I am using mbedtls v3.2.1 and compiling only TLS 1.3, and using ccadb pem certs for a simple RSS reader.
I found that defining SNI with mbedtls_ssl_set_hostname() works on some websites while fails on others.
For example :
- with SNI set will pass handshake & fetches the news
- if I comment out the SNI settings it will fail handshake. It fails with " -0x2700 - X509 - Certificate verification failed, e.g. CRL, CA or signature check failed" because the peer cert has text that says “No SNI provided; please fix your client”.
- with SNI set will fail handshake with error -0x7500 “Client received an extended server hello containing an unsupported extension”.
- But if I comment out SNI settings it will pass handshake and fetches the news.
How would I know which website needs to have SNI set and which website site does not?
Is there a mbedtls function that can automatically set the SNI for websites that needs one?
My code is as follows:
As there is no TLS 1.3 only example, I knocked this up from my previous mbedtls code.
Thanks.
psa_crypto_init();
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
mbedtls_ctr_drbg_init( &rng.drbg );
mbedtls_entropy_init( &rng.entropy );
mbedtls_x509_crt_init( &cacert );
ret = mbedtls_ctr_drbg_seed( &rng.drbg, mbedtls_entropy_func, &rng.entropy, (const unsigned char *) pers, strlen( pers ) );
if( ret != 0 ) {
my_error_str("TLS init error");
return PHW_SSLERR_INIT;
}
ret = mbedtls_x509_crt_parse( &cacert, ccadb_pem, sizeof(ccadb_pem) );
if (ret < 0) {
my_error_str( "TLS can't load CCADB PEM data");
return PHW_SSLERR_INIT;
}
if( ( rc = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
{
my_error_str("HTTP SSL config error");
return PHW_SSLERR_INIT;
}
mbedtls_ssl_conf_rng( &conf, rng_get, &rng );
mbedtls_ssl_conf_read_timeout( &conf, 0 );
mbedtls_ssl_conf_tls13_key_exchange_modes( &conf, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL );
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
if( ( rc = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) {
my_error_str("TLS setup error");
return PHW_SSLERR_INIT;
}
mbedtls_ssl_set_bio( &ssl, &net_ctx, mywin_net_send, mywin_net_recv, NULL );
if( ( rc = mbedtls_ssl_set_hostname( &ssl, hostname ) ) != 0 ) {
my_error_str("HTTP SSL set hostname error");
return PHW_SSLERR_INIT;
}
while( ( rc = mbedtls_ssl_handshake( &ssl ) ) != 0 ) {
if( rc != MBEDTLS_ERR_SSL_WANT_READ && rc != MBEDTLS_ERR_SSL_WANT_WRITE ) {
my_error_str("TLS handshake error");
return PHW_SSLERR_HANDSHAKE;
}
}