I managed to solve my issue. Taking a closer look at the cipher suites my client was presenting, and those supported by the server according to a handy nmap script, there wasn't a matching suite. I added #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED to my config file and all is fixed.

On 5 May 2024, at 22:50, Jay Malhotra <jay0@me.com> wrote:

Hi, I'm having an issue with some code using Mbed TLS and I was pointed to this mailing list as the correct place to ask for support. Please let me know if I should ask somewhere else.

I'm trying to connect to my local government's website via a Raspberry Pi Pico, using a TLS client based on lwIP and altcp_tls. It's based off of the example from the Raspberry Pi team here: https://github.com/raspberrypi/pico-examples/tree/master/pico_w/wifi/tls_client. My Mbed TLS config is the same as what they have there, aside from some extra defines I added for debugging.

The issue I am facing is that while various hosts work fine (e.g. postman-echo.com for testing), when I attempt to connect to my local council's website I get a TLS handshake error. My client has TLS verification disabled for the moment, but I have tried with the correct root certificates as well. The error I receive is

mbedtls_ssl_handshake failed: -30592

I cloned down the mbed_tls repo, and had a similar issue with ssl_client1 -- i.e. works on postman-echo, not for my government, with mbedtls_ssl_handshake returning the error. Notably however, the error code in that instance was -31488. Interestingly, ssl_client2 works flawlessly with both hosts. I wasn't quite sure what part of ssl_client2 would cause it to work with my government host, as it's several thousand lines long, but I'm sure the answer is in there somewhere.

I've attached a trace taken with debug logging level 4 on my Pico which shows where the TLS handshake is failing. I'd really appreciate any guidance on areas to troubleshoot next.

Thanks,
Jay

<logs.txt>
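The fix in the reply came from comparing the cipher suites the client offers (visible in the Mbed TLS debug trace) with the ones the server accepts (from the nmap `ssl-enum-ciphers` script) and noticing that no suite appeared in both lists. The script below automates that comparison and names the Mbed TLS key-exchange option that would give the two sides a suite in common. It is an added example, not code from the thread or from the Mbed TLS project; the sample trace and scan output are constructed, and the exact wording of the "add ciphersuite" debug line is assumed from the Mbed TLS client-hello code and may differ between versions.

```python
"""Find the gap between the cipher suites an Mbed TLS client offers and the
ones a server accepts, and name the MBEDTLS_KEY_EXCHANGE_* option that would
close it.  Added example; input formats are assumed, sample data constructed."""
import re

# Mbed TLS debug trace (level 3 and up), format assumed:
#   "client hello, add ciphersuite: 0xc02b (TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256)"
MBEDTLS_TRACE_RE = re.compile(r"add ciphersuite: \S+ \((TLS-[A-Z0-9-]+)\)")

# nmap --script ssl-enum-ciphers prints IANA names with underscores:
#   "|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A"
NMAP_SUITE_RE = re.compile(r"\b(TLS_[A-Z0-9_]+)\b")

# Key exchange as it appears in the suite name -> Mbed TLS config option,
# listed in preference order (forward-secret exchanges first, plain RSA last).
KEY_EXCHANGE_DEFINES = {
    "ECDHE-ECDSA": "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED",
    "ECDHE-RSA": "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED",
    "DHE-RSA": "MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED",
    "RSA": "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED",
}

# Constructed sample: a client built with only ECDHE-ECDSA suites ...
CLIENT_TRACE = """\
client hello, add ciphersuite: 0xc02b (TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256)
client hello, add ciphersuite: 0xc02c (TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384)
"""

# ... talking to a server that only has an RSA certificate (constructed scan).
SERVER_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|_  least strength: A
"""


def normalize(name):
    """Map both naming styles onto the Mbed TLS hyphenated form."""
    return name.upper().replace("_", "-")


def parse_mbedtls_client_suites(trace):
    return {normalize(m.group(1)) for m in MBEDTLS_TRACE_RE.finditer(trace)}


def parse_nmap_server_suites(output):
    return {normalize(m.group(1)) for m in NMAP_SUITE_RE.finditer(output)}


def key_exchange_of(suite):
    """'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256' -> 'ECDHE-RSA'."""
    body = suite[len("TLS-"):]
    kx, _, _ = body.partition("-WITH-")
    return kx


def diagnose(client_suites, server_suites):
    """Return the suites both sides share and, when there are none, the
    Mbed TLS options (in preference order) that would add a shared suite."""
    common = sorted(client_suites & server_suites)
    client_kx = {key_exchange_of(s) for s in client_suites}
    server_kx = {key_exchange_of(s) for s in server_suites}
    candidates = [define for kx, define in KEY_EXCHANGE_DEFINES.items()
                  if kx in server_kx and kx not in client_kx]
    return {"common": common, "missing_defines": [] if common else candidates}


def mbedtls_err_hex(code):
    """Mbed TLS reports errors as negative decimals; its headers and the
    strerror utility key on the hex form, e.g. -30592 -> '-0x7780'
    (MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE: the peer sent a fatal alert)."""
    return f"-0x{-code:04X}"


if __name__ == "__main__":
    report = diagnose(parse_mbedtls_client_suites(CLIENT_TRACE),
                      parse_nmap_server_suites(SERVER_SCAN))
    print("handshake error:", mbedtls_err_hex(-30592))
    print("shared suites:", report["common"] or "none")
    for define in report["missing_defines"]:
        print("candidate fix: #define", define)
```

With the constructed inputs the report has no shared suite and lists `MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED` first, which matches the fix in the reply; the plain-RSA option is reported last because it gives up forward secrecy and should only be used when nothing else overlaps. Enabling a key exchange also requires the matching certificate and hash options (an RSA-signed chain still needs the RSA and SHA-2 modules) for the suite to appear in the client hello.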