[solved] Help need to setup a TLS server, getting a "Unexpected Message" fatal error

I’m trying to setup a TLS server using mbed test certificates.
I’m getting an “Unexpected Message” fatal error.
I’m new in TLS world, I appreciate any help or ideas that I can try.

I left here the Wireshark log:

And the command:
$ openssl s_client -connect -debug

Hi @mrluzeiro,

From https://pastebin.com/raw/K8DJYMYW - could understand following:

1. Client is: and Server is192.168.1.3
2. Here, server is also requesting client's certificate
[] -> [] TLSv1.2 209 Certificate Request, Server Hello Done
3. But client is not sending it's certificate.
4. Client needs it own cert & key or use MBEDTLS_SSL_VERIFY_NONE on server

Thanks I will try,
regarding “4. Client needs it own cert” any help where can I get the cert files and how to use it with some command line or browser?

Hi @mrluzeiro
In addition to what has correctly mentioned by @gopi219 , you could use a ciphersuite that doesn’t use certificates ( PSK based certificate), depending on your use case and threat model. If your threat model requires you to authenticate the client(by not setting MBEDTLS_SSL_VERIFY_NONE in your serer authentication configuration ), you will need to set the client certificate to send to server.
Using the openssl s_client help command, you will see you need to consider the following parameters:

-cert arg     - certificate file to use, PEM format assumed
 -certform arg - certificate format (PEM or DER) PEM default
 -key arg      - Private key file to use, in cert file if
                 not specified but cert file is.
 -keyform arg  - key format (PEM or DER) PEM default

Since you are using the Mbed TLS test certificates you should probably use tests/data_files/cli2.crt or tests/data_files/cli-rsa-sha256.crt.

I suggest you read https://tls.mbed.org/kb/development/debugging-tls to help you debug your server issues, and extract server logs, so you would understand what cause the server to send the unexpected message error.

Mbed TLS Team member

thanks RON! I managed to get a TLS server working.
There was lots of issues regarding lwIP and mbedTLS. Then I was able to load the certificated on both sides and make it work.

1 Like