Dear Mbed TLS team,
I am trying to integrate Mbed TLS in our platform: - nxp imx rt 1024 CPU (arm based) - FreeRTOS (10.6) - Lwip (2.2) - Mbed TLS (3.6.2)
I am using the LWIP port to Mbed TLS and managed to create an client configuration by supplying a google certificate which I created as follows: openssl s_client -showcerts -connect www.google.com:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > google_root_ca.pem
PS: using the true random number generator in our CPU as the entropy source for Mbed TLS.
I ran into some issues which I managed to resolve by adding another option in Mbed TLS (found this on a forum which solved the problem): #define MBEDTLS_RSA_C /* required for google's root CA */ #define MBEDTLS_PKCS1_V21 /* required for RSA */
Next I connected our http client to use the TLS configuration and gave it a first spin by trying to send a HTTP GET request to google.com. The TLS handshake failed. I enabled logging in the hope this would give me a direction, but I can't see where things go wrong (until the obvious error -0x7780 (MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE)).
Can somebody see what goes wrong on the client side, which results in the server deciding to fail the request?
Attached the log and will paste it here in the email.
======================
[2024-12-11 09:08:28] 2024-12-10 12:53:35.612 [Info ] [Http] GET from google.com:443 - / [2024-12-11 09:08:28] 2024-12-10 12:53:35.630 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(1327): The SSL configuration is tls12 only. [2024-12-11 09:08:28] 2024-12-10 12:53:35.676 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(4606): => handshake [2024-12-11 09:08:28] 2024-12-10 12:53:35.678 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2353): => flush output [2024-12-11 09:08:28] 2024-12-10 12:53:35.678 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2362): <= flush output [2024-12-11 09:08:28] 2024-12-10 12:53:35.696 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(4525): client state: MBEDTLS_SSL_HELLO_REQUEST [2024-12-11 09:08:28] 2024-12-10 12:53:35.718 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2353): => flush output [2024-12-11 09:08:28] 2024-12-10 12:53:35.736 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2362): <= flush output [2024-12-11 09:08:28] 2024-12-10 12:53:35.766 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(4525): client state: MBEDTLS_SSL_CLIENT_HELLO [2024-12-11 09:08:28] 2024-12-10 12:53:35.792 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(919): => write client hello [2024-12-11 09:08:28] 2024-12-10 12:53:35.820 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(486): dumping 'client hello, random bytes' (32 bytes) [2024-12-11 09:08:28] 2024-12-10 12:53:35.848 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(486): 0000: 7b 5a 55 53 71 4d 5d ec 7e 88 19 f8 fc b7 72 b4 {ZUSq M].~.....r. [2024-12-11 09:08:28] 2024-12-10 12:53:35.878 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(486): 0010: d1 7e 13 df 21 b8 b6 3f 38 36 d4 63 19 f4 27 89 .~..! ..?86.c..'. [2024-12-11 09:08:28] 2024-12-10 12:53:35.904 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(511): dumping 'session id' (0 bytes) [2024-12-11 09:08:28] 2024-12-10 12:53:35.930 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(369): client hello, add ciphersuite: c02b, TLS-ECDHE-ECDSA-WITH-AES -128-GCM-SHA256 [2024-12-11 09:08:28] 2024-12-10 12:53:35.962 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(387): adding EMPTY_RENEGOTIATION_INFO_SCSV [2024-12-11 09:08:28] 2024-12-10 12:53:35.988 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(396): client hello, got 2 cipher suites [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(230): client hello, adding supported_groups extension [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(249): got supported group(0017) [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(281): NamedGroup: secp256r1 ( 17 ) [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(249): got supported group(0018) [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(281): NamedGroup: secp384r1 ( 18 ) [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(301): dumping 'Supported groups extension' (6 bytes) [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(301): 0000: 00 04 00 17 00 18 ..... . [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(9593): adding signature_algorithms extension [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(9613): got signature scheme [403] ecdsa_secp256r1_sha256 [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(9622): sent