Manuel,
Thank you for the reply! This solution has been very hard to come by. For the sake of neophytes like me, it would be nice to have a user guide as well as the Doxygen-generated reference manual, so that developers can learn how to put the
functions together, as well as how to satisfy the requirements of each function.
Here’s how my code now looks, followed by the debug output. The call to https_client_tls_xchg is what NXP provided in their example, lwip_httpscli_mbedTLS_freertos. I’ve added my own code to pass in the HTTPS request from a queue of requests, as
well as my own write_request and read_request handlers.
It seems that I’m not getting past the point where the server’s certificate gets verified. In a previous version, we were using Firebase, and everything went well, even with the client certificate. Now that we’re using googleapis.com, it’s
failing. Postman and browser queries run from a PC do work, so I suspect I don’t have a good CA certificate chain.
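/**
 * Certificate verification callback registered with mbedtls_ssl_conf_verify().
 *
 * Logs the certificate presented at the given chain depth, followed by a
 * human-readable rendering of any verification flags raised for it.
 *
 * SECURITY: this callback is diagnostic only. It always returns 0 and never
 * modifies *flags, so it neither accepts nor rejects a certificate by itself;
 * the accept/reject decision stays with the library and the authmode set via
 * mbedtls_ssl_conf_authmode().
 *
 * @param data   Opaque user pointer (unused).
 * @param crt    Certificate being examined at this depth.
 * @param depth  Position in the chain being verified.
 * @param flags  Verification flags for this certificate (read, not modified).
 * @return 0 always.
 */
static int _iot_tls_verify_cert(void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags)
{
    char buf[1024];

    ((void)data);

    HTTPS_DEBUG_NORMAL("\nVerify requested for (Depth %d):\n", depth);
    mbedtls_x509_crt_info(buf, sizeof(buf) - 1, "", crt);
    HTTPS_DEBUG_NORMAL("%s", buf);

    if ((*flags) == 0)
    {
        HTTPS_DEBUG_NORMAL(" This certificate has no flags\n");
    }
    else
    {
        /*
         * Render the flags into buf before printing. The previous code passed
         * buf itself as the first argument of the logging macro, i.e. text
         * derived from the peer's certificate was used as a format string and
         * the flags were never decoded. Peer-supplied text must only ever be
         * printed through "%s".
         */
        mbedtls_x509_crt_verify_info(buf, sizeof(buf), " ! ", *flags);
        HTTPS_DEBUG_NORMAL("%s\n", buf);
    }

    return 0;
}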
#ifdef MBEDTLS_DEBUG_C
/**
 * Debug sink handed to mbedtls_ssl_conf_dbg(): forwards one library debug
 * message, together with the source line and file it came from, to
 * HTTPS_DEBUG_NORMAL.
 *
 * @param ctx    Opaque context pointer (not used).
 * @param level  Debug level of the message (not used).
 * @param file   Source file that produced the message.
 * @param line   Source line that produced the message.
 * @param str    The message text.
 */
static void my_debug(void *ctx, int level, const char *file, int line, const char *str)
{
    /* Every message that reaches this sink is printed, whatever its level. */
    (void)level;

    HTTPS_DEBUG_NORMAL("\r\n%s, at line %d in file %s\n", str, line, file);
}
#endif /* MBEDTLS_DEBUG_C */
#undef USE_CLIENT_CERT
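/**
 * Open a TLS session to the host named in the request's "Host:" header, send
 * the request and read the response.
 *
 * Steps: extract the host name from item->messageHeader into the file-scope
 * httpsServerName buffer, initialise the mbedTLS contexts held in the
 * file-scope tlsDataParams, seed the HMAC-DRBG, load the CA certificate,
 * resolve and connect a TCP socket, configure and run the TLS handshake, then
 * call write_request() and, if that wrote data, read_request(). The session is
 * released with https_client_tls_release() before the normal return.
 *
 * SECURITY: as written, the server is NOT authenticated. See the notes at
 * ServerVerificationFlag and at the CA-loading step.
 *
 * NOTE(review): the early error returns after the contexts have been
 * initialised (and, later, after the socket is connected) do not call
 * https_client_tls_release(). Whether the caller is expected to do so is not
 * visible here; confirm, otherwise those paths leak the contexts and socket.
 *
 * @param item  Queued outgoing message; its messageHeader must contain a
 *              "Host: <name>" line terminated by CR or LF.
 * @return FAILURE if the host name cannot be extracted; a NETWORK_* code or
 *         SSL_CONNECTION_ERROR if setup, connect, handshake or certificate
 *         verification fails; otherwise the value returned by write_request()
 *         (when it is not > 0) or by read_request().
 */
int https_client_tls_xchg( CLOUD_OUT_MSG_Q_ITEM* item )
{
    int ret = 0;
    const char *pers = "aws_iot_tls_wrapper";
    char vrfy_buf[512];
    /*
     * SECURITY NOTE(review): hard-coded to false. That selects
     * MBEDTLS_SSL_VERIFY_OPTIONAL below, under which a failed chain
     * verification does not abort the handshake, and it also skips the
     * mbedtls_ssl_get_verify_result() check after the handshake. The request
     * is therefore sent to, and the response accepted from, a peer whose
     * identity has not been established. Set this to true once the correct
     * trust anchor is loaded; leave false only for bring-up on a trusted
     * network.
     */
    bool ServerVerificationFlag = false;
    const mbedtls_md_info_t *md_info;
    char* hostNameLoc = strstr(item->messageHeader, "Host: ");
    char* hostNameEnd = NULL;
#ifdef MBEDTLS_DEBUG_C
    /* NOTE(review): MBEDTLS_SSL_MAX_CONTENT_LEN-sized buffer on the stack;
     * check it against the calling task's stack size. */
    unsigned char buf[MBEDTLS_SSL_MAX_CONTENT_LEN + 1];
#endif

    // find and copy host name from message header to httpsServerName
    if( NULL == hostNameLoc )
    {
        HTTPS_DEBUG_NORMAL( "\r\n Host name identifier not found\r\n" );
        return FAILURE;
    }

    /* Skip past "Host:" to the separating space... */
    hostNameLoc = strpbrk(hostNameLoc, " ");
    if( NULL == hostNameLoc )
    {
        HTTPS_DEBUG_NORMAL( "\r\n Host name space delimiter not found\r\n");
        return FAILURE;
    }

    /* ...then step over the space; the name runs up to the first CR or LF. */
    hostNameLoc += 1;
    hostNameEnd = strpbrk(hostNameLoc, "\r\n");
    if( NULL == hostNameEnd )
    {
        HTTPS_DEBUG_NORMAL( "\r\n Host name end not found\r\n" );
        return FAILURE;
    }

    /*
     * NOTE(review): the copy length comes from the message header and is not
     * checked against the capacity of httpsServerName, whose declaration is
     * not visible here. Add a bound check (length + 1 for the terminator)
     * against that buffer's size before copying.
     */
    memcpy( httpsServerName, hostNameLoc, hostNameEnd - hostNameLoc);
    httpsServerName[ hostNameEnd - hostNameLoc ] = 0;

    mbedtls_ssl_init(&(tlsDataParams.ssl));
    mbedtls_ssl_config_init(&(tlsDataParams.conf));
    mbedtls_hmac_drbg_init(&(tlsDataParams.hmac_drbg));
    mbedtls_x509_crt_init(&(tlsDataParams.cacert));
#if USE_CLIENT_CERT
    mbedtls_x509_crt_init(&(tlsDataParams.clicert));
#endif /* USE_CLIENT_CERT */
    mbedtls_pk_init(&(tlsDataParams.pkey));

#if defined(MBEDTLS_DEBUG_C)
    /* Enable debug output of mbedtls */
    mbedtls_ssl_conf_dbg(&(tlsDataParams.conf), my_debug, NULL);
    mbedtls_debug_set_threshold(DEBUG_LEVEL);
#endif

    HTTPS_DEBUG_NORMAL("\n . Seeding the random number generator...");
    mbedtls_entropy_init(&(tlsDataParams.entropy));
    md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
    ret = mbedtls_hmac_drbg_seed(&(tlsDataParams.hmac_drbg), md_info, mbedtls_entropy_func,
                                 &(tlsDataParams.entropy),
                                 (const unsigned char *)pers, strlen(pers));
    if (ret != 0)
    {
        HTTPS_DEBUG_NORMAL(" failed\n ! mbedtls_hmac_drbg_seed returned -%x\n", -ret);
        return NETWORK_MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED;
    }

    /*
     * SECURITY NOTE(review): the trust anchor loaded here is
     * mbedtls_test_ca_crt. Going by its name this is the mbedTLS test CA
     * rather than a root the target servers chain to - confirm. Chain
     * verification can only succeed if this buffer holds the root CA that
     * issued the server's certificate chain.
     */
    HTTPS_DEBUG_NORMAL("\n . Loading the CA root certificate ...");
    ret = mbedtls_x509_crt_parse(&(tlsDataParams.cacert),
                                 (const unsigned char *)mbedtls_test_ca_crt,
                                 mbedtls_test_ca_crt_len);
    if (ret < 0)
    {
        HTTPS_DEBUG_NORMAL(" failed\n ! mbedtls_x509_crt_parse returned -%x while parsing root cert\n\n", -ret);
        return NETWORK_X509_ROOT_CRT_PARSE_ERROR;
    }
    /* A positive return is the number of certificates that failed to parse. */
    HTTPS_DEBUG_NORMAL(" ok (%d skipped)\n", ret);

#if USE_CLIENT_CERT
    HTTPS_DEBUG_NORMAL(" . Loading the client cert and key...");
    ret = mbedtls_x509_crt_parse(&(tlsDataParams.clicert),
                                 (const unsigned char *)mbedtls_test_cli_crt,
                                 mbedtls_test_cli_crt_len);
    if (ret != 0)
    {
        HTTPS_DEBUG_NORMAL(" failed\n ! mbedtls_x509_crt_parse returned -%x while parsing device cert\n\n", -ret);
        return NETWORK_X509_DEVICE_CRT_PARSE_ERROR;
    }

    ret = mbedtls_pk_parse_key(&(tlsDataParams.pkey),
                               (const unsigned char *)mbedtls_test_cli_key,
                               mbedtls_test_cli_key_len, NULL, 0);
    if (ret != 0)
    {
        HTTPS_DEBUG_NORMAL(" failed\n ! mbedtls_pk_parse_key returned -%x while parsing private key\n\n", -ret);
        return NETWORK_PK_PRIVATE_KEY_PARSE_ERROR;
    }
    HTTPS_DEBUG_NORMAL(" ok\n");
#endif /* USE_CLIENT_CERT */

    HTTPS_DEBUG_NORMAL("\nConnecting to %s/%s", httpsServerName, HTTPS_SERVER_PORT);

    struct addrinfo hints;
    struct addrinfo *res = NULL;

    memset(&hints, 0, sizeof(struct addrinfo));
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE;

    ret = getaddrinfo(httpsServerName, HTTPS_SERVER_PORT, &hints, &res);
    if ((ret != 0) || (res == NULL))
    {
        return NETWORK_ERR_NET_UNKNOWN_HOST;
    }

    tlsDataParams.fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (tlsDataParams.fd < 0)
    {
        /* Release the resolver result on this path too; it was leaked before. */
        freeaddrinfo(res);
        return NETWORK_ERR_NET_SOCKET_FAILED;
    }

    ret = connect(tlsDataParams.fd, res->ai_addr, res->ai_addrlen);
    freeaddrinfo(res);
    if (ret != 0)
    {
        close(tlsDataParams.fd);
        return NETWORK_ERR_NET_CONNECT_FAILED;
    }

    HTTPS_DEBUG_NORMAL("\n . Setting up the SSL/TLS structure...");
    ret = mbedtls_ssl_config_defaults(&(tlsDataParams.conf),
                                      MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM,
                                      MBEDTLS_SSL_PRESET_DEFAULT);
    if (ret != 0)
    {
        HTTPS_DEBUG_NORMAL(" failed\n ! mbedtls_ssl_config_defaults returned -%x\n\n", -ret);
        return SSL_CONNECTION_ERROR;
    }

    /* The callback only logs; it does not influence the verification result. */
    mbedtls_ssl_conf_verify(&(tlsDataParams.conf), _iot_tls_verify_cert, NULL);

    if (ServerVerificationFlag == true)
    {
        mbedtls_ssl_conf_authmode(&(tlsDataParams.conf), MBEDTLS_SSL_VERIFY_REQUIRED);
    }
    else
    {
        /* Handshake continues even if the server's chain fails verification. */
        mbedtls_ssl_conf_authmode(&(tlsDataParams.conf), MBEDTLS_SSL_VERIFY_OPTIONAL);
    }

    mbedtls_ssl_conf_rng(&(tlsDataParams.conf), mbedtls_hmac_drbg_random, &(tlsDataParams.hmac_drbg));
    mbedtls_ssl_conf_ca_chain(&(tlsDataParams.conf), &(tlsDataParams.cacert), NULL);

#if USE_CLIENT_CERT
    ret = mbedtls_ssl_conf_own_cert(&(tlsDataParams.conf), &(tlsDataParams.clicert),
                                    &(tlsDataParams.pkey));
    if (ret != 0)
    {
        HTTPS_DEBUG_NORMAL(" failed\n ! mbedtls_ssl_conf_own_cert returned -%x\n\n", -ret);
        return SSL_CONNECTION_ERROR;
    }
#endif /* USE_CLIENT_CERT */

    ret = mbedtls_ssl_setup(&(tlsDataParams.ssl), &(tlsDataParams.conf));
    if (ret != 0)
    {
        HTTPS_DEBUG_NORMAL(" failed\n ! mbedtls_ssl_setup returned -%x\n\n", -ret);
        return SSL_CONNECTION_ERROR;
    }

    /* Sets the name sent in SNI and matched against the server certificate. */
    ret = mbedtls_ssl_set_hostname(&(tlsDataParams.ssl), httpsServerName);
    if (ret != 0)
    {
        HTTPS_DEBUG_NORMAL(" failed\n ! mbedtls_ssl_set_hostname returned -%x\n\n", -ret);
        return SSL_CONNECTION_ERROR;
    }

    HTTPS_DEBUG_NORMAL("\n\nSSL state connect : %d ", tlsDataParams.ssl.state);
    mbedtls_ssl_set_bio(&(tlsDataParams.ssl), &(tlsDataParams.fd), lwipSend,
                        (mbedtls_ssl_recv_t *)lwipRecv, NULL);
    HTTPS_DEBUG_NORMAL(" ok\n");
    HTTPS_DEBUG_NORMAL("\n\nSSL state connect : %d ", tlsDataParams.ssl.state);

    HTTPS_DEBUG_NORMAL("\n . Performing the SSL/TLS handshake...");
    while ((ret = mbedtls_ssl_handshake(&(tlsDataParams.ssl))) != 0)
    {
        /* WANT_READ / WANT_WRITE only mean "call again"; anything else is fatal. */
        if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE)
        {
            HTTPS_DEBUG_NORMAL(" failed\n ! mbedtls_ssl_handshake returned -%x\n", -ret);
            if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED)
            {
                HTTPS_DEBUG_NORMAL(
                    "\n Unable to verify the server's certificate. "
                    "\n Alternatively, you may want to use "
                    "\n auth_mode=optional for testing purposes.\n");
            }
            return SSL_CONNECTION_ERROR;
        }
    }

    HTTPS_DEBUG_NORMAL(" ok\n [ Protocol is %s ]\n [ Ciphersuite is %s ]\n",
                       mbedtls_ssl_get_version(&(tlsDataParams.ssl)),
                       mbedtls_ssl_get_ciphersuite(&(tlsDataParams.ssl)));

    ret = mbedtls_ssl_get_record_expansion(&(tlsDataParams.ssl));
    if (ret >= 0)
    {
        HTTPS_DEBUG_NORMAL(" [ Record expansion is %d ]\n", ret);
    }
    else
    {
        HTTPS_DEBUG_NORMAL(" [ Record expansion is unknown (compression) ]\n");
    }

    HTTPS_DEBUG_NORMAL("\n . Verifying peer X.509 certificate...");
    if (ServerVerificationFlag == true)
    {
        tlsDataParams.flags = mbedtls_ssl_get_verify_result(&(tlsDataParams.ssl));
        if (tlsDataParams.flags != 0)
        {
            HTTPS_DEBUG_NORMAL(" failed\n");
            mbedtls_x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), " ! ", tlsDataParams.flags);
            HTTPS_DEBUG_NORMAL("%s\n", vrfy_buf);
            ret = SSL_CONNECTION_ERROR;
        }
        else
        {
            HTTPS_DEBUG_NORMAL(" ok\n");
            ret = SUCCESS;
        }
    }
    else
    {
        HTTPS_DEBUG_NORMAL(" Server Verification skipped\n");
        ret = SUCCESS;
    }

#ifdef MBEDTLS_DEBUG_C
    if (mbedtls_ssl_get_peer_cert(&(tlsDataParams.ssl)) != NULL)
    {
        HTTPS_DEBUG_NORMAL(" . Peer certificate information ...\n");
        mbedtls_x509_crt_info((char *)buf, sizeof(buf) - 1, " ",
                              mbedtls_ssl_get_peer_cert(&(tlsDataParams.ssl)));
        HTTPS_DEBUG_NORMAL("%s\n", buf);
    }
#endif

    /*
     * A failed verification result must end the exchange here. Previously ret
     * was overwritten by write_request() below, so the request would have been
     * sent even after verification had been reported as failed.
     */
    if (ret == SSL_CONNECTION_ERROR)
    {
        https_client_tls_release();
        return ret;
    }

    mbedtls_ssl_conf_read_timeout(&(tlsDataParams.conf), IOT_SSL_READ_TIMEOUT);

    /* NOTE(review): item is already a pointer, so &item is a
     * CLOUD_OUT_MSG_Q_ITEM **; confirm that is what write_request() expects. */
    ret = write_request( &item );
    if( ret > 0 )
    {
        ret = read_request();
        HTTPS_DEBUG_VERBOSE( "%s %d read_request ret %d\r\n", __FUNCTION__, __LINE__, ret );
    }
    else
    {
        HTTPS_DEBUG_VERBOSE( "%s %d write_request ret %d\r\n", __FUNCTION__, __LINE__, ret );
    }

    https_client_tls_release();
    return ret;
}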
newInstallationCode '16662'
Initializing PHY...
Link UP 100 MBit Full duplex
Getting IP address from DHCP...
DHCP_STATE_BOUND
hostCNameTask Looking up CName for '16662.lb.invue-am.com'
IPv4 Address : 192.168.180.78
IPv4 Netmask : 255.255.255.0
IPv4 Gateway : 192.168.180.1
hostCNameTask CName 'dev-ir4-sso.invue-am.com'
hostCNameTask Looking up CName for '16662.lb.invue-am.com'
hostCNameTask CName 'dev-ir4-sso.invue-am.com'
AM_task AMMessageHeader
"GET /embeddedv1/config/kas/0203cc1fc4040006?kasFirmware=019306232020082100 HTTP/1.1
User-Agent: mbedTLS 2.13.1
Accept: */*
Cache-Control: no-cache
Host: dev-ir4-sso.invue-am.com
Accept-Encoding: identity
Connection: keep-alive
"
transmitting config request
. Seeding the random number generator...
. Loading the CA root certificate ... ok (0 skipped)
Connecting to dev-ir4-sso.invue-am.com/443
. Setting up the SSL/TLS structure...
SSL state connect : 0 ok
SSL state connect : 0
. Performing the SSL/TLS handshake...
Verify requested for (Depth 1):
cert. version : 3
serial number : 01:E3:B4:9D:77:CD:F4:0C:06:19:16:B6:E3
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1D2
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
cert. version : 3
serial number : 01:E3:B4:9D:77:CD:F4:0C:06:19:16:B6:E3
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1D2
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
cert. version : 3
serial number : 01:E3:B4:9D:77:CD:F4:0C:06:19:16:B6:E3
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1D2
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
Verify requested for (Depth 0):
cert. version : 3
serial number : D1:B2:1B:04:84:E5:BF:5D:0A:00:00:00:00:34:93:20
issuer name : C=US, O=Google Trust Services, CN=GTS CA 1D2
subject name : CN=dev-ir4-sso.invue-am.com
issued on : 2020-05-15 18:33:44
expires on : 2020-08-13 18:33:44
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name : dev-ir4-sso.invue-am.com
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
This certificate has no flags
x509_verify_cert() returned -9984 (-0x2700)
, at line 5713 in file .ssl_tls.c
ok
[ Protocol is TLSv1.2 ]
[ Ciphersuite is TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 ]
[ Record expansion is 29 ]
. Verifying peer X.509 certificate... Server Verification skipped
. Peer certificate information ...
cert. version : 3
serial number : D1:B2:1B:04:84:E5:BF:5D:0A:00:00:00:00:34:93:20
issuer name : C=US, O=Google Trust Services, CN=GTS CA 1D2
subject name : CN=dev-ir4-sso.invue-am.com
issued on : 2020-05-15 18:33:44
expires on : 2020-08-13 18:33:44
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name : dev-ir4-sso.invue-am.com
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
> Write to server: 'GET /embeddedv1/config/kas/0203cc1fc4040006?kasFirmware=019306232020082100 HTTP/1.1
User-Agent: mbedTLS 2.13.1
Accept: */*
Cache-Control: no-cache
Host: dev-ir4-sso.invue-am.com
Accept-Encoding: identity
Connection: keep-alive
'
236 bytes written
GET /embeddedv1/config/kas/0203cc1fc4040006?kasFirmware=019306232020082100 HTTP/1.1
User-Agent: mbedTLS 2.13.1
Accept: */*
Cache-Control: no-cache
Host: dev-ir4-sso.invue-am.com
Accept-Encoding: identity
Connection: keep-alive
read_request 197 Header:
'HTTP/1.1 200 OK
access-control-allow-origin: *
x-dns-prefetch-control: off
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-type: application/octet-stream; charset=utf-8
etag: W/"62-1uAAylrO8FBct649sAnpL0iMgmc"
Date: Tue, 23 Jun 2020 12:33:58 GMT
Server: Google Frontend
Content-Length: 98'
HTTPS REQUEST OK
processIncomingMessages, AM message processing takes place here
processEthMsg_hdrRev1
hdrHdr.messageHeaderRev 1
hdrHdr.productId 0203
hdrHdr.productMsgTokenRev 01
flags 01
msgToken 16
status 00
==============================================
---> COMMAND msgTkn_kasFirmwareURL_e msg received.
processEthMsg_hdrRev1 Outgoing downloadRequestHeader
"GET /ir4-kas-firmware/019306042020102700Application.bin HTTP/1.1
User-Agent: mbedTLS 2.13.1
Accept: */*
Cache-Control: no-cache
Host: storage.googleapis.com
Accept-Encoding: identity
Connection: keep-alive
"
. Seeding the random number generator...
. Loading the CA root certificate ... ok (0 skipped)
Connecting to storage.googleapis.com/443
. Setting up the SSL/TLS structure...
SSL state connect : 0 ok
SSL state connect : 0
. Performing the SSL/TLS handshake...
Verify requested for (Depth 1):
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
Verify requested for (Depth 0):
cert. version : 3
serial number : 10:7A:C6:83:CE:BF:51:0F:08:00:00:00:00:43:54:D8
issuer name : C=US, O=Google Trust Services, CN=GTS CA 1O1
subject name : C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.storage.googleapis.com
issued on : 2020-05-26 15:27:50
expires on : 2020-08-18 15:27:50
signed using : RSA with SHA-256
EC key size : 256 bits
basic constraints : CA=false
subject alt name : *.storage.googleapis.com, *.appspot.com.storage.googleapis.com, *.commondatastorage.googleapis.com, *.content-storage-download.googleapis.com, *.content-storage-upload.googleapis.com, *.content-storage.googleapis.com,
*.googleapis.com, *.storage-download.googleapis.com, *.storage-upload.googleapis.com, *.storage.select.googleapis.com, commondatastorage.googleapis.com, storage.googleapis.com, storage.select.googleapis.com, unfiltered.news
key usage : Digital Signature
ext key usage : TLS Web Server Authentication
This certificate has no flags
x509_verify_cert() returned -9984 (-0x2700)
, at line 5713 in file .ssl_tls.c
mbedtls_ssl_fetch_input() returned -29312 (-0x7280)
, at line 4967 in file .ssl_tls.c
ssl_get_next_record() returned -29312 (-0x7280)
, at line 4338 in file .ssl_tls.c
mbedtls_ssl_read_record() returned -29312 (-0x7280)
, at line 3302 in file .ssl_cli.c
failed
! mbedtls_ssl_handshake returned -7280
https_client_tls_xchg retval -4
. Seeding the random number generator...
. Loading the CA root certificate ... ok (0 skipped)
Connecting to storage.googleapis.com/443
. Setting up the SSL/TLS structure...
Jeff Thompson | Senior Electrical
Engineer-Firmware
+1 704 752 6513 x1394
www.invue.com
From: Manuel Pegourie-Gonnard <Manuel.Pegourie-Gonnard@arm.com>
Sent: Tuesday, June 23, 2020 6:36 AM
To: 'mbed-tls@lists.trustedfirmware.org' <mbed-tls@lists.trustedfirmware.org>; Thompson, Jeff <JeffThompson@invue.com>
Subject: Re: Using mbed without a client certificate
Hi Jeff,
if you don't want to provision a client certificate in your TLS client, all you have to do is to not call `mbedtls_ssl_conf_own_cert()` in your client code. Then the library will send an empty
certificate list as required by the standard.
Actually in the example code you have, if you look at the second and third argument in the call to `mbedtls_ssl_conf_own_cert()`, you should be able to remove all references to those arguments,
and end up with a functional example without client certificates.
Also, you might want to have a look at this example from our source, which is a simple client without client-side certificates:
https://github.com/ARMmbed/mbedtls/blob/development/programs/ssl/ssl_client1.c
Hope that helps,
Manuel.
From: mbed-tls <mbed-tls-bounces@lists.trustedfirmware.org> on behalf of Thompson, Jeff via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Sent: 22 June 2020 16:03
To: 'mbed-tls@lists.trustedfirmware.org' <mbed-tls@lists.trustedfirmware.org>
Subject: [mbed-tls] Using mbed without a client certificate
I'm using:
#define MBEDTLS_VERSION_NUMBER 0x020D0100
#define MBEDTLS_VERSION_STRING "2.13.1"
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.13.1"
According to RFC5246:
If no suitable certificate is available,
the client MUST send a certificate message containing no
certificates. That is, the certificate_list structure has a
length of zero.
How do I do this with mbedTLS? The example code I have has certificates in it and calls mbedtls_x509_crt_parse(), which wants a list of certificates and will reject a zero-length
list.
Jeff Thompson | Senior Electrical Engineer-Firmware
+1 704 752 6513 x1394
www.invue.com