Hello
I am relatively new to mbedTLS, but I'm trying to develop an MQTT client running on an STM32 board connected to an ESP8266 MCU/WiFi module. The client should publish messages to a local broker/server where I am using Mosquitto for that purpose. I want to test different Cipher suites but when I limiting the Server to only accept one particle Cipher suite I receive an error from the server point of view "1622667145: OpenSSL Error[0]: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher" Which I find is strange because when I read through the debug list presented below it says "[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c02c".
I "think" I have enabled the "MBEDTLS_SHA256_C" in the config file (mbed_lib.json) for the TLSsocket, and the cipher suites I have tested so far to limit it for is: DHE-RSA-AES128-SHA |AES128-SHA | DHE-RSA-AES128-SHA256.
Could you please look at the debug list presented below to see if anything looks suspicious, or if you have any ideas? because I am truly lost and I am shooting in the dark trying to find the answer online...
Thank you sincerely in advance Best regards Victor
--------Debug list --------
AT< WIFI CONNECTED AT< WIFI GOT IP AT< AT= OK AT> AT+CIFSR AT< AT< AT+CIFSR AT< +CIFSR:APIP,"192.168.4.1" AT< +CIFSR:APMAC,"da:bf:c0:0d:c5:d8" AT= +CIFSR:STAIP,"192.168.10.103" AT< AT< +CIFSR:STAMAC,"d8:bf:c0:0d:c5:d8" AT< AT= OK Network interface opened successfully.
Connecting to host 192.168.10.165:8883 ... Hello [INFO][TLSx]: Connecting to 192.168.10.165:8883 AT> AT+CIPSTART=0,"TCP","192.168.10.165",8883 AT< AT< AT+CIPSTART=0,"TCP","192.168.10.165",8883 AT< 0,CONNECT AT< AT= OK [INFO][TLSx]: Connected. [INFO][TLSx]: Starting the TLS handshake... [DBG ][TLSx]: ssl_tls.c:6335: |2| => handshake
[DBG ][TLSx]: ssl_cli.c:3279: |2| client state: 0
[DBG ][TLSx]: ssl_tls.c:2416: |2| => flush output
[DBG ][TLSx]: ssl_tls.c:2428: |2| <= flush output
[DBG ][TLSx]: ssl_cli.c:3279: |2| client state: 1
[DBG ][TLSx]: ssl_tls.c:2416: |2| => flush output
[DBG ][TLSx]: ssl_tls.c:2428: |2| <= flush output
[DBG ][TLSx]: ssl_cli.c:0717: |2| => write client hello
[DBG ][TLSx]: ssl_cli.c:0754: |3| client hello, max version: [3:3]
[DBG ][TLSx]: ssl_cli.c:0693: |3| client hello, current time: 14712
[DBG ][TLSx]: ssl_cli.c:0764: |3| dumping 'client hello, random bytes' (32 bytes)
[DBG ][TLSx]: ssl_cli.c:0764: |3| 0000: 00 00 39 78 00 7d 4e 7a c5 43 7f d9 5b 0c cd 3f ..9x.}Nz.C..[..?
