Hi Gilles,
Thanks for the quick reply.
I migrated to version 2.16, and I have seen that the same issue is still there. Moreover, we have reseeded the RNG, but the issue is still there.
I created a client and it's working fine; it's able to handshake and send data to the server. The only problem is server communication, where control goes into an infinite loop while creating the server key exchange. As you asked for the call stack of the loop, I am attaching the call stack with this mail.
Please support us.
Thank you.
Regards,
Selin.
On Fri, May 21, 2021 at 5:30 PM mbed-tls-request@lists.trustedfirmware.org wrote:
Message: 1
Date: Thu, 20 May 2021 15:13:54 +0200
From: Gilles Peskine gilles.peskine@arm.com
To: mbed-tls@lists.trustedfirmware.org
Subject: Re: [mbed-tls] Request for Support [Issue : Webserver handshake failing with self-signed certificate]
Message-ID: 93c3cd71-bdc1-c3ec-4bbc-89ff995a8444@arm.com
Content-Type: text/plain; charset=utf-8
Hi Selin,
A possible problem could be a misconfigured random generator. However this is purely speculation. Can you get a stack trace? Finding the root cause requires finding where mbedtls_mpi_cmp_mpi is called.
Please note that Mbed TLS 2.16.3 has known bugs and vulnerabilities. You should upgrade to the latest bug-fixing version of the 2.16 branch, 2.16.10.
-- Gilles Peskine Mbed TLS developer
On 20/05/2021 13:06, Selin Chris via mbed-tls wrote:
Hi,
Thank you for adding me to the mbed-tls mailing list.
We have created a self-signed certificate with an ECC key of MBEDTLS_ECP_DP_SECP256R1 type. Since it is a self-signed certificate, after we send the certificate to Chrome from our web server it shows as not trusted and goes to the page where we need to manually proceed with the acceptance of the certificate to allow further communication. After this we again have to perform the handshake, for which we need to prepare the server key exchange. While preparing the server key exchange we notice that it is infinitely calling the mbedtls_mpi_cmp_mpi() function in bignum.c and the execution is not able to proceed hereafter. Sometimes we also see that when executing the ssl_prepare_server_key_exchange() function in ssl_srv.c we find the ciphersuite_info pointer as null and the program goes into data panic due to that. We have checked our stacks and not seen any sign of corruption.
The mbedtls version that we are using is mbedtls-2.16.3. Please find the attached Wireshark trace during this scenario. The IP 192.168.2.67 corresponds to our webserver and 192.168.2.100 to the PC with the browser.
Please let us know the root-cause of the issue and the actions to be taken to fix this - can you please expedite as this is a blocking issue in our project.
Thanks for the support.
Regards, Selin.
End of mbed-tls Digest, Vol 15, Issue 8