Arm Mbed and Pelion Device Management support forum

Some problems for mbedtls

I have transplanted mbed TLS repository to android jni and also built the code successfully.
We used atmel ecc508A to save private key.
And when I tested ssl_client2.c,last error is the same:” 0x4E00, the signature is not valid.”.
url is: qa.iot1.homecloud.honeywell.com.cn:8883.
Regarding to this issue information,Please look all the attachments.
download
password is:t5vd
HoneywellQAProductPKI.pem: QA CA root certificate(This root CA is issued by Honeywell not official CA institution).
SharedQACA.pem: middle QA CA certificate issued by HoneywellQAProductPKI.pem.
ClientCert.pem:device certificate issued by SharedQACA.pem.
Mbedconn.c: test file,entrance function: Java_com_honeywell_finaltest_NativeMbed_initNativeTls()
Tls.log: log file.
Mbed1.cap: network package that can be open by wireshark.
And private key for device is stored in external processor Atmel ECC508A ,slot 2.

Looking forward to your reply!
Thanks!

Regards,
Ellen

Hi Ellen,

I am not able to get the issue information, would you please first confirm if the host name and common name configured correctly?

Regards,
Desmond

Hi Desmond,
I set the hostname and port as follows:
char *argv[7] = {"\0",“server_name=qa.iot1.homecloud.honeywell.com.cn”,“request_page=/cgi-bin/hello.pl”,
“server_port=8883”,“ca_file=/system/etc/security/cacerts/HoneywellQAProductPKI.pem”,“crt_file=/data/security/ClientCert.pem”,
“slot_number=2”};


opt.server_name = getParameter(argv[1]);
opt.server_port = getParameter(argv[3]);
opt.crt_file = getParameter(argv[5]);

any other option shoud to be confirm?
And about ca file configuration,if i have 2 CA files,one is root ca,one is middle ca,
How to config the ca file ?I only see only one option name opt.ca_file or opt.ca_path.

Thanks

Hi @sg0993
Please paste the logs you received.
It is not clear exactly when you get this signature failure.
How are you accessing the private key in the secure element? What Mbed TLS API you are using, to access the relevant key? What Mbed TLS version are you using? I am not use that secure element is supported in the version you are using.

And about ca file configuration,if i have 2 CA files,one is root ca,one is middle ca,
How to config the ca file ?I only see only one option name opt.ca_file or opt.ca_path.

You are referencing the sample application ssl_client2, and you can use it as reference. It is not designed to be for production, meaning, you can modify it to fit your needs.
However, if you choose ca_path option, you can put all your CA files in a single folder, and use this folder as the CA path. If you choose to use ca_file option, you can concatanate all you PEM formatted certificate files into a single file, and use it as the CA file.
Note you can also use the CA callback option, where you send a callback function for verifying the root certificates.

Is the intermediate CA and the root CA for the same chain? Why do you wish to store both?
Regards,
Mbed TLS Support
Ron

Hi Ron Eldor,
Thanks four reply.I used the chip ecc508A to save the private key.I certtificate are save the common flash.
Now i only want to test the tls connecting,so I refer the sample ssl_client2.
I also concatanate all the pem ca files into one single file,and ca_file option,But also the error:

Unable to verify the server’s certificate. Either it is invalid, or you didn’t set ca_file or ca_path to an appropriate value.Alternatively, you may want to use auth_mode=optional for testing purposes.
Last error was: -0x2700 - X509 - Certificate verification failed, e.g. CRL, CA or signature .

And can you offer your mail and send you sample code file and network dump file?
Or any other file?
Thanks!

Hi feng,
From your description, I understand you are runningssl_client2.
Please add the parameter debug_level=4 and paste here the logs.

Since the server certificate verification fails, there could several reasons for it, which can be understood from the logs. For example:

  1. You haven’t set the correct CA root certificate as a trusted CA.
  2. The hostname does not fir the subject \ subject alternative name of the certificate
  3. The certificate is signed with SHA1, and MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES is not configured.
  4. Other reason.

Please share the logs, and add details of the server (address, name, port etc…)
Regards,
Ron