3| dumping ‘client hello, random bytes’ (32 bytes)
ssl_cli.c:0817: |3| 0000: 47 1d 4c 16 2f 74 0f 01 26 ea a8 72 67 92 e2 39 G.L./t…&…rg…9
ssl_cli.c:0817: |3| 0010: 7f 8b 67 e8 1f f8 be ee fa ce e7 53 7a d5 f8 ef …g…Sz…
ssl_cli.c:0870: |3| client hello, session id len.: 0
ssl_cli.c:0871: |3| dumping ‘client hello, session id’ (0 bytes)
ssl_cli.c:0917: |3| client hello, add ciphersuite: c030
ssl_cli.c:0925: |3| client hello, got 1 ciphersuites (excluding SCSVs)
ssl_cli.c:0934: |3| adding EMPTY_RENEGOTIATION_INFO_SCSV
ssl_cli.c:0983: |3| client hello, compress len.: 1
ssl_cli.c:0984: |3| client hello, compress alg.: 0
ssl_cli.c:0186: |3| client hello, adding signature_algorithms extension
ssl_cli.c:0271: |3| client hello, adding supported_elliptic_curves extension
ssl_cli.c:0336: |3| client hello, adding supported_point_formats extension
ssl_cli.c:1058: |3| client hello, total extension length: 38
ssl_tls.c:2764: |2| => write record
ssl_tls.c:2907: |3| output record: msgtype = 22, version = [3:3], msglen = 87
ssl_tls.c:2912: |4| dumping ‘output record sent to network’ (92 bytes)
ssl_tls.c:2912: |4| 0000: 16 03 03 00 57 01 00 00 53 03 03 47 1d 4c 16 2f …W…S…G.L./
ssl_tls.c:2912: |4| 0010: 74 0f 01 26 ea a8 72 67 92 e2 39 7f 8b 67 e8 1f t…&…rg…9…g…
ssl_tls.c:2912: |4| 0020: f8 be ee fa ce e7 53 7a d5 f8 ef 00 00 04 c0 30 …Sz…0
ssl_tls.c:2912: |4| 0030: 00 ff 01 00 00 26 00 0d 00 12 00 10 06 03 06 01 …&…
ssl_tls.c:2912: |4| 0040: 05 03 05 01 04 03 04 01 03 03 03 01 00 0a 00 06 …
ssl_tls.c:2912: |4| 0050: 00 04 00 18 00 17 00 0b 00 02 01 00 …
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2489: |2| message length: 92, out_left: 92
ssl_tls.c:2496: |2| ssl->f_send() returned 92 (-0xffffffa4)
ssl_tls.c:2523: |2| <= flush output
ssl_tls.c:2922: |2| <= write record
ssl_cli.c:1085: |2| <= write client hello
ssl_cli.c:3384: |2| client state: 2
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2483: |2| <= flush output
ssl_cli.c:1478: |2| => parse server hello
ssl_tls.c:3809: |2| => read record
ssl_tls.c:2252: |2| => fetch input
ssl_tls.c:2412: |2| in_left: 0, nb_want: 5
ssl_tls.c:2436: |2| in_left: 0, nb_want: 5
ssl_tls.c:2438: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
ssl_tls.c:2458: |2| <= fetch input
ssl_tls.c:3552: |4| dumping ‘input record header’ (5 bytes)
ssl_tls.c:3552: |4| 0000: 16 03 03 00 57 …W
ssl_tls.c:3558: |3| input record: msgtype = 22, version = [3:3], msglen = 87
ssl_tls.c:2252: |2| => fetch input
ssl_tls.c:2412: |2| in_left: 5, nb_want: 92
ssl_tls.c:2436: |2| in_left: 5, nb_want: 92
ssl_tls.c:2438: |2| ssl->f_recv(_timeout)() returned 87 (-0xffffffa9)
ssl_tls.c:2458: |2| <= fetch input
ssl_tls.c:3737: |4| dumping ‘input record from network’ (92 bytes)
ssl_tls.c:3737: |4| 0000: 16 03 03 00 57 02 00 00 53 03 03 5c df bc de 81 …W…S….…
ssl_tls.c:3737: |4| 0010: 03 bb 3f 1f e8 c6 26 f8 f2 78 4f c6 33 af af 4d …?..&…xO.3…M
ssl_tls.c:3737: |4| 0020: 3a 14 16 91 b7 07 3e 98 33 9a da 20 e1 c1 aa dc :…>.3… …
ssl_tls.c:3737: |4| 0030: 5f 31 55 44 e9 a1 50 b8 a5 7e 08 6d 65 e6 75 ea _1UD…P…~.me.u.
ssl_tls.c:3737: |4| 0040: aa 10 a5 e0 59 c3 31 4c 08 b0 d9 f8 c0 30 00 00 …Y.1L…0…
ssl_tls.c:3737: |4| 0050: 0b ff 01 00 01 00 00 0b 00 02 01 00 …
ssl_tls.c:3159: |3| handshake message: msglen = 87, type = 2, hslen = 87
ssl_tls.c:3846: |2| <= read record
ssl_cli.c:1558: |3| dumping ‘server hello, version’ (2 bytes)
ssl_cli.c:1558: |3| 0000: 03 03 …
ssl_cli.c:1579: |3| server hello, current time: 1558166750
ssl_cli.c:1589: |3| dumping ‘server hello, random bytes’ (32 bytes)
ssl_cli.c:1589: |3| 0000: 5c df bc de 81 03 bb 3f 1f e8 c6 26 f8 f2 78 4f .…?..&…xO
ssl_cli.c:1589: |3| 0010: c6 33 af af 4d 3a 14 16 91 b7 07 3e 98 33 9a da .3…M:…>.3…
ssl_cli.c:1669: |3| server hello, session id len.: 32
ssl_cli.c:1670: |3| dumping ‘server hello, session id’ (32 bytes)
ssl_cli.c:1670: |3| 0000: e1 c1 aa dc 5f 31 55 44 e9 a1 50 b8 a5 7e 08 6d …_1UD…P…~.m
ssl_cli.c:1670: |3| 0010: 65 e6 75 ea aa 10 a5 e0 59 c3 31 4c 08 b0 d9 f8 e.u…Y.1L…
ssl_cli.c:1707: |3| no session has been resumed
ssl_cli.c:1710: |3| server hello, chosen ciphersuite: c030
ssl_cli.c:1711: |3| server hello, compress alg.: 0
ssl_cli.c:1743: |3| server hello, chosen ciphersuite: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
ssl_cli.c:1760: |2| server hello, total extension length: 11
ssl_cli.c:1780: |3| found renegotiation extension
ssl_cli.c:1859: |3| found supported_point_formats extension
ssl_cli.c:1271: |4| point format selected: 0
ssl_cli.c:1949: |2| <= parse server hello
ssl_cli.c:3384: |2| client state: 3
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2483: |2| <= flush output
ssl_tls.c:4376: |2| => parse certificate
ssl_tls.c:3809: |2| => read record
ssl_tls.c:2252: |2| => fetch input
ssl_tls.c:2412: |2| in_left: 0, nb_want: 5
ssl_tls.c:2436: |2| in_left: 0, nb_want: 5
ssl_tls.c:2438: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
ssl_tls.c:2458: |2| <= fetch input
ssl_tls.c:3552: |4| dumping ‘input record header’ (5 bytes)
ssl_tls.c:3552: |4| 0000: 16 03 03 09 2c …,
ssl_tls.c:3558: |3| input record: msgtype = 22, version = [3:3], msglen = 2348
ssl_tls.c:3599: |1| bad message length
ssl_tls.c:3820: |1| mbedtls_ssl_read_record_layer() returned -29184 (-0x7200)
ssl_tls.c:4416: |1| mbedtls_ssl_read_record() returned -29184 (-0x7200)
ssl_tls.c:6764: |2| <= handshake
failed
! mbedtls_ssl_handshake returned -0x7200