signature scheme [403] ecdsa_secp256r1_sha256 [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(9613): got signature scheme [401] rsa_pkcs1_sha256 [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(9622): sent signature scheme [401] rsa_pkcs1_sha256 [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls12_client.c(105): client hello, adding supported_point_formats extension [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(688): client hello, total extension length: 26 [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(690): dumping 'client hello extensions' (26 bytes) [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(690): 0000: 00 1a 00 0a 00 06 00 04 00 17 00 18 00 0d 00 06 ..... ........... [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(690): 0010: 00 04 04 03 04 01 00 0b 00 02 ..... ..... [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2783): => write handshake message [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2943): => write record [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3027): output record: msgtype = 22, version = [3:3], msglen = 75 [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3032): dumping 'output record sent to network' (80 bytes) [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3032): 0000: 16 03 03 00 4b 01 00 00 47 03 03 7b 5a 55 53 71 ....K.. .G..{ZUSq [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3032): 0010: 4d 5d ec 7e 88 19 f8 fc b7 72 b4 d1 7e 13 df 21 M].~... ..r..~..! [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3032): 0020: b8 b6 3f 38 36 d4 63 19 f4 27 89 00 00 04 c0 2b ..?86.c ..'.....+ [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3032): 0030: 00 ff 01 00 00 1a 00 0a 00 06 00 04 00 17 00 18 ....... ......... [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3032): 0040: 00 0d 00 06 00 04 04 03 04 01 00 0b 00 02 01 00 ....... ......... [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3080): <= write record [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2904): <= write handshake message [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(1012): <= write client hello [2024-12-11 09:08:28] 2024-12-10 12:53:35.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2353): => flush output [2024-12-11 09:08:28] 2024-12-10 12:53:36.008 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2367): message length: 80, out_left: 80 [2024-12-11 09:08:28] 2024-12-10 12:53:36.044 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2374): ssl->f_send() returned 80 (-0xffffffb0) [2024-12-11 09:08:28] 2024-12-10 12:53:36.082 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2401): <= flush output [2024-12-11 09:08:28] 2024-12-10 12:53:36.114 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(4525): client state: MBEDTLS_SSL_SERVER_HELLO [2024-12-11 09:08:28] 2024-12-10 12:53:36.142 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls12_client.c(1193): => parse server hello [2024-12-11 09:08:28] 2024-12-10 12:53:36.170 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(4189): => read record [2024-12-11 09:08:28] 2024-12-10 12:53:36.196 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2155): => fetch input [2024-12-11 09:08:28] 2024-12-10 12:53:36.226 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2295): in_left: 0, nb_want: 5 [2024-12-11 09:08:28] 2024-12-10 12:53:36.256 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2315): in_left: 0, nb_want: 5 [2024-12-11 09:08:28] 2024-12-10 12:53:36.284 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(4617): <= handshake [2024-12-11 09:08:28] 2024-12-10 12:53:36.314 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2353): => flush output [2024-12-11 09:08:29] 2024-12-10 12:53:36.344 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2362): <= flush output [2024-12-11 09:08:29] 2024-12-10 12:53:36.374 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2353): => flush output [2024-12-11 09:08:29] 2024-12-10 12:53:36.400 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2362): <= flush output [2024-12-11 09:08:29] 2024-12-10 12:53:36.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2353): => flush output [2024-12-11 09:08:29] 2024-12-10 12:53:36.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2362): <= flush output [2024-12-11 09:08:29] 2024-12-10 12:53:37.380 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2353): => flush output [2024-12-11 09:08:29] 2024-12-10 12:53:37.382 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2362): <= flush output [2024-12-11 09:08:30] 2024-12-10 12:53:37.