Arm Mbed and Pelion Device Management support forum

Mbedtls_ssl_handshake failed in pkcs#1 verification

Dear All
We are using mbedtls ssl_client2 and ssl_server2 examples with cert chain of root,intermediate and device.
Please refer earlier conversation as per below link
My own sample rootCA is failing on handshaking with aws.
We have created a new topic as per earlier request.
We have hard-coded root ca ,intermediate(Server) and device(client) certs and keys in certs.c file.
Please let us know if any additional information is required.


Hi @manish_arm
Thank you for posting a new topic.
As questioned in the original topic, What is the “own key” You have set in the client side?
Could you please share logs?

Hi Mr Ron

Thanks a lot for your support.

As per current understanding we have replaced certs and keys in certs.c file.

So we have replace TEST_CLI_KEY_RSA_PEM in certs.c file with RSA private key.

In the client example this points to mbedtls_test_cli_key in mbedtls_pk_parse_key(…) function.

Please correct the understanding if required.

The server and client side logs are at below location valid for one day.

Please note these are old logs and the certs are expired now and we have to debug by creating new certs.



(Attachment ARmEmbedLogs.7z is missing)

Hi Manish,
You don’t need to replace the certificates in keys in certs.c. This file holds test certificates used by Mbed TLS.
You should use your own certificates and keys, by parsing them, whether with mbedtls_x509_crt_parse() or with mbedtls_x509_crt_parse_file(). For keys, you should parse with mbedtls_pk_parse_key().
If you are using the sslclient2 example, you can send these as parameters to the example application.
As for the logs, they are not accessible; Please paste the logs as text.

Hi Mr Ron

Thanks for your feedback.

The logs are again uploaded to below link. Please do confirm they are available and u can download.

For us its downloading from below link

The final cert chain for us will be

DEVICE SIDE: root ca,intermediate1,intermediate2,device cert

SERVER SIDE: root ca,intermediate1,server cert

Please share mbedtls library expectation for device and server cert verification so that we can work accordingly.



Hi Manish,
The root CA should not be sent as part of the certificate chain in the handshake.
It should be set as a trusted certificate using mbedtls_ssl_conf_ca_chain() (or mbedtls_ssl_conf_ca_cb()). From the logs, I understand that you have set two way authentication method, that the server requires client certificate verification. Was this your intention?

The failure is when the server tries to verify the client certificate. It is probably because the public key used for verification is not the pair of the private key that signed the certificate.