Mbed TLS is now part of TrustedFirmware.org.

Handshake error An invalid SSL record was received error 7200

Sep 1, 2017 10:14


I am working with mbedtls. I am getting some errors while handshake in mbedtls_ssl_handshake(). It return error -0x7200 (An invalid SSL record was received).

How to fix this one? I am using openssl certs in both client and server side. I am working mqtt and I want to add TLS/SSL security between client and server.

Please help me out.

Sep 3, 2017 12:01
Ron Eldor

Hi muralikrishna,
Error -0x7200 (MBEDTLS_ERR_SSL_INVALID_RECORD) is returned in numerous locations, and you will have to look in the logs to understand where this error is orioginated from.
In order to enabled logs, you will need to compile your library in debug mode (DEBUG=1 parameter) , and set a debug function callback to mbedtls_ssl_conf_dbg API.
Mbed TLS Team member

Sep 4, 2017 09:00

Hi Ron,

Thank you for the same reply.

I found the cause for handshake error (7200). I am running a server with TLS/SSL. And I integrated mbedtls API's in client side. What I need to do is client should connect to server with openssl certs.

Here I am unable to change SSL/TLS version in client side. I need to work mbedtls with "TLSV1.2". I modified config.h file options(Marcos )for enabling TLSV1.2 version and I disabled SSLv3.0. But it's still running with SSLv3.0.

Major Modifications:

1) Modified config.h file options to enable TLSV1.2, And disabled SSLV3.0.

2) Added below functions also.

--> mbedtls_ssl_conf_max_version(&ssl_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
 --> mbedtls_ssl_conf_min_version(&ssl_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);

How to enable TLSV1.2 ? and how to disable SSLV3.0 ?

Please help me out? I struck here.



Sep 4, 2017 11:16
Ron Eldor

Hi muralikrishna,
You should verify you call mbedtls_ssl_conf_max_version and mbedtls_ssl_conf_min_version after you have called mbedtls_ssl_config_defaults.
You should verify that MBEDTLS_SSL_PROTO_SSL3 is in fact undefined on your system, and also that MBEDTLS_SSL_PROTO_TLS1 is undefined, if you want to disable TLS 1.0 as well.
If all these are undefined, it is strange to me why your client still claims to be SSL3 while the server is not.

Mbed TLS Team member

Sep 5, 2017 14:19


mbedtls version: mbedtls-2.5.0

I undefined macro's in mbed/config.h But still it's unable to compile with TLSV1.2.

//#define MBEDTLS_SSL_PROTO_SSL3 (Undefined) //#define MBEDTLS_SSL_PROTO_TLS1

#define MBEDTLS_SSL_PROTO_TLS1_2(Defined)

Clinet Log : TLS Version=: SSLv3.0 Client handshake----->>>> Client handshake----->>>> Client handshake----->>>> ret = -29184 mbedtls_ssl_handshake

Below code only I am using for security in client side. If any thing I need to do here. For me server is mosquitto broker with TLSV1.2.

Please help me out.

Int TLS_init(void) 
    int ret;    

    const char *pers = "mbed TLS helloword client";                             
    const char *temp;                                                          
    mbedtls_net_context server_fd;                                              
    mbedtls_entropy_context entropy;                                            
    mbedtls_ctr_drbg_context ctr_drbg;                                          
    mbedtls_ssl_context ssl;                                                    
    mbedtls_ssl_config ssl_conf;                                                
    mbedtls_x509_crt cacert;                                                                            
    mbedtls_ssl_init( &ssl );                                                   
    mbedtls_ssl_config_init( &ssl_conf );                                       
    mbedtls_ctr_drbg_init( &ctr_drbg );                                         
    mbedtls_x509_crt_init( &cacert );     
    if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
                    (const unsigned char *) pers,                               
                    strlen( pers ) ) ) != 0 )                                   
        printf( " failed\n  ! mbedtls_ctr_drbg_seed returned %d\n", ret );      
        return 0;                                                               
    if ((ret = mbedtls_x509_crt_parse(&cacert, (const unsigned char *) SSL_CA_PEM,
                    sizeof (SSL_CA_PEM))) != 0) {                               
        return 0;                                                               
    if ((ret = mbedtls_ssl_config_defaults(&ssl_conf,                           
        return 0;                                                               
    temp = mbedtls_ssl_get_version (&ssl);                                      
    printf("TLS Version= %s\r\n", temp);                                                                           
    mbedtls_ssl_conf_min_version(&ssl_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_2);
    mbedtls_ssl_conf_max_version(&ssl_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_2);

