x509_verify_cert() returned -9982 (-0x2700) at mbedtls-Examples


Mar 29, 2018 10:39
Manuel

Hello together,

I have problems with two example applications from your Git repository.
The first example I use is "ssl_pthread_server.c" in combination with the second example "ssl_client1.c". If I run the executable "ssl_pthread_server" and additionally "ssl_client1", the debug information of the ssl_client shows the exception ...
Performing the SSL/TLS handshake...ssl_tls.c:4643: 0x7fff19c036c0: x509_verify_cert() returned -9984 (-0x2700) failed ! mbedtls_ssl_hanshake returned -0x2700

Last error was: -9984 - X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

Some information:

When installing the mbedtls 2.8 lib I did the following steps.
1. scripts/config.pl set MBEDTLS_THREADING_C
2. scripts/config.pl set MBEDTLS_THREADING_PTHREAD
3. make
4. sudo make install

I use the GCC 5.4 compiler with Eclipse.
Server:
gcc -std=gnu99 -I/usr/local/include -O0 -g3 -Wall -c -fmessage-length=0 -pthread -MMD -MP -MF"src/Protokoll-Test-Server.d" -MT"src/Protokoll-Test-Server.o" -o "src/Protokoll-Test-Server.o" "../src/Protokoll-Test-Server.c"
g++ -L/usr/local/lib -o "MBedTls-Test-Server" ./src/Protokoll-Test-Server.o -lmbedtls -lpthread -lmbedcrypto -lmbedx509

Client:
gcc -std=gnu99 -I/usr/local/include -O0 -g3 -Wall -c -fmessage-length=0 -MMD -MP -MF"src/Protokoll-Test-Client.d" -MT"src/Protokoll-Test-Client.o" -o "src/Protokoll-Test-Client.o" "../src/Protokoll-Test-Client.c"
g++ -L/usr/local/lib -o "MBedTls-Test-Client" ./src/Protokoll-Test-Client.o -lmbedtls -lmbedx509 -lmbedcrypto

So what is the problem now? Why do the examples not work in my case?

Thanks in advance!

Mar 29, 2018 16:03
Ron Eldor

Hi Manuel,
I believe the reason you are receiving this failure is that our test certificates are signed with SHA1, and by default SHA1 certificates are not allowed in version 2.8. There is a fix for this here.
You can work around it by enabling MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES:

scripts/config.pl set MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES

Regards,
Mbed TLS Team member
Ron

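As an added check that is not part of the thread or of Mbed TLS: a script that reports which digest a certificate's signature uses, so SHA-1-signed test certificates are spotted before the 2.8 default verification profile rejects them with -0x2700. The accepted-digest set is an assumption taken from Ron's reply, and the DER skeleton is constructed for the example.

```python
# Added example, not Mbed TLS or the thread's code: report the digest used in a certificate's
# signature so SHA-1-signed test certs are caught before Mbed TLS 2.8's default profile rejects them.
SIG_ALG_MD = {                                  # signatureAlgorithm OID -> digest
    "1.2.840.113549.1.1.5": "SHA1",             # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA256",          # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA384", "1.2.840.113549.1.1.13": "SHA512",
    "1.2.840.10045.4.1": "SHA1",                # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "SHA256",            # ecdsa-with-SHA256
}
# Assumed from the thread: accepted by the 2.8 default profile unless MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES is set.
DEFAULT_PROFILE_MDS = {"SHA256", "SHA384", "SHA512"}
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")      # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")    # 1.2.840.113549.1.1.11

def _tlv(buf, pos):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):                           # DER OID content bytes -> dotted notation
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                        # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_md(cert_der):
    """Digest named by the outer signatureAlgorithm of a DER-encoded certificate."""
    _, start, _ = _tlv(cert_der, 0)             # Certificate ::= SEQUENCE
    _, _, tbs_end = _tlv(cert_der, start)       # skip tbsCertificate
    _, alg_start, _ = _tlv(cert_der, tbs_end)   # signatureAlgorithm ::= SEQUENCE
    tag, oid_start, oid_end = _tlv(cert_der, alg_start)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return SIG_ALG_MD.get(_decode_oid(cert_der[oid_start:oid_end]), "unknown")

def accepted_by_default_profile(cert_der):
    return signature_md(cert_der) in DEFAULT_PROFILE_MDS

def _der(tag, content):                         # short-form DER encoder for the skeleton
    return bytes([tag, len(content)]) + content

def skeleton_cert(sig_oid):                     # constructed skeleton, not a real certificate
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))
```

On a real certificate, pass the DER bytes (a PEM body base64-decoded) to signature_md; anything outside DEFAULT_PROFILE_MDS is what the default profile would refuse.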
Apr 3, 2018 10:23
Manuel

Hi Ron, thank you very much!

It works now.