[DBG ][TLSx]: ssl_cli.c:0764: |3| 0010: 01 a0 2f 60 8e a5 c1 54 1c 0e 58 6a a3 da c0 7a ../`...T..Xj...z
[DBG ][TLSx]: ssl_cli.c:0817: |3| client hello, session id len.: 0
[DBG ][TLSx]: ssl_cli.c:0818: |3| dumping 'client hello, session id' (0 bytes)
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c02c
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c030
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c0ad
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c024
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c028
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c0af
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c02b
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c02f
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c0ac
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c023
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c027
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c0ae
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c038
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c037
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: 00a9
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c0a5
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: 00af
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c0a9
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: 00a8
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c0a4
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: 00ae
[DBG ][TLSx]: ssl_cli.c:0884: |3| client hello, add ciphersuite: c0a8
[DBG ][TLSx]: ssl_cli.c:0918: |3| client hello, got 23 ciphersuites
[DBG ][TLSx]: ssl_cli.c:0949: |3| client hello, compress len.: 1
[DBG ][TLSx]: ssl_cli.c:0950: |3| client hello, compress alg.: 0
[DBG ][TLSx]: ssl_cli.c:0071: |3| client hello, adding server name extension: 192.168.10 .165
[DBG ][TLSx]: ssl_cli.c:0178: |3| client hello, adding signature_algorithms extension
[DBG ][TLSx]: ssl_cli.c:0263: |3| client hello, adding supported_elliptic_curves extensi on
[DBG ][TLSx]: ssl_cli.c:0326: |3| client hello, adding supported_point_formats extension
[DBG ][TLSx]: ssl_cli.c:0507: |3| client hello, adding encrypt_then_mac extension
[DBG ][TLSx]: ssl_cli.c:0541: |3| client hello, adding extended_master_secret extension
[DBG ][TLSx]: ssl_cli.c:0575: |3| client hello, adding session ticket extension
[DBG ][TLSx]: ssl_cli.c:1022: |3| client hello, total extension length: 73
[DBG ][TLSx]: ssl_tls.c:2701: |2| => write record
[DBG ][TLSx]: ssl_tls.c:2835: |3| output record: msgtype = 22, version = [3:1], msglen = 164
[DBG ][TLSx]: ssl_tls.c:2840: |4| dumping 'output record sent to network' (169 bytes)
[DBG ][TLSx]: ssl_tls.c:2840: |4| 0000: 16 03 01 00 a4 01 00 00 a0 03 03 00 00 39 78 00 .............9x.
[DBG ][TLSx]: ssl_tls.c:2840: |4| 0010: 7d 4e 7a c5 43 7f d9 5b 0c cd 3f 01 a0 2f 60 8e }Nz.C..[..?../`.
[DBG ][TLSx]: ssl_tls.c:2840: |4| 0020: a5 c1 54 1c 0e 58 6a a3 da c0 7a 00 00 2e c0 2c ..T..Xj...z....,
[DBG ][TLSx]: ssl_tls.c:2840: |4| 0030: c0 30 c0 ad c0 24 c0 28 c0 af c0 2b c0 2f c0 ac .0...$.(...+./..
[DBG ][TLSx]: ssl_tls.c:2840: |4| 0040: c0 23 c0 27 c0 ae c0 38 c0 37 00 a9 c0 a5 00 af .#.'...8.7......
[DBG ][TLSx]: ssl_tls.c:2840: |4| 0050: c0 a9 00 a8 c0 a4 00 ae c0 a8 00 ff 01 00 00 49 ...............I
[DBG ][TLSx]: ssl_tls.c:2840: |4| 0060: 00 00 00 13 00 11 00 00 0e 31 39 32 2e 31 36 38 .........192.168
[DBG ][TLSx]: ssl_tls.c:2840: |4| 0070: 2e 31 30 2e 31 36 35 00 0d 00 12 00 10 06 03 06 .10.165.........
[DBG ][TLSx]: ssl_tls.c:2840: |4| 0080: 01 05 03 05 01 04 03 04 01 03 03 03 01 00 0a 00 ................
[DBG ][TLSx]: ssl_tls.c:2840: |4| 0090: 06 00 04 00 18 00 17 00 0b 00 02 01 00 00 16 00 ................
[DBG ][TLSx]: ssl_tls.c:2840: |4| 00a0: 00 00 17 00 00 00 23 00 00 ......#..
