Mbed TLS is now part of TrustedFirmware.org.

mbed TLS 2.5.1 Server - Bug with Chrome ?

Jun 27, 2017 12:25

Hi, I try to migrate my http server using mbed TLS 1.3 to 2.5.1, and it's working fine if I use firefox, edge, but with chrome i get an ERR_SSL_PROTOCOL_ERROR. The pb appears during the handshake, in the step MBEDTLS_SSL_SERVER_CERTIFICATE, chrome stop everything just after this instruction ( file ssl_srv.c,line 4062)

            ret = mbedtls_ssl_write_certificate( ssl );

Any idea, if I missed something while migrating, or if it is a bug ?

Best Regards,

Jun 27, 2017 13:11
Ron Eldor

Hi Loic,
on your migration to mbed TLS 2.5.1, I assume you follow this article. Although it is instructions for migrating to mbed TLS 2.0, it is same flow.
Your issue seems similar to this issue, but it was fixed for mbed TLS 2.5.1 , so you should verify that the configuration file supports the cipher suites sent by the client.
It seems that the client ( Chrome in this case ) does not accept the certificate, and thus fails. You should also check if the client sends some Fatal Alert message prior to disconnecting.
mbed TLS Team member

Jun 29, 2017 17:36

Hi Ron,

Thanks for your answer, but actually I think it's related to multithreading. I tried the exemple ssl_server on visual studio 10, and it's working fine. Then I modified the exemple to make it work using threads to manage each client, and now it's not working.

I have something like that:

    mbedtls_ssl_context ssl;

    mbedtls_ssl_init( &ssl );
    mbedtls_ssl_setup( &ssl, pSslConf );
    mbedtls_ssl_session_reset( &ssl );

    while ( 1 )
        // Wait a client
        sckClient = accept(sckServer,NULL,NULL);
        mbedtls_ssl_set_bio( &ssl, (mbedtls_net_context*) &sckClient, mbedtls_net_send, mbedtls_net_recv, NULL );
        AnswerClient( &sckClient, &ssl );

void AnswerClient( SOCKET* pSckClient, mbedtls_ssl_context* pSsl )
    // HandShake
    iRes = mbedtls_ssl_handshake( pSsl );
    if ( iRes ) 
        goto closecomm;

    //  Read the HTTP Request
    iRes = mbedtls_ssl_read(pSsl, buf, sizeof(buf) );
    if ( iRes <= 0 ) 
        goto closecomm;

    // Write Answer
    const char szAnswer[] = "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n<h2>mbed TLS Test Server</h2>\r\n<p>Successful connection</p>\r\n";
    iRes = mbedtls_ssl_write( pSsl, (const unsigned char*) szAnswer, strlen(szAnswer) );

    // Closing connection
    iRes = mbedtls_ssl_close_notify( pSsl );
    mbedtls_net_free( (mbedtls_net_context*) pSckClient );
    mbedtls_ssl_session_reset( pSsl );

No problem, everything is working.

But if I want to use a thread to call AnswerClient() so my main thread can accept more than 1 client I run into this problem and i can't figure out what is going wrong. First client is OK, but the second one on Firefox i get this error message : SSL_ERROR_RX_UNEXPECTED_CERTIFICATE.

I use a pool of mbedtls_ssl_context for each new client. I changed the main thread like that:

    while ( 1 )
        // Wait a new client
        sckClient = accept(sckServer,NULL,NULL);
        // Get an unused ssl context from the pool
        mbedtls_ssl_context* pSsl = GetFreeSslContext();

        pParam->pSsl = pSsl;
        pParam->sckClient = sckClient;

        mbedtls_ssl_set_bio( pParam->pSsl, (mbedtls_net_context*) &pParam->sckClient, mbedtls_net_send, mbedtls_net_recv, NULL );

        // Start thread AnswerClient 
        _beginthread( ThreadAnswerClient, 0, pParam );


ThreadAnswerClient() just call the blocking function AnswerClient(..)

So in this second exemple, firefox can connect and get the answer one time, then second time I get the error SSL_ERROR_RX_UNEXPECTED_CERTIFICATE, then the next time it's fine, and error again etc.

Funny things is:

1) I connect firefox one time : it's working.

2) Stop the app.

3) Start the normal app without thread

and here also i get the SSL_ERROR_RX_UNEXPECTED_CERTIFICATE when i try to reload the page.

Jul 24, 2017 13:30
Ron Eldor

Hi Loic,
Thanks for your explanation.
Have you tried testing with the ssl_pthread_server example? This example is more suitable for a multithreaded environment.
mbed TLS Team member