Hi Dmitrij,
(Please note, I've moved this question to the main Mbed TLS list as this is the right place for this kind of question).
I've tested our example ssl_client2 against test.mosquitto.org, using a client certificate & key generated via https://test.mosquitto.org/ssl/index.php, and CA file from https://test.mosquitto.org/. This connects properly using the command line:
./ssl_client2 server_addr=test.mosquitto.org server_port=8884 ca_file=mosquitto.org.crt server_name=test.mosquitto.org crt_file=client.crt key_file=client.key
Similarly, OpenSSL succeeds using the same certificates:
openssl s_client -connect test.mosquitto.org:8884 -CAfile mosquitto.org.crt -servername test.mosquitto.org -cert client.crt -key client.key
However, if I omit the client key (i.e. remove "-key client.key"), Mbed TLS fails in the manner you describe. It looks like you are not supplying the client key?
Regards
Dave Rodgman
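As an added illustration of the point above (this is not code from the thread or from the Mbed TLS project): a pre-flight check that the client certificate and key handed to ssl_client2 as crt_file=/key_file= are both present and actually belong together, since a certificate configured without its key is exactly the case that fails. It assumes the openssl CLI is installed and builds its own self-signed test pair rather than using the mosquitto.org files.

```shell
#!/bin/sh
# Added example (not from the thread or the Mbed TLS project): pre-flight check
# of the client credentials before passing them as crt_file=/key_file= to
# ssl_client2 or to mbedtls_ssl_conf_own_cert(). Assumes the openssl CLI.
set -eu

# SHA-256 fingerprint of the public key inside an X.509 certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# The same fingerprint, derived from a private key file.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# client_creds_ok CRT KEY: 0 when both files exist and the key belongs to the
# certificate; otherwise the reason goes to stderr and the status is 1.
client_creds_ok() {
    crt=$1; key=$2
    [ -f "$crt" ] || { echo "crt_file '$crt' not found" >&2; return 1; }
    [ -f "$key" ] || { echo "key_file '$key' not found: a client cert without its key cannot finish the handshake" >&2; return 1; }
    [ "$(cert_pubkey_fp "$crt")" = "$(key_pubkey_fp "$key")" ] \
        || { echo "key_file '$key' does not match crt_file '$crt'" >&2; return 1; }
}

# make_test_pair DIR NAME: constructed self-signed test material (not the
# mosquitto.org files); writes DIR/NAME.crt and DIR/NAME.key.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Demo: a matching pair passes; a foreign key and a missing key are rejected
# before any connection to test.mosquitto.org would be attempted.
demo() {
    d=$(mktemp -d)
    make_test_pair "$d" client
    make_test_pair "$d" other
    client_creds_ok "$d/client.crt" "$d/client.key" && echo "client pair OK"
    client_creds_ok "$d/client.crt" "$d/other.key" || echo "rejected: wrong key"
    client_creds_ok "$d/client.crt" "$d/missing.key" || echo "rejected: no key"
    rm -rf "$d"
}
demo
```

Run it once with the real client.crt/client.key before starting ssl_client2; a "not found" or "does not match" line points at the credential problem rather than at the TLS stack.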
On 21/02/2022, 10:55, "Dmitrij Shabroff via Mbed-tls-announce via mbed-tls" mbed-tls@lists.trustedfirmware.org wrote:
Good day
Please answer my questions - there is very little literature on the topic. I do not know what to do.
I have dealt with the message [2:40] issue. I did not enroll the user certificate using:
if((ret = mbedtls_ssl_conf_own_cert(&conf, &clicert, &pkey))!= 0)
and this certificate was not transmitted. Now I have taken it a step further, the certificate is successfully transferred and the server does not break the connection. I switched to TLS 1.3.

But in your examples, I see the use of two certificates:
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
ret = mbedtls_ssl_conf_own_cert( &conf, &clicert, &pkey );
And also the key:
ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_cli_key, mbedtls_test_cli_key_len, NULL, 0, rng_get, &rng );
In my version, I only have a client certificate. I am working with https://test.mosquitto.org/
Would you advise where to get the missing certificates and where to get the key for the mbedtls_pk_parse_key function?

Now in both functions I use the same certificate and a PCA key from the example. I get a message:
..\Src\mbedTLS\library\ssl_msg.c:4645:got an alert message, type: [2:51]
..\Src\mbedTLS\library\ssl_msg.c:4653:is a fatal alert message (msg 51)
..\Src\mbedTLS\library\ssl_msg.c:3763:mbedtls_ssl_handle_message_type() returned -30592 (-0x7780)
..\Src\mbedTLS\library\ssl_msg.c:4771:mbedtls_ssl_read_record() returned -30592 (-0x7780)
Sincerely, Shabrov Dmitry
> Monday, 7 February 2022, 16:28 +03:00 from B Mahesh via Mbed-tls-announce via mbed-tls mbed-tls@lists.trustedfirmware.org:
>
> Hi,
>
> *Problem description:*
>
> Trying to run example https://github.com/ARMmbed/mbedtls/blob/master/programs/ssl/ssl_server2.c .
>
> Updated ssl_server2 port to listen on 7777 for incoming client request, ssl_server2 will be waiting for remote connection continuously.
>
> There was no client request for connection on this port, but still server is getting some spurious connection request and goes for handshake and fails with below error code.
>
> Error code: mbedtls_ssl_handshake returned error -30976
>
> *Steps to reproduce:*
>
> 1. start ssl_server2 program
> 2. Monitor for ssl_server2 connection waiting, observe ssl_server2 will accept spurious connection request and goes for handshake and fails with above mentioned error code.
>
> *Expected behavior:*
> ssl_server2 wait for remote connection infinitely and connect to valid client request and perform handshake every time.
>
> *Actual behavior:*
> Occasionally ssl_server2 will accept spurious connection request and goes for handshake and fails with below error code.
>
> Error code:
> mbedtls_ssl_handshake returned error -30976 on ssl_server2
>
> *Analysis:*
>
> As per below logs what we understand is ssl_server2 will accept spurious connection request and goes for handshake and fails with error code -30796, MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO on ssl_server2 side.
>
> Can you please help us to understand this behavior?
>
> What could be the reason for ssl_server2 to connect to a spurious connection request?, as mentioned above there was no client request for connection on this ssl_server2 port (7777).
>
> We have tried this on other SERVER_PORT as well.
>
> *Logs Snippet:*
> *==========*
>
> . Seeding the random number generator... ok
> . Loading the CA root certificate ... ok (0 skipped)
> . Loading the server cert. and key... ok
> . Bind on tcp://*:7777/ ... ok
> . Setting up the SSL/TLS structure... ok
> . Waiting for a remote connection ...ok
> . Performing the SSL/TLS handshake... failed
> ! mbedtls_ssl_handshake returned -0x7900
>
> Last error was: -30976 - SSL - Processing of the ClientHello handshake message failed
>
> . Waiting for a remote connection ... ok
> . Performing the SSL/TLS handshake... failed
> ! mbedtls_ssl_handshake returned -0x7900
>
> Last error was: -30976 - SSL - Processing of the ClientHello handshake message failed
>
> . Waiting for a remote connection ... ok
> . Performing the SSL/TLS handshake... failed
> ! mbedtls_ssl_handshake returned -0x7900
>
> Last error was: -30976 - SSL - Processing of the ClientHello handshake message failed
>
> Regards
> Mahesh
> --
> Mbed-tls-announce mailing list -- mbed-tls-announce@lists.trustedfirmware.org
> To unsubscribe send an email to mbed-tls-announce-leave@lists.trustedfirmware.org
> --
> mbed-tls mailing list -- mbed-tls@lists.trustedfirmware.org
> To unsubscribe send an email to mbed-tls-leave@lists.trustedfirmware.org
Good day

Thanks for the answer. I have already resolved this issue. I used to connect to the server without having a client certificate. In fact, I did not need this mode. I connected to port 8883 with one CA certificate. Everything is working properly. I switched to TLS 1.3 and everything also works properly, as I wrote about 5 days ago. Thank you very much for participating because I was confused.

Sincerely, Shabrov Dmitry
Wednesday, 23 February 2022, 23:42 +08:00 from Dave Rodgman dave.rodgman@arm.com:
Hi Dmitrij,