Hello,

I am trying to incorporate mutual authentication TLS in my hardware. For testing the mutual authentication in TLS, I set up a demo service which requests a client certificate in the TLS handshake. I used MS Edge and Google Chrome to test whether the service requests a client certificate during the TLS 1.2 handshake. When I ping the website, I do receive a request for a client certificate as shown in the image below. On selecting a certificate, I am able to access the website.

Link to the demo service: https://serviceforsomsecurity.azurewebsites.net/

[screenshot of the browser's client certificate prompt]

The above validates that the service requires the client to provide the client certificate during the TLS handshake.

Now, when I test this with the sample mbedTLS ssl_client2.c program: https://github.com/ARMmbed/mbedtls/blob/development/programs/ssl/ssl_client2.c, the client does not send a certificate at all.

The following are the steps that I carry out to test the TLS connection to my service with the sample mbedTLS ssl_client2.exe:
1. Open the mbedTLS.sln and build the ssl_client2 project. This creates an ssl_client2.exe under the Debug folder.

2.  ssl_client2.exe server_name=serviceforsomsecurity.azurewebsites.net server_port=443 debug_level=3 auth_mode=required reconnect=1 crt_file=cert.pem key_file=key.pem ca_file=Digicert.cer force_version=tls1_2

    The above command tests whether the client sends the client certificate during the handshake. Here's the log:

[screenshot of the ssl_client2 debug log]

As you can see, at 3025 the client receives "got no certificate request", followed by "server hello done" at 3157. Then at 2080 & 2094 the client skips writing the certificate during this handshake.


3. Then I tried including the renegotiation flag:

ssl_client2.exe server_name=serviceforsomsecurity.azurewebsites.net server_port=443 debug_level=3 auth_mode=required reconnect=1 crt_file=cert.pem key_file=key.pem ca_file=Digicert.cer force_version=tls1_2 renegotiate=1

Even in this case, the client does not get the certificate and abruptly ends during renegotiation due to a timeout.

I have included both log files below for a complete handshake review (ssl_client_without_renegotiation.txt and ssl_client_with_renegotiation.txt).

Can you please let me know how to debug this client certificate problem? It would really be a great help!

A million thanks in advance.

Regards,
Abhilash
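Added example (not part of the post above, and not mbedTLS code): a small parser for the plaintext TLS 1.2 server flight that answers the one question the ssl_client2 log raises, namely whether the server ever sent a CertificateRequest (handshake type 13). A TLS 1.2 client is only allowed to send its Certificate after receiving that message, so "got no certificate request" followed by "skip write certificate" is the client behaving correctly for the flight it saw, and no crt_file/key_file/auth_mode setting on the client side can change it. The parser reassembles handshake messages across record boundaries and decodes the CertificateRequest body (certificate types, signature algorithms, acceptable CA names) so the two can be compared with what the client is configured to present. The two flights at the bottom are constructed for this example, not captures from any service; the code applies only to the initial, unencrypted handshake, since messages exchanged during a renegotiation are already encrypted and only the library's debug log shows them.

```python
"""Inspect a TLS 1.2 server flight for a CertificateRequest (RFC 5246).

Handles the two framing rules that trip up ad-hoc inspection: one handshake
message may span several records, and one record may carry several messages.
Sample flights at the bottom are constructed for this example (not real traffic).
"""
import struct

HANDSHAKE_RECORD = 22
CERTIFICATE_REQUEST = 13
HANDSHAKE_NAMES = {
    1: "client_hello", 2: "server_hello", 11: "certificate",
    12: "server_key_exchange", 13: "certificate_request",
    14: "server_hello_done", 15: "certificate_verify", 16: "client_key_exchange",
}


def parse_records(data: bytes) -> list:
    """Split raw bytes into (content_type, version, payload) TLS records."""
    records, off = [], 0
    while off < len(data):
        if off + 5 > len(data):
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        off += 5
        payload = data[off:off + length]
        if len(payload) != length:
            raise ValueError("truncated record body")
        records.append((ctype, version, payload))
        off += length
    return records


def parse_handshake_messages(data: bytes) -> list:
    """Return [(handshake_type, body)] reassembled from all handshake records."""
    buf = b"".join(p for ct, _, p in parse_records(data) if ct == HANDSHAKE_RECORD)
    messages, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated handshake header")
        htype = buf[off]
        length = int.from_bytes(buf[off + 1:off + 4], "big")
        off += 4
        body = buf[off:off + length]
        if len(body) != length:
            raise ValueError("truncated handshake message")
        messages.append((htype, body))
        off += length
    return messages


def flight_summary(data: bytes) -> list:
    """Message order by name, for side-by-side comparison with a debug log."""
    return [HANDSHAKE_NAMES.get(t, f"unknown({t})") for t, _ in parse_handshake_messages(data)]


def server_requested_client_cert(data: bytes) -> bool:
    """True only if CertificateRequest is present; otherwise the client must not
    send Certificate, which is what ssl_client2 logs as 'skip write certificate'."""
    return any(t == CERTIFICATE_REQUEST for t, _ in parse_handshake_messages(data))


def decode_certificate_request(body: bytes) -> dict:
    """Decode certificate_types, supported_signature_algorithms and the
    certificate_authorities list (each entry is a DER-encoded DN, left as bytes)."""
    n = body[0]
    types = list(body[1:1 + n])
    off = 1 + n
    sa_len = int.from_bytes(body[off:off + 2], "big")
    off += 2
    sig_algs = [(body[i], body[i + 1]) for i in range(off, off + sa_len, 2)]
    off += sa_len
    ca_len = int.from_bytes(body[off:off + 2], "big")
    off += 2
    cas, end = [], off + ca_len
    while off < end:
        dn_len = int.from_bytes(body[off:off + 2], "big")
        off += 2
        cas.append(body[off:off + dn_len])
        off += dn_len
    return {"certificate_types": types, "signature_algorithms": sig_algs,
            "certificate_authorities": cas}


# --- constructed sample flights (hypothetical, not captured traffic) ---------
def _hs(htype: int, body: bytes) -> bytes:
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def _rec(payload: bytes, ctype: int = HANDSHAKE_RECORD, version: int = 0x0303) -> bytes:
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


SERVER_HELLO = _hs(2, b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00")
CERTIFICATE = _hs(11, b"\x00\x00\x00")              # empty chain; enough for framing
SERVER_KEY_EXCHANGE = _hs(12, b"\x03\x00\x17\x00")  # placeholder ECDHE params
# rsa_sign (1) and ecdsa_sign (64) accepted, sha256/rsa (4,1) only, no CA names
CERT_REQUEST = _hs(13, b"\x02\x01\x40" + b"\x00\x02\x04\x01" + b"\x00\x00")
SERVER_HELLO_DONE = _hs(14, b"")

# Flight A: server asks for a client cert; split mid-message to exercise reassembly.
_a = SERVER_HELLO + CERTIFICATE + SERVER_KEY_EXCHANGE + CERT_REQUEST + SERVER_HELLO_DONE
FLIGHT_WITH_REQUEST = _rec(_a[:50]) + _rec(_a[50:])
# Flight B: no CertificateRequest, so a correctly behaving client sends no Certificate.
FLIGHT_WITHOUT_REQUEST = _rec(SERVER_HELLO + CERTIFICATE + SERVER_KEY_EXCHANGE) + _rec(SERVER_HELLO_DONE)

if __name__ == "__main__":
    for name, flight in (("with request", FLIGHT_WITH_REQUEST), ("without request", FLIGHT_WITHOUT_REQUEST)):
        print(name, flight_summary(flight), "client cert requested:", server_requested_client_cert(flight))
```

To use it on a real initial handshake, feed the server-to-client bytes up to ServerHelloDone (for example exported from a packet capture) to `flight_summary` and `server_requested_client_cert`; if no CertificateRequest appears there, the client log's "skip write certificate" is expected, and the place to look is the server's configuration rather than the client's certificate options.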