PolarSSL is now part of ARM Official announcement and rebranded as mbed TLS.

Communicating with an external server.


Aug 24, 2017 12:09
Antonio

Dear All, I'd like guidance how to communicate with an external HTTPS server. Yesterday I tried to establish a connection, the server accepts the connection, but the Handshake failed.. (GOT stuck forever)

I have a client working with the example servers provided under /programs/ssl, now I'd my client to communicate with for example "https://api.ipify.org/" which returns very simple message i.e: my IP address.

My client was trimmed to minimum, since I am using a board which is limited in memory. I my configuration, I also do not use any Eliptic curves..

 
Aug 24, 2017 13:41
Ron Eldor

Hi Antonio,
From your description, I assume you haven't set the CA certificate of the server, using the mbedtls_ssl_conf_ca_chain API, and you are using the default root CA certificate used in mbed TLS, for test purposes. From my brief check, I have noticed that https://api.ipify.org/ is using the COMODO certificate. I have tested the ssl_client2 sample application with the https://api.ipify.org/, and used the comodorsadomainvalidationsecureserverca.crt as ca_file (it is an intermedaite certificate, you can use comodo-rsa-domain-validation-sha-2-w-root.ca-bundle for the full CA bundle, in the same link), and successfully connected to the server.
I suggest you try the same.
Regards,
mbed TLS Team member
Ron

 
Aug 24, 2017 22:01
Antonio

Hi Ron, Thanks for your help, but I still have troubles..

I replaced the DFL_CA_FILE with the certificate file, it ssl_client2 can read it manages to connect, however, the handshake fails. I also replaced the DFL_SERVER_ADDR "50.19.238.1" //NULL and DFL_SERVER_NAME "api.ipify.org" //"localhost" Here is the output.

" . Seeding the random number generator... ok

. Loading the CA root certificate ... ok (0 skipped)

. Loading the client cert. and key... ok

. Connecting to tcp/50.19.238.1/443... ok

. Setting up the SSL/TLS structure... ok

. Performing the SSL/TLS handshake... failed

! mbedtls_ssl_handshake returned -0x7200

Last error was: -0x7200 - SSL - An invalid SSL record was received"

 
Aug 27, 2017 07:50
Ron Eldor

Hi Antonio,
error -0x7200 (MBEDTLS_ERR_SSL_INVALID_RECORD) is an error that is returned in numerous locations. It is an error that is returned when the message cannot be read. If the issue was an invalid CA_ROOT file, the error that you should have got was -0x2700 (MBEDTLS_ERR_X509_CERT_VERIFY_FAILED), unless the error you are receiving is before the certificate was sent. To better understand the flow, and the location where the error is returned, please run the ssl_client2 program with parameter debug_level=5 and look at the logs.
Regards,
Mbed TLS Team member
Ron

 
Aug 28, 2017 07:57
Antonio

Hi Ron,

Here is a more extensive debug log.

./ssl_client2 debug_level=5

  . Seeding the random number generator... ok
  . Loading the CA root certificate ... ok (0 skipped)
  . Loading the client cert. and key... ok
  . Connecting to tcp/api.ipify.org/443... ok
  . Setting up the SSL/TLS structure...ssl_tls.c:0082: |3| set_timer to 0 ms
 ok
  . Performing the SSL/TLS handshake...ssl_tls.c:6557: |2| => handshake

ssl_cli.c:3363: |2| client state: 0
ssl_tls.c:2416: |2| => flush output
ssl_tls.c:2428: |2| <= flush output
ssl_cli.c:3363: |2| client state: 1
ssl_tls.c:2416: |2| => flush output
ssl_tls.c:2428: |2| <= flush output
ssl_cli.c:0719: |2| => write client hello
ssl_cli.c:0757: |3| client hello, max version: [3:3]
ssl_cli.c:0695: |3| client hello, current time: 1503906701
ssl_cli.c:0766: |3| dumping 'client hello, random bytes' (32 bytes)

ssl_cli.c:0766: |3| 0000:  59 a3 cb 8d f3 e1 33 3d 3d 2b 89 39 f6 71 d3 06  Y.....3==+.9.q..

