Hello,
I’m trying to make a secure connection between the server and the client.
The host name is: qa.iot1.homecloud.honeywell.com.cn
and the client has 2 CA certificates:
HoneywellQAProductPKI.pem, the CA certificate
SharedQACA.pem, the middle CA certificate
and the device certificate is ClientCert.pem.
I don’t know how to set the certificate chain, and right now I only set the root CA certificate by: ca_file=/system/etc/security/cacerts/HoneywellQAProductPKI.pem
When I set opt.auth_mode = MBEDTLS_SSL_VERIFY_OPTIONAL, the error is:
Last error was: -0x4E00 - ECP - The signature is not valid, in TLS handshake "MBEDTLS_SSL_SERVER_KEY_EXCHANGE".
When I set opt.auth_mode = MBEDTLS_SSL_VERIFY_REQUIRED, the error is:
Unable to verify the server's certificate. Either it is invalid, or you didn't set ca_file or ca_path to an appropriate value, in TLS handshake "MBEDTLS_SSL_SERVER_CERTIFICATE".
How do I call the API to configure 2 CA files?
I don’t know if the reason is a CA file misconfiguration.
Hi @sg0993
I have tried connecting to qa.iot1.homecloud.honeywell.com.cn and the server is sending a certificate signed by DigiCert.
This means you should set DigiCert as the trusted CA for the server.
As for setting the client certificate, you should call mbedtls_ssl_conf_own_cert() with your client certificate and your client private key.
It is safe to assume that your client certificate is signed by a CA trusted by your server (Honeywell), and that your server will accept your certificate.
Please try setting the DigiCert certificate as the trusted root CA, and update with the results.
As for setting several CA certificates, you can just concatenate all the PEM certificates into a single file.
Regards,
Mbed Support
Ron
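The steps in the reply above, written out as an added example (this is not code from the thread and not code from the Mbed TLS project). It does two things: pem_count_certs() splits a concatenated PEM buffer into certificate blocks, so you can check offline what a bundle built with "cat root.pem intermediate.pem > ca.pem" really contains; and, when compiled with -DUSE_MBEDTLS, configure_mutual_tls() loads several CA files into one mbedtls_x509_crt chain (each mbedtls_x509_crt_parse_file() call appends to the same chain, so concatenation is not even required) and registers the client certificate and key with mbedtls_ssl_conf_own_cert(). The file names digicert_root.pem and ClientKey.pem, and the sample bundle contents, are assumptions, not values from the thread.

```c
/*
 * Added example, not code from the thread or from the Mbed TLS project.
 * Build the Mbed TLS part with:
 *   cc -DUSE_MBEDTLS example.c -lmbedtls -lmbedx509 -lmbedcrypto
 * Without USE_MBEDTLS only the offline PEM bundle check is compiled.
 * All file names below are assumptions, not values from the thread.
 */
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Number of complete certificate blocks in a NUL-terminated PEM buffer.
 * Returns -1 when a BEGIN line has no matching END (truncated bundle). */
int pem_count_certs(const char *buf)
{
    int n = 0;
    const char *p = buf;
    for (;;) {
        const char *b = strstr(p, PEM_BEGIN);
        if (b == NULL)
            return n;
        const char *e = strstr(b + strlen(PEM_BEGIN), PEM_END);
        if (e == NULL)
            return -1;
        n++;
        p = e + strlen(PEM_END);
    }
}

/* Constructed sample bundle (root + intermediate); the base64 bodies are
 * placeholders, not real certificates. */
const char sample_ca_bundle[] =
    PEM_BEGIN "\n" "MIIB...root...\n" PEM_END "\n"
    PEM_BEGIN "\n" "MIIB...intermediate...\n" PEM_END "\n";

#ifdef USE_MBEDTLS
#include "mbedtls/ssl.h"
#include "mbedtls/x509_crt.h"
#include "mbedtls/pk.h"

/* Every mbedtls_x509_crt_parse_file() call appends to the same chain, so
 * several CA files need no concatenation. Returns 0 on success. */
int configure_mutual_tls(mbedtls_ssl_config *conf,
                         mbedtls_x509_crt *cacert,
                         mbedtls_x509_crt *clicert,
                         mbedtls_pk_context *pkey,
                         const char *const *ca_files, size_t n_ca,
                         const char *cert_file, const char *key_file)
{
    int ret;
    for (size_t i = 0; i < n_ca; i++)
        if ((ret = mbedtls_x509_crt_parse_file(cacert, ca_files[i])) != 0)
            return ret;   /* >0: some certs in the file failed, <0: hard error */
    mbedtls_ssl_conf_ca_chain(conf, cacert, NULL);
    /* VERIFY_OPTIONAL only records failures; REQUIRED aborts the handshake. */
    mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_REQUIRED);

    /* Leaf first; parse the issuing intermediate into the same chain
     * afterwards if the server needs it to build a path to its anchor. */
    if ((ret = mbedtls_x509_crt_parse_file(clicert, cert_file)) != 0)
        return ret;
    /* Mbed TLS 2.x signature (3.x adds f_rng/p_rng arguments). */
    if ((ret = mbedtls_pk_parse_keyfile(pkey, key_file, NULL)) != 0)
        return ret;
    return mbedtls_ssl_conf_own_cert(conf, clicert, pkey);
}
#endif

int main(void)
{
    printf("certificates in sample bundle: %d\n",
           pem_count_certs(sample_ca_bundle));
#ifdef USE_MBEDTLS
    mbedtls_ssl_config conf;
    mbedtls_x509_crt cacert, clicert;
    mbedtls_pk_context pkey;
    mbedtls_ssl_config_init(&conf);
    mbedtls_x509_crt_init(&cacert);
    mbedtls_x509_crt_init(&clicert);
    mbedtls_pk_init(&pkey);
    /* Assumed file names: the server chain anchors at a DigiCert root, the
     * client chain at the Honeywell CAs. */
    const char *cas[] = { "digicert_root.pem" };
    int ret = configure_mutual_tls(&conf, &cacert, &clicert, &pkey,
                                   cas, 1, "ClientCert.pem", "ClientKey.pem");
    printf("configure_mutual_tls: %d\n", ret);
#endif
    return 0;
}
```

Two points worth keeping in mind with this layout: the CA chain passed to mbedtls_ssl_conf_ca_chain() is what verifies the server, so for this host it has to contain the DigiCert root, not the Honeywell CAs; and the Honeywell intermediate belongs with the client certificate (parsed into clicert after the leaf) only if the server cannot otherwise build the path to the Honeywell root. With MBEDTLS_SSL_VERIFY_OPTIONAL the handshake continues despite a failed verification, so the -0x4E00 from the SERVER_KEY_EXCHANGE step is then reported instead of the certificate error; mbedtls_ssl_get_verify_result() returns the verification flags after the handshake in that mode.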
Hi Ron Eldor,
I have called the function mbedtls_ssl_conf_own_cert to set the client certificate and called mbedtls_ssl_conf_ca_chain to set the CA certificate, and concatenated the 2 PEM CA files into a single file, but the error is still the same.
The code segment:

    #if defined(MBEDTLS_X509_CRT_PARSE_C)
        if( strcmp( opt.ca_path, "none" ) != 0 &&
            strcmp( opt.ca_file, "none" ) != 0 )
        {
            mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
        }
        if( strcmp( opt.crt_file, "none" ) != 0 )
        {
            if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &clicert, &pkey ) ) != 0 )
            {
                LOGE( " failed\n  ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
                goto exit;
            }
        }
    #endif
Hi feng,
I am sorry, but as an open source project with public support, support should be done in this channel, for the benefit of the community.
Please paste sample code here, with the logs (you can follow the example in the client application with debug_level=4).
Regards,
Ron