Hi Janos,

Yes, it's related to the same issue as mentioned in my previous email.

Is there any specific information required from our side - please let me know in which scenarios "Unknown CA" would be returned?

Regards,
Prakash

On Fri, Apr 12, 2024 at 9:10 PM Janos Follath <Janos.Follath@arm.com> wrote:

Hi Satya,

 

Is this issue related to the one described in your previous email “[mbed-tls] EAP TLS - TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unknown CA)”?

 

Kind regards,

Janos

 

From: Satya Prakash Prasad <satyaprakash.developer.unix@gmail.com>
Date: Friday, 12 April 2024 at 16:27
To: Janos Follath <Janos.Follath@arm.com>
Subject: Re: [mbed-tls] CA Unknown Certificate

Hi Janos,

Kindly note that I have already provided the same in my initial email. Please refer the same for your reference:

 

Please note that we need to give CN value different for Root and Server / Client (since I am trying got mutual trusted certificate. You can also verify the same in below way:

 

First console :

# openssl s_server -cert crt1/server.crt -key crt1/server.key -WWW -port 12345 -CAfile crt1/trusted_ca.eap.pem -verify_return_err

or -Verify 1

verify depth is 1, must return a certificate

Using default temp DH parameters

ACCEPT

 

Second Console:

#touch test.txt

 

# openssl s_server -cert crt1/server.crt -key crt1/server.key -WWW -port 12345 -CAfile crt1/trusted_ca.eap.pem -verify_return_err

or -Verify 1

verify depth is 1, must return a certificate

Using default temp DH parameters

ACCEPT

 

On First Console we receive:

# openssl s_server -cert crt1/server.crt -key crt1/server.key -WWW -port 12345 -CAfile crt1/trusted_ca.eap.pem -verify_return_err

or -Verify 1

verify depth is 1, must return a certificate

Using default temp DH parameters

ACCEPT

depth=1 C = US, ST = CA, L = Somewhere, O = Someone, CN = FoobarCA

verify return:1

depth=0 C = US, ST = CA, L = Somewhere, O = Someone, CN = Foobar

verify return:1

FILE:test.txt


Root CA Key
# openssl genrsa -des3 -out ca.key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
....+++++
e is 65537 (0x010001)
Enter pass phrase for ca.key.pem:^1234^
Verifying - Enter pass phrase for ca.key.pem:^1234^

Server Private Key
# openssl genrsa -out server.key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........................................+++++
.................................................................................................+++++
e is 65537 (0x010001)

Client Private Key
# openssl genrsa -out client.key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................+++++
..........................+++++
e is 65537 (0x010001)

Root CA Certificate from  Root CA Key
# openssl req -x509 -new -nodes -key ca.key.pem -sha256 -days 365 -out
ca.cert.pem -subj /C=US/ST=CA/L=Somewhere/O=Someone/CN=FoobarCA
Enter pass phrase for ca.key.pem:^1234^

Server CSR & Certificate from  Server Private Key
# openssl req -new -sha256 -key server.key.pem -subj
/C=US/ST=CA/L=Somewhere/O=Someone/CN=Foobar -out server.csr

# openssl x509 -req -in server.csr -CA ca.cert.pem -CAkey ca.key.pem
-CAcreateserial -out server.cert.pem -days 365 -sha256
Signature ok
subject=C = US, ST = CA, L = Somewhere, O = Someone, CN = Foobar
Getting CA Private Key
Enter pass phrase for ca.key.pem:^1234^


Client CSR & Certificate from  Client Private Key
# openssl req -new -sha256 -key client.key.pem -subj
/C=US/ST=CA/L=Somewhere/O=Someone/CN=Foobar -out client.csr

# openssl x509 -req -in client.csr -CA ca.cert.pem -CAkey ca.key.pem
-CAcreateserial -out client.cert.pem -days 365 -sha256
Signature ok
subject=C = US, ST = CA, L = Somewhere, O = Someone, CN = Foobar
Getting CA Private Key
Enter pass phrase for ca.key.pem:^1234^

Regards,
Prakash

 

On Fri, Apr 12, 2024 at 5:55PM Janos Follath <Janos.Follath@arm.com> wrote:

Hi Prakash,

 

Thank you for sharing the details about how you generated the certificates. Could you please share the command line for the server and the client as well?

 

Kind regards,

Janos

 

From: Satya Prakash Prasad via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Date: Friday, 12 April 2024 at 05:03
To: mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>
Subject: [mbed-tls] CA Unknown Certificate

Hi,

Please note that while using MBedTLS 3.6.0, when we are trying to
verify server / client connection using self-signed mutually trusted
certificates we are always getting a CA Unknown Certificate error code
46 alert message.

Root CA Key
# openssl genrsa -des3 -out ca.key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
....+++++
e is 65537 (0x010001)
Enter pass phrase for ca.key.pem:^1234^
Verifying - Enter pass phrase for ca.key.pem:^1234^

Server Private Key
# openssl genrsa -out server.key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........................................+++++
.................................................................................................+++++
e is 65537 (0x010001)

Client Private Key
# openssl genrsa -out client.key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................+++++
..........................+++++
e is 65537 (0x010001)

Root CA Certificate
# openssl req -x509 -new -nodes -key ca.key.pem -sha256 -days 365 -out
ca.cert.pem -subj /C=US/ST=CA/L=Somewhere/O=Someone/CN=FoobarCA
Enter pass phrase for ca.key.pem:^1234^

Server CSR & Certificate
# openssl req -new -sha256 -key server.key.pem -subj
/C=US/ST=CA/L=Somewhere/O=Someone/CN=Foobar -out server.csr

# openssl x509 -req -in server.csr -CA ca.cert.pem -CAkey ca.key.pem
-CAcreateserial -out server.cert.pem -days 365 -sha256
Signature ok
subject=C = US, ST = CA, L = Somewhere, O = Someone, CN = Foobar
Getting CA Private Key
Enter pass phrase for ca.key.pem:^1234^


Client CSR & Certificate
# openssl req -new -sha256 -key client.key.pem -subj
/C=US/ST=CA/L=Somewhere/O=Someone/CN=Foobar -out client.csr

# openssl x509 -req -in client.csr -CA ca.cert.pem -CAkey ca.key.pem
-CAcreateserial -out client.cert.pem -days 365 -sha256
Signature ok
subject=C = US, ST = CA, L = Somewhere, O = Someone, CN = Foobar
Getting CA Private Key
Enter pass phrase for ca.key.pem:^1234^

So we have used Root CA Certificatet as trusted certificate but during
handshake steps we see client reporting "Certificate Unknown'' alert
error message 46?

TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)
Description: Certificate Unknown (46)

Can you please let us know the issue we are doing in creating the
certificates or it can also be some wrong steps / configuration while
compiling the 3.6.0 release?

Regards,
Prakash
--
mbed-tls mailing list -- mbed-tls@lists.trustedfirmware.org
To unsubscribe send an email to mbed-tls-leave@lists.trustedfirmware.org

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.