Mbed TLS is now part of TrustedFirmware.org.

Issue enabling SSL/TLS connection


Jul 22, 2015 07:33
Francois Mace

Issue enabling SSL/TLS connection

Hello,

I am currently trying to enable SSL/TLS capabilities in a client using mbed TLS. The server application uses openSSL as SSL/TLS supporting library.

I am experiencing difficulties since it seems that the server application closes the connection during the SSL/TLS handshake. I am not sure how I can fix this issue (explicitely, I am not sure what I am getting wrong).

I am currently using the latest release of mbed TLS. I have based my inclusion of the library on the examples provided in programs/ssl/client1.c, programs/ssl/client2.c and on the advices given here (https://tls.mbed.org/kb/how-to/polarssl-tutorial).

Samples of my code are the following (it's using a sort of C++ wrapping of C functions since the base client library is providing a usefull network agnostic C++ wrapping that I modified to introduce mbed TLS in it).

class mbedTLSSocket
{
public:    
    mbedTLSSocket()
    {

    }


    int init(const char *pers, size_t len,char * keyFile, char * keyPassword, char * certFile ){

        int ret;

        ssl         = new ssl_context;
        entropy     = new entropy_context;
        ctr_drbg    = new ctr_drbg_context;
        mycert      = new x509_crt;
        mykey       = new pk_context;

        entropy_init(entropy);
        if((ret = ctr_drbg_init(ctr_drbg, entropy_func, entropy,
                    (unsigned char *)pers,len))!=0){
            fprintf(stderr,"Error: ctr_drbg_init returned %d\n",ret);
            return ret;
        }
        memset(ssl,0,sizeof(ssl_context));
        x509_crt_init(mycert);
        pk_init(mykey);

        if ((ret = pk_parse_keyfile(mykey,keyFile,keyPassword))!=0){
            fprintf(stderr,"Error: pk_parse_keyfile returned %d\n",ret);
            return ret;
        }

        if ((ret = x509_crt_parse_file(mycert,certFile))!=0){
            fprintf(stderr,"Error: x509_crt_parse_file (%s) returned %d\n",certFile,ret);
            return ret;
        }

        return 0;
    }

    int sslInit(int ssl_authmode)
    {
        int ret;

        if((ret=ssl_init(ssl))!=0){
            fprintf(stderr,"Error: ssl_init returned %d\n",ret);
            return ret;
        }
        ssl_set_endpoint(ssl,SSL_IS_CLIENT);
        ssl_set_authmode(ssl,ssl_authmode);
        ssl_set_ca_chain(ssl,mycert,NULL,NULL);
        ssl_set_min_version(ssl,SSL_MAJOR_VERSION_3,SSL_MINOR_VERSION_1);/*TLS 1.0*/
        ssl_set_rng(ssl, ctr_drbg_random, ctr_drbg);
        ssl_set_dbg(ssl, my_debug, stdout);
        debug_set_threshold(5);
        ssl_set_bio(ssl, net_recv, &mysock, net_send, &mysock);
        ssl_set_ciphersuites(ssl,ssl_list_ciphersuites());

        if((ret=ssl_set_own_cert(ssl,mycert,mykey))!=0){
            fprintf(stderr,"Error: ssl_set_own_cert returned %d\n",ret);
            return ret;
        }

        //ssl_set_renegotiation(ssl,SSL_RENEGOTIATION_ENABLED);

        while((ret=ssl_handshake(ssl))!=0){
            if(ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE){
                fprintf(stderr,"Error: ssl_handshake returned -0x%x\n",-ret);
                return ret;
            }
        }
        if((ret=ssl_get_verify_result(ssl))!=0){
            char vrfy_buf[512];
            fprintf(stderr,"Error: 509 verification failed\n");
            fprintf(stderr,"%s\n",vrfy_buf);
            if((ret = x509_crt_verify_info(vrfy_buf,sizeof(vrfy_buf), "  ! ",ret))!=0){
                fprintf(stderr,"Error: return from x509_crt_verify_info is %d\n",ret);
            }

        }
        return 0;
    }

The output I get from the mbed TLS messages are:

