mbedtls_ssl_handshake returned -0x7200 connecting to Amazon API Gateway

Hello,

I am trying to open an SSL connection to an AWS CloudFront server from an ESP32 using mbedtls.
The mbedtls_ssl_handshake function always returns -0x7200.

From what I have seen this may be because the buffer used to store the incoming TLS fragment is too small, but for me it is set to 16384 bytes, which is the maximum value I can set.

I am able to open TLS connections to other Amazon endpoints without issue. The only one that is failing is the one to the CloudFront server.

In the mbedtls logs I can see that the TLS version extracted by mbedtls from the Server Hello message is [0:0], which leads to a "major version mismatch" log. What can be the cause of this problem? How could I solve it?

As a note, I am able to connect to the server using Postman/curl/Python without issue.

Here are the full logs:

11:51:07.331 -> D (41521) esp-tls: handshake in progress...
11:51:07.331 -> I (41522) mbedtls: ssl_tls.c:8203 => handshake
11:51:07.331 -> I (41522) mbedtls: ssl_cli.c:3785 client state: 0
11:51:07.331 -> I (41525) mbedtls: ssl_tls.c:2847 => flush output
11:51:07.331 -> I (41531) mbedtls: ssl_tls.c:2859 <= flush output
11:51:07.331 -> I (41536) mbedtls: ssl_cli.c:3785 client state: 1
11:51:07.331 -> I (41542) mbedtls: ssl_tls.c:2847 => flush output
11:51:07.364 -> I (41548) mbedtls: ssl_tls.c:2859 <= flush output
11:51:07.364 -> I (41553) mbedtls: ssl_cli.c:805 => write client hello
11:51:07.364 -> D (41559) mbedtls: ssl_cli.c:861 client hello, max version: [3:3]
11:51:07.364 -> D (41565) mbedtls: ssl_cli.c:730 client hello, current time: 40
11:51:07.364 -> D (41572) mbedtls: ssl_cli.c:870 dumping 'client hello, random bytes' (32 bytes)
11:51:07.364 -> D (41579) mbedtls: ssl_cli.c:870 0000:  00 00 00 28 56 34 8d 6a 10 42 08 e8 93 7e bf df  ...(V4.j.B...~..
11:51:07.486 -> D (41589) mbedtls: ssl_cli.c:870 0010:  97 e1 52 cd d7 61 d7 6a 6c 6c e3 92 9b 01 72 08  ..R..a.jll....r.
11:51:07.486 -> D (41599) mbedtls: ssl_cli.c:930 client hello, session id len.: 0
11:51:07.486 -> D (41605) mbedtls: ssl_cli.c:931 dumping 'client hello, session id' (0 bytes)
11:51:07.486 -> D (41612) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c02c
11:51:07.486 -> D (41619) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c030
11:51:07.486 -> D (41625) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: 009f
11:51:07.486 -> D (41632) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c0ad
11:51:07.486 -> D (41638) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c09f
11:51:07.486 -> D (41645) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c024
11:51:07.486 -> D (41651) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c028
11:51:07.486 -> D (41658) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: 006b
11:51:07.486 -> D (41665) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c00a
11:51:07.486 -> D (41671) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c014
11:51:07.486 -> D (41678) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: 0039
11:51:07.486 -> D (41684) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c0af
11:51:07.486 -> D (41691) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c0a3
11:51:07.486 -> D (41697) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c02b
11:51:07.486 -> D (41704) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c02f
11:51:07.486 -> D (41710) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: 009e
11:51:07.529 -> D (41717) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c0ac
11:51:07.529 -> D (41724) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c09e
11:51:07.529 -> D (41730) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c023
11:51:07.529 -> D (41737) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c027
11:51:07.529 -> D (41743) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: 0067
11:51:07.529 -> D (41750) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c009
11:51:07.529 -> D (41756) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c013
11:51:07.596 -> D (41763) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: 0033
11:51:07.596 -> D (41769) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c0ae
11:51:07.596 -> D (41776) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c0a2
11:51:07.596 -> D (41783) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: 009d
11:51:07.596 -> D (41789) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c09d
11:51:07.596 -> D (41796) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: 003d
11:51:07.629 -> D (41802) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: 0035
11:51:07.629 -> D (41809) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c032
11:51:07.629 -> D (41815) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c02a
11:51:07.629 -> D (41822) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c00f
11:51:07.629 -> D (41828) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c02e
11:51:07.629 -> D (41835) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c026
11:51:07.629 -> D (41842) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c005
11:51:07.662 -> D (41848) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c0a1
11:51:07.662 -> D (41855) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: 009c
11:51:07.662 -> D (41861) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c09c
11:51:07.662 -> D (41868) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: 003c
11:51:07.662 -> D (41874) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: 002f
11:51:07.662 -> D (41881) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c031
11:51:07.728 -> D (41887) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c029
11:51:07.728 -> D (41894) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c00e
11:51:07.728 -> D (41901) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c02d
11:51:07.728 -> D (41907) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c025
11:51:07.728 -> D (41914) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c004
11:51:07.728 -> D (41920) mbedtls: ssl_cli.c:998 client hello, add ciphersuite: c0a0
11:51:07.728 -> D (41927) mbedtls: ssl_cli.c:1013 client hello, got 48 ciphersuites (excluding SCSVs)
11:51:07.761 -> D (41935) mbedtls: ssl_cli.c:1022 adding EMPTY_RENEGOTIATION_INFO_SCSV
11:51:07.761 -> D (41942) mbedtls: ssl_cli.c:1076 client hello, compress len.: 1
11:51:07.761 -> D (41948) mbedtls: ssl_cli.c:1078 client hello, compress alg.: 0
11:51:07.761 -> D (41954) mbedtls: ssl_cli.c:213 client hello, adding signature_algorithms extension
11:51:07.761 -> D (41962) mbedtls: ssl_cli.c:306 client hello, adding supported_elliptic_curves extension
11:51:07.761 -> D (41970) mbedtls: ssl_cli.c:376 client hello, adding supported_point_formats extension
11:51:07.794 -> D (41978) mbedtls: ssl_cli.c:549 client hello, adding encrypt_then_mac extension
11:51:07.794 -> D (41986) mbedtls: ssl_cli.c:580 client hello, adding extended_master_secret extension
11:51:07.794 -> D (41994) mbedtls: ssl_cli.c:613 client hello, adding session ticket extension
11:51:07.794 -> D (42002) mbedtls: ssl_cli.c:1218 client hello, total extension length: 72
11:51:07.794 -> I (42009) mbedtls: ssl_tls.c:3286 => write handshake message
11:51:07.836 -> I (42015) mbedtls: ssl_tls.c:3445 => write record
11:51:07.836 -> D (42021) mbedtls: ssl_tls.c:3525 output record: msgtype = 22, version = [3:1], msglen = 215
11:51:07.836 -> V (42029) mbedtls: ssl_tls.c:3528 dumping 'output record sent to network' (220 bytes)
11:51:07.836 -> V (42037) mbedtls: ssl_tls.c:3528 0000:  16 03 01 00 d7 01 00 00 d3 03 03 00 00 00 28 56  ..............(V
11:51:07.836 -> V (42047) mbedtls: ssl_tls.c:3528 0010:  34 8d 6a 10 42 08 e8 93 7e bf df 97 e1 52 cd d7  4.j.B...~....R..
11:51:07.879 -> V (42057) mbedtls: ssl_tls.c:3528 0020:  61 d7 6a 6c 6c e3 92 9b 01 72 08 00 00 62 c0 2c  a.jll....r...b.,
11:51:07.879 -> V (42067) mbedtls: ssl_tls.c:3528 0030:  c0 30 00 9f c0 ad c0 9f c0 24 c0 28 00 6b c0 0a  .0.......$.(.k..
11:51:07.879 -> V (42077) mbedtls: ssl_tls.c:3528 0040:  c0 14 00 39 c0 af c0 a3 c0 2b c0 2f 00 9e c0 ac  ...9.....+./....
11:51:07.879 -> V (42086) mbedtls: ssl_tls.c:3528 0050:  c0 9e c0 23 c0 27 00 67 c0 09 c0 13 00 33 c0 ae  ...#.'.g.....3..
11:51:07.879 -> V (42096) mbedtls: ssl_tls.c:3528 0060:  c0 a2 00 9d c0 9d 00 3d 00 35 c0 32 c0 2a c0 0f  .......=.5.2.*..
11:51:07.927 -> V (42106) mbedtls: ssl_tls.c:3528 0070:  c0 2e c0 26 c0 05 c0 a1 00 9c c0 9c 00 3c 00 2f  ...&.........<./
11:51:07.927 -> V (42116) mbedtls: ssl_tls.c:3528 0080:  c0 31 c0 29 c0 0e c0 2d c0 25 c0 04 c0 a0 00 ff  .1.)...-.%......
11:51:07.927 -> V (42126) mbedtls: ssl_tls.c:3528 0090:  01 00 00 48 00 0d 00 16 00 14 06 03 06 01 05 03  ...H............
11:51:07.927 -> V (42136) mbedtls: ssl_tls.c:3528 00a0:  05 01 04 03 04 01 03 03 03 01 02 03 02 01 00 0a  ................
11:51:07.960 -> V (42145) mbedtls: ssl_tls.c:3528 00b0:  00 18 00 16 00 19 00 1c 00 18 00 1b 00 17 00 16  ................
11:51:07.960 -> V (42155) mbedtls: ssl_tls.c:3528 00c0:  00 1a 00 15 00 14 00 13 00 12 00 0b 00 02 01 00  ................
11:51:07.960 -> V (42165) mbedtls: ssl_tls.c:3528 00d0:  00 16 00 00 00 17 00 00 00 23 00 00              .........#..
11:51:07.960 -> I (42175) mbedtls: ssl_tls.c:2847 => flush output
11:51:07.960 -> I (42180) mbedtls: ssl_tls.c:2866 message length: 220, out_left: 220
11:51:08.026 -> I (42189) mbedtls: ssl_tls.c:2871 ssl->f_send() returned 220 (-0xffffff24)
11:51:08.026 -> I (42196) mbedtls: ssl_tls.c:2899 <= flush output
11:51:08.026 -> I (42200) mbedtls: ssl_tls.c:3578 <= write record
11:51:08.026 -> I (42206) mbedtls: ssl_tls.c:3422 <= write handshake message
11:51:08.026 -> I (42212) mbedtls: ssl_cli.c:1255 <= write client hello
11:51:08.026 -> I (42219) mbedtls: ssl_cli.c:3785 client state: 2
11:51:08.026 -> I (42224) mbedtls: ssl_tls.c:2847 => flush output
11:51:08.059 -> I (42229) mbedtls: ssl_tls.c:2859 <= flush output
11:51:08.059 -> I (42235) mbedtls: ssl_cli.c:1684 => parse server hello
11:51:08.059 -> I (42241) mbedtls: ssl_tls.c:4419 => read record
11:51:08.059 -> I (42246) mbedtls: ssl_tls.c:2628 => fetch input
11:51:08.059 -> I (42252) mbedtls: ssl_tls.c:2789 in_left: 0, nb_want: 5
11:51:08.059 -> I (42258) mbedtls: ssl_tls.c:2813 in_left: 0, nb_want: 5
11:51:08.059 -> I (42264) mbedtls: ssl_tls.c:2814 ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
11:51:08.092 -> I (42273) mbedtls: ssl_tls.c:2834 <= fetch input
11:51:08.092 -> V (42278) mbedtls: ssl_tls.c:4155 dumping 'input record header' (5 bytes)
11:51:08.092 -> V (42285) mbedtls: ssl_tls.c:4155 0000:  15 00 00 00 02                                   .....
11:51:08.092 -> D (42294) mbedtls: ssl_tls.c:4164 input record: msgtype = 21, version = [0:0], msglen = 2
11:51:08.092 -> W (42302) mbedtls: ssl_tls.c:4188 major version mismatch
11:51:08.092 -> W (42308) mbedtls: ssl_tls.c:4452 ssl_get_next_record() returned -29184 (-0x7200)
11:51:08.138 -> W (42317) mbedtls: ssl_cli.c:1691 mbedtls_ssl_read_record() returned -29184 (-0x7200)
11:51:08.138 -> I (42325) mbedtls: ssl_tls.c:8213 <= handshake
11:51:08.138 -> E (42330) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x7200
11:51:08.138 -> I (42337) esp-tls-mbedtls: Certificate verified.
11:51:08.138 -> E (42342) esp-tls: Failed to open new connection

Hi @Benjamin_Engelman, is there any update on this issue? I am facing the same failure.

Hi @Benjamin_Engelman, my error was solved configuring the SNI. The issue was that the server that I wanted to connect to only supported SNI. You can find more info here: How to use Server Name Indication — Mbed TLS documentation


Indeed this is what I had to do as well. Sorry I forgot to update my post with the solution.
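The trace in the first post and the SNI fix in the later reply, decoded with an added Python example (editor's code, not from the thread and not mbedtls project code). It parses the 220-byte ClientHello exactly as dumped under 'output record sent to network' and the five bytes that came back under 'input record header': content type 21 is a TLS alert record whose version field is 0.0, which is why mbedtls logs "major version mismatch" and returns -0x7200 (MBEDTLS_ERR_SSL_INVALID_RECORD in mbedtls 2.x) before it ever looks at the alert itself. The ClientHello carries signature_algorithms, supported_groups, ec_point_formats, encrypt_then_mac, extended_master_secret and session_ticket but no server_name extension, which is what the SNI fix adds. add_sni() shows that extension on the wire; the host name it is given is a placeholder, not an endpoint from the thread.

```python
"""Decode the ClientHello and the server reply from the trace, then add SNI."""
import struct

MBEDTLS_ERR_SSL_INVALID_RECORD = -0x7200   # what the trace reports (mbedtls/ssl.h)

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
EXTENSION_NAMES = {0x0000: "server_name", 0x000a: "supported_groups",
                   0x000b: "ec_point_formats", 0x000d: "signature_algorithms",
                   0x0016: "encrypt_then_mac", 0x0017: "extended_master_secret",
                   0x0023: "session_ticket"}

# Copied from the post's 'output record sent to network' dump (220 bytes).
CLIENT_HELLO = bytes.fromhex(
    "16030100d7010000d303030000002856" "348d6a104208e8937ebfdf97e152cdd7"
    "61d76a6c6ce3929b017208000062c02c" "c030009fc0adc09fc024c028006bc00a"
    "c0140039c0afc0a3c02bc02f009ec0ac" "c09ec023c0270067c009c0130033c0ae"
    "c0a2009dc09d003d0035c032c02ac00f" "c02ec026c005c0a1009cc09c003c002f"
    "c031c029c00ec02dc025c004c0a000ff" "01000048000d00160014060306010503"
    "0501040304010303030102030201000a" "001800160019001c0018001b00170016"
    "001a0015001400130012000b00020100" "001600000017000000230000")
# Copied from the post's 'input record header' dump: all the server sent back.
SERVER_REPLY = bytes.fromhex("1500000002")


def parse_record_header(buf):
    """Decode the 5-byte TLS record header: content type, version, length."""
    if len(buf) < 5:
        raise ValueError("short record header")
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    return {"type": CONTENT_TYPES.get(ctype, ctype), "version": (major, minor), "length": length}


def parse_client_hello(record):
    """Parse one handshake record holding a ClientHello (TLS 1.0-1.2 layout)."""
    hdr = parse_record_header(record)
    body = record[5:5 + hdr["length"]]
    if hdr["type"] != "handshake" or len(body) != hdr["length"] or body[0] != 1:
        raise ValueError("not a ClientHello record")
    h = body[4:]
    if len(h) != int.from_bytes(body[1:4], "big"):
        raise ValueError("handshake length does not match record")
    pos = 35 + h[34]                           # skip version, random, session_id
    cs_len = struct.unpack("!H", h[pos:pos + 2])[0]
    suites = [struct.unpack("!H", h[i:i + 2])[0]
              for i in range(pos + 2, pos + 2 + cs_len, 2)]
    pos += 2 + cs_len
    compression = list(h[pos + 1:pos + 1 + h[pos]])
    pos += 1 + len(compression)
    extensions = []
    if pos < len(h):
        end = pos + 2 + struct.unpack("!H", h[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", h[pos:pos + 4])
            extensions.append((etype, h[pos + 4:pos + 4 + elen]))
            pos += 4 + elen
        if pos != end or end != len(h):
            raise ValueError("bad extensions block")
    return {"record_version": hdr["version"], "client_version": (h[0], h[1]),
            "random": h[2:34], "session_id": h[35:35 + h[34]],
            "cipher_suites": suites, "compression": compression,
            "extensions": extensions}


def build_client_hello(hello):
    """Inverse of parse_client_hello(): serialise the dict back into a record."""
    body = bytes(hello["client_version"]) + hello["random"]
    body += bytes([len(hello["session_id"])]) + hello["session_id"]
    body += struct.pack("!H", 2 * len(hello["cipher_suites"]))
    body += b"".join(struct.pack("!H", s) for s in hello["cipher_suites"])
    body += bytes([len(hello["compression"])]) + bytes(hello["compression"])
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in hello["extensions"])
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", 22, *hello["record_version"], len(handshake)) + handshake


def extension_names(hello):
    return [EXTENSION_NAMES.get(t, hex(t)) for t, _ in hello["extensions"]]


def sni_hostname(hello):
    """Host name in the server_name extension (RFC 6066), or None if absent."""
    for etype, data in hello["extensions"]:
        if etype != 0x0000:
            continue
        pos, end = 2, 2 + struct.unpack("!H", data[:2])[0]
        while pos + 3 <= end:
            name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
            if data[pos] == 0:                  # NameType host_name
                return data[pos + 3:pos + 3 + name_len].decode("ascii")
            pos += 3 + name_len
    return None


def add_sni(record, hostname):
    """Append a server_name extension, as mbedtls does once mbedtls_ssl_set_hostname() was called.
    hostname is whatever the caller passes; the test uses a placeholder name."""
    hello = parse_client_hello(record)
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # one host_name entry
    hello["extensions"].append((0x0000, struct.pack("!H", len(entry)) + entry))
    return build_client_hello(hello)
```

Running parse_client_hello(CLIENT_HELLO) reproduces what the trace logs by hand: record version [3:1], client version [3:3], 48 suites plus the 0x00ff SCSV, a 72-byte extension block, and no server_name entry. parse_record_header(SERVER_REPLY) shows the reply was a 2-byte alert with version (0, 0), which is the "major version mismatch" mbedtls complains about. After add_sni() the same ClientHello parses with the host name present and 31 extra bytes on the wire.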