ssl_cli.c:0766: |3| 0010:  4c ce 92 08 f5 5e 90 63 cf 59 11 04 99 dd 1f 7a  L....^.c.Y.....z

ssl_cli.c:0819: |3| client hello, session id len.: 0

ssl_cli.c:0820: |3| dumping 'client hello, session id' (0 bytes)

ssl_cli.c:0887: |3| client hello, add ciphersuite: c02c
ssl_cli.c:0887: |3| client hello, add ciphersuite: c030
ssl_cli.c:0887: |3| client hello, add ciphersuite: 009f
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0ad
ssl_cli.c:0887: |3| client hello, add ciphersuite: c09f
ssl_cli.c:0887: |3| client hello, add ciphersuite: c024
ssl_cli.c:0887: |3| client hello, add ciphersuite: c028
ssl_cli.c:0887: |3| client hello, add ciphersuite: 006b
ssl_cli.c:0887: |3| client hello, add ciphersuite: c00a
ssl_cli.c:0887: |3| client hello, add ciphersuite: c014
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0039
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0af
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0a3
ssl_cli.c:0887: |3| client hello, add ciphersuite: c087
ssl_cli.c:0887: |3| client hello, add ciphersuite: c08b
ssl_cli.c:0887: |3| client hello, add ciphersuite: c07d
ssl_cli.c:0887: |3| client hello, add ciphersuite: c073
ssl_cli.c:0887: |3| client hello, add ciphersuite: c077
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00c4
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0088
ssl_cli.c:0887: |3| client hello, add ciphersuite: c02b
ssl_cli.c:0887: |3| client hello, add ciphersuite: c02f
ssl_cli.c:0887: |3| client hello, add ciphersuite: 009e
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0ac
ssl_cli.c:0887: |3| client hello, add ciphersuite: c09e
ssl_cli.c:0887: |3| client hello, add ciphersuite: c023
ssl_cli.c:0887: |3| client hello, add ciphersuite: c027
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0067
ssl_cli.c:0887: |3| client hello, add ciphersuite: c009
ssl_cli.c:0887: |3| client hello, add ciphersuite: c013
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0033
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0ae
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0a2
ssl_cli.c:0887: |3| client hello, add ciphersuite: c086
ssl_cli.c:0887: |3| client hello, add ciphersuite: c08a
ssl_cli.c:0887: |3| client hello, add ciphersuite: c07c
ssl_cli.c:0887: |3| client hello, add ciphersuite: c072
ssl_cli.c:0887: |3| client hello, add ciphersuite: c076
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00be
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0045
ssl_cli.c:0887: |3| client hello, add ciphersuite: c008
ssl_cli.c:0887: |3| client hello, add ciphersuite: c012
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0016
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00ab
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0a7
ssl_cli.c:0887: |3| client hello, add ciphersuite: c038
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00b3
ssl_cli.c:0887: |3| client hello, add ciphersuite: c036
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0091
ssl_cli.c:0887: |3| client hello, add ciphersuite: c091
ssl_cli.c:0887: |3| client hello, add ciphersuite: c09b
ssl_cli.c:0887: |3| client hello, add ciphersuite: c097
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0ab
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00aa
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0a6
ssl_cli.c:0887: |3| client hello, add ciphersuite: c037
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00b2
ssl_cli.c:0887: |3| client hello, add ciphersuite: c035
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0090
ssl_cli.c:0887: |3| client hello, add ciphersuite: c090
ssl_cli.c:0887: |3| client hello, add ciphersuite: c096
ssl_cli.c:0887: |3| client hello, add ciphersuite: c09a
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0aa
ssl_cli.c:0887: |3| client hello, add ciphersuite: c034
