Add client authentication with certificates #3

AnthonyGrondin · 2023-04-13T22:04:03Z

Enable the ability to pass a client certificate for client authentication.

Testing: cargo run --release --example async_client --features=async

Testing the certs with curl:

Move the certificate and private key in their own files
curl https://certauth.cryptomix.com/json/ --key <PRIVATE_KEY>.pem --cert <Certificate>.pem -v

Currently, this returns an error, MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE, and I don't know why it happens,
with MBEDTLS_SSL_VERIFY_OPTIONAL the error changes for MBEDTLS_ERR_SSL_BAD_CONFIG.
FIXED

TODOs:

Adapt other examples to new function signature
- I wonder if we should move the handling of certs in its own struct.
  This would make breaking changes less frequents in the future, and reduce the number of arguments
  The functions about certificates could also be moved there to reduce complexity
Add other examples:
- esp32s3
- esp32c3
- esp32
Enable the usage of a password for private keys.
- Currently, it is hardcoded that the private key doesn't use a password.
  We can allow the passing of a key, but that would increase the number of arguments even more,
  hence the discussion of using a struct to handle certs.

bjoernQ · 2023-04-14T08:57:52Z

I tested this on ESP32-C3 with debug output (we are not able to get debug output on Xtensa currently because there is a problem with variadic args)

