Hi Dmitrij,
(Please note, I've moved this question to the main Mbed TLS list as this is the right place for this kind of question).
I've tested our example ssl_client2 against test.mosquitto.org, using a client certificate & key generated via
https://test.mosquitto.org/ssl/index.php, and CA file from
https://test.mosquitto.org/. This connects properly using the command line:
./ssl_client2 server_addr=test.mosquitto.org server_port=8884 ca_file=mosquitto.org.crt server_name=test.mosquitto.org crt_file=client.crt key_file=client.key
Similarly, OpenSSL succeeds using the same certificates:
openssl s_client -connect test.mosquitto.org:8884 -CAfile mosquitto.org.crt -servername test.mosquitto.org -cert client.crt -key client.key
However, if I omit the client key (i.e. remove "-key client.key"), Mbed TLS fails in the manner you describe. It looks like you are not supplying the client key?
Regards
Dave Rodgman
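As an added triage helper (not code from this thread or from the Mbed TLS project), the following decodes the `got an alert message, type: [2:51]` and `returned -30592 (-0x7780)` lines in the debug output quoted below into TLS alert names and Mbed TLS error-code names. The alert names follow the RFC 5246 / RFC 8446 alert registry, the error-code names are taken from the Mbed TLS 2.x ssl.h, and the operator hints are an assumption about the most common cause of each alert on the client side.

```python
import re

# Alert descriptions from the TLS alert registry (RFC 5246 / RFC 8446).
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
              51: "decrypt_error", 116: "certificate_required"}

# Mbed TLS error codes seen in the thread (names from Mbed TLS 2.x ssl.h).
MBEDTLS_ERRORS = {-0x7780: "MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE",
                  -0x7900: "MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO"}

# Assumed operator hints: what a fatal alert of this type usually means for
# the client's own certificate/key configuration.
CLIENT_HINTS = {
    40: "server rejected the handshake; check that a client certificate and its "
        "key are configured with mbedtls_ssl_conf_own_cert",
    51: "server could not verify the client's CertificateVerify signature; the "
        "private key does not match the client certificate",
    116: "server requires a client certificate and none was sent",
}

ALERT_RE = re.compile(r"got an alert message, type: \[(\d+):(\d+)\]")
ERROR_RE = re.compile(r"returned (-?(?:0x[0-9a-fA-F]+|\d+))")

def decode_mbedtls_debug(lines):
    """Extract ('alert', code, name, level) and ('error', code, name, None) tuples."""
    findings = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            level, desc = int(m.group(1)), int(m.group(2))
            findings.append(("alert", desc, TLS_ALERTS.get(desc, "unknown"),
                             "fatal" if level == 2 else "warning"))
            continue
        m = ERROR_RE.search(line)
        if m:
            code = int(m.group(1), 0)  # base 0 accepts both -30592 and -0x7780
            findings.append(("error", code, MBEDTLS_ERRORS.get(code, "unknown"), None))
    return findings

def diagnose(lines):
    """Return the operator hint for the first fatal alert found, or None."""
    for kind, code, _name, level in decode_mbedtls_debug(lines):
        if kind == "alert" and level == "fatal" and code in CLIENT_HINTS:
            return CLIENT_HINTS[code]
    return None

# Constructed sample: the debug lines quoted in the thread, copied as-is.
SAMPLE_LOG = [
    r"..\Src\mbedTLS\library\ssl_msg.c:4645:got an alert message, type: [2:51]",
    r"..\Src\mbedTLS\library\ssl_msg.c:4653:is a fatal alert message (msg 51)",
    r"..\Src\mbedTLS\library\ssl_msg.c:3763:mbedtls_ssl_handle_message_type() returned -30592 (-0x7780)",
]
```

Run `diagnose(SAMPLE_LOG)` to get the hint for the decrypt_error alert; the same decoder handles the `returned -0x7900` lines from the ssl_server2 log further down.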
On 21/02/2022, 10:55, "Dmitrij Shabroff via Mbed-tls-announce via mbed-tls" <mbed-tls@lists.trustedfirmware.org> wrote:
Good day
Please answer my questions - there is very little literature on the topic. I do not know what to do.
I have dealt with the message [2:40] issue. I did not enroll the user certificate using:
if((ret = mbedtls_ssl_conf_own_cert(&conf, &clicert, &pkey))!= 0)
and this certificate was not transmitted. Now I have taken it a step further, the certificate is successfully transferred and the server does not break the connection. I switched to TLS 1.3.
----------------------------------------------------------------------
But in your examples, I see the use of two certificates:
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
ret = mbedtls_ssl_conf_own_cert( &conf, &clicert, &pkey );
And also the key:
ret = mbedtls_pk_parse_key( &pkey,
(const unsigned char *) mbedtls_test_cli_key,
mbedtls_test_cli_key_len, NULL, 0, rng_get, &rng );
In my version, I only have a client certificate. I am working with
https://test.mosquitto.org/. Would you advise where to get the missing certificates and where to get the key for the mbedtls_pk_parse_key function?
----------------------------------------------------------------------
Now in both functions I use the same certificate and a PCA key from the example. I get a message:
..\Src\mbedTLS\library\ssl_msg.c:4645:got an alert message, type: [2:51]
..\Src\mbedTLS\library\ssl_msg.c:4653:is a fatal alert message (msg 51)
..\Src\mbedTLS\library\ssl_msg.c:3763:mbedtls_ssl_handle_message_type() returned -30592 (-0x7780)
..\Src\mbedTLS\library\ssl_msg.c:4771:mbedtls_ssl_read_record() returned -30592 (-0x7780)
Sincerely,
Shabrov Dmitry
>Monday, 7 February 2022, 16:28 +03:00 from B Mahesh via Mbed-tls-announce via mbed-tls <mbed-tls@lists.trustedfirmware.org>:
>
>Hi,
>
>*Problem description:*
>
>Trying to run example
>https://github.com/ARMmbed/mbedtls/blob/master/programs/ssl/ssl_server2.c .
>
>Updated ssl_server2 port to listen on 7777 for incoming client requests;
>ssl_server2 will be waiting for remote connections continuously.
>
>There was no client request for connection on this port, but still the server
>is getting some spurious connection request, goes for handshake and
>fails with the below error code.
>
>Error code: mbedtls_ssl_handshake returned error -30976
>
>*Steps to reproduce:*
>
> 1. Start the ssl_server2 program.
> 2. Monitor ssl_server2 while it waits for a connection; observe that ssl_server2 will
>    accept a spurious connection request, go for handshake and fail with the
>    above-mentioned error code.
>
>*Expected behavior:*
>ssl_server2 waits for remote connections infinitely, connects to valid
>client requests and performs the handshake every time.
>
>*Actual behavior:*
>Occasionally ssl_server2 will accept a spurious connection request, go
>for handshake and fail with the below error code.
>
>Error code:
>mbedtls_ssl_handshake returned error -30976 on ssl_server2
>
>*Analysis:*
>
>As per the below logs, what we understand is that ssl_server2 will accept a spurious
>connection request, go for handshake and fail with error code
>-30796, MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO,
>on the ssl_server2 side.
>
>Can you please help us to understand this behavior?
>
>What could be the reason for ssl_server2 to connect to a spurious
>connection request? As mentioned above, there was no client request for
>connection on this ssl_server2 port (7777).
>
>We have tried this on other SERVER_PORT values as well.
>
>*Logs snippet:*
>
> . Seeding the random number generator... ok
> . Loading the CA root certificate ... ok (0 skipped)
> . Loading the server cert. and key... ok
> . Bind on tcp://*:7777/ ... ok
> . Setting up the SSL/TLS structure... ok
> . Waiting for a remote connection ...ok
> . Performing the SSL/TLS handshake... failed
> ! mbedtls_ssl_handshake returned -0x7900
>
>Last error was: -30976 - SSL - Processing of the ClientHello handshake
>message failed
>
> . Waiting for a remote connection ... ok
> . Performing the SSL/TLS handshake... failed
> ! mbedtls_ssl_handshake returned -0x7900
>
>Last error was: -30976 - SSL - Processing of the ClientHello handshake
>message failed
>
> . Waiting for a remote connection ... ok
> . Performing the SSL/TLS handshake... failed
> ! mbedtls_ssl_handshake returned -0x7900
>
>Last error was: -30976 - SSL - Processing of the ClientHello handshake
>message failed
>
>Regards
>Mahesh