ssl_cli.c:0887: |3| client hello, add ciphersuite: 008f
ssl_cli.c:0887: |3| client hello, add ciphersuite: 009d
ssl_cli.c:0887: |3| client hello, add ciphersuite: c09d
ssl_cli.c:0887: |3| client hello, add ciphersuite: 003d
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0035
ssl_cli.c:0887: |3| client hello, add ciphersuite: c032
ssl_cli.c:0887: |3| client hello, add ciphersuite: c02a
ssl_cli.c:0887: |3| client hello, add ciphersuite: c00f
ssl_cli.c:0887: |3| client hello, add ciphersuite: c02e
ssl_cli.c:0887: |3| client hello, add ciphersuite: c026
ssl_cli.c:0887: |3| client hello, add ciphersuite: c005
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0a1
ssl_cli.c:0887: |3| client hello, add ciphersuite: c07b
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00c0
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0084
ssl_cli.c:0887: |3| client hello, add ciphersuite: c08d
ssl_cli.c:0887: |3| client hello, add ciphersuite: c079
ssl_cli.c:0887: |3| client hello, add ciphersuite: c089
ssl_cli.c:0887: |3| client hello, add ciphersuite: c075
ssl_cli.c:0887: |3| client hello, add ciphersuite: 009c
ssl_cli.c:0887: |3| client hello, add ciphersuite: c09c
ssl_cli.c:0887: |3| client hello, add ciphersuite: 003c
ssl_cli.c:0887: |3| client hello, add ciphersuite: 002f
ssl_cli.c:0887: |3| client hello, add ciphersuite: c031
ssl_cli.c:0887: |3| client hello, add ciphersuite: c029
ssl_cli.c:0887: |3| client hello, add ciphersuite: c00e
ssl_cli.c:0887: |3| client hello, add ciphersuite: c02d
ssl_cli.c:0887: |3| client hello, add ciphersuite: c025
ssl_cli.c:0887: |3| client hello, add ciphersuite: c004
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0a0
ssl_cli.c:0887: |3| client hello, add ciphersuite: c07a
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00ba
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0041
ssl_cli.c:0887: |3| client hello, add ciphersuite: c08c
ssl_cli.c:0887: |3| client hello, add ciphersuite: c078
ssl_cli.c:0887: |3| client hello, add ciphersuite: c088
ssl_cli.c:0887: |3| client hello, add ciphersuite: c074
ssl_cli.c:0887: |3| client hello, add ciphersuite: 000a
ssl_cli.c:0887: |3| client hello, add ciphersuite: c00d
ssl_cli.c:0887: |3| client hello, add ciphersuite: c003
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00ad
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00b7
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0095
ssl_cli.c:0887: |3| client hello, add ciphersuite: c093
ssl_cli.c:0887: |3| client hello, add ciphersuite: c099
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00ac
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00b6
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0094
ssl_cli.c:0887: |3| client hello, add ciphersuite: c092
ssl_cli.c:0887: |3| client hello, add ciphersuite: c098
ssl_cli.c:0887: |3| client hello, add ciphersuite: 0093
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00a9
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0a5
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00af
ssl_cli.c:0887: |3| client hello, add ciphersuite: 008d
ssl_cli.c:0887: |3| client hello, add ciphersuite: c08f
ssl_cli.c:0887: |3| client hello, add ciphersuite: c095
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0a9
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00a8
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0a4
ssl_cli.c:0887: |3| client hello, add ciphersuite: 00ae
ssl_cli.c:0887: |3| client hello, add ciphersuite: 008c
ssl_cli.c:0887: |3| client hello, add ciphersuite: c08e
ssl_cli.c:0887: |3| client hello, add ciphersuite: c094
ssl_cli.c:0887: |3| client hello, add ciphersuite: c0a8
ssl_cli.c:0887: |3| client hello, add ciphersuite: 008b
ssl_cli.c:0920: |3| client hello, got 131 ciphersuites
ssl_cli.c:0951: |3| client hello, compress len.: 1
ssl_cli.c:0953: |3| client hello, compress alg.: 0