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2353): => flush output [2024-12-11 09:08:30] 2024-12-10 12:53:37.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2362): <= flush output [2024-12-11 09:08:30] 2024-12-10 12:53:38.392 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2353): => flush output [2024-12-11 09:08:30] 2024-12-10 12:53:38.394 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2362): <= flush output [2024-12-11 09:08:31] 2024-12-10 12:53:38.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2353): => flush output [2024-12-11 09:08:31] 2024-12-10 12:53:38.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2362): <= flush output [2024-12-11 09:08:31] 2024-12-10 12:53:39.346 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(4606): => handshake [2024-12-11 09:08:31] 2024-12-10 12:53:39.346 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2353): => flush output [2024-12-11 09:08:31] 2024-12-10 12:53:39.348 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2362): <= flush output [2024-12-11 09:08:31] 2024-12-10 12:53:39.348 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(4525): client state: MBEDTLS_SSL_SERVER_HELLO [2024-12-11 09:08:31] 2024-12-10 12:53:39.350 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls12_client.c(1193): => parse server hello [2024-12-11 09:08:32] 2024-12-10 12:53:39.350 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(4189): => read record [2024-12-11 09:08:32] 2024-12-10 12:53:39.352 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2155): => fetch input [2024-12-11 09:08:32] 2024-12-10 12:53:39.378 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2295): in_left: 0, nb_want: 5 [2024-12-11 09:08:32] 2024-12-10 12:53:39.404 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2315): in_left: 0, nb_want: 5 [2024-12-11 09:08:32] 2024-12-10 12:53:39.430 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2318): ssl->f_recv(_timeout)() returned 5 (-0xfffffffb) [2024-12-11 09:08:32] 2024-12-10 12:53:39.460 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2340): <= fetch input [2024-12-11 09:08:32] 2024-12-10 12:53:39.490 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3855): dumping 'input record header' (5 bytes) [2024-12-11 09:08:32] 2024-12-10 12:53:39.516 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3855): 0000: 15 03 03 00 02 ..... [2024-12-11 09:08:32] 2024-12-10 12:53:39.542 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3857): input record: msgtype = 21, version = [0x303], msglen = 2 [2024-12-11 09:08:32] 2024-12-10 12:53:39.570 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2155): => fetch input [2024-12-11 09:08:32] 2024-12-10 12:53:39.598 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2295): in_left: 5, nb_want: 7 [2024-12-11 09:08:32] 2024-12-10 12:53:39.630 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2315): in_left: 5, nb_want: 7 [2024-12-11 09:09:51] 2024-12-10 12:53:39.656 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2318): ssl->f_recv(_timeout)() returned 2 (-0xfffffffe) [2024-12-11 09:09:51] 2024-12-10 12:53:39.688 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2340): <= fetch input [2024-12-11 09:09:51] 2024-12-10 12:53:39.722 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3964): dumping 'input record from network' (7 bytes) [2024-12-11 09:09:52] 2024-12-10 12:53:39.756 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3964): 0000: 15 03 03 00 02 02 28 ......( [2024-12-11 09:09:55] 2024-12-10 12:53:39.782 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(5092): got an alert message, type: [2:40] [2024-12-11 09:09:55] 2024-12-10 12:53:39.810 [Debug] [Http] 1 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(5099): is a fatal alert message (msg 40) [2024-12-11 09:09:55] 2024-12-10 12:54:59.004 [Debug] [Http] 1 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(4244): mbedtls_ssl_handle_message_type() returned -30592 (-0x7780) [2024-12-11 09:09:55] 2024-12-10 12:54:59.036 [Debug] [Http] 1 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls12_client.c(1197): mbedtls_ssl_read_record() returned -30592 (-0x7780) [2024-12-11 09:09:55] 2024-12-10 12:54:59.062 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(4617): <= handshake [2024-12-11 09:09:55] 2024-12-10 12:54:59.094 [Debug] [External] mbedtls_ssl_handshake failed: -30592 [2024-12-11 09:09:55] 2024-12-10 12:55:02.000 [Debug] [Http] Download failed: httpc_result 4, srv_resp 0, err -15
======================
Many thanks in advance!
Best regards, Bas