Connecting to 192.168.1.5:1883
ssl_tls.c(4433): => handshake
ssl_cli.c(2748): client state: 0
ssl_tls.c(2053): => flush output
ssl_tls.c(2071): <= flush output
ssl_cli.c(2748): client state: 1
ssl_tls.c(2053): => flush output
ssl_tls.c(2071): <= flush output
ssl_cli.c(0515): => write client hello
ssl_cli.c(0551): client hello, max version: [3:3]
ssl_cli.c(0560): client hello, current time: 947335827
ssl_cli.c(0575): dumping 'client hello, random bytes' (32 bytes)
ssl_cli.c(0575): 0000:  38 77 32 93 94 b0 d7 5f 39 f3 aa c5 e3 d6 ee 8e  8w2...._9.......
ssl_cli.c(0575): 0010:  3c ce dd 4e 64 40 30 fa 7a db ae 9d d3 44 20 57  <..Nd@0.z....D W
ssl_cli.c(0625): client hello, session id len.: 0
ssl_cli.c(0626): dumping 'client hello, session id' (0 bytes)
ssl_cli.c(0651): client hello, add ciphersuite: 49196
ssl_cli.c(0651): client hello, add ciphersuite: 49200
ssl_cli.c(0651): client hello, add ciphersuite: 159
ssl_cli.c(0651): client hello, add ciphersuite: 49325
ssl_cli.c(0651): client hello, add ciphersuite: 49311
ssl_cli.c(0651): client hello, add ciphersuite: 49188
ssl_cli.c(0651): client hello, add ciphersuite: 49192
ssl_cli.c(0651): client hello, add ciphersuite: 107
ssl_cli.c(0651): client hello, add ciphersuite: 49162
ssl_cli.c(0651): client hello, add ciphersuite: 49172
ssl_cli.c(0651): client hello, add ciphersuite: 57
ssl_cli.c(0651): client hello, add ciphersuite: 49327
ssl_cli.c(0651): client hello, add ciphersuite: 49315
ssl_cli.c(0651): client hello, add ciphersuite: 49287
ssl_cli.c(0651): client hello, add ciphersuite: 49291
ssl_cli.c(0651): client hello, add ciphersuite: 49277
ssl_cli.c(0651): client hello, add ciphersuite: 49267
ssl_cli.c(0651): client hello, add ciphersuite: 49271
ssl_cli.c(0651): client hello, add ciphersuite: 196
ssl_cli.c(0651): client hello, add ciphersuite: 136
ssl_cli.c(0651): client hello, add ciphersuite: 49195
ssl_cli.c(0651): client hello, add ciphersuite: 49199
ssl_cli.c(0651): client hello, add ciphersuite: 158
ssl_cli.c(0651): client hello, add ciphersuite: 49324
ssl_cli.c(0651): client hello, add ciphersuite: 49310
ssl_cli.c(0651): client hello, add ciphersuite: 49187
ssl_cli.c(0651): client hello, add ciphersuite: 49191
ssl_cli.c(0651): client hello, add ciphersuite: 103
ssl_cli.c(0651): client hello, add ciphersuite: 49161
ssl_cli.c(0651): client hello, add ciphersuite: 49171
ssl_cli.c(0651): client hello, add ciphersuite: 51
ssl_cli.c(0651): client hello, add ciphersuite: 49326
ssl_cli.c(0651): client hello, add ciphersuite: 49314
ssl_cli.c(0651): client hello, add ciphersuite: 49286
ssl_cli.c(0651): client hello, add ciphersuite: 49290
ssl_cli.c(0651): client hello, add ciphersuite: 49276
ssl_cli.c(0651): client hello, add ciphersuite: 49266
ssl_cli.c(0651): client hello, add ciphersuite: 49270
ssl_cli.c(0651): client hello, add ciphersuite: 190
ssl_cli.c(0651): client hello, add ciphersuite: 69
ssl_cli.c(0651): client hello, add ciphersuite: 49160
ssl_cli.c(0651): client hello, add ciphersuite: 49170
ssl_cli.c(0651): client hello, add ciphersuite: 22
ssl_cli.c(0651): client hello, add ciphersuite: 171
ssl_cli.c(0651): client hello, add ciphersuite: 49319
ssl_cli.c(0651): client hello, add ciphersuite: 49208