ssl_cli.c:0072: |3| client hello, adding server name extension: api.ipify.org

ssl_cli.c:0178: |3| client hello, adding signature_algorithms extension

ssl_cli.c:0263: |3| client hello, adding supported_elliptic_curves extension

ssl_cli.c:0328: |3| client hello, adding supported_point_formats extension

ssl_cli.c:0510: |3| client hello, adding encrypt_then_mac extension

ssl_cli.c:0544: |3| client hello, adding extended_master_secret extension

ssl_cli.c:0577: |3| client hello, adding session ticket extension

ssl_cli.c:1025: |3| client hello, total extension length: 94

ssl_tls.c:2701: |2| => write record

ssl_tls.c:2838: |3| output record: msgtype = 22, version = [3:1], msglen = 401

ssl_tls.c:2841: |4| dumping 'output record sent to network' (406 bytes)
ssl_tls.c:2841: |4| 0000:  16 03 01 01 91 01 00 01 8d 03 03 59 a3 cb 8d f3  ...........Y....
ssl_tls.c:2841: |4| 0010:  e1 33 3d 3d 2b 89 39 f6 71 d3 06 4c ce 92 08 f5  .3==+.9.q..L....
ssl_tls.c:2841: |4| 0020:  5e 90 63 cf 59 11 04 99 dd 1f 7a 00 01 06 c0 2c  ^.c.Y.....z....,
ssl_tls.c:2841: |4| 0030:  c0 30 00 9f c0 ad c0 9f c0 24 c0 28 00 6b c0 0a  .0.......$.(.k..
ssl_tls.c:2841: |4| 0040:  c0 14 00 39 c0 af c0 a3 c0 87 c0 8b c0 7d c0 73  ...9.........}.s
ssl_tls.c:2841: |4| 0050:  c0 77 00 c4 00 88 c0 2b c0 2f 00 9e c0 ac c0 9e  .w.....+./......
ssl_tls.c:2841: |4| 0060:  c0 23 c0 27 00 67 c0 09 c0 13 00 33 c0 ae c0 a2  .#.'.g.....3....
ssl_tls.c:2841: |4| 0070:  c0 86 c0 8a c0 7c c0 72 c0 76 00 be 00 45 c0 08  .....|.r.v...E..
ssl_tls.c:2841: |4| 0080:  c0 12 00 16 00 ab c0 a7 c0 38 00 b3 c0 36 00 91  .........8...6..
ssl_tls.c:2841: |4| 0090:  c0 91 c0 9b c0 97 c0 ab 00 aa c0 a6 c0 37 00 b2  .............7..
ssl_tls.c:2841: |4| 00a0:  c0 35 00 90 c0 90 c0 96 c0 9a c0 aa c0 34 00 8f  .5...........4..
ssl_tls.c:2841: |4| 00b0:  00 9d c0 9d 00 3d 00 35 c0 32 c0 2a c0 0f c0 2e  .....=.5.2.*....
ssl_tls.c:2841: |4| 00c0:  c0 26 c0 05 c0 a1 c0 7b 00 c0 00 84 c0 8d c0 79  .&.....{.......y
ssl_tls.c:2841: |4| 00d0:  c0 89 c0 75 00 9c c0 9c 00 3c 00 2f c0 31 c0 29  ...u.....<./.1.)
ssl_tls.c:2841: |4| 00e0:  c0 0e c0 2d c0 25 c0 04 c0 a0 c0 7a 00 ba 00 41  ...-.%.....z...A
ssl_tls.c:2841: |4| 00f0:  c0 8c c0 78 c0 88 c0 74 00 0a c0 0d c0 03 00 ad  ...x...t........
ssl_tls.c:2841: |4| 0100:  00 b7 00 95 c0 93 c0 99 00 ac 00 b6 00 94 c0 92  ................
ssl_tls.c:2841: |4| 0110:  c0 98 00 93 00 a9 c0 a5 00 af 00 8d c0 8f c0 95  ................
ssl_tls.c:2841: |4| 0120:  c0 a9 00 a8 c0 a4 00 ae 00 8c c0 8e c0 94 c0 a8  ................
ssl_tls.c:2841: |4| 0130:  00 8b 00 ff 01 00 00 5e 00 00 00 12 00 10 00 00  .......^........
ssl_tls.c:2841: |4| 0140:  0d 61 70 69 2e 69 70 69 66 79 2e 6f 72 67 00 0d  .api.ipify.org..
ssl_tls.c:2841: |4| 0150:  00 16 00 14 06 03 06 01 05 03 05 01 04 03 04 01  ................
ssl_tls.c:2841: |4| 0160:  03 03 03 01 02 03 02 01 00 0a 00 18 00 16 00 19  ................
ssl_tls.c:2841: |4| 0170:  00 1c 00 18 00 1b 00 17 00 16 00 1a 00 15 00 14  ................
ssl_tls.c:2841: |4| 0180:  00 13 00 12 00 0b 00 02 01 00 00 16 00 00 00 17  ................
ssl_tls.c:2841: |4| 0190:  00 00 00 23 00 00                                ...#..