[DBG ][TLSx]: ssl_tls.c:2416: |2| => flush output
[DBG ][TLSx]: ssl_tls.c:2434: |2| message length: 169, out_left: 169
AT> AT+CIPSEND=0,169 AT< AT< AT+CIPSEND=0,169 AT< AT< OK AT= > [DBG ][TLSx]: ssl_tls.c:2441: |2| ssl->f_send() returned 169 (-0xffffff57)
[DBG ][TLSx]: ssl_tls.c:2460: |2| <= flush output
[DBG ][TLSx]: ssl_tls.c:2850: |2| <= write record
[DBG ][TLSx]: ssl_cli.c:1049: |2| <= write client hello
[DBG ][TLSx]: ssl_cli.c:3279: |2| client state: 2
[DBG ][TLSx]: ssl_tls.c:2416: |2| => flush output
[DBG ][TLSx]: ssl_tls.c:2428: |2| <= flush output
[DBG ][TLSx]: ssl_cli.c:1410: |2| => parse server hello
[DBG ][TLSx]: ssl_tls.c:3728: |2| => read record
[DBG ][TLSx]: ssl_tls.c:2208: |2| => fetch input
[DBG ][TLSx]: ssl_tls.c:2365: |2| in_left: 0, nb_want: 5
AT< AT< Recv 169 bytes AT< AT< SEND OK AT< AT! +IPD AT= ,0,7: AT< 0,CLOSED [DBG ][TLSx]: ssl_tls.c:2389: |2| in_left: 0, nb_want: 5
[DBG ][TLSx]: ssl_tls.c:6345: |2| <= handshake
[DBG ][TLSx]: ssl_tls.c:6335: |2| => handshake
[DBG ][TLSx]: ssl_cli.c:3279: |2| client state: 2
[DBG ][TLSx]: ssl_tls.c:2416: |2| => flush output
[DBG ][TLSx]: ssl_tls.c:2428: |2| <= flush output
[DBG ][TLSx]: ssl_cli.c:1410: |2| => parse server hello
[DBG ][TLSx]: ssl_tls.c:3728: |2| => read record
[DBG ][TLSx]: ssl_tls.c:2208: |2| => fetch input
[DBG ][TLSx]: ssl_tls.c:2365: |2| in_left: 0, nb_want: 5
[DBG ][TLSx]: ssl_tls.c:2389: |2| in_left: 0, nb_want: 5
[DBG ][TLSx]: ssl_tls.c:2391: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
[DBG ][TLSx]: ssl_tls.c:2403: |2| <= fetch input
[DBG ][TLSx]: ssl_tls.c:3479: |4| dumping 'input record header' (5 bytes)
[DBG ][TLSx]: ssl_tls.c:3479: |4| 0000: 15 03 03 00 02 .....
[DBG ][TLSx]: ssl_tls.c:3485: |3| input record: msgtype = 21, version = [3:3], msglen = 2
[DBG ][TLSx]: ssl_tls.c:2208: |2| => fetch input
[DBG ][TLSx]: ssl_tls.c:2365: |2| in_left: 5, nb_want: 7
[DBG ][TLSx]: ssl_tls.c:2389: |2| in_left: 5, nb_want: 7
[DBG ][TLSx]: ssl_tls.c:2391: |2| ssl->f_recv(_timeout)() returned 2 (-0xfffffffe)
[DBG ][TLSx]: ssl_tls.c:2403: |2| <= fetch input
[DBG ][TLSx]: ssl_tls.c:3656: |4| dumping 'input record from network' (7 bytes)
[DBG ][TLSx]: ssl_tls.c:3656: |4| 0000: 15 03 03 00 02 02 28 ......(
[DBG ][TLSx]: ssl_tls.c:3960: |2| got an alert message, type: [2:40]
[DBG ][TLSx]: ssl_tls.c:3968: |1| is a fatal alert message (msg 40)
[DBG ][TLSx]: ssl_tls.c:3744: |1| mbedtls_ssl_handle_message_type() returned -30592 (-0x 7780)
[DBG ][TLSx]: ssl_cli.c:1416: |1| mbedtls_ssl_read_record() returned -30592 (-0x7780)
[DBG ][TLSx]: ssl_tls.c:6345: |2| <= handshake
[ERR ][TLSx]: mbedtls_ssl_handshake() failed: -0x7780 (-30592): SSL AT> AT+CIPCLOSE=0 AT< AT+CIPCLOSE=0 AT< UNLINK AT< AT< ERROR AT> AT+CIPCLOSE=0 AT< AT+CIPCLOSE=0 AT< UNLINK AT< AT< ERROR ERROR: rc from TCP connect is -30592 [DBG ][TLSx]: ssl_tls.c:7055: |2| => free
[DBG ][TLSx]: ssl_tls.c:7120: |2| <= free
AT> AT+CWQAP AT< AT+CWQAP AT< AT= OK