Hi Jeff,
if you don't want to provision a client certificate in your TLS client, all you have to do is to not call `mbedtls_ssl_conf_own_cert()` in your client code. Then the library will send an empty certificate list as required by the standard.
Actually in the example code you have, if you look at the second and third argument in the call to `mbedtls_ssl_conf_own_cert()`, you should be able to remove all references to those arguments, and end up with a functional example without client certificates.
Also, you might want to have a look at this example from our source, which is a simple client without client-side certificates: https://github.com/ARMmbed/mbedtls/blob/development/programs/ssl/ssl_client1...
Hope that helps, Manuel.
________________________________
From: mbed-tls <mbed-tls-bounces@lists.trustedfirmware.org> on behalf of Thompson, Jeff via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Sent: 22 June 2020 16:03
To: 'mbed-tls@lists.trustedfirmware.org' <mbed-tls@lists.trustedfirmware.org>
Subject: [mbed-tls] Using mbed without a client certificate
I'm using:
    #define MBEDTLS_VERSION_NUMBER 0x020D0100
    #define MBEDTLS_VERSION_STRING "2.13.1"
    #define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.13.1"
According to RFC5246:
If no suitable certificate is available, the client MUST send a certificate message containing no certificates. That is, the certificate_list structure has a length of zero.
How do I do this with mbedTLS? The example code I have has certificates in it and calls mbedtls_x509_crt_parse(), which wants a list of certificates and will reject a zero-length list.
Jeff Thompson | Senior Electrical Engineer-Firmware +1 704 752 6513 x1394 www.invue.com
Manuel,
Thank you for the reply! This solution has been very hard to come by. For the sake of neophytes like me, it would be nice to have a user guide as well as the Doxygen-generated reference manual, so that developers can learn how to put the functions together, as well as how to satisfy the requirements of each function.
Here's how my code now looks, followed by the debug output. The call to https_client_tls_xchg is what NXP provided in their example, lwip_httpscli_mbedTLS_freertos. I've added my own code to pass in the HTTPS from a queue of requests, as well as my own write_request and read_request handlers.
It seems that I'm not getting past the point where the server's certificate gets verified. In a previous version, we were using Firebase, and everything went well, even with the client certificate. Now that we're using googleapis.com, it's failing. Postman and browser queries run from a PC do work, so I'm suspecting I don't have a good CA certificate chain.
    static int _iot_tls_verify_cert(void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags)
    {
        char buf[1024];
        ((void)data);

        HTTPS_DEBUG_NORMAL("\nVerify requested for (Depth %d):\n", depth);
        mbedtls_x509_crt_info(buf, sizeof(buf) - 1, "", crt);
        HTTPS_DEBUG_NORMAL("%s", buf);

        if ((*flags) == 0) {
            HTTPS_DEBUG_NORMAL(" This certificate has no flags\n");
        } else {
            /* Decode the verification flags into text before printing them */
            mbedtls_x509_crt_verify_info(buf, sizeof(buf), " ! ", *flags);
            HTTPS_DEBUG_NORMAL("%s\n", buf);
        }

        return 0;
    }
    #ifdef MBEDTLS_DEBUG_C
    static void my_debug(void *ctx, int level, const char *file, int line, const char *str)
    {
        ((void)level);

        HTTPS_DEBUG_NORMAL("\r\n%s, at line %d in file %s\n", str, line, file);
    }
    #endif

    #undef USE_CLIENT_CERT
    int https_client_tls_xchg( CLOUD_OUT_MSG_Q_ITEM* item )
    {
        int ret = 0;
        const char *pers = "aws_iot_tls_wrapper";
        char vrfy_buf[512];
        bool ServerVerificationFlag = false;
        const mbedtls_md_info_t *md_info;
        char* hostNameLoc = strstr(item->messageHeader, "Host: ");
        char* hostNameEnd = NULL;

    #ifdef MBEDTLS_DEBUG_C
        unsigned char buf[MBEDTLS_SSL_MAX_CONTENT_LEN + 1];
    #endif

        // find and copy host name from message header to httpsServerName
        if( NULL == hostNameLoc ) {
            HTTPS_DEBUG_NORMAL( "\r\n Host name identifier not found\r\n" );
            return FAILURE;
        }
        else if (NULL == (hostNameLoc = strpbrk(hostNameLoc, " ")) ) {
            HTTPS_DEBUG_NORMAL( "\r\n Host name space delimiter not found\r\n");
            return FAILURE;
        }
        else if( NULL == (hostNameEnd = strpbrk(hostNameLoc += 1, "\r\n")) ) {
            HTTPS_DEBUG_NORMAL( "\r\n Host name end not found\r\n" );
            return FAILURE;
        }
        memcpy( httpsServerName, hostNameLoc, hostNameEnd - hostNameLoc);
        httpsServerName[ hostNameEnd - hostNameLoc ] = 0;

        mbedtls_ssl_init(&(tlsDataParams.ssl));
        mbedtls_ssl_config_init(&(tlsDataParams.conf));
        mbedtls_hmac_drbg_init(&(tlsDataParams.hmac_drbg));
        mbedtls_x509_crt_init(&(tlsDataParams.cacert));
    #if USE_CLIENT_CERT
        mbedtls_x509_crt_init(&(tlsDataParams.clicert));
    #endif //USE_CLIENT_CERT
        mbedtls_pk_init(&(tlsDataParams.pkey));

    #if defined(MBEDTLS_DEBUG_C)
        /* Enable debug output of mbedtls */
        mbedtls_ssl_conf_dbg(&(tlsDataParams.conf), my_debug, NULL);
        mbedtls_debug_set_threshold(DEBUG_LEVEL);
    #endif

        HTTPS_DEBUG_NORMAL("\n . Seeding the random number generator...");
        mbedtls_entropy_init(&(tlsDataParams.entropy));
        md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
        if ((ret = mbedtls_hmac_drbg_seed(&(tlsDataParams.hmac_drbg), md_info, mbedtls_entropy_func,
                                          &(tlsDataParams.entropy), (const unsigned char *)pers,
                                          strlen(pers))) != 0) {
            HTTPS_DEBUG_NORMAL(" failed\n ! mbedtls_hmac_drbg_seed returned -%x\n", -ret);
            return NETWORK_MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED;
        }

        HTTPS_DEBUG_NORMAL("\n . Loading the CA root certificate ...");
        ret = mbedtls_x509_crt_parse(&(tlsDataParams.cacert), (const unsigned char *)mbedtls_test_ca_crt,
                                     mbedtls_test_ca_crt_len);
        if (ret < 0) {
            HTTPS_DEBUG_NORMAL(" failed\n ! mbedtls_x509_crt_parse returned -%x while parsing root cert\n\n", -ret);
            return NETWORK_X509_ROOT_CRT_PARSE_ERROR;
        }
        HTTPS_DEBUG_NORMAL(" ok (%d skipped)\n", ret);
    #if USE_CLIENT_CERT
        HTTPS_DEBUG_NORMAL(" . Loading the client cert and key...");
        ret = mbedtls_x509_crt_parse(&(tlsDataParams.clicert), (const unsigned char *)mbedtls_test_cli_crt,
                                     mbedtls_test_cli_crt_len);
        if (ret != 0) {
            HTTPS_DEBUG_NORMAL(" failed\n ! mbedtls_x509_crt_parse returned -%x while parsing device cert\n\n", -ret);
            return NETWORK_X509_DEVICE_CRT_PARSE_ERROR;
        }

        ret = mbedtls_pk_parse_key(&(tlsDataParams.pkey), (const unsigned char *)mbedtls_test_cli_key,
                                   mbedtls_test_cli_key_len, NULL, 0);
        if (ret != 0) {
            HTTPS_DEBUG_NORMAL(" failed\n ! mbedtls_pk_parse_key returned -%x while parsing private key\n\n", -ret);
            return NETWORK_PK_PRIVATE_KEY_PARSE_ERROR;
        }
        HTTPS_DEBUG_NORMAL(" ok\n");
    #endif //USE_CLIENT_CERT

        HTTPS_DEBUG_NORMAL("\nConnecting to %s/%s", httpsServerName, HTTPS_SERVER_PORT);

        struct addrinfo hints;
        struct addrinfo *res;
        memset(&hints, 0, sizeof(struct addrinfo));
        hints.ai_family = AF_INET;
        hints.ai_socktype = SOCK_STREAM;
        hints.ai_flags = AI_PASSIVE;

        ret = getaddrinfo(httpsServerName, HTTPS_SERVER_PORT, &hints, &res);
        if ((ret != 0) || (res == NULL)) {
            return NETWORK_ERR_NET_UNKNOWN_HOST;
        }

        tlsDataParams.fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
        if (tlsDataParams.fd < 0) {
            return NETWORK_ERR_NET_SOCKET_FAILED;
        }

        ret = connect(tlsDataParams.fd, res->ai_addr, res->ai_addrlen);

        freeaddrinfo(res);

        if (ret != 0) {
            close(tlsDataParams.fd);
            return NETWORK_ERR_NET_CONNECT_FAILED;
        }

        HTTPS_DEBUG_NORMAL("\n . Setting up the SSL/TLS structure...");
        if ((ret = mbedtls_ssl_config_defaults(&(tlsDataParams.conf), MBEDTLS_SSL_IS_CLIENT,
                                               MBEDTLS_SSL_TRANSPORT_STREAM,
                                               MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
            HTTPS_DEBUG_NORMAL(" failed\n ! mbedtls_ssl_config_defaults returned -%x\n\n", -ret);
            return SSL_CONNECTION_ERROR;
        }

        mbedtls_ssl_conf_verify(&(tlsDataParams.conf), _iot_tls_verify_cert, NULL);
        if (ServerVerificationFlag == true) {
            mbedtls_ssl_conf_authmode(&(tlsDataParams.conf), MBEDTLS_SSL_VERIFY_REQUIRED);
        } else {
            mbedtls_ssl_conf_authmode(&(tlsDataParams.conf), MBEDTLS_SSL_VERIFY_OPTIONAL);
        }
        mbedtls_ssl_conf_rng(&(tlsDataParams.conf), mbedtls_hmac_drbg_random, &(tlsDataParams.hmac_drbg));

        mbedtls_ssl_conf_ca_chain(&(tlsDataParams.conf), &(tlsDataParams.cacert), NULL);
    #if USE_CLIENT_CERT
        if ((ret = mbedtls_ssl_conf_own_cert(&(tlsDataParams.conf), &(tlsDataParams.clicert),
                                             &(tlsDataParams.pkey))) != 0) {
            HTTPS_DEBUG_NORMAL(" failed\n ! mbedtls_ssl_conf_own_cert returned -%x\n\n", -ret);
            return SSL_CONNECTION_ERROR;
        }
    #endif //USE_CLIENT_CERT
        if ((ret = mbedtls_ssl_setup(&(tlsDataParams.ssl), &(tlsDataParams.conf))) != 0) {
            HTTPS_DEBUG_NORMAL(" failed\n ! mbedtls_ssl_setup returned -%x\n\n", -ret);
            return SSL_CONNECTION_ERROR;
        }
        if ((ret = mbedtls_ssl_set_hostname(&(tlsDataParams.ssl), httpsServerName)) != 0) {
            HTTPS_DEBUG_NORMAL(" failed\n ! mbedtls_ssl_set_hostname returned -%x\n\n", -ret);
            return SSL_CONNECTION_ERROR;
        }
        HTTPS_DEBUG_NORMAL("\n\nSSL state connect : %d ", tlsDataParams.ssl.state);

        mbedtls_ssl_set_bio(&(tlsDataParams.ssl), &(tlsDataParams.fd), lwipSend,
                            (mbedtls_ssl_recv_t *)lwipRecv, NULL);

        HTTPS_DEBUG_NORMAL(" ok\n");
        HTTPS_DEBUG_NORMAL("\n\nSSL state connect : %d ", tlsDataParams.ssl.state);
        HTTPS_DEBUG_NORMAL("\n . Performing the SSL/TLS handshake...");
        while ((ret = mbedtls_ssl_handshake(&(tlsDataParams.ssl))) != 0) {
            if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
                HTTPS_DEBUG_NORMAL(" failed\n ! mbedtls_ssl_handshake returned -%x\n", -ret);
                if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
                    HTTPS_DEBUG_NORMAL(
                        "\n Unable to verify the server's certificate. "
                        "\n Alternatively, you may want to use "
                        "\n auth_mode=optional for testing purposes.\n");
                }
                return SSL_CONNECTION_ERROR;
            }
        }

        HTTPS_DEBUG_NORMAL(" ok\n [ Protocol is %s ]\n [ Ciphersuite is %s ]\n",
                           mbedtls_ssl_get_version(&(tlsDataParams.ssl)),
                           mbedtls_ssl_get_ciphersuite(&(tlsDataParams.ssl)));
        if ((ret = mbedtls_ssl_get_record_expansion(&(tlsDataParams.ssl))) >= 0) {
            HTTPS_DEBUG_NORMAL(" [ Record expansion is %d ]\n", ret);
        } else {
            HTTPS_DEBUG_NORMAL(" [ Record expansion is unknown (compression) ]\n");
        }

        HTTPS_DEBUG_NORMAL("\n . Verifying peer X.509 certificate...");

        if (ServerVerificationFlag == true) {
            if ((tlsDataParams.flags = mbedtls_ssl_get_verify_result(&(tlsDataParams.ssl))) != 0) {
                HTTPS_DEBUG_NORMAL(" failed\n");
                mbedtls_x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), " ! ", tlsDataParams.flags);
                HTTPS_DEBUG_NORMAL("%s\n", vrfy_buf);
                ret = SSL_CONNECTION_ERROR;
            } else {
                HTTPS_DEBUG_NORMAL(" ok\n");
                ret = SUCCESS;
            }
        } else {
            HTTPS_DEBUG_NORMAL(" Server Verification skipped\n");
            ret = SUCCESS;
        }

    #ifdef MBEDTLS_DEBUG_C
        if (mbedtls_ssl_get_peer_cert(&(tlsDataParams.ssl)) != NULL) {
            HTTPS_DEBUG_NORMAL(" . Peer certificate information ...\n");
            mbedtls_x509_crt_info((char *)buf, sizeof(buf) - 1, " ",
                                  mbedtls_ssl_get_peer_cert(&(tlsDataParams.ssl)));
            HTTPS_DEBUG_NORMAL("%s\n", buf);
        }
    #endif

        mbedtls_ssl_conf_read_timeout(&(tlsDataParams.conf), IOT_SSL_READ_TIMEOUT);

        if( (ret = write_request( &item )) > 0 ) {
            ret = read_request();
            HTTPS_DEBUG_VERBOSE( "%s %d read_request ret %d\r\n", __FUNCTION__, __LINE__, ret );
        } else {
            HTTPS_DEBUG_VERBOSE( "%s %d write_request ret %d\r\n", __FUNCTION__, __LINE__, ret );
        }

        https_client_tls_release();

        return ret;
    }
    newInstallationCode '16662'
    Initializing PHY...
    Link UP 100 MBit Full duplex
    Getting IP address from DHCP...
    DHCP_STATE_BOUND
    hostCNameTask Looking up CName for '16662.lb.invue-am.com'
    IPv4 Address : 192.168.180.78
    IPv4 Netmask : 255.255.255.0
    IPv4 Gateway : 192.168.180.1
    hostCNameTask CName 'dev-ir4-sso.invue-am.com'
    hostCNameTask Looking up CName for '16662.lb.invue-am.com'
    hostCNameTask CName 'dev-ir4-sso.invue-am.com'
    AM_task AMMessageHeader "GET /embeddedv1/config/kas/0203cc1fc4040006?kasFirmware=019306232020082100 HTTP/1.1
    User-Agent: mbedTLS 2.13.1
    Accept: */*
    Cache-Control: no-cache
    Host: dev-ir4-sso.invue-am.com
    Accept-Encoding: identity
    Connection: keep-alive

    "
    transmitting config request
    . Seeding the random number generator...
    . Loading the CA root certificate ... ok (0 skipped)

    Connecting to dev-ir4-sso.invue-am.com/443
    . Setting up the SSL/TLS structure...

    SSL state connect : 0 ok

    SSL state connect : 0
    . Performing the SSL/TLS handshake...
    Verify requested for (Depth 1):
    cert. version : 3
    serial number : 01:E3:B4:9D:77:CD:F4:0C:06:19:16:B6:E3
    issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
    subject name : C=US, O=Google Trust Services, CN=GTS CA 1D2
    issued on : 2017-06-15 00:00:42
    expires on : 2021-12-15 00:00:42
    signed using : RSA with SHA-256
    RSA key size : 2048 bits
    basic constraints : CA=true, max_pathlen=0
    key usage : Digital Signature, Key Cert Sign, CRL Sign
    ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
    cert. version : 3
    serial number : 01:E3:B4:9D:77:CD:F4:0C:06:19:16:B6:E3
    issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
    subject name : C=US, O=Google Trust Services, CN=GTS CA 1D2
    issued on : 2017-06-15 00:00:42
    expires on : 2021-12-15 00:00:42
    signed using : RSA with SHA-256
    RSA key size : 2048 bits
    basic constraints : CA=true, max_pathlen=0
    key usage : Digital Signature, Key Cert Sign, CRL Sign
    ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
    cert. version : 3
    serial number : 01:E3:B4:9D:77:CD:F4:0C:06:19:16:B6:E3
    issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
    subject name : C=US, O=Google Trust Services, CN=GTS CA 1D2
    issued on : 2017-06-15 00:00:42
    expires on : 2021-12-15 00:00:42
    signed using : RSA with SHA-256
    RSA key size : 2048 bits
    basic constraints : CA=true, max_pathlen=0
    key usage : Digital Signature, Key Cert Sign, CRL Sign
    ext key usage : TLS Web Server Authentication, TLS Web Client Authentication

    Verify requested for (Depth 0):
    cert. version : 3
    serial number : D1:B2:1B:04:84:E5:BF:5D:0A:00:00:00:00:34:93:20
    issuer name : C=US, O=Google Trust Services, CN=GTS CA 1D2
    subject name : CN=dev-ir4-sso.invue-am.com
    issued on : 2020-05-15 18:33:44
    expires on : 2020-08-13 18:33:44
    signed using : RSA with SHA-256
    RSA key size : 2048 bits
    basic constraints : CA=false
    subject alt name : dev-ir4-sso.invue-am.com
    key usage : Digital Signature, Key Encipherment
    ext key usage : TLS Web Server Authentication
    This certificate has no flags

    x509_verify_cert() returned -9984 (-0x2700)
    , at line 5713 in file .ssl_tls.c
    ok
    [ Protocol is TLSv1.2 ]
    [ Ciphersuite is TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 ]
    [ Record expansion is 29 ]

    . Verifying peer X.509 certificate... Server Verification skipped
    . Peer certificate information ...
    cert. version : 3
    serial number : D1:B2:1B:04:84:E5:BF:5D:0A:00:00:00:00:34:93:20
    issuer name : C=US, O=Google Trust Services, CN=GTS CA 1D2
    subject name : CN=dev-ir4-sso.invue-am.com
    issued on : 2020-05-15 18:33:44
    expires on : 2020-08-13 18:33:44
    signed using : RSA with SHA-256
    RSA key size : 2048 bits
    basic constraints : CA=false
    subject alt name : dev-ir4-sso.invue-am.com
    key usage : Digital Signature, Key Encipherment
    ext key usage : TLS Web Server Authentication
    Write to server: 'GET /embeddedv1/config/kas/0203cc1fc4040006?kasFirmware=019306232020082100 HTTP/1.1
    User-Agent: mbedTLS 2.13.1
    Accept: */*
    Cache-Control: no-cache
    Host: dev-ir4-sso.invue-am.com
    Accept-Encoding: identity
    Connection: keep-alive

    '
    236 bytes written

    GET /embeddedv1/config/kas/0203cc1fc4040006?kasFirmware=019306232020082100 HTTP/1.1
    User-Agent: mbedTLS 2.13.1
    Accept: */*
    Cache-Control: no-cache
    Host: dev-ir4-sso.invue-am.com
    Accept-Encoding: identity
    Connection: keep-alive

    read_request 197
    Header: 'HTTP/1.1 200 OK
    access-control-allow-origin: *
    x-dns-prefetch-control: off
    x-frame-options: SAMEORIGIN
    strict-transport-security: max-age=15552000; includeSubDomains
    x-download-options: noopen
    x-content-type-options: nosniff
    x-xss-protection: 1; mode=block
    content-type: application/octet-stream; charset=utf-8
    etag: W/"62-1uAAylrO8FBct649sAnpL0iMgmc"
    Date: Tue, 23 Jun 2020 12:33:58 GMT
    Server: Google Frontend
    Content-Length: 98'
    HTTPS REQUEST OK
    processIncomingMessages, AM message processing takes place here
    processEthMsg_hdrRev1 hdrHdr.messageHeaderRev 1 hdrHdr.productId 0203 hdrHdr.productMsgTokenRev 01 flags 01 msgToken 16 status 00
    ==============================================
    ---> COMMAND msgTkn_kasFirmwareURL_e msg received.
    processEthMsg_hdrRev1 Outgoing downloadRequestHeader "GET /ir4-kas-firmware/019306042020102700Application.bin HTTP/1.1
    User-Agent: mbedTLS 2.13.1
    Accept: */*
    Cache-Control: no-cache
    Host: storage.googleapis.com
    Accept-Encoding: identity
    Connection: keep-alive

    "
    . Seeding the random number generator...
    . Loading the CA root certificate ... ok (0 skipped)

    Connecting to storage.googleapis.com/443
    . Setting up the SSL/TLS structure...

    SSL state connect : 0 ok

    SSL state connect : 0
    . Performing the SSL/TLS handshake...
    Verify requested for (Depth 1):
    cert. version : 3
    serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
    issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
    subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
    issued on : 2017-06-15 00:00:42
    expires on : 2021-12-15 00:00:42
    signed using : RSA with SHA-256
    RSA key size : 2048 bits
    basic constraints : CA=true, max_pathlen=0
    key usage : Digital Signature, Key Cert Sign, CRL Sign
    ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
    cert. version : 3
    serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
    issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
    subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
    issued on : 2017-06-15 00:00:42
    expires on : 2021-12-15 00:00:42
    signed using : RSA with SHA-256
    RSA key size : 2048 bits
    basic constraints : CA=true, max_pathlen=0
    key usage : Digital Signature, Key Cert Sign, CRL Sign
    ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
    cert. version : 3
    serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
    issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
    subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
    issued on : 2017-06-15 00:00:42
    expires on : 2021-12-15 00:00:42
    signed using : RSA with SHA-256
    RSA key size : 2048 bits
    basic constraints : CA=true, max_pathlen=0
    key usage : Digital Signature, Key Cert Sign, CRL Sign
    ext key usage : TLS Web Server Authentication, TLS Web Client Authentication

    Verify requested for (Depth 0):
    cert. version : 3
    serial number : 10:7A:C6:83:CE:BF:51:0F:08:00:00:00:00:43:54:D8
    issuer name : C=US, O=Google Trust Services, CN=GTS CA 1O1
    subject name : C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.storage.googleapis.com
    issued on : 2020-05-26 15:27:50
    expires on : 2020-08-18 15:27:50
    signed using : RSA with SHA-256
    EC key size : 256 bits
    basic constraints : CA=false
    subject alt name : *.storage.googleapis.com, *.appspot.com.storage.googleapis.com, *.commondatastorage.googleapis.com, *.content-storage-download.googleapis.com, *.content-storage-upload.googleapis.com, *.content-storage.googleapis.com, *.googleapis.com, *.storage-download.googleapis.com, *.storage-upload.googleapis.com, *.storage.select.googleapis.com, commondatastorage.googleapis.com, storage.googleapis.com, storage.select.googleapis.com, unfiltered.news
    key usage : Digital Signature
    ext key usage : TLS Web Server Authentication
    This certificate has no flags

    x509_verify_cert() returned -9984 (-0x2700)
    , at line 5713 in file .ssl_tls.c

    mbedtls_ssl_fetch_input() returned -29312 (-0x7280)
    , at line 4967 in file .ssl_tls.c

    ssl_get_next_record() returned -29312 (-0x7280)
    , at line 4338 in file .ssl_tls.c

    mbedtls_ssl_read_record() returned -29312 (-0x7280)
    , at line 3302 in file .ssl_cli.c
    failed
    ! mbedtls_ssl_handshake returned -7280
    https_client_tls_xchg retval -4

    . Seeding the random number generator...
    . Loading the CA root certificate ... ok (0 skipped)

    Connecting to storage.googleapis.com/443
    . Setting up the SSL/TLS structure...

Jeff Thompson | Senior Electrical Engineer-Firmware +1 704 752 6513 x1394 www.invue.com
From: Manuel Pegourie-Gonnard <Manuel.Pegourie-Gonnard@arm.com>
Sent: Tuesday, June 23, 2020 6:36 AM
To: 'mbed-tls@lists.trustedfirmware.org' <mbed-tls@lists.trustedfirmware.org>; Thompson, Jeff <JeffThompson@invue.com>
Subject: Re: Using mbed without a client certificate
mbed-tls@lists.trustedfirmware.org
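Added example (not part of the original posts or of Mbed TLS): a small audit over lines abridged from the debug output in the reply above. It flags a connection where `x509_verify_cert()` returned -0x2700 (`MBEDTLS_ERR_X509_CERT_VERIFY_FAILED`) and the handshake still completed, which is what `MBEDTLS_SSL_VERIFY_OPTIONAL` allows. The names `struct conn`, `classify` and `audit_log` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum verdict { TLS_OK, TLS_UNVERIFIED_SESSION, TLS_HANDSHAKE_FAILED, TLS_INCOMPLETE };
struct conn {   /* hypothetical record, one per "Connecting to" line */
    char host[64];
    int verify_failed, handshake_done, handshake_err;
};
/* Lines abridged from the debug output in the post above. */
static const char SAMPLE_LOG[] =
    "Connecting to dev-ir4-sso.invue-am.com/443\n"
    "x509_verify_cert() returned -9984 (-0x2700)\n"
    " ok\n [ Protocol is TLSv1.2 ]\n"
    "Connecting to storage.googleapis.com/443\n"
    "x509_verify_cert() returned -9984 (-0x2700)\n"
    " ! mbedtls_ssl_handshake returned -7280\n";

/* Pointer just past marker in s, or NULL when the marker is absent. */
static const char *after(const char *s, const char *marker) {
    const char *m = strstr(s, marker);
    return m ? m + strlen(marker) : NULL;
}

/* A handshake that completes after a failed chain check is an unauthenticated session. */
enum verdict classify(const struct conn *c) {
    if (c->handshake_err) return TLS_HANDSHAKE_FAILED;
    if (!c->handshake_done) return TLS_INCOMPLETE;
    return c->verify_failed ? TLS_UNVERIFIED_SESSION : TLS_OK;
}

/* Fill out[] with one record per connection attempt; returns the count. */
int audit_log(const char *log, struct conn *out, int max) {
    int n = 0;
    while (*log) {
        size_t full = strcspn(log, "\n");
        char line[256];
        const char *v;
        snprintf(line, sizeof line, "%.*s", (int)full, log);
        log += full + (log[full] == '\n');
        if ((v = after(line, "Connecting to ")) != NULL) {
            if (n == max) break;
            memset(&out[n], 0, sizeof out[n]);
            snprintf(out[n++].host, sizeof out[0].host, "%.*s", (int)strcspn(v, "/"), v);
        } else if (n > 0) {
            struct conn *c = &out[n - 1];
            if ((v = after(line, "x509_verify_cert() returned ")) != NULL)
                c->verify_failed |= labs(strtol(v, NULL, 10)) == 0x2700; /* CERT_VERIFY_FAILED */
            else if (strstr(line, "[ Protocol is "))
                c->handshake_done = 1;
            else if ((v = after(line, "mbedtls_ssl_handshake returned -")) != NULL)
                c->handshake_err = (int)strtol(v, NULL, 16);  /* the post prints -%x */
        }
    }
    return n;
}

int main(void) {
    struct conn c[8];
    int n = audit_log(SAMPLE_LOG, c, 8);
    for (int i = 0; i < n; i++)
        printf("%s: verdict %d\n", c[i].host, (int)classify(&c[i]));
    return 0;
}
```

In Mbed TLS, -0x7280 is `MBEDTLS_ERR_SSL_CONN_EOF`, so the second attempt is reported as a failed handshake, separately from the certificate-verification result logged before it.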