ssl_tls.c:2416: |2| => flush output

ssl_tls.c:2435: |2| message length: 406, out_left: 406

ssl_tls.c:2441: |2| ssl->f_send() returned 406 (-0xfffffe6a)

ssl_tls.c:2460: |2| <= flush output

ssl_tls.c:2850: |2| <= write record

ssl_cli.c:1051: |2| <= write client hello

ssl_cli.c:3363: |2| client state: 2

ssl_tls.c:2416: |2| => flush output

ssl_tls.c:2428: |2| <= flush output

ssl_cli.c:1447: |2| => parse server hello

ssl_tls.c:3721: |2| => read record

ssl_tls.c:2208: |2| => fetch input

ssl_tls.c:2366: |2| in_left: 0, nb_want: 5

ssl_tls.c:2390: |2| in_left: 0, nb_want: 5

ssl_tls.c:2391: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)

ssl_tls.c:2403: |2| <= fetch input

ssl_tls.c:3478: |4| dumping 'input record header' (5 bytes)

ssl_tls.c:3478: |4| 0000:  16 03 03 00 59                                   ....Y

ssl_tls.c:3487: |3| input record: msgtype = 22, version = [3:3], msglen = 89

ssl_tls.c:2208: |2| => fetch input

ssl_tls.c:2366: |2| in_left: 5, nb_want: 94

ssl_tls.c:2390: |2| in_left: 5, nb_want: 94

ssl_tls.c:2391: |2| ssl->f_recv(_timeout)() returned 89 (-0xffffffa7)

ssl_tls.c:2403: |2| <= fetch input

ssl_tls.c:3650: |4| dumping 'input record from network' (94 bytes)

ssl_tls.c:3650: |4| 0000:  16 03 03 00 59 02 00 00 55 03 03 aa 94 44 5c 20  ....Y...U....D\ 

ssl_tls.c:3650: |4| 0010:  9d f3 4c 31 8a ae ae 67 94 2b bc db 59 39 5d 15  ..L1...g.+..Y9].

ssl_tls.c:3650: |4| 0020:  40 49 0a 78 5e 5d d7 65 4a 3c 61 20 ed 2c 8d 7d  @I.x^].eJ<a .,.}

ssl_tls.c:3650: |4| 0030:  a2 6a 22 5d 8f 5c 9b 0e c5 8b 4b 83 63 1f 81 03  .j"].\....K.c...

ssl_tls.c:3650: |4| 0040:  0a ef ea 28 3b 16 d9 28 a0 07 a9 e4 c0 2f 00 00  ...(;..(...../..

ssl_tls.c:3650: |4| 0050:  0d ff 01 00 01 00 00 0b 00 04 03 00 01 02        ..............

ssl_tls.c:3089: |3| handshake message: msglen = 89, type = 2, hslen = 89

ssl_tls.c:3754: |2| <= read record

ssl_cli.c:1527: |3| dumping 'server hello, version' (2 bytes)

ssl_cli.c:1527: |3| 0000:  03 03                                            ..

ssl_cli.c:1553: |3| server hello, current time: 2861843548

ssl_cli.c:1560: |3| dumping 'server hello, random bytes' (32 bytes)

ssl_cli.c:1560: |3| 0000:  aa 94 44 5c 20 9d f3 4c 31 8a ae ae 67 94 2b bc  ..D\ ..L1...g.+.

