Arm Mbed OS support forum

TLS handshake return error Certificate verification flags 00010000 (x509_verify_cert() returned -9984 (-0x2700))

Hello,

Could you help me to solve this error:
ssl_msg.c:3874: dumping 'input record from network' (503 bytes)
ssl_msg.c:3145: handshake message: msglen = 498, type = 11, hslen = 498
ssl_msg.c:4103: <= read record
ssl_tls.c:2455: peer certificate #1:
ssl_tls.c:2455: cert. version : 3
ssl_tls.c:2455: serial number : 0A
ssl_tls.c:2455: issuer name : C=FR, ST=Some-State, O=SEBCA, CN=SEBCERDAN
ssl_tls.c:2455: subject name : CN=SERVER, ST=Some-State, C=FR, O=SEB
ssl_tls.c:2455: issued on : 2021-05-05 12:45:02
ssl_tls.c:2455: expires on : 2023-05-05 12:45:02
ssl_tls.c:2455: signed using : RSA with SHA-256
ssl_tls.c:2455: EC key size : 256 bits
ssl_tls.c:2455: value of 'crt->eckey.Q(X)' (255 bits) is:
ssl_tls.c:2455: 4a 43 4b db 3e 59 0d 90 2a 2b 98 29 52 c7 89 07
ssl_tls.c:2455: da dd 66 3d 26 b9 c8 77 6a a4 d4 75 59 6f 14 dc
ssl_tls.c:2455: value of 'crt->eckey.Q(Y)' (251 bits) is:
ssl_tls.c:2455: 06 35 e6 6e 00 83 de c2 29 08 ca 11 71 b3 81 73
ssl_tls.c:2455: 78 14 e2 53 57 34 cb be f9 4c b8 b1 af 10 b9 e9
ssl_tls.c:2562: Use configuration-specific verification callback
ssl_tls.c:2619: x509_verify_cert() returned -9984 (-0x2700)
ssl_msg.c:5067: => send alert message
ssl_msg.c:5068: send alert level=2 message=43
ssl_msg.c:2826: => write record
ssl_msg.c:2941: output record: msgtype = 21, version = [3:3], msglen = 2
ssl_msg.c:2946: dumping 'output record sent to network' (7 bytes)
ssl_msg.c:2946: 0000: 15 03 03 00 02 02 2b …+
ssl_msg.c:2228: => flush output
ssl_msg.c:2246: message length: 7, out_left: 7
ssl_msg.c:2253: ssl->f_send() returned 7 (-0xfffffff9)
ssl_msg.c:2281: <= flush output
ssl_msg.c:2997: <= write record
ssl_msg.c:5080: <= send alert message
ssl_tls.c:2713: ! Certificate verification flags 00010000
ssl_tls.c:5816: <= handshake

This is my server certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = FR, ST = Some-State, O = SEBCA, CN = SEBCERDAN
        Validity
            Not Before: May 5 12:45:02 2021 GMT
            Not After : May 5 12:45:02 2023 GMT
        Subject: CN = SERVER, ST = Some-State, C = FR, O = SEB
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:4a:43:4b:db:3e:59:0d:90:2a:2b:98:29:52:c7:
                    89:07:da:dd:66:3d:26:b9:c8:77:6a:a4:d4:75:59:
                    6f:14:dc:06:35:e6:6e:00:83:de:c2:29:08:ca:11:
                    71:b3:81:73:78:14:e2:53:57:34:cb:be:f9:4c:b8:
                    b1:af:10:b9:e9
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://127.0.0.1/root.crl

    Signature Algorithm: sha256WithRSAEncryption
         9b:c3:a9:73:dc:48:e0:da:6c:d2:f9:07:f3:a8:b2:b5:10:1f:
         08:d1:bb:d8:64:11:fd:af:0c:b6:39:45:28:14:df:1c:b4:55:
         81:d6:8c:28:99:a8:ea:ec:90:cd:4c:bb:96:07:e6:7b:55:e0:
         09:d2:2b:9a:8e:b5:2a:4e:7b:26:1b:15:be:15:7e:96:45:29:
         2c:38:d5:cb:5b:d5:21:4c:5b:76:77:9b:68:dc:e2:b7:04:e6:
         7b:36:8f:34:64:1b:f8:4d:7f:15:d3:09:4f:52:47:d7:8f:b8:
         cc:84:8e:cd:af:6f:53:36:59:38:82:65:8e:32:01:03:42:17:
         ac:68

and my CA certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            29:a1:b0:44:c5:8b:2b:bb:22:6a:c6:64:7f:77:7f:e1:87:7e:90:68
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = FR, ST = Some-State, O = SEBCA, CN = SEBCERDAN
        Validity
            Not Before: May 2 21:07:48 2021 GMT
            Not After : Jan 27 21:07:48 2024 GMT
        Subject: C = FR, ST = Some-State, O = SEBCA, CN = SEBCERDAN
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
                Modulus:
                    00:b0:4a:e6:3d:7a:d9:a7:76:a7:88:ad:5a:8e:fe:
                    2d:76:00:a2:24:c5:15:7e:56:13:9d:43:db:36:48:
                    4c:b9:ff:4d:49:d2:8e:cd:38:77:ce:12:8a:ca:75:
                    a9:89:85:11:4c:6f:a2:ce:e1:83:a6:28:90:5c:2c:
                    04:ab:5d:e8:d0:36:f8:d6:ba:7e:4d:85:06:2b:86:
                    75:30:d3:f2:75:0a:42:1c:da:b9:c0:61:be:b0:6e:
                    da:ee:7a:48:4c:08:fc:5c:96:21:a6:ac:11:a5:92:
                    a6:26:2d:f5:26:d6:f8:3b:17:3b:ec:08:fe:e6:e9:
                    f0:29:bc:4d:56:ce:d2:43:3d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                F4:0D:02:F7:AE:27:96:D2:85:EB:0D:4F:EC:14:28:3C:20:4E:AA:4A
            X509v3 Authority Key Identifier:
                keyid:F4:0D:02:F7:AE:27:96:D2:85:EB:0D:4F:EC:14:28:3C:20:4E:AA:4A

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         3e:e8:7b:ca:e5:e1:a8:9c:98:08:76:53:8b:ef:5b:8d:ee:de:
         c5:e0:8a:2a:b3:5c:47:31:4e:91:44:f2:b4:07:91:3a:ef:5f:
         2d:d5:d7:16:21:cd:cf:05:84:35:76:21:4d:6c:3f:d3:e5:84:
         a7:7b:60:4c:54:a6:cc:70:04:20:b7:90:fe:2b:11:e4:95:e2:
         e9:63:66:14:3e:4a:b5:5c:24:da:6e:b7:eb:6d:1d:66:cf:f8:
         f6:af:6b:10:f5:53:74:62:da:c2:2e:8b:53:dd:40:ce:9a:54:
         b7:a2:f8:59:cf:ea:97:b2:08:90:49:1a:9b:7e:a4:b0:df:20:
         75:99

Thank you very much for your help
Sebastien
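
Added example, not part of the original post: a small Python triage helper that pulls the `x509_verify_cert()` return code, the verification flags and the TLS alert out of an Mbed TLS debug log and decodes them. The flag bit values are the `MBEDTLS_X509_BADCERT_*` / `MBEDTLS_X509_BADCRL_*` constants from Mbed TLS's `x509.h`; the function names and the three-line sample (copied from the log above) are this example's own.

```python
import re

# Bit values from Mbed TLS include/mbedtls/x509.h (MBEDTLS_X509_ prefix omitted).
X509_FLAGS = {
    0x000001: "BADCERT_EXPIRED",       0x000002: "BADCERT_REVOKED",
    0x000004: "BADCERT_CN_MISMATCH",   0x000008: "BADCERT_NOT_TRUSTED",
    0x000010: "BADCRL_NOT_TRUSTED",    0x000020: "BADCRL_EXPIRED",
    0x000040: "BADCERT_MISSING",       0x000080: "BADCERT_SKIP_VERIFY",
    0x000100: "BADCERT_OTHER",         0x000200: "BADCERT_FUTURE",
    0x000400: "BADCRL_FUTURE",         0x000800: "BADCERT_KEY_USAGE",
    0x001000: "BADCERT_EXT_KEY_USAGE", 0x002000: "BADCERT_NS_CERT_TYPE",
    0x004000: "BADCERT_BAD_MD",        0x008000: "BADCERT_BAD_PK",
    0x010000: "BADCERT_BAD_KEY",       0x020000: "BADCRL_BAD_MD",
    0x040000: "BADCRL_BAD_PK",         0x080000: "BADCRL_BAD_KEY",
}
ERRORS = {-0x2700: "MBEDTLS_ERR_X509_CERT_VERIFY_FAILED"}
# Certificate-related TLS alert descriptions (RFC 5246).
ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
          44: "certificate_revoked", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca"}

RET_RE = re.compile(r"x509_verify_cert\(\) returned (-?\d+)")
FLAGS_RE = re.compile(r"Certificate verification flags ([0-9A-Fa-f]{1,8})")
ALERT_RE = re.compile(r"send alert level=(\d+) message=(\d+)")

# Sample input: three lines taken from the log in the post above.
SAMPLE_LOG = """\
ssl_tls.c:2619: x509_verify_cert() returned -9984 (-0x2700)
ssl_msg.c:5068: send alert level=2 message=43
ssl_tls.c:2713: ! Certificate verification flags 00010000
"""

def decode_flags(value):
    """Return the names of all flag bits set in value; unknown bits are kept."""
    names = [n for bit, n in sorted(X509_FLAGS.items()) if value & bit]
    unknown = value & ~sum(X509_FLAGS)
    return names + (["UNKNOWN_0x%x" % unknown] if unknown else [])

def summarize(log_text):
    """Collect return code, decoded flags and alert from a debug log."""
    report = {"ret": None, "flags": None, "alert": None}
    for line in log_text.splitlines():
        m = RET_RE.search(line)
        if m:
            report["ret"] = (int(m.group(1)), ERRORS.get(int(m.group(1)), "unknown"))
        m = FLAGS_RE.search(line)
        if m:
            report["flags"] = decode_flags(int(m.group(1), 16))
        m = ALERT_RE.search(line)
        if m:
            report["alert"] = (int(m.group(1)), ALERTS.get(int(m.group(2)), "other"))
    return report
```

For the log in this post, `summarize(SAMPLE_LOG)` reports `BADCERT_BAD_KEY`, which `x509.h` describes as a certificate "signed with an unacceptable key (eg bad curve, RSA too short)"; the CA certificate posted above has a 1024-bit RSA key.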