Mbed forum

TLS error making an HTTPS post to an Azure VM's web service

(Dan Lopez) #1

Hi there. I’m making an https post to a web service running (exposed via HTTPS with a self-signed certificate) on an Azure VM, via the mbed-http library (https://os.mbed.com/teams/sandbox/code/http-example/). However, when I try to create a new post request via

HttpsRequest* post_req = new HttpsRequest(network, SSL_CA_PEM, HTTP_POST, "https://myserver.cloudapp.net:777/myservice");

I receive an Mbed TLS error:

Starting the TLS handshake... mbedtls_ssl_handshake() failed: -0x2700 (-9984): X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

I know that I’ve properly set the contents of my SSL_CA_PEM certificates variable, and I’ve successfully tested this script against a local, non-Azure server (also using a self-signed certificate) without any problems.

I was wondering if any of y’all knew either how to just turn off certificate validation–for testing, of course–or whether you knew of anything unique to Azure’s cloud VMs that mean that I have to do something different. I know that the self-signed cert that I’m using references the VM’s hostname only, while I’m accessing the VM via its full public FQDN, but I would expect that to trigger the standard name mismatch TLS error, and I’m not even making it to that, which suggests to me that this is something other than the name mismatch.

Thanks for any suggestions y’all could provide!

(Jan Jongboom) #2

I’ve pinged the TLS team, they should know :-).

(Ron Eldor) #3

Hi Dan,
For debug purposes only, you could set the authentication mode to optional, thus avoiding the certificate verification failure. This is done by calling mbedtls_ssl_conf_authmode() with MBEDTLS_SSL_VERIFY_OPTIONAL when you set the TLS configuration.
Note this is not a secure solution, as you don’t verify the certificate.

I suggest you call mbedtls_ssl_get_verify_result() after your handshake failure, to see the failure flags of the certificate verification, for better understanding and debugging of the issue.
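
The debugging step above, as an added example that is not part of the thread or of Mbed TLS itself: after mbedtls_ssl_handshake() fails with -0x2700, pass the bitmask from mbedtls_ssl_get_verify_result() to a small decoder to see whether the failure is an untrusted CA (the SSL_CA_PEM contents not matching the server's self-signed certificate) or the hostname mismatch the poster expected. The flag values are copied from mbedtls/x509.h so the helper builds stand-alone; in a real Mbed TLS build, mbedtls_x509_crt_verify_info() provides the same decoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verification flag bits returned by mbedtls_ssl_get_verify_result().
 * Copied from mbedtls/x509.h so this file compiles without the library;
 * in a real build include that header instead of redefining them. */
#ifndef MBEDTLS_X509_BADCERT_EXPIRED
#define MBEDTLS_X509_BADCERT_EXPIRED      0x01
#define MBEDTLS_X509_BADCERT_REVOKED      0x02
#define MBEDTLS_X509_BADCERT_CN_MISMATCH  0x04
#define MBEDTLS_X509_BADCERT_NOT_TRUSTED  0x08
#define MBEDTLS_X509_BADCRL_NOT_TRUSTED   0x10
#define MBEDTLS_X509_BADCRL_EXPIRED       0x20
#define MBEDTLS_X509_BADCERT_MISSING      0x40
#define MBEDTLS_X509_BADCERT_SKIP_VERIFY  0x80
#define MBEDTLS_X509_BADCERT_OTHER        0x0100
#define MBEDTLS_X509_BADCERT_FUTURE       0x0200
#endif

static const struct { uint32_t bit; const char *text; } verify_flag_names[] = {
    { MBEDTLS_X509_BADCERT_EXPIRED,     "certificate has expired" },
    { MBEDTLS_X509_BADCERT_REVOKED,     "certificate has been revoked (CRL)" },
    { MBEDTLS_X509_BADCERT_CN_MISMATCH, "CN/SAN does not match the expected hostname" },
    { MBEDTLS_X509_BADCERT_NOT_TRUSTED, "certificate not signed by a trusted CA (check SSL_CA_PEM)" },
    { MBEDTLS_X509_BADCRL_NOT_TRUSTED,  "CRL is not signed by a trusted CA" },
    { MBEDTLS_X509_BADCRL_EXPIRED,      "CRL has expired" },
    { MBEDTLS_X509_BADCERT_MISSING,     "certificate was missing" },
    { MBEDTLS_X509_BADCERT_SKIP_VERIFY, "certificate verification was skipped" },
    { MBEDTLS_X509_BADCERT_OTHER,       "other reason (verification callback)" },
    { MBEDTLS_X509_BADCERT_FUTURE,      "certificate validity starts in the future" },
};

/* Write one "! reason" line per set flag into buf and return the number of
 * reasons found (0 means verification passed). Unknown bits are reported in hex. */
int describe_verify_flags(uint32_t flags, char *buf, size_t buflen)
{
    size_t n, off = 0;
    int count = 0;
    if (buflen == 0) return 0;
    buf[0] = '\0';
    if (flags == 0) { snprintf(buf, buflen, "verification passed\n"); return 0; }
    for (n = 0; n < sizeof verify_flag_names / sizeof verify_flag_names[0]; n++) {
        if (flags & verify_flag_names[n].bit) {
            int w = snprintf(buf + off, buflen - off, "! %s\n", verify_flag_names[n].text);
            if (w < 0 || (size_t)w >= buflen - off) break;
            off += (size_t)w;
            flags &= ~verify_flag_names[n].bit;
            count++;
        }
    }
    if (flags) { snprintf(buf + off, buflen - off, "! unknown flags 0x%08x\n", (unsigned)flags); count++; }
    return count;
}
```

In the poster's code, the call to make after the failed handshake is `describe_verify_flags(mbedtls_ssl_get_verify_result(&ssl), buf, sizeof buf)`, where `ssl` is the mbedtls_ssl_context the HttpsRequest uses.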

(Jacob Torres) #5

Great information here!