Hello,
I
run a client that has been ported MbedTLS, but the client connect
server faild. I check the debug log, the end client state is 15. In the
client state 3, the client receive only one certificate from server,
and the log printing "Certificate verification flags 8". Here are part
of logs:
..\MbedTLS\library\ssl_tls.c:4232: dumping 'input record from network' (4467 bytes)
..\MbedTLS\library\ssl_tls.c:4232: 0000: 16 03 03 11 6e 0b 00 11 6a 00 11 67 00 05 c2 30 ....n...j..g...0
..\MbedTLS\library\ssl_tls.c:4232: 0010: -------- omit some network input data --------
..\MbedTLS\library\ssl_tls.c:4232: 0ff0: 38 a0 36 a0 34 86 32 68 74 74 70 3a 2f 2f 63 72 8.6.4.2http://cr
..\MbedTLS\library\ssl_tls.c:3624: handshake message: msglen = 4462, type = 11, hslen = 4462
..\MbedTLS\library\ssl_tls.c:4385: <= read record
..\MbedTLS\library\ssl_tls.c:5606: peer certificate #1:
..\MbedTLS\library\ssl_tls.c:5606: cert. version : 3
..\MbedTLS\library\ssl_tls.c:5606: serial number : F0:57:5F:65:80:A9:70:B4:F9:8E:42:91:AE:D0:70:27
..\MbedTLS\library\ssl_tls.c:5606:
issuer name : C=GB, ST=Greater Manchester, L=Salford, O=Sectigo
Limited, CN=Sectigo RSA Domain Validation Secure Server CA
..\MbedTLS\library\ssl_tls.c:5606: subject name : CN=*.xxxxxxxx.com
..\MbedTLS\library\ssl_tls.c:5606: issued on : 2020-06-01 00:00:00
..\MbedTLS\library\ssl_tls.c:5606: expires on : 2021-05-26 23:59:59
..\MbedTLS\library\ssl_tls.c:5606: signed using : RSA with SHA-256
..\MbedTLS\library\ssl_tls.c:5606: RSA key size : 2048 bits
..\MbedTLS\library\ssl_tls.c:5606: basic constraints : CA=false
..\MbedTLS\library\ssl_tls.c:5606: subject alt name : *.xxxxxxxx.com, xxxxxxxx.com
..\MbedTLS\library\ssl_tls.c:5606: key usage : Digital Signature, Key Encipherment
..\MbedTLS\library\ssl_tls.c:5606: ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
..\MbedTLS\library\ssl_tls.c:5606: value of 'crt->rsa.N' (2048 bits) is:
..\MbedTLS\library\ssl_tls.c:5606: af b7 73 1a f9 8a 2d 5e a2 e8 0f fd 89 5d 60 1d
..\MbedTLS\library\ssl_tls.c:5606: -------- omit some bits --------
..\MbedTLS\library\ssl_tls.c:5606: e6 8e f8 3e ed ec 8e dd ec 46 48 85 9a b4 c8 71
..\MbedTLS\library\ssl_tls.c:5606: value of 'crt->rsa.E' (17 bits) is:
..\MbedTLS\library\ssl_tls.c:5606: 01 00 01
..\MbedTLS\library\ssl_tls.c:5757: x509_verify_cert() returned -9984 (-0x2700)
..\MbedTLS\library\ssl_tls.c:5851: ! Certificate verification flags 8
..\MbedTLS\library\ssl_tls.c:5863: <= parse certificate
At
the client side, I download certificate of server, and get CA and root
CA base on this certificate. Loading any one of these certificates into
the client can't connect server.
I
did a test with another server. The different of the handshark is that
the server issued two certificates, one is server's cert and another is
CA cert. Loading CA or root CA into the client both can connect server
successfully.
problems:
1. Must the server send CA certificate in handshake phase?
2. The client holds CA certificate, dose MbedTLS client support downloading CA base on server's certificate?
3. In the source code, the certificate chain only contains the
certificate issued by the server during handshake, not the CA
certificate downloaded by the client according to the server
certificate?
Thank you very much for the answers.
Best regards,
berry chen