A little progress. I figured out where—ssl_encrypt_buf() in ssl_tls.c—to output the name of the offending ciphersuite, which is included in all 3 of the preconfigure Google Cloud SSL policies.

 

So what’s going on here? Why should the mbedTLS client wait forever for 5 bytes it will never get, stalling the connection, instead timing out or otherwise detecting an error it could return?

 

I’m totally at a loss for what to do with this, other than looking for a commercially supported alternative, which I don’t think would be received very well by my manager.

 

Jeff Thompson  |  Senior Electrical Engineer-Firmware
+1 704 752 6513 x1394
www.invue.com

 

From: Thompson, Jeff
Sent: Friday, June 26, 2020 09:40
To: mbed-tls@lists.trustedfirmware.org
Subject: Choosing a cipher

 

The TLS handshake between my device and ghs.googlehosted.com gets stalled when the server sends the device a Change Cipher Spec message—the device waits forever, wanting 5 more bytes. From what I Google’d, I need to change the cipher suite I’m using. How do I know which cipher the server doesn’t like (so I can avoid that in future), and which one I should be using—there are scores of these available in the config file, though some of them clearly should not be used, as they are commented that way..

 

Jeff Thompson  |  Senior Electrical Engineer-Firmware
+1 704 752 6513 x1394
www.invue.com