Start tls connect
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3939 => handshake
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2124 => flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2133 <= flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3859 client state: MBEDTLS_SSL_HELLO_REQUEST
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2124 => flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2133 <= flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3859 client state: MBEDTLS_SSL_CLIENT_HELLO
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_client.c:906 => write client hello
INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_generic.c:1471 Perform PSA-based ECDH computation.
INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_client.c:258 got supported group(1d)
INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_client.c:258 got supported group(17)
INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_client.c:258 got supported group(18)
INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_client.c:258 got supported group(1e)
INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_client.c:258 got supported group(19)
INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_client.c:258 got supported group(1a)
INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_client.c:258 got supported group(1b)
INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_client.c:258 got supported group(1c)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2554 => write handshake message
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2714 => write record
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2851 <= write record
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2675 <= write handshake message
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_client.c:994 <= write client hello
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2124 => flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2138 message length: 221, out_left: 221
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2145 ssl->f_send() returned 221 (-0xffffff23)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2172 <= flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3859 client state: MBEDTLS_SSL_SERVER_HELLO
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_client.c:2039 => ssl_tls13_process_server_hello
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:3887 => read record
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 0, nb_want: 5
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 0, nb_want: 5
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_client.c:2086 <= ssl_tls13_process_server_hello ( ServerHello )
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3950 <= handshake
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3939 => handshake
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2124 => flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2133 <= flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3859 client state: MBEDTLS_SSL_SERVER_HELLO
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_client.c:2039 => ssl_tls13_process_server_hello
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:3887 => read record
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 0, nb_want: 5
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 0, nb_want: 5
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2089 ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2111 <= fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 5, nb_want: 127
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 5, nb_want: 127
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2089 ssl->f_recv(_timeout)() returned 122 (-0xffffff86)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2111 <= fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:3959 <= read record
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_client.c:1520 received ServerHello message
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_client.c:491 ECDH curve: x25519
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_keys.c:1339 => ssl_tls13_generate_handshake_keys
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_keys.c:1425 <= ssl_tls13_generate_handshake_keys
INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_client.c:1991 Switch to handshake keys for inbound traffic
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_client.c:2086 <= ssl_tls13_process_server_hello ( ServerHello )
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2124 => flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2133 <= flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3859 client state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_client.c:2220 => parse encrypted extensions
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:3887 => read record
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 0, nb_want: 5
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 0, nb_want: 5
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2089 ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2111 <= fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 5, nb_want: 6
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 5, nb_want: 6
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2089 ssl->f_recv(_timeout)() returned 1 (-0xffffffff)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2111 <= fetch input
INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:4770 Ignore ChangeCipherSpec in TLS 1.3 compatibility mode
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 0, nb_want: 5
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 0, nb_want: 5
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2089 ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2111 <= fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 5, nb_want: 32
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 5, nb_want: 32
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2089 ssl->f_recv(_timeout)() returned 27 (-0xffffffe5)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2111 <= fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1291 => decrypt buf
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1892 <= decrypt buf
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:3959 <= read record
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_client.c:2254 <= parse encrypted extensions
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2124 => flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2133 <= flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3859 client state: MBEDTLS_SSL_CERTIFICATE_REQUEST
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_client.c:2467 => parse certificate request
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:3887 => read record
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 0, nb_want: 5
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 0, nb_want: 5
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2089 ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2111 <= fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 5, nb_want: 67
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 5, nb_want: 67
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2089 ssl->f_recv(_timeout)() returned 62 (-0xffffffc2)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2111 <= fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1291 => decrypt buf
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1892 <= decrypt buf
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:3959 <= read record
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:3887 => read record
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:3955 reuse previously read message
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:3959 <= read record
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_client.c:2497 <= parse certificate request
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2124 => flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2133 <= flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3859 client state: MBEDTLS_SSL_SERVER_CERTIFICATE
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_generic.c:747 => parse certificate
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:3887 => read record
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 0, nb_want: 5
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 0, nb_want: 5
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2089 ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2111 <= fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 5, nb_want: 4321
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 5, nb_want: 4321
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2089 ssl->f_recv(_timeout)() returned 500 (-0xfffffe0c)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 505, nb_want: 4321
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_generic.c:770 <= parse certificate
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3950 <= handshake
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3939 => handshake
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2124 => flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2133 <= flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3859 client state: MBEDTLS_SSL_SERVER_CERTIFICATE
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_generic.c:747 => parse certificate
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:3887 => read record
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 505, nb_want: 5
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2111 <= fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 505, nb_want: 4321
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 505, nb_want: 4321
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2089 ssl->f_recv(_timeout)() returned 737 (-0xfffffd1f)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 1242, nb_want: 4321
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_generic.c:770 <= parse certificate
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3950 <= handshake
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3939 => handshake
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2124 => flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2133 <= flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3859 client state: MBEDTLS_SSL_SERVER_CERTIFICATE
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_generic.c:747 => parse certificate
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:3887 => read record
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 1242, nb_want: 5
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2111 <= fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 1242, nb_want: 4321
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 1242, nb_want: 4321
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2089 ssl->f_recv(_timeout)() returned 1474 (-0xfffffa3e)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 2716, nb_want: 4321
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_generic.c:770 <= parse certificate
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3950 <= handshake
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3939 => handshake
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2124 => flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2133 <= flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3859 client state: MBEDTLS_SSL_SERVER_CERTIFICATE
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_generic.c:747 => parse certificate
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:3887 => read record
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 2716, nb_want: 5
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2111 <= fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 2716, nb_want: 4321
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 2716, nb_want: 4321
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2089 ssl->f_recv(_timeout)() returned 1474 (-0xfffffa3e)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 4190, nb_want: 4321
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_generic.c:770 <= parse certificate
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3950 <= handshake
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3939 => handshake
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2124 => flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2133 <= flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3859 client state: MBEDTLS_SSL_SERVER_CERTIFICATE
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_generic.c:747 => parse certificate
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:3887 => read record
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 4190, nb_want: 5
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2111 <= fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 4190, nb_want: 4321
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 4190, nb_want: 4321
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2089 ssl->f_recv(_timeout)() returned 131 (-0xffffff7d)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2111 <= fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1291 => decrypt buf
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1892 <= decrypt buf
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:3959 <= read record
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_generic.c:770 <= parse certificate
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2124 => flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2133 <= flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3859 client state: MBEDTLS_SSL_CERTIFICATE_VERIFY
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_generic.c:295 => parse certificate verify
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:3887 => read record
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 0, nb_want: 5
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 0, nb_want: 5
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2089 ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2111 <= fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1926 => fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2066 in_left: 5, nb_want: 542
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2086 in_left: 5, nb_want: 542
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2089 ssl->f_recv(_timeout)() returned 537 (-0xfffffde7)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2111 <= fetch input
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1291 => decrypt buf
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:1892 <= decrypt buf
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:3959 <= read record
WARN - Unable to allocate 1036 bytes
INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_generic.c:268 mbedtls_pk_verify_ext() returned -17040 (-0x4290)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_generic.c:338 <= parse certificate verify
INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_generic.c:339 mbedtls_ssl_tls13_process_certificate_verify() returned -28160 (-0x6e00)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:4868 => send alert message
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2714 => write record
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2124 => flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2138 message length: 7, out_left: 7
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2145 ssl->f_send() returned 7 (-0xfffffff9)
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2172 <= flush output
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:2851 <= write record
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:4880 <= send alert message
INFO - 2 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls.c:3950 <= handshake

-0x4290 is likely MBEDTLS_ERR_RSA_KEY_CHECK_FAILED

bjoernQ · 2023-04-14T13:09:24Z

I made some progress.