ssl_tls.c:7542: |2| => free
ssl_tls.c:7607: |2| <= free

At server side I’m getting the error of “-SSL The connection indicate an EOF”
Guys, may i get any suggestions ?
Thanks…
SSL_Server

roneld01 · May 19, 2019, 8:43am

Hi @mahendra_sondagar
From your logs I see:

ssl_tls.c:3558: |3| input record: msgtype = 22, version = [3:3], msglen = 2348
ssl_tls.c:3599: |1| bad message length
ssl_tls.c:3820: |1| mbedtls_ssl_read_record_layer() returned -29184 (-0x7200)
ssl_tls.c:4416: |1| mbedtls_ssl_read_record() returned -29184 (-0x7200)

and in your configuration: MBEDTLS_SSL_MAX_CONTENT_LEN is 2048

The reason for failure is that the server is sending you 2348 of data, while you are reading only ~2048 bytes because of your limitation.

Please try the following in your configuration:

#define MBEDTLS_SSL_IN_CONTENT_LEN 3072
#define MBEDTLS_SSL_OUT_CONTENT_LEN 2048

This doesn’t gurantee that you will pass all server authentications, if they send more than 3072 bytes of data, but it should help you pass your current situation.
Regards

mahendra_sondagar · May 20, 2019, 11:32am

Hello @roneld01
Thanks for the feedback
yes i have made the changes as per your suggestions

#define MBEDTLS_SSL_IN_CONTENT_LEN 3072
#define MBEDTLS_SSL_OUT_CONTENT_LEN 2048

and comment MBEDTLS_SSL_MAX_CONTENT_LEN
However now I’m facing the issue related to heap allocation failed!

IpAdress = 192.168.0.11

. Seeding the random number generator… ok
. Loading the CA root certificate … ok (0 skipped)
. Connecting to tcp/192.168.1.63/4433… ok
. Setting up the SSL/TLS structure… ok
ssl_tls.c:5675: |1| alloc(16429 bytes) failed
failed
! mbedtls_ssl_setup returned -32512

ssl_tls.c:7542: |2| => free
ssl_tls.c:7607: |2| <= free

i just need to know what will be the minimum RAM that is occupied by mbedTLS to run successfully
Regards,
Mahendra Sondagar

roneld01 · May 20, 2019, 1:56pm

Hi @mahendra_sondagar
The minimal RAM usage is very much dependent on your configuration.

I suggest you look at the following articles:

Note that we recently introduced features to reduce RAM usage when parsing X509 certificates, as mentioned in the second article I referenced.
These features, are not part of a released version, but if you are willing to use our latest version, you are welcome to try it.
Regards

Topic		Replies	Views
Mbedtls_ssl_handshake return error -0x2700 Generic mbed_client , mbed_tls , mbed_os	8	10653	February 3, 2020
Mbedtls_ssl_handshake failed Crypto and SSL questions mbed_client , mbed_tls , mbed_os	9	10538	April 22, 2019
Error 0x7780 during handshake Mbed TLS mbed_tls	7	7140	May 10, 2023
TLS handshake issue Generic mbed_client , mbed_tls	5	4750	October 7, 2018
Please help me find out why mbedtls_ssl_handshake（）failed! Mbed TLS mbed_client , mbed_tls	5	5798	April 12, 2020

MbedTLS handshake fail return -0x50

© COPYRIGHT(c) 2017 STMicroelectronics

Related Topics