ssl_cli.c:1560: |3| 0010:  db 59 39 5d 15 40 49 0a 78 5e 5d d7 65 4a 3c 61  .Y9].@I.x^].eJ<a

ssl_cli.c:1640: |3| server hello, session id len.: 32

ssl_cli.c:1641: |3| dumping 'server hello, session id' (32 bytes)

ssl_cli.c:1641: |3| 0000:  ed 2c 8d 7d a2 6a 22 5d 8f 5c 9b 0e c5 8b 4b 83  .,.}.j"].\....K.

ssl_cli.c:1641: |3| 0010:  63 1f 81 03 0a ef ea 28 3b 16 d9 28 a0 07 a9 e4  c......(;..(....

ssl_cli.c:1679: |3| no session has been resumed

ssl_cli.c:1681: |3| server hello, chosen ciphersuite: c02f

ssl_cli.c:1682: |3| server hello, compress alg.: 0

ssl_cli.c:1698: |3| server hello, chosen ciphersuite: TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

ssl_cli.c:1733: |2| server hello, total extension length: 13

ssl_cli.c:1753: |3| found renegotiation extension

ssl_cli.c:1832: |3| found supported_point_formats extension

ssl_cli.c:1237: |4| point format selected: 0

ssl_cli.c:1922: |2| <= parse server hello

ssl_cli.c:3363: |2| client state: 3

ssl_tls.c:2416: |2| => flush output

ssl_tls.c:2428: |2| <= flush output

ssl_tls.c:4320: |2| => parse certificate

ssl_tls.c:3721: |2| => read record

ssl_tls.c:2208: |2| => fetch input

ssl_tls.c:2366: |2| in_left: 0, nb_want: 5

ssl_tls.c:2390: |2| in_left: 0, nb_want: 5

ssl_tls.c:2391: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)

ssl_tls.c:2403: |2| <= fetch input

ssl_tls.c:3478: |4| dumping 'input record header' (5 bytes)

ssl_tls.c:3478: |4| 0000:  16 03 03 0b 68                                   ....h

ssl_tls.c:3487: |3| input record: msgtype = 22, version = [3:3], msglen = 2920

ssl_tls.c:3518: |1| bad message length

ssl_tls.c:3729: |1| mbedtls_ssl_read_record_layer() returned -29184 (-0x7200)

ssl_tls.c:4360: |1| mbedtls_ssl_read_record() returned -29184 (-0x7200)

ssl_tls.c:6567: |2| <= handshake

 failed
  ! mbedtls_ssl_handshake returned -0x7200

Last error was: -0x7200 - SSL - An invalid SSL record was received

ssl_tls.c:7344: |2| => free

ssl_tls.c:7409: |2| <= free
 
Aug 28, 2017 08:29
Ron Eldor

Hi Antonio,
I edited your log to make it more readable.
As you can see from the log:

ssl_tls.c:3518: |1| bad message length

This is the reason for your failure. You are receiving the certificate message, which is 2920 bytes long, and you don't have enough space to read it.
This error returns because:

    if( ssl->in_msglen > MBEDTLS_SSL_BUFFER_LEN
                         - (size_t)( ssl->in_msg - ssl->in_buf ) )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
    }

Please check the value of your MBEDTLS_SSL_BUFFER_LEN, specifically, what you have configured as MBEDTLS_SSL_MAX_CONTENT_LEN , but it could be any other of the components of MBEDTLS_SSL_BUFFER_LEN:

#define MBEDTLS_SSL_BUFFER_LEN  ( MBEDTLS_SSL_MAX_CONTENT_LEN               \
                        + MBEDTLS_SSL_COMPRESSION_ADD               \
                        + 29 /* counter + header + IV */    \
                        + MBEDTLS_SSL_MAC_ADD                       \
                        + MBEDTLS_SSL_PADDING_ADD                   \
                        )

Regards,
Mbed TLS Team member
Ron

 
Aug 28, 2017 09:14
Antonio

Thanks Ron, I really appreciate.

Got it communicating with "comodorsadomainvalidationsecureserverca.crt" certificate.. getting "bad request" message, but it's not a big deal.

