SSL/TLS Certificate type

Hello Everyone,

I am using mbedtls library for mqtt connection using lwIP. The code and library I got from internet works fine.
I want to know how to configure mbedtls for different types of TLS certificate types viz. (1) CA Signed Server Certificate, (2) CA Certificate Only, (3) Self signed Certificates.

If I want to configure my device to work in “CA Signed Server Certificate” mode, then what steps should I perform?
If I want to configure my device to work in “CA Certificate Only” mode, then what steps should I perform?
If I want to configure my device to work in “Self signed Certificates” mode, then what steps should I perform?

My TLS init code is given below:

/* Setup the thread callbacks */
mbedtls_threading_set_alt(threading_mutex_init_pthread,
threading_mutex_free_pthread, threading_mutex_lock_pthread,
threading_mutex_unlock_pthread);

/* initialize the different descriptors */
mbedtls_entropy_init( &stentropy );

ret = mbedtls_entropy_add_source(&stentropy, entropy_source, NULL, 128,
MBEDTLS_ENTROPY_SOURCE_STRONG);
if (ret != 0) {
mbedtls_entropy_free(&stentropy);
return -1;
}

mbedtls_ctr_drbg_init( &stctr_drbg );

if( ( ret = mbedtls_ctr_drbg_seed( &stctr_drbg, mbedtls_entropy_func, &stentropy,
(const unsigned char *) pers,
strlen(pers ) ) ) != 0 )
{
LWIP_DEBUGF(MQTT_APP_DEBUG_TRACE,( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret ));
printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
return -1;
}

mbedtls_ssl_init( &stssl );
mbedtls_ssl_config_init( &stconf );
mbedtls_x509_crt_init( &stcacert );

/*

  • First prepare the SSL configuration by setting the endpoint and transport type, and loading reasonable
  • defaults for security parameters. The endpoint determines if the stconf/TLS layer will act as a server (MBEDTLS_SSL_IS_SERVER)
  • or a client (MBEDTLS_SSL_IS_CLIENT). The transport type determines if we are using TLS (MBEDTLS_SSL_TRANSPORT_STREAM)
  • or DTLS (MBEDTLS_SSL_TRANSPORT_DATAGRAM).
    */
    if( ( ret = mbedtls_ssl_config_defaults( &stconf,
    MBEDTLS_SSL_IS_CLIENT,
    MBEDTLS_SSL_TRANSPORT_STREAM,
    MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
    {
    LWIP_DEBUGF(MQTT_APP_DEBUG_TRACE,( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ));
    printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
    return -1;
    }

/* The authentication mode determines how strict the certificates that are presented are checked. */
#if CONFIG_USE_SERVER_VERIFICATION
#if CONFIG_USE_BROKER_ADAFRUIT
#error “no certificate?”
#elif CONFIG_USE_BROKER_AZURE
ret = mbedtls_x509_crt_parse(&stcacert, (const unsigned char *)mbedtls_azure_ca_crt, mbedtls_azure_ca_crt_len );
#elif CONFIG_USE_BROKER_MOSQUITTO_TEST
ret = mbedtls_x509_crt_parse(&stcacert, (const unsigned char *)mbedtls_mosquitto_test_ca_crt, mbedtls_mosquitto_test_ca_crt_len );
#elif CONFIG_USE_BROKER_LOCAL
ret = mbedtls_x509_crt_parse(&stcacert, (const unsigned char *)mbedtls_m2mqtt_srv_crt, mbedtls_m2mqtt_srv_crt_len );
#else
#error “unknown mqtt broker?”
#endif

if(ret != 0)
{
printf( " failed\n ! mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );
}

mbedtls_ssl_conf_ca_chain( &stconf, &stcacert, NULL );
mbedtls_ssl_conf_authmode(&stconf, MBEDTLS_SSL_VERIFY_REQUIRED);
#else
mbedtls_ssl_conf_authmode(&stconf, MBEDTLS_SSL_VERIFY_NONE);
#endif

/* The library needs to know which random engine to use and which debug function to use as callback. */
mbedtls_ssl_conf_rng( &stconf, mbedtls_ctr_drbg_random, &stctr_drbg );
mbedtls_ssl_conf_dbg( &stconf, my_debug, stdout );

ret = mbedtls_ssl_setup(&stssl, &stconf);
if (ret != 0) {
LWIP_ASSERT(“mbedtls_ssl_setup failed. \n”, ret == 0);
/* TODO: convert ‘ret’ to err_t */
return ERR_MEM;
}

/* the SSL context needs to know the input and output functions it needs to use for sending out network traffic. */
mbedtls_ssl_set_bio(&stssl, &mqtt_client, mbedtls_net_send, mbedtls_net_recv, NULL);

Hi @urvishah
I don’t quite understand your use cases \ mode

My understanding is, that your device is a client that connects to an mqtt broker, via LwIP connection.

During a TLS handshake negotiation, the server sends your device its device certificate, signed by some CA,
If you trust this CA, you should set its root certificate via mbedtls_ssl_conf_ca_chain() (or mbedtls_ssl_conf_ca_cb() ), which is what I believe you are doing.

What are “CA Certificate Only” and “Self signed Certificates” modes ?
regards,
Mbed TLS Support
Ron