I’m trying to make a Wifi SSL connection to a TPA, where I must do the handshake and validate the CA at the beginning and send a message to the server, after the server receives the message, it asks for a new handshake to validate the client certificate and key. My code for how I am structuring the steps is below. However when I make the connection via Wifi, this error appears in the connection and I am not seeing what may be causing this error, because if I connect with a SIM card it makes the connection successfully. I would like some help in this regard, to try to understand what I am doing wrong or to know the cause of the error, without being so generic.
int ssl_test()
{
const int ciphersuites[3] = {MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,0};
int ret = 1,
len;
unsigned char buf[1024];
int ServerVerificationFlag = 0;
const char *pers = "ssl_client1";
Buffer_t tFileBuf;
Buffer_t tFileBuf1;
Buffer_t tFileBuf2;
#define SERVER_PORT "10320" //10314
#define SERVER_NAME "195.138.11.17" // 172.17.1.32
// OpenPPP();
uint32_t flags;
mbedtls_net_context server_fd;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt cacert;
mbedtls_x509_crt clicert;
mbedtls_pk_context pkey;
/* 0. Initialize the RNG and the session data */
mbedtls_net_init( &server_fd );
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
mbedtls_ctr_drbg_init( &ctr_drbg );
mbedtls_x509_crt_init( &cacert );
mbedtls_x509_crt_init(&clicert);
mbedtls_pk_init(&pkey);
printf( "\n . Seeding the random number generator..." );
do
{
mbedtls_entropy_init( &entropy );
if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 )
{
printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
break;
}
printf( " ok\n" );
/* 0. Initialize certificates */
printf( " . Loading the CA root certificate ..." );
if ( gen_ReadFileData("gp_ca1.der", &tFileBuf, 0, 0) )
{
break;
}
if( (ret = mbedtls_x509_crt_parse(&cacert, tFileBuf.Content, tFileBuf.Len)) < 0 )
{
printf( " failed\n ! mbedtls_x509_crt_parse returned -0x%x\n\n", (unsigned int) -ret );
break;
}
printf( " ok (%d skipped)\n", ret );
printf( " . Loading the Client certificate ..." );
if ( gen_ReadFileData("gp_clt1.der", &tFileBuf1, 0, 0) )
{
break;
}
if( (ret = mbedtls_x509_crt_parse(&clicert, tFileBuf1.Content, tFileBuf1.Len)) < 0 )
{
printf( " failed\n ! mbedtls_x509_crt_parse returned -0x%x\n\n", (unsigned int) -ret );
break;
}
printf( " ok (%d skipped)\n", ret );
printf( " . Loading the key ..." );
if ( gen_ReadFileData("gp_key1.der", &tFileBuf2, 0, 0) )
{
break;
}
if( (ret = mbedtls_pk_parse_key(&pkey, tFileBuf2.Content, tFileBuf2.Len, NULL, 0)) < 0 )
{
printf( " failed\n ! mbedtls_pk_parse_key returned -0x%x\n\n", (unsigned int) -ret );
break;
}
printf( " ok (%d skipped)\n", ret );
/* 1. Start the connection */
printf( " . Connecting to tcp/%s/%s...", SERVER_NAME, SERVER_PORT );
if( ( ret = mbedtls_net_connect( &server_fd, SERVER_NAME, SERVER_PORT, MBEDTLS_NET_PROTO_TCP ) ) != 0 )
{
printf( " failed\n ! mbedtls_net_connect returned %d\n\n", ret );
break;
}
mbedtls_ssl_conf_verify(&conf, my_verify, NULL);
mbedtls_ssl_conf_dbg(&conf, my_debug, NULL);
mbedtls_debug_set_threshold(DEBUG_LEVEL);
printf( " ok\n" );
/* 2. Setup stuff */
printf( " . Setting up the SSL/TLS structure..." );
if( ( ret = mbedtls_ssl_config_defaults( &conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
{
printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
break;
}
mbedtls_ssl_conf_verify(&conf, _iot_tls_verify_cert, NULL);
if (ServerVerificationFlag == 1)
{
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED);
}
else
{
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
}