    temp = mbedtls_ssl_get_version (&ssl);                                      
    printf("TLS Version=: %s\r\n", temp);
    mbedtls_ssl_conf_ca_chain(&ssl_conf, &cacert, NULL);                        

    mbedtls_ssl_conf_authmode(&ssl_conf, /*MBEDTLS_SSL_VERIFY_NONE*/ MBEDTLS_SSL_VERIFY_REQUIRED);
    mbedtls_ssl_conf_rng(&ssl_conf, mbedtls_ctr_drbg_random, &ctr_drbg);        
    mbedtls_ssl_conf_dbg( &ssl_conf, my_debug, stdout );                        

    if ((ret = mbedtls_ssl_setup(&ssl, &ssl_conf)) != 0) {                      
        return 0;                                                               
     mbedtls_ssl_set_hostname(&ssl, /*HTTPS_SERVER_NAME*/ "");      

    mbedtls_ssl_set_bio(&ssl,(void *)(mqttNetwork),                             
            /*ssl_send */ mbedtls_ssl_send, /*ssl_recv*/ mbedtls_ssl_recv,      
            NULL );                   

    do {                                                                        
        ret = mbedtls_ssl_handshake(&ssl);                                      
    } while (ret != 0 && (ret == MBEDTLS_ERR_SSL_WANT_READ ||                   
                ret == MBEDTLS_ERR_SSL_WANT_WRITE));                            
    if (ret < 0) {                                                              
        printf("ret = %d mbedtls_ssl_handshake\r\n", ret);                      
        return 0 ; 
   return 0;     
Sep 5, 2017 14:50
Ron Eldor

Hi muralikrishna,
You should use MBEDTLS_SSL_MINOR_VERSION_3 as you minor version for mbedtls_ssl_conf_min_version and mbedtls_ssl_conf_max_version.
You are trying to set TLS 1.2 as minimal and maximal version, while it is undefined in your configuration. It doesn't explain why you get SSL3 as the version, but it could be some undefined behaviour due to wrong usage.
Please update the minal version and maximal version to TLS 1.2 and check again.
Mbed TLS Team member

Sep 9, 2017 06:54

Hi Ron,

Thank you for reply..I was fixed version issue. I am facing different issue with mbedtls

My Client app will send client_hello msg to server and then it was responded with server_hello. In client side serve_hello parsed but it's failed. Please check below logs.

Ssl_handshake fun returning error num 7280. MSG: bad server hello message.

And Server side I am getting "unexpected message" because of client send wrong client_hello msg.

Here client side logs.

 ssl_cli.c:0717: => write client hello
 ssl_cli.c:0755: client hello, max version: [3:3]
 ssl_cli.c:0764: dumping 'client hello, random bytes' (32 bytes)
 ssl_cli.c:0764: 0000:  00 00 01 8d d7 d2 50 88 59 33 5a 61 cf 3f d1 7e  ......P.Y3Za.?.~
 ssl_cli.c:0764: 0010:  ee ef 1a 79 f5 c5 61 33 3d 6e 5b d5 21 f2 91 a0  ...y..a3=n[.!...
 ssl_cli.c:0817: client hello, session id len.: 0

 <= write record
 <= write client hello
 client state: 2
Client handshake----->>>>
=> parse server hello
dumping 'input record header' (5 bytes)
ssl_tls.c:3479: 0000:  16 03 03 00 3d                                   ....=
ssl_tls.c:3488: input record: msgtype = 22, version = [3:3], msglen = 61
ssl_cli.c:1466: bad server hello message
ret = -31104 mbedtls_ssl_handshake
Sep 10, 2017 07:43
Ron Eldor

Hi Hi muralikrishna,
Thank you for your information.
For better tracking, please create a new post next time, for new issue, for the benefit of the community, since the content is now different than the subject.
There is not enough information from your post to understand reason of failure. You should enable debug level 5 to see full logs.
The error you are encountering is because the following statement:

 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
        buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );

since hs_len is 61 ( larger than 38+4 ) , I can only assume that the message type is not SERVER_HELLO message. You should look at full logs and wireshark capture to understand what message the server is sending, so you would analyze the problem better.
Mbed TLS Team member