Arm Mbed OS support forum

SSL/TLS handshake failed: mbedtls_ssl_handshake returned -0x7200

Hello,

I’m trying to perform a secure connection to an Amazon server (s3 bucket AWS) from the STM32F769I-DISCO evaluation board.

My code is the following:

#if !defined(MBEDTLS_CONFIG_FILE)
#include “mbedtls/config.h”
#else
#include MBEDTLS_CONFIG_FILE
#endif

#if defined(MBEDTLS_PLATFORM_C)
#include “mbedtls/platform.h”
#else
#include <stdio.h>
#include <stdlib.h>
#define mbedtls_time time
#define mbedtls_time_t time_t
#define mbedtls_fprintf fprintf
#define mbedtls_printf printf
#endif

#include “mbedtls/net_sockets.h”
#include “mbedtls/debug.h”
#include “mbedtls/ssl.h”
#include “mbedtls/entropy.h”
#include “mbedtls/ctr_drbg.h”
#include “mbedtls/error.h”
#include “mbedtls/certs.h”
#include “mbedtls/memory_buffer_alloc.h”

#include “main.h”
#include “cmsis_os.h”

#include <string.h>

static mbedtls_net_context server_fd;
static uint32_t flags;
static uint8_t buf[1024];
static const uint8_t *pers = “ssl_client”;
static uint8_t vrfy_buf[512];
const char *temp;

static int ret;

mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt cacert;

/* use static allocation to keep the heap size as low as possible */
#ifdef MBEDTLS_MEMORY_BUFFER_ALLOC_C
uint8_t memory_buf[MAX_MEM_SIZE];
#endif

void SSL_Client(void const *argument)
{
int len;

/*

    1. Initialize the RNG and the session data
      */
      #ifdef MBEDTLS_MEMORY_BUFFER_ALLOC_C
      mbedtls_memory_buffer_alloc_init(memory_buf, sizeof(memory_buf));
      #endif
      mbedtls_net_init(NULL);
      mbedtls_ssl_init(&ssl);
      mbedtls_ssl_config_init(&conf);
      mbedtls_x509_crt_init(&cacert);
      mbedtls_ctr_drbg_init(&ctr_drbg);

mbedtls_printf( “\n . Seeding the random number generator…” );

mbedtls_entropy_init( &entropy );
len = strlen((char *)pers);
if((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *) pers, len)) != 0)
{
mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
goto exit;
}

mbedtls_printf( " ok\n" );

/*

    1. Initialize certificates
      */
      mbedtls_printf( " . Loading the CA root certificate …" );

ret = mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_cas_pem, mbedtls_test_cas_pem_len );

if( ret < 0 )
{
mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );
goto exit;
}

mbedtls_printf( " ok (%d skipped)\n", ret );
mbedtls_printf( " CA = %s\n", mbedtls_test_cas_pem );
/*

    1. Start the connection
      */
      mbedtls_printf( " . Connecting to tcp/%s/%s…", SERVER_NAME, SERVER_PORT );

if((ret = mbedtls_net_connect(&server_fd, SERVER_NAME, SERVER_PORT, MBEDTLS_NET_PROTO_TCP)) != 0)
{
mbedtls_printf( " failed\n ! mbedtls_net_connect returned %d\n\n", ret );
goto exit;
}

mbedtls_printf( " ok\n" );

/*

    1. Setup stuff
      */
      mbedtls_printf( " . Setting up the SSL/TLS structure…" );

if((ret = mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
{
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
goto exit;
}

mbedtls_printf( " ok\n" );

/* OPTIONAL is not optimal for security,

  • but makes interop easier in this simplified example */
    mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL );
    mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
    mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );

if((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0)
{
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
goto exit;
}

if((ret = mbedtls_ssl_set_hostname( &ssl, “localhost” )) != 0)
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
goto exit;
}

mbedtls_ssl_set_bio(&ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL);

/*

    1. Handshake
      */
      mbedtls_printf( " . Performing the SSL/TLS handshake…" );

while((ret = mbedtls_ssl_handshake( &ssl )) != 0)
{
if(ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE)
{
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret );
temp = mbedtls_ssl_get_version(&ssl);
goto exit;
}
}

mbedtls_printf( " ok\n" );

/*

    1. Verify the server certificate
      */
      mbedtls_printf( " . Verifying peer X.509 certificate…" );

if(( flags = mbedtls_ssl_get_verify_result( &ssl )) != 0)
{

mbedtls_printf( " failed\n" );
mbedtls_x509_crt_verify_info((char *)vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags);

mbedtls_printf( "%s\n", vrfy_buf );

}
else
{
mbedtls_printf( " ok\n" );
}

/*

    1. Write the GET request
      */

mbedtls_printf( " > Write to server:" );

sprintf((char *) buf, PUT_REQUEST);
len = strlen((char *) buf);

while((ret = mbedtls_ssl_write(&ssl, buf, len)) <= 0)
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret );
goto exit;
}
}

len = ret;
mbedtls_printf(" %d bytes written\n\n%s", len, (char *) buf);

/*

    1. Read the HTTP response
      */
      mbedtls_printf(" < Read from server:");

do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = mbedtls_ssl_read( &ssl, buf, len );

if(ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE)
{
  continue;
}

if(ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY)
{
  break;
}

if(ret < 0)
{
  mbedtls_printf( "failed\n  ! mbedtls_ssl_read returned %d\n\n", ret );
  break;
}

if(ret == 0)
{
  mbedtls_printf( "\n\nEOF\n\n" );
  break;
}

len = ret;
mbedtls_printf( " %d bytes read\n\n%s", len, (char *) buf );

}
while(1);

mbedtls_ssl_close_notify( &ssl );

exit:
mbedtls_net_free( &server_fd );

mbedtls_x509_crt_free( &cacert );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );

if ((ret < 0) && (ret != MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY))
{
Error_Handler();
}
else
{
Success_Handler();
}
}

The error is always in the SSL/TLS handshake returning aN -0x7200 error. The strange for me is that I can do the same connection to other type of servers as for example google.com and the handshake is correctly done.

I thought that maybe is something about client and server TLS versions and I have changed the version of the client to TLSv.1.2 but I have the same error.

Why is SSL/TLS handhsaking returning this error? What can I change/configure to solve it?

I’m very very new in this world and some help will very appreciated.

In advance, thank you.