Hi Jeff,

if you don't want to provision a client certificate in your TLS client, all you have to do is to not call `mbedtls_ssl_conf_own_cert()` in your client code. Then the library will send an empty certificate list as required by the standard.

Actually in the example code you have, if you look at the second and third argument in the call to `mbedtls_ssl_conf_own_cert()`, you should be able to remove all references to those arguments, and end up with a functional example without client certificates.

Also, you might want to have a look at this example from our source, which is a simple client without client-side certificates: https://github.com/ARMmbed/mbedtls/blob/development/programs/ssl/ssl_client1.c

Hope that helps,
Manuel.


From: mbed-tls <mbed-tls-bounces@lists.trustedfirmware.org> on behalf of Thompson, Jeff via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Sent: 22 June 2020 16:03
To: 'mbed-tls@lists.trustedfirmware.org' <mbed-tls@lists.trustedfirmware.org>
Subject: [mbed-tls] Using mbed without a client certificate

I'm using:

#define MBEDTLS_VERSION_NUMBER 0x020D0100
#define MBEDTLS_VERSION_STRING "2.13.1"
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.13.1"

According to RFC5246:

If no suitable certificate is available,
the client MUST send a certificate message containing no
certificates. That is, the certificate_list structure has a
length of zero.

How do I do this with mbedTLS? The example code I have has certificates in it and calls mbedtls_x509_crt_parse(), which wants a list of certificates and will reject a zero-length list.


Jeff Thompson  |  Senior Electrical Engineer-Firmware
+1 704 752 6513 x1394
www.invue.com
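As an added illustration (not code from this thread or from Mbed TLS itself): a small parser for the RFC 5246 Certificate handshake message that shows what the zero-length certificate_list quoted above looks like on the wire, and how a receiver tells a legitimately empty list apart from a truncated or inconsistent message. The message bytes are constructed samples; the fake 4-byte certificate in the second one is not a real DER structure.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* RFC 5246 Certificate handshake message:
 *   HandshakeType certificate(11), uint24 body length,
 *   uint24 certificate_list length, then ASN.1Cert entries (uint24 + DER).
 * A client with no certificate sends a list whose length is zero. */
#define TLS_HS_CERTIFICATE 11

static uint32_t read_u24(const uint8_t *p) {
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/* Returns the number of entries in certificate_list (0 for the empty
 * list the RFC mandates), or -1 if the message is malformed: wrong type,
 * truncated, lengths that do not add up, or a zero-length ASN.1Cert. */
int tls_certificate_count(const uint8_t *msg, size_t len) {
    if (len < 7 || msg[0] != TLS_HS_CERTIFICATE) return -1;
    uint32_t body_len = read_u24(msg + 1);
    if (body_len + 4 != len) return -1;        /* body must fill the message */
    uint32_t list_len = read_u24(msg + 4);
    if (list_len + 3 != body_len) return -1;   /* list must fill the body */
    const uint8_t *p = msg + 7, *end = msg + len;
    int count = 0;
    while (p < end) {                          /* each entry: uint24 + DER */
        if (end - p < 3) return -1;
        uint32_t cert_len = read_u24(p);
        p += 3;
        if (cert_len == 0 || (size_t)(end - p) < cert_len) return -1;
        p += cert_len;
        count++;
    }
    return count;
}

/* Constructed samples: the empty message a certificate-less client sends,
 * and one carrying a single fake 4-byte certificate to exercise the loop. */
static const uint8_t empty_cert_msg[] = { 0x0b, 0x00,0x00,0x03, 0x00,0x00,0x00 };
static const uint8_t one_cert_msg[]   = { 0x0b, 0x00,0x00,0x0a, 0x00,0x00,0x07,
                                          0x00,0x00,0x04, 0x30,0x82,0x01,0x02 };

int main(void) {
    printf("empty list: %d certs\n", tls_certificate_count(empty_cert_msg, sizeof empty_cert_msg));
    printf("one cert:   %d certs\n", tls_certificate_count(one_cert_msg, sizeof one_cert_msg));
    printf("truncated:  %d\n", tls_certificate_count(empty_cert_msg, 6));
    return 0;
}
```

A server that requires client authentication would treat a return value of 0 as "no certificate presented" and fail the handshake, while one with optional client authentication accepts it; -1 is always a protocol error.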