
x509_verify_cert() Return 0x2700

Apr 12, 2017 13:36


I have an MQTT server. When I try to make a secure connection to this server via WebSocket, I get the following error. I am using a certbot certificate on the server.

F:/ThirtParty/mbedtls-2.4.2/library/ssl_tls.c Line : 4454 x509_verify_cert() returned -9984 (-0x2700)


Apr 13, 2017 10:53
Ron Eldor

Hi Yigit,
From the log and error, I believe that the error is caused by a failure in x509_crt_check_parent. It could be either because:

    /* Parent must be the issuer */
    if( x509_name_cmp( &child->issuer, &parent->subject ) != 0 )
        return( -1 );

    if( need_ca_bit && ! parent->ca_istrue )
        return( -1 );

Note in your log you have the line: "basic constraints : CA=false", which means parent->ca_istrue==false.
In addition, from certbot user guide: "cert.pem contains the server certificate by itself, and chain.pem contains the additional intermediate certificate or certificates that web browsers will need in order to validate the server certificate. If you provide one of these files to your web server, you must provide both of them, or some browsers will show “This Connection is Untrusted” errors for your site, some of the time"
Please verify you have a proper trusted CA, or a parent upwards in the certificate chain.
mbed TLS Team member
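To make the two rejection paths in the reply concrete, here is an added example (it is not Mbed TLS code and not from either poster): a small C model of the chain walk in which Mbed TLS applies x509_crt_check_parent(). It checks only the two structural rules quoted above (child issuer must equal parent subject; the parent must carry the CA basic constraint) on constructed certificate records, not on parsed DER, and it verifies no signatures. The certificate names, the cert_t/verdict_t types and the scenario functions are assumptions made for illustration; the 0x08 flag value is MBEDTLS_X509_BADCERT_NOT_TRUSTED.

```c
/* Added example (not Mbed TLS code): a model of the chain walk around
 * x509_crt_check_parent(). Only the two structural rules from the reply are
 * applied, to constructed records rather than parsed DER; no signatures. */
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for mbedtls_x509_crt: only the fields the check reads. */
typedef struct {
    const char *subject;
    const char *issuer;
    int ca_istrue;   /* basicConstraints CA flag; 0 prints as "CA=false" in the debug log */
} cert_t;

/* Same value as MBEDTLS_X509_BADCERT_NOT_TRUSTED: no trusted parent was found. */
#define X509_BADCERT_NOT_TRUSTED 0x08

enum { PARENT_OK = 0, PARENT_NAME_MISMATCH = 1, PARENT_NOT_CA = 2 };

typedef struct { int flags; int reason; } verdict_t;

/* Model of x509_crt_check_parent(): may `parent` have issued `child`? */
static int check_parent(const cert_t *child, const cert_t *parent, int need_ca_bit)
{
    /* Parent must be the issuer */
    if (strcmp(child->issuer, parent->subject) != 0)
        return PARENT_NAME_MISMATCH;
    /* Parent must carry the CA basic constraint */
    if (need_ca_bit && !parent->ca_istrue)
        return PARENT_NOT_CA;
    return PARENT_OK;
}

/* Walk upward from chain[0] (the server certificate). `chain` is what the peer
 * sent, `trust` is the local CA store. flags is 0 once a trusted parent is
 * reached, else X509_BADCERT_NOT_TRUSTED; reason records the last rejection. */
verdict_t verify_chain(const cert_t *chain, int chain_len,
                       const cert_t *trust, int trust_len)
{
    verdict_t v = { X509_BADCERT_NOT_TRUSTED, PARENT_OK };
    const cert_t *child = &chain[0];

    for (int depth = 0; depth < chain_len; depth++) {
        /* A trusted parent ends the walk successfully. */
        for (int i = 0; i < trust_len; i++) {
            int r = check_parent(child, &trust[i], 1);
            if (r == PARENT_OK) { v.flags = 0; v.reason = PARENT_OK; return v; }
            v.reason = r;
        }
        /* Otherwise climb to the next certificate the peer sent. */
        const cert_t *next = NULL;
        for (int i = 0; i < chain_len && next == NULL; i++) {
            if (&chain[i] == child)
                continue;
            int r = check_parent(child, &chain[i], 1);
            if (r == PARENT_OK) next = &chain[i]; else v.reason = r;
        }
        if (next == NULL)
            return v;   /* ran out of candidates: NOT_TRUSTED */
        child = next;
    }
    return v;
}

/* Constructed records resembling a certbot deployment (not real certificates). */
static const cert_t LEAF  = { "CN=mqtt.example.org", "CN=Example Intermediate CA", 0 };
static const cert_t INTER = { "CN=Example Intermediate CA", "CN=Example Root CA", 1 };
static const cert_t ROOT  = { "CN=Example Root CA", "CN=Example Root CA", 1 };

/* Server configured with cert.pem only: the leaf's issuer is not in the trust store. */
verdict_t scenario_leaf_only(void)
{
    cert_t chain[1], trust[1];
    chain[0] = LEAF; trust[0] = ROOT;
    return verify_chain(chain, 1, trust, 1);
}

/* Server configured with cert.pem + chain.pem: leaf -> intermediate -> trusted root. */
verdict_t scenario_fullchain(void)
{
    cert_t chain[2], trust[1];
    chain[0] = LEAF; chain[1] = INTER; trust[0] = ROOT;
    return verify_chain(chain, 2, trust, 1);
}

/* Names line up, but the intermediate lacks the CA bit ("CA=false"). */
verdict_t scenario_intermediate_without_ca(void)
{
    cert_t chain[2], trust[1];
    chain[0] = LEAF; chain[1] = INTER; chain[1].ca_istrue = 0; trust[0] = ROOT;
    return verify_chain(chain, 2, trust, 1);
}

int main(void)
{
    static const char *why[] = { "ok", "issuer != parent subject", "parent has CA=false" };
    verdict_t a = scenario_leaf_only(), b = scenario_fullchain(), c = scenario_intermediate_without_ca();
    printf("cert.pem only:         flags=0x%02x (%s)\n", a.flags, why[a.reason]);
    printf("cert.pem + chain.pem:  flags=0x%02x (%s)\n", b.flags, why[b.reason]);
    printf("intermediate CA=false: flags=0x%02x (%s)\n", c.flags, why[c.reason]);
    return 0;
}
```

The first scenario is the certbot situation the reply quotes: with only cert.pem served, the walk never finds a certificate whose subject equals the leaf's issuer, so verification ends with NOT_TRUSTED at the name comparison. The third scenario is the other branch the reply points at, a would-be parent whose basic constraints say CA=false. Mbed TLS itself additionally verifies the signature at each step and has exemptions for locally trusted v1/v2 and self-signed end-entity certificates, which this model omits.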

Apr 13, 2017 11:34

Hi Ron,

I have defined it in the config.h file. #define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA

The handshake succeeded after this operation.

Apr 13, 2017 12:04
Ron Eldor

Hi Yigit,
Yes, this would be another reason for failure.