ssl_cli.c(0651): client hello, add ciphersuite: 179
ssl_cli.c(0651): client hello, add ciphersuite: 49206
ssl_cli.c(0651): client hello, add ciphersuite: 145
ssl_cli.c(0651): client hello, add ciphersuite: 49297
ssl_cli.c(0651): client hello, add ciphersuite: 49307
ssl_cli.c(0651): client hello, add ciphersuite: 49303
ssl_cli.c(0651): client hello, add ciphersuite: 49323
ssl_cli.c(0651): client hello, add ciphersuite: 170
ssl_cli.c(0651): client hello, add ciphersuite: 49318
ssl_cli.c(0651): client hello, add ciphersuite: 49207
ssl_cli.c(0651): client hello, add ciphersuite: 178
ssl_cli.c(0651): client hello, add ciphersuite: 49205
ssl_cli.c(0651): client hello, add ciphersuite: 144
ssl_cli.c(0651): client hello, add ciphersuite: 49296
ssl_cli.c(0651): client hello, add ciphersuite: 49302
ssl_cli.c(0651): client hello, add ciphersuite: 49306
ssl_cli.c(0651): client hello, add ciphersuite: 49322
ssl_cli.c(0651): client hello, add ciphersuite: 49204
ssl_cli.c(0651): client hello, add ciphersuite: 143
ssl_cli.c(0651): client hello, add ciphersuite: 157
ssl_cli.c(0651): client hello, add ciphersuite: 49309
ssl_cli.c(0651): client hello, add ciphersuite: 61
ssl_cli.c(0651): client hello, add ciphersuite: 53
ssl_cli.c(0651): client hello, add ciphersuite: 49202
ssl_cli.c(0651): client hello, add ciphersuite: 49194
ssl_cli.c(0651): client hello, add ciphersuite: 49167
ssl_cli.c(0651): client hello, add ciphersuite: 49198
ssl_cli.c(0651): client hello, add ciphersuite: 49190
ssl_cli.c(0651): client hello, add ciphersuite: 49157
ssl_cli.c(0651): client hello, add ciphersuite: 49313
ssl_cli.c(0651): client hello, add ciphersuite: 49275
ssl_cli.c(0651): client hello, add ciphersuite: 192
ssl_cli.c(0651): client hello, add ciphersuite: 132
ssl_cli.c(0651): client hello, add ciphersuite: 49293
ssl_cli.c(0651): client hello, add ciphersuite: 49273
ssl_cli.c(0651): client hello, add ciphersuite: 49289
ssl_cli.c(0651): client hello, add ciphersuite: 49269
ssl_cli.c(0651): client hello, add ciphersuite: 156
ssl_cli.c(0651): client hello, add ciphersuite: 49308
ssl_cli.c(0651): client hello, add ciphersuite: 60
ssl_cli.c(0651): client hello, add ciphersuite: 47
ssl_cli.c(0651): client hello, add ciphersuite: 49201
ssl_cli.c(0651): client hello, add ciphersuite: 49193
ssl_cli.c(0651): client hello, add ciphersuite: 49166
ssl_cli.c(0651): client hello, add ciphersuite: 49197
ssl_cli.c(0651): client hello, add ciphersuite: 49189
ssl_cli.c(0651): client hello, add ciphersuite: 49156
ssl_cli.c(0651): client hello, add ciphersuite: 49312
ssl_cli.c(0651): client hello, add ciphersuite: 49274
ssl_cli.c(0651): client hello, add ciphersuite: 186
ssl_cli.c(0651): client hello, add ciphersuite: 65
ssl_cli.c(0651): client hello, add ciphersuite: 49292
ssl_cli.c(0651): client hello, add ciphersuite: 49272
ssl_cli.c(0651): client hello, add ciphersuite: 49288
ssl_cli.c(0651): client hello, add ciphersuite: 49268
ssl_cli.c(0651): client hello, add ciphersuite: 10
ssl_cli.c(0651): client hello, add ciphersuite: 49165
ssl_cli.c(0651): client hello, add ciphersuite: 49155
ssl_cli.c(0651): client hello, add ciphersuite: 173
