mbedtls_ssl_handshake returns error -0x2700

Hi @roneld01
I called mbedtls_ssl_conf_ca_chain() to supply the certificate, following the ESP32 WiFiClientSecure library:

// Registers _cacert as the trusted CA chain used to verify the server certificate.
// The third argument is the CRL chain; NULL means no revocation list is configured.
mbedtls_ssl_conf_ca_chain(&_ssl_conf, &_cacert, NULL);

mbedtls_ssl_conf_ca_cb() is not called.
I get the two inputs here:

// Parse the CA certificate(s) from the PEM text into _cacert. For PEM input
// the length passed to mbedtls_x509_crt_parse() must include the terminating
// NUL, hence strlen() + 1. A non-zero result is either a negative error code
// or a positive count of certificates that failed to parse.
if ((ret = mbedtls_x509_crt_parse(&_cacert, (const unsigned char *)_ssl_ca_pem,
                       strlen(_ssl_ca_pem) + 1)) != 0)
    {
        // NOTE(review): the Mbed TLS code in ret is discarded here; logging it
        // would show why the CA PEM was rejected.
        return -1;
    }
// Load the library defaults for a TLS (stream transport) client configuration.
if ((ret = mbedtls_ssl_config_defaults(&_ssl_conf,
                    MBEDTLS_SSL_IS_CLIENT,
                    MBEDTLS_SSL_TRANSPORT_STREAM,
                    MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
    {
        return -1;
    }

The _ssl_ca_pem is the input cert. The full code is here:

// Excerpt of a connect routine (the enclosing function is not shown): sets up
// an Mbed TLS client session on top of _tcp_socket and runs the handshake.
// NOTE(review): when no CA PEM is configured this falls back to a plain TCP
// connection, so a missing certificate yields cleartext rather than an error.
if (_ssl_ca_pem == NULL)
    {
        // No SSL
        return _tcp_socket->connect(host, port);
    }
    
    // Initialize TLS-related stuff.
    int ret;
    // Seed the CTR-DRBG from the entropy context. TLS_CUNSTOM is passed as the
    // personalization data; it is defined elsewhere (presumably a string
    // constant, in which case sizeof also counts its NUL - confirm).
    if ((ret = mbedtls_ctr_drbg_seed(&_ctr_drbg, mbedtls_entropy_func, &_entropy,
                      (const unsigned char *) TLS_CUNSTOM,
                      sizeof (TLS_CUNSTOM))) != 0)
    {
        return -1;
    }

    // Parse the CA certificate(s) from PEM. For PEM input the length must
    // include the terminating NUL, hence strlen() + 1. A non-zero result is a
    // negative error code or a positive count of certificates that failed to
    // parse; either way the specific code is discarded by the return -1 below.
    if ((ret = mbedtls_x509_crt_parse(&_cacert, (const unsigned char *)_ssl_ca_pem,
                       strlen(_ssl_ca_pem) + 1)) != 0)
    {
        return -1;
    }

    // Load library defaults for a TLS (stream transport) client.
    if ((ret = mbedtls_ssl_config_defaults(&_ssl_conf,
                    MBEDTLS_SSL_IS_CLIENT,
                    MBEDTLS_SSL_TRANSPORT_STREAM,
                    MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
    {
        return -1;
    }

    // Trust anchors for server verification: _cacert, with no CRL (NULL).
    // The server's chain must lead to one of these certificates, otherwise
    // verification fails during the handshake.
    mbedtls_ssl_conf_ca_chain(&_ssl_conf, &_cacert, NULL);
    mbedtls_ssl_conf_rng(&_ssl_conf, mbedtls_ctr_drbg_random, &_ctr_drbg);

    /* It is possible to disable authentication by passing
     * MBEDTLS_SSL_VERIFY_NONE in the call to mbedtls_ssl_conf_authmode()
     */
    // mbedtls_ssl_conf_authmode(&_ssl_conf, /* MBEDTLS_SSL_VERIFY_REQUIRED*/MBEDTLS_SSL_VERIFY_OPTIONAL);
    // VERIFY_REQUIRED aborts the handshake when the server certificate does not
    // verify. With VERIFY_OPTIONAL (the commented-out line above) the handshake
    // continues on failure and the caller must itself reject a non-zero
    // mbedtls_ssl_get_verify_result().
    mbedtls_ssl_conf_authmode(&_ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED);

#if DEBUG_LEVEL > 0
    // Debug builds install a verification callback and a debug sink.
    // NOTE(review): my_verify is not shown; a verify callback is able to clear
    // the flags it receives, so confirm it only logs and does not relax the result.
    mbedtls_ssl_conf_verify(&_ssl_conf, my_verify, NULL);
    mbedtls_ssl_conf_dbg(&_ssl_conf, my_debug, NULL);
    mbedtls_debug_set_threshold(DEBUG_LEVEL);
#endif

    if ((ret = mbedtls_ssl_setup(&_ssl, &_ssl_conf)) != 0)
    {
        return -1;
    }
    
    // Expected server name: sent as SNI and matched against the certificate's
    // names during verification.
    // NOTE(review): the return value is ignored; a failure here would go unnoticed.
    mbedtls_ssl_set_hostname(&_ssl, host);
    
    // Route TLS record I/O through the TCP socket via ssl_send/ssl_recv; the
    // final NULL means no receive-with-timeout callback is registered.
    mbedtls_ssl_set_bio(&_ssl, static_cast<void *>(_tcp_socket), ssl_send, ssl_recv, NULL );

    /* Connect to the server */
    ret = _tcp_socket->connect(host, port);
    if (ret != NSAPI_ERROR_OK)
    {
        return ret;
    }

   /* Start the handshake */
    // -0x2700 from the handshake is MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: the
    // server's chain did not verify against the configured CA and hostname.
    ret = mbedtls_ssl_handshake(&_ssl);
    // res is a bitmask of MBEDTLS_X509_BADCERT_* flags (expired, name mismatch,
    // not trusted, ...) that names the reason; mbedtls_x509_crt_verify_info()
    // renders it as text.
    // NOTE(review): ret is not checked within this excerpt before the session
    // is inspected; the code that follows is not shown - confirm it fails
    // closed when ret != 0.
    int res = mbedtls_ssl_get_verify_result(&_ssl);

I found that the 0x2700 error comes from the second step of the server hello, here:

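/* Excerpt of the client-side handshake state dispatch (the enclosing switch is
 * not shown): each case runs the parser for the message expected in that state. */
case MBEDTLS_SSL_SERVER_HELLO:
           ret = ssl_parse_server_hello( ssl );
           break;

       case MBEDTLS_SSL_SERVER_CERTIFICATE:
           /* Debug trace of the current state. ssl->state is an integer, so it
            * must go through a literal format string; passing it as the format
            * argument makes printf treat the number as a pointer. */
           printf( "%d\n", ssl->state );
           /* Handles the server's Certificate message. This appears to be the
            * step the post reports as returning -0x2700
            * (MBEDTLS_ERR_X509_CERT_VERIFY_FAILED). */
           ret = mbedtls_ssl_parse_certificate( ssl );
           break;

       case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
           ret = ssl_parse_server_key_exchange( ssl );
           break;

       case MBEDTLS_SSL_CERTIFICATE_REQUEST:
           ret = ssl_parse_certificate_request( ssl );
           break;

       case MBEDTLS_SSL_SERVER_HELLO_DONE:
           ret = ssl_parse_server_hello_done( ssl );
           break;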

Does this mean that the certificate from the server is not valid?
Thank you for your help!