Mbed forum

mbedTLS SSL handshake issue 2

(Peter Hirt) #21

Thanks @roneld01!
I’ve defined MBEDTLS_ECP_DP_SECP521R1_ENABLED as well as modified config.
But situation is the same.

I don’t know but openssl works fine on local machine using the same pairs.

My server does not use time. It also does not use date_time.
But the client does.
The server hello message sends some data in the time field, and this data corresponds to a time in the future.
Can it be an issue?

What should I do with function mbedtls_ssl_conf_ca_chain?
Only the CA cert is sent to this function in the mbedtls examples.
But from the TLS 1.2 handshake description I see that the full chain should be sent.
Which way is correct?

(Ron Eldor) #22

Hi @disgust

Have you tried my suggestion in the first comment?

  1. Use a local server ( ssl_server2 ) compiled with the shown configuration.


This could help you understand if it’s a configuration issue or a platform issue.

Can it be an issue?

It might be, but the previous error shown is not related to time, unless the current failure is different than what was mentioned earlier.

Which way is correct?

In mbedtls_ssl_conf_ca_chain() you should set all the CA certificates that you wish your server to support. As an embedded device, it is simply not possible to store the full chain of CA certificates.

You can look at this PR which introduces a new way of setting CA certificate (instead of a static list).

Mbed TLS Team member

(Peter Hirt) #23

I have tried. At first I got it working, but without the memory allocation functions being redefined.
When I redefine the memory functions, I get an error -0x4e00.
That was tomorrow. Today I get a peer cert error when trying to connect using the same settings (-0x7880).

I don’t have an implementation of calloc for heap_4 (using FreeRTOS)
So I’ve written a wrapper:

#define calloc(x,y) malloc(x*y)

It’s strange if this is an issue…
I didn’t consider that calloc, as opposed to malloc, sets all allocated memory to zero values.
I fixed it and can successfully handle the handshake!
Thanks @roneld01
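
An added example, not part of the original posts: a `calloc` replacement for FreeRTOS heap_4 that keeps the zero-fill behaviour the fix above depends on, shown next to the wrapper from the post. `pvPortMalloc`/`vPortFree` are stubbed with libc here so it builds off-target; `naive_calloc`, `zeroing_calloc` and `all_zero` are names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for FreeRTOS heap_4's pvPortMalloc()/vPortFree() so the example
 * builds off-target. The 0xA5 fill simulates a reused, non-zero heap block. */
static void *pvPortMalloc(size_t size)
{
    void *p = malloc(size);
    if (p != NULL)
        memset(p, 0xA5, size);
    return p;
}

static void vPortFree(void *p) { free(p); }

/* The wrapper from the post: contents are left uninitialised and
 * n * size can wrap around. Kept only for comparison. */
static void *naive_calloc(size_t n, size_t size)
{
    return pvPortMalloc(n * size);
}

/* calloc() contract: fail on multiplication overflow, return zeroed memory. */
static void *zeroing_calloc(size_t n, size_t size)
{
    if (size != 0 && n > SIZE_MAX / size)
        return NULL;
    size_t total = n * size;
    void *p = pvPortMalloc(total);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

/* Helper for checking: 1 if every byte in buf is zero, 0 otherwise. */
static int all_zero(const void *buf, size_t len)
{
    const unsigned char *b = buf;
    for (size_t i = 0; i < len; i++)
        if (b[i] != 0)
            return 0;
    return 1;
}

/* On target, with MBEDTLS_PLATFORM_MEMORY enabled, register the pair with
 *   mbedtls_platform_set_calloc_free(zeroing_calloc, vPortFree);
 * before using the library. */
```

The overflow check matters as much as the `memset`: without it, a wrapped `n * size` returns a block smaller than the caller expects.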

(Ron Eldor) #24

I am glad you resolved your issue!

(Peter Hirt) #25

Thanks for the assistance and advice!