mbedTLS SSL handshake issue 2

disgust · April 1, 2019, 1:43pm

Thanks @roneld01!
I’ve defined MBEDTLS_ECP_DP_SECP521R1_ENABLED as well as modified config.
But situation is the same.

I don’t know but openssl works fine on local machine using the same pairs.

My server do not uses time. As well it does not use date_time.
But client uses.
Server hello message send some data in the time field, and this data corresponds the time from future.
Can it be an issue?

What should I do with function mbedtls_ssl_conf_ca_chain?
There is only CA cert sends to this function in mbedtls examples.
But from tls1.2 handshake description I see that full chain should be sent.
Which way is correct?

roneld01 · April 1, 2019, 3:40pm

Hi @disgust

Have you tried my suggestion in first commnet:

Use a local server ( ssl_server2 ) compiled with the shown configuration.

?

This could help you understand if it’s a configuration issue or a platform issue.

Can it be an issue?

It might be, but the previous error shown is not related to time, unless the current failure is different than what was mentioned earlier.

Which way is correct?

In mbedtls_ssl_conf_ca_chain() you should set all the CA certificates that you wish your server to support. As an embedded device, it is simply not possible to store full chain of CA certificates.

You can look at this PR which introduces a new way of setting CA certificate( instead of a static list).

Regards,
Mbed TLS Team member
Ron

disgust · April 2, 2019, 9:22am

I have tried. First I got it worked but without memory allocation functions being redefined.
When I redefine memory functions - I get an error -0x4e00
That was tomorrow. Today I get peer cert error when trying connect using the same settings. (-0x7880)

I don’t have an implementation of calloc for heap_4 (using FreeRTOS)
So I’ve written a wrapper:

#define calloc(x,y) malloc(x*y)

It’s strange if this is an issue…
UPD:
I didn’t concerned that calloc in opposite of malloc set all allocated memory with zero values.
I fixed it and can successfully handle handshake!
Thanks @roneld01

roneld01 · April 2, 2019, 11:30am

@disgust
I am glad you resolved your issue!

disgust · April 2, 2019, 11:30am

Thanks for assistance and advises!

sg0993 · November 25, 2019, 8:59am

Hi @disgust,
I have faced the same issue,so the last modification is config the ca certificates by https://github.com/ARMmbed/mbedtls/pull/2532?
Where is the code?I can’t clear that how to modify?
Many thanks!
regards,
Ellen

Topic		Replies	Views
TLS handshake issue Generic mbed_client , mbed_tls	5	4775	October 7, 2018
MbedTLS handshake is not functioning properly when attempting client authentication Platform specific questions mbed_client , mbed_tls , stmicroelectronics	2	2947	January 1, 2024
Mbed TLS Server MBEDTLS_SSL_VERIFY_REQUIRED handshake fails Generic mbed_tls	0	236	October 11, 2023
SSL/TLS handshake failed: mbedtls_ssl_handshake returned -0x7200 Crypto and SSL questions mbed_client	0	7264	February 26, 2021
Bad Key received from SSL Server Mbed TLS mbed_client , mbed_tls , stmicroelectronics	1	610	October 15, 2020

mbedTLS SSL handshake issue 2

Related Topics