Now, the main problem is that I force the CIPHER_SUITE to

#define MBEDTLS_SSL_CIPHERSUITES                            \
                    MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, \
                    MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA

and also did set

#define MBEDTLS_SSL_MAX_CONTENT_LEN             4*1024  

in the "config file".. However, the response I get I can see that it still using the default..

[ Protocol is TLSv1.2 ]
    [ Ciphersuite is TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 ]
    [ Record expansion is 29 ]
    [ Maximum fragment length is 16384 ]

I want to use a very resource limited board, and I can only use MBEDTLS_SSL_MAX_CONTENT_LEN=1024 or max 2048. and also want to limit number of ciphers if necessary only the the absolutely mandatory.

again thanks in advance, I really appreciate.

 
Aug 28, 2017 10:15
Ron Eldor

Hi Antonio,
I tried setting MBEDTLS_SSL_CIPHERSUITES as you did, and I got :

ssl_cli.c:1698: |3| server hello, chosen ciphersuite: TLS-RSA-WITH-AES-128-CBC-SHA

Please check that you don't have override of MBEDTLS_SSL_CIPHERSUITES , and that oit is actually compiled in your code. Please check the list of ciphersuites that your client is sending the server, in the ClientHello message.
As for setting MBEDTLS_SSL_MAX_CONTENT_LEN=1024 or max 2048, please note the following:

/*
 * Maxium fragment length in bytes,
 * determines the size of each of the two internal I/O buffers.
 *
 * Note: the RFC defines the default size of SSL / TLS messages. If you
 * change the value here, other clients / servers may not be able to
 * communicate with you anymore. Only change this value if you control
 * both sides of the connection and have it reduced at both sides, or
 * if you're using the Max Fragment Length extension and you know all your
 * peers are using it too!
 */

If you don't control the server, and the server message size, it is not recommended to set MBEDTLS_SSL_MAX_CONTENT_LEN to 1024, or even 2048. As mentioned, you are receiving the handshake failure because the certificate message you are receiving is 2920 bytes long. Note this is not root CA certificate comodorsadomainvalidationsecureserverca.crt , but the actual server certificate, which was generated by the CA.
Regards,
Mbed TLS Team member
Ron

 
Aug 28, 2017 11:03
Antonio

Hi Ron,

Thanks.. got it working with ssl_client2.

Now I want to get it running on my board, and my configuration disabled many modules, which I did not need using the test_certificates to communicating with the /programs/ssl_server2.

So when I tried to load the server certificate, I get

" . Seeding the random number generator.. ok

. Loading the CA root certificate ... failed

! mbedtls_x509_crt_parse returned -0x262e

Last error was: -9774 - X509 - Signature algorithm (oid) is unsupported : OID - OID is not found "

I suspect something with SHA1

 
Aug 28, 2017 11:43
Ron Eldor

Hi Antonio,
As the error log mentions:
" Signature algorithm (oid) is unsupported : OID - OID is not found" when you load the CA root file. This is because the signature algorithm that is used for signing the CA root certificate is configured out of your config.h file.
If you are still using comodorsadomainvalidationsecureserverca.crt as your CA root file, the signature algorithm is SHA384, and you should verify that you have MBEDTLS_SHA512_C and MBEDTLS_RSA_C defined in your configuration.
Regards,
Mbed TLS Team member
Ron

 
Aug 28, 2017 12:31
Antonio

Hi Ron, Thanks a lot.

I need smaller certificates to work in my project (max 1.5KB and signed with SHA1, or SHA256). Memory usage is my big enemy.

If you know of a test https server that does not require large certificates, I'd appreciate a hint.

Thanks again for your patience.

 
Aug 28, 2017 13:08
Ron Eldor

Hi Antonio,
For test purposes only, you could use the ssl_server2 reference program as your server, since the CA root certificate is an RSA certificate signed with SHA256. However, if you need your client to connect to any server, you might get into problems, since you won't be able to support that server.
You should understand your use case, and test your client according to this use case.
Regards,
Mbed TLS Team member
Ron