Hello Everyone,
I am using the mbedtls library for an MQTT connection over lwIP. The code and library I got from the internet work fine.
I want to know how to configure mbedtls for the different TLS certificate types, namely (1) CA Signed Server Certificate, (2) CA Certificate Only, (3) Self-signed Certificates.
If I want to configure my device to work in “CA Signed Server Certificate” mode, then what steps should I perform?
If I want to configure my device to work in “CA Certificate Only” mode, then what steps should I perform?
If I want to configure my device to work in “Self signed Certificates” mode, then what steps should I perform?
My TLS init code is given below:
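/* Setup the thread callbacks */
mbedtls_threading_set_alt(threading_mutex_init_pthread,
                          threading_mutex_free_pthread, threading_mutex_lock_pthread,
                          threading_mutex_unlock_pthread);

/* initialize the different descriptors */
mbedtls_entropy_init(&stentropy);
/* Register the platform entropy source; the DRBG below is seeded from it.
 * NOTE(review): entropy_source is not shown here — it must deliver real
 * entropy, since every key the DRBG produces depends on it. */
ret = mbedtls_entropy_add_source(&stentropy, entropy_source, NULL, 128,
                                 MBEDTLS_ENTROPY_SOURCE_STRONG);
if (ret != 0) {
    mbedtls_entropy_free(&stentropy);
    return -1;
}

mbedtls_ctr_drbg_init(&stctr_drbg);
/* Seed the CTR_DRBG from the entropy pool; pers is the personalisation string. */
if ((ret = mbedtls_ctr_drbg_seed(&stctr_drbg, mbedtls_entropy_func, &stentropy,
                                 (const unsigned char *) pers,
                                 strlen(pers))) != 0) {
    LWIP_DEBUGF(MQTT_APP_DEBUG_TRACE, (" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret));
    printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret);
    return -1;
}

mbedtls_ssl_init(&stssl);
mbedtls_ssl_config_init(&stconf);
mbedtls_x509_crt_init(&stcacert);

/*
 * First prepare the SSL configuration by setting the endpoint and transport type, and loading reasonable
 * defaults for security parameters. The endpoint determines if the stconf/TLS layer will act as a server (MBEDTLS_SSL_IS_SERVER)
 * or a client (MBEDTLS_SSL_IS_CLIENT). The transport type determines if we are using TLS (MBEDTLS_SSL_TRANSPORT_STREAM)
 * or DTLS (MBEDTLS_SSL_TRANSPORT_DATAGRAM).
 */
if ((ret = mbedtls_ssl_config_defaults(&stconf,
                                       MBEDTLS_SSL_IS_CLIENT,
                                       MBEDTLS_SSL_TRANSPORT_STREAM,
                                       MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
    LWIP_DEBUGF(MQTT_APP_DEBUG_TRACE, (" failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret));
    printf(" failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret);
    return -1;
}

/* The authentication mode determines how strict the certificates that are presented are checked.
 * With CONFIG_USE_SERVER_VERIFICATION the broker-specific trust anchor below is loaded into
 * stcacert and the server certificate must chain to it (VERIFY_REQUIRED). For a self-signed
 * broker the trust anchor is the broker's own certificate, which is presumably what the
 * CONFIG_USE_BROKER_LOCAL branch does — verify against the contents of mbedtls_m2mqtt_srv_crt. */
#if CONFIG_USE_SERVER_VERIFICATION
#if CONFIG_USE_BROKER_ADAFRUIT
#error "no certificate?"
#elif CONFIG_USE_BROKER_AZURE
ret = mbedtls_x509_crt_parse(&stcacert, (const unsigned char *) mbedtls_azure_ca_crt, mbedtls_azure_ca_crt_len);
#elif CONFIG_USE_BROKER_MOSQUITTO_TEST
ret = mbedtls_x509_crt_parse(&stcacert, (const unsigned char *) mbedtls_mosquitto_test_ca_crt, mbedtls_mosquitto_test_ca_crt_len);
#elif CONFIG_USE_BROKER_LOCAL
ret = mbedtls_x509_crt_parse(&stcacert, (const unsigned char *) mbedtls_m2mqtt_srv_crt, mbedtls_m2mqtt_srv_crt_len);
#else
#error "unknown mqtt broker?"
#endif
if (ret != 0) {
    printf(" failed\n ! mbedtls_x509_crt_parse returned -0x%x\n\n", -ret);
    /* Without a usable trust anchor the VERIFY_REQUIRED handshake below cannot succeed,
     * so fail here like every other setup step instead of carrying on with an empty chain. */
    return -1;
}
mbedtls_ssl_conf_ca_chain(&stconf, &stcacert, NULL);
mbedtls_ssl_conf_authmode(&stconf, MBEDTLS_SSL_VERIFY_REQUIRED);
#else
/* VERIFY_NONE performs no server authentication at all: the link is encrypted but the
 * peer is not identified. Suitable for bring-up on a trusted network only. */
mbedtls_ssl_conf_authmode(&stconf, MBEDTLS_SSL_VERIFY_NONE);
#endif

/* The library needs to know which random engine to use and which debug function to use as callback. */
mbedtls_ssl_conf_rng(&stconf, mbedtls_ctr_drbg_random, &stctr_drbg);
mbedtls_ssl_conf_dbg(&stconf, my_debug, stdout);

ret = mbedtls_ssl_setup(&stssl, &stconf);
if (ret != 0) {
    LWIP_ASSERT("mbedtls_ssl_setup failed. \n", ret == 0);
    /* TODO: convert 'ret' to err_t */
    return ERR_MEM;
}

/* NOTE(review): no mbedtls_ssl_set_hostname() call is visible in this excerpt. Depending on the
 * mbedtls version, an unset hostname either skips the server-name check (so any certificate
 * chaining to the loaded CA is accepted) or makes the handshake fail outright — confirm it is
 * called on stssl with the broker's name before the handshake. */

/* the SSL context needs to know the input and output functions it needs to use for sending out network traffic. */
mbedtls_ssl_set_bio(&stssl, &mqtt_client, mbedtls_net_send, mbedtls_net_recv, NULL);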