mbedtls_ssl_conf_min_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
mbedtls_ssl_conf_max_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
printf( " ok\n" );
/* OPTIONAL is not optimal for security,
* but makes interop easier in this simplified example */
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL); //MBEDTLS_SSL_VERIFY_REQUIRED );
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_conf_ciphersuites(&conf, ciphersuites);
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &clicert, &pkey ) ) != 0 )
{
printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
break;
}
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
break;
}
if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 )
{
printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
break;
}
mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
/* 4. Handshake */
printf( " . Performing the SSL/TLS handshake..." );
while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", (unsigned int) -ret );
break;
}
}
if ( ret != 0 )
{
break;
}
printf( " ok\n" );
/* 5. Verify the server certificate */
printf( " . Verifying peer X.509 certificate..." );
/* In real life, we probably want to bail out when ret != 0 */
if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
{
// char vrfy_buf[512];
printf( " failed\n" );
// mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! “, flags );
// printf( “%s\n”, vrfy_buf );
}
else
printf( " ok\n” );
/* 3. Write the GET request */
printf( " > Write to server:" );
BYTE abMsg[] = {"\x50\x4F\x53\x54\x20\x2F\x70\x6F\x73\x2F\x6D\x73\x70\x2F\x73\x73\x6C\x20\x48\x54\x54\x50\x2F\x31\x2E\x31\x0D\x0A\x48\x6F\x73\x74\x3A\x20\x31\x39\x35\x2E\x31\x33\x38\x2E\x31\x31\x2E\x31\x37\x3A\x31\x30\x33\x32\x30\x0D\x0A\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x54\x79\x70\x65\x3A\x20\x61\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x2F\x6F\x63\x74\x65\x74\x2D\x73\x74\x72\x65\x61\x6D\x0D\x0A\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x4C\x65\x6E\x67\x74\x68\x3A\x20\x31\x31\x31\x0D\x0A\x0D\x0A\x00\x6D\x51\x30\x32\x31\x30\x30\x30\x34\x37\x37\x31\x31\x30\x36\x30\x30\x33\x34\x56\x32\x30\x32\x31\x30\x35\x30\x34\x31\x31\x30\x30\x31\x33\x30\x30\x30\x30\x30\x30\x30\x30\x39\x37\x38\x32\x35\x42\x37\x41\x34\x44\x42\x42\x44\x45\x30\x33\x43\x41\x44\x32\x38\x38\x41\x42\x38\x46\x38\x36\x34\x46\x46\x46\x42\x42\x36\x46\x41\x45\x34\x35\x38\x41\x44\x43\x36\x45\x34\x41\x31\x33\x32\x33\x38\x45\x43\x30\x38\x41\x33\x38\x42\x44\x34\x41\x39\x41\x33\x30"};
while( ( ret = mbedtls_ssl_write( &ssl, abMsg, 227 ) ) <= 0 )
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret );
break;
}
}
printf( " %d bytes written\n\n%s", sizeof(abMsg), (char *) abMsg );
/* 7. Read the HTTP response */
printf( " < Read from server:" );
do
{
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
ret = mbedtls_ssl_read( &ssl, buf, len );
if( ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE )
continue;
if( ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY )
break;
if( ret < 0 )
{
printf( "failed\n ! mbedtls_ssl_read returned %d\n\n", ret );
break;
}
if( ret == 0 )
{
printf( "\n\nEOF\n\n" );
break;
}
len = ret;
gen_PrintDgBuff("[READ SSL]bytes read\n ", buf, len);
} while( 1 );
} while(0);
mbedtls_ssl_close_notify( &ssl );
mbedtls_net_free( &server_fd );
mbedtls_x509_crt_free( &clicert );
mbedtls_x509_crt_free( &cacert );
mbedtls_pk_free( &pkey );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );
if ( tFileBuf.Content != NULL )
{
free(tFileBuf.Content);
}
if ( tFileBuf1.Content != NULL )
{
free(tFileBuf1.Content);
}
if ( tFileBuf2.Content != NULL )
{
free(tFileBuf2.Content);
}
return ret;