Hello, guys. I’m trying to make a secure connection between the server and the client. The server is on stm32f4 platform with LwIp and FreeRTOS. For test connection I am using two utilities: First, compiled from mbedtls repository ssl_client2 ssl_client2 ca_file=~/ca.crt key_file=~/client.key c…

Thank you Ron! [image] roneld01: Could be. It depends what ciphersuite was sent\ ecp curve, cerdtificate, etc… I use test PK and test certs provided by mbedtls, as well as mbed tls client application built without any changes. Why this does not work? What can be wrong? With cert_app I have …

Which ciphersuites I need to include to project to be able to work with test PK and Certs provided in mbedtls repo?

The reason for your failure is because the server hostname doesn’t fit the server certificate subject \ subject alternative name. ( This is one of the checks done on the certificate) Unfortunately, in the cert_app the server_name and server_addr are the same. You should change the value of the se…

Which ciphersuites I need to include to project to be able to work with test PK and Certs provided in mbedtls repo? There are RSA and ECC certificates in “certs”, so your configuration seems to be fine, as the failure is in the server certificate failure

I used only ECC certs and keys. Same with configuration. But I even tried to add all the ciphersuites. Nothing changed. [image] roneld01: If your authentication method is only verifying the server, then there is no need to set hostname in the server side. On server side I switched off auth…

This is because, as mentioned, the issue is not the configuration, but the hostname. For test purposes please set in your client: mbedtls_ssl_conf_authmode( &tls.conf, MBEDTLS_SSL_VERIFY_OPTIONAL); To see if all the rest of the handshake succeeds. Note that this is not secure, as it doesn’t v…

If I plovide big list of ciphersuites on both sides how mbedtls stack choose the one to use? OK, seems I have same error with cert_app as with ssl_client2 mbedtls_pk_verify() returned -19968 (-0x4e00) Since this alert is produced by client this means that here is something wrong with client PK… …

I looked for the function which emits an error step by step: /* * Step 8: check if v (that is, R.X) is equal to r */ if( mbedtls_mpi_cmp_mpi( &R.X, r ) != 0) ... In file ecdsa.c returns -1; Can anyone explain what does it mean? What is wrong with key?

mbedTLS SSL handshake issue 2

Mbed TLS Generic

roneld01 (Ron Eldor) March 28, 2019, 2:16pm 8

So this changes should be performed in client code?
Because in server code I never set server_name

If your authentication method is only verifying the server, then there is no need to set hostname in the server side.

The hostname is set for verifying that the Server common name is valid.

Topic		Replies	Views
MbedTLS handshake fail return -0x50 Bug Reports / Issues mbed_client	11	9100	May 20, 2019
Mbedtls_ssl_handshake fails and returns -0x4D80 error code Crypto and SSL questions	17	4841	June 30, 2019
Mbedtls_ssl_handshake failed Crypto and SSL questions mbed_client , mbed_tls , mbed_os	9	12107	April 22, 2019
Failed handshake - Two Way handshake with ECC 384 Keys Mbed TLS mbed_tls	11	3586	December 9, 2019
Connect to MQTT server Generic mbed_tls	22	5728	November 23, 2018

mbedTLS SSL handshake issue 2

Related topics