ssl_cli.c(0651): client hello, add ciphersuite: 183
ssl_cli.c(0651): client hello, add ciphersuite: 149
ssl_cli.c(0651): client hello, add ciphersuite: 49299
ssl_cli.c(0651): client hello, add ciphersuite: 49305
ssl_cli.c(0651): client hello, add ciphersuite: 172
ssl_cli.c(0651): client hello, add ciphersuite: 182
ssl_cli.c(0651): client hello, add ciphersuite: 148
ssl_cli.c(0651): client hello, add ciphersuite: 49298
ssl_cli.c(0651): client hello, add ciphersuite: 49304
ssl_cli.c(0651): client hello, add ciphersuite: 147
ssl_cli.c(0651): client hello, add ciphersuite: 169
ssl_cli.c(0651): client hello, add ciphersuite: 49317
ssl_cli.c(0651): client hello, add ciphersuite: 175
ssl_cli.c(0651): client hello, add ciphersuite: 141
ssl_cli.c(0651): client hello, add ciphersuite: 49295
ssl_cli.c(0651): client hello, add ciphersuite: 49301
ssl_cli.c(0651): client hello, add ciphersuite: 49321
ssl_cli.c(0651): client hello, add ciphersuite: 168
ssl_cli.c(0651): client hello, add ciphersuite: 49316
ssl_cli.c(0651): client hello, add ciphersuite: 174
ssl_cli.c(0651): client hello, add ciphersuite: 140
ssl_cli.c(0651): client hello, add ciphersuite: 49294
ssl_cli.c(0651): client hello, add ciphersuite: 49300
ssl_cli.c(0651): client hello, add ciphersuite: 49320
ssl_cli.c(0651): client hello, add ciphersuite: 139
ssl_cli.c(0651): client hello, add ciphersuite: 49159
ssl_cli.c(0651): client hello, add ciphersuite: 49169
ssl_cli.c(0651): client hello, add ciphersuite: 49203
ssl_cli.c(0651): client hello, add ciphersuite: 142
ssl_cli.c(0651): client hello, add ciphersuite:  5
ssl_cli.c(0651): client hello, add ciphersuite:  4
ssl_cli.c(0651): client hello, add ciphersuite: 49164
ssl_cli.c(0651): client hello, add ciphersuite: 49154
ssl_cli.c(0651): client hello, add ciphersuite: 146
ssl_cli.c(0651): client hello, add ciphersuite: 138
ssl_cli.c(0684): client hello, got 141 ciphersuites
ssl_cli.c(0696): client hello, compress len.: 1
ssl_cli.c(0697): client hello, compress alg.: 0
ssl_cli.c(0164): client hello, adding signature_algorithms extension
ssl_cli.c(0262): client hello, adding supported_elliptic_curves extension
ssl_cli.c(0301): client hello, adding supported_point_formats extension
ssl_cli.c(0380): client hello, adding encrypt_then_mac extension
ssl_cli.c(0406): client hello, adding extended_master_secret extension
ssl_cli.c(0431): client hello, adding session ticket extension
ssl_cli.c(0763): client hello, total extension length: 76
ssl_tls.c(2084): => write record
ssl_tls.c(2152): output record: msgtype = 22, version = [3:1], msglen = 403
ssl_tls.c(2155): dumping 'output record sent to network' (408 bytes)
ssl_tls.c(2155): 0000:  16 03 01 01 93 01 00 01 8f 03 03 38 77 32 93 94  ...........8w2..
ssl_tls.c(2155): 0010:  b0 d7 5f 39 f3 aa c5 e3 d6 ee 8e 3c ce dd 4e 64  .._9.......<..Nd
ssl_tls.c(2155): 0020:  40 30 fa 7a db ae 9d d3 44 20 57 00 01 1a c0 2c  @0.z....D W....,
ssl_tls.c(2155): 0030:  c0 30 00 9f c0 ad c0 9f c0 24 c0 28 00 6b c0 0a  .0.......$.(.k..
ssl_tls.c(2155): 0040:  c0 14 00 39 c0 af c0 a3 c0 87 c0 8b c0 7d c0 73  ...9.........}.s
ssl_tls.c(2155): 0050:  c0 77 00 c4 00 88 c0 2b c0 2f 00 9e c0 ac c0 9e  .w.....+./......
ssl_tls.c(2155): 0060:  c0 23 c0 27 00 67 c0 09 c0 13 00 33 c0 ae c0 a2  .#.'.g.....3....
ssl_tls.c(2155): 0070:  c0 86 c0 8a c0 7c c0 72 c0 76 00 be 00 45 c0 08  .....|.r.v...E..
ssl_tls.c(2155): 0080:  c0 12 00 16 00 ab c0 a7 c0 38 00 b3 c0 36 00 91  .........8...6..
ssl_tls.c(2155): 0090:  c0 91 c0 9b c0 97 c0 ab 00 aa c0 a6 c0 37 00 b2  .............7..
ssl_tls.c(2155): 00a0:  c0 35 00 90 c0 90 c0 96 c0 9a c0 aa c0 34 00 8f  .5...........4..
ssl_tls.c(2155): 00b0:  00 9d c0 9d 00 3d 00 35 c0 32 c0 2a c0 0f c0 2e  .....=.5.2.*....
ssl_tls.c(2155): 00c0:  c0 26 c0 05 c0 a1 c0 7b 00 c0 00 84 c0 8d c0 79  .&.....{.......y
ssl_tls.c(2155): 00d0:  c0 89 c0 75 00 9c c0 9c 00 3c 00 2f c0 31 c0 29  ...u.....<./.1.)
ssl_tls.c(2155): 00e0:  c0 0e c0 2d c0 25 c0 04 c0 a0 c0 7a 00 ba 00 41  ...-.%.....z...A
ssl_tls.c(2155): 00f0:  c0 8c c0 78 c0 88 c0 74 00 0a c0 0d c0 03 00 ad  ...x...t........
ssl_tls.c(2155): 0100:  00 b7 00 95 c0 93 c0 99 00 ac 00 b6 00 94 c0 92  ................
ssl_tls.c(2155): 0110:  c0 98 00 93 00 a9 c0 a5 00 af 00 8d c0 8f c0 95  ................
ssl_tls.c(2155): 0120:  c0 a9 00 a8 c0 a4 00 ae 00 8c c0 8e c0 94 c0 a8  ................
ssl_tls.c(2155): 0130:  00 8b c0 07 c0 11 c0 33 00 8e 00 05 00 04 c0 0c  .......3........
ssl_tls.c(2155): 0140:  c0 02 00 92 00 8a 00 ff 01 00 00 4c 00 0d 00 1a  ...........L....
ssl_tls.c(2155): 0150:  00 18 06 01 05 01 04 01 03 01 02 01 01 01 06 03  ................
ssl_tls.c(2155): 0160:  05 03 04 03 03 03 02 03 01 03 00 0a 00 18 00 16  ................
ssl_tls.c(2155): 0170:  00 19 00 1c 00 18 00 1b 00 17 00 16 00 1a 00 15  ................
ssl_tls.c(2155): 0180:  00 14 00 13 00 12 00 0b 00 02 01 00 00 16 00 00  ................
ssl_tls.c(2155): 0190:  00 17 00 00 00 23 00 00                          .....#..
ssl_tls.c(2053): => flush output
ssl_tls.c(2058): message length: 408, out_left: 408
ssl_tls.c(2063): ssl->f_send() returned 408 (-0xfffffe68)
ssl_tls.c(2071): <= flush output
ssl_tls.c(2164): <= write record
ssl_cli.c(0784): <= write client hello
ssl_cli.c(2748): client state: 2
ssl_tls.c(2053): => flush output
ssl_tls.c(2071): <= flush output
ssl_cli.c(1029): => parse server hello
ssl_tls.c(2173): => read record
ssl_tls.c(2014): => fetch input
ssl_tls.c(2028): in_left: 0, nb_want: 5
ssl_tls.c(2029): ssl->f_recv() returned -80 (-0x0050)
ssl_tls.c(2218): ssl_fetch_input() returned -80 (-0x0050)
ssl_cli.c(1042): ssl_read_record() returned -80 (-0x0050)
ssl_tls.c(4443): <= handshake
Error: ssl_handshake returned -0x50

The output information I got from the server application is the following:

1436817762: New connection from 192.168.1.4 on port 1883.
1436817763: Socket error on client <unknown>, disconnecting.

Thanks in advance for your help.

 
Aug 18, 2015 13:17
Francois Mace

FIY, I finally found out that the issue seemed to be related to the configuration on the server side, so this has nothing to do with the mbedtls library.

 
Aug 18, 2015 13:36
Manuel Pégourié-Gonnard

Ok, thanks for letting us know!

 
Feb 21, 2018 13:31
Vincent Girouard

Hi,

Do you know what the server issue was? I have the same logs and error code as you and I am clueless as of how to solve this.

Thanks in advance!