First thing was increasing the heap ( https://github.com/esp-rs/esp-wifi/blob/cce6738220f4f12ab4db92f74295e762f5425e99/esp-wifi/src/lib.rs#L96 ) to 110k

Then I was able to get through the handshake on ESP32-C3 but I wasn't able to receive data afterwards. Since there might be problems with the async IO I basically did the same things you did for async for the sync API.

Now on ESP32-C3 I get this with a sync_client.rs example

Call wifi_connect
Wait to get connected
Wait to get an ip address
Got ip Ok(IpInfo { ip: 192.168.137.131, subnet: Subnet { gateway: 192.168.137.1, mask: Mask(24) }, dns: Some(192.168.137.1), secondary_dns: None })
We are connected!
Making HTTP request
Start tls connect
INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_generic.c:1471 Perform PSA-based ECDH computation.

INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_client.c:258 got supported group(1d)

INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_client.c:258 got supported group(17)

INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_client.c:258 got supported group(18)

INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_client.c:258 got supported group(1e)

INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_client.c:258 got supported group(19)

INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_client.c:258 got supported group(1a)

INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_client.c:258 got supported group(1b)

INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_client.c:258 got supported group(1c)

INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_client.c:1991 Switch to handshake keys for inbound traffic

INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:4770 Ignore ChangeCipherSpec in TLS 1.3 compatibility mode

INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_generic.c:339 mbedtls_ssl_tls13_process_certificate_verify() returned 0 (-0x00)

INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_client.c:2584 Switch to handshake traffic keys for outbound traffic

INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_generic.c:1278 Switch to application keys for inbound traffic

INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_tls13_generic.c:1281 Switch to application keys for outbound traffic

Write to connection
Read from connection
INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:5483 mbedtls_ssl_handshake() returned -31488 (-0x7b00)

INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:5483 mbedtls_ssl_handshake() returned -31488 (-0x7b00)

HTTP/1.1 200 OK
Date: Fri, 14 Apr 2023 12:50:28 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000
Content-Length: 2051
Connection: close
Content-Type: application/json

{"HTTPS":"on","SSL_SERVER_S_DN_CN":"certauth.cryptomix.com","SSL_SERVER_I_DN_C":"US","SSL_SERVER_I_DN_O":"Let's Encrypt","SSL_SERVER_I_DN_CN":"R3","SSL_CLIENT_S_DN_CN":"esp-mbedtls","SSL_CLIENT_I_DN_CN":"esp-mbedtls.local","SSL_CLIENT_I_DN_O":"Server Certificate","SSL_SERVER_SAN_DNS_0":"certauth.cryptomix.com","SSL_VERSION_INTERFACE":"mod_ssl\/2.4.41","SSL_VERSION_LIBRARY":"OpenSSL\/1.1.1f","SSL_PROTOCOL":"TLSv1.3","SSL_SECURE_RENEG":"true","SSL_COMPRESS_METHOD":"NULL","SSL_CIPHER":"TLS_AES_256_GCM_SHA384","SSL_CIPHER_EXPORT":"false","SSL_CIPHER_USEKEYSIZE":"256","SSL_CIPHER_ALGKEYSIZE":"256","SSL_CLIENT_VERIFY":"FAILED:unable to verify the first certificate","SSL_CLIENT_M_VERSION":"1","SSL_CLIENT_M_SERIAL":"01","SSL_CLIENT_V_START":"Apr 13 21:46:56 2023 GMT","SSL_CLIENT_V_END":"Apr 12 21:46:56 2024 GMT","SSL_CLIENT_V_REMAIN":"365","SSL_CLIENT_S_DN":"CN=esp-mbedtls","SSL_CLIENT_I_DN":"O=Server Certificate,CN=esp-mbedtls.local","SSL_CLIENT_A_KEY":"rsaEncryption","SSL_CLIENT_A_SIG":"sha256WithRSAEncryption","SSL_CLIENT_CERT_RFC4523_CEA":"{ serialNumber 1, issuer rdnSequence:\"O=Server Certificate,CN=esp-mbedtls.local\" }","SSL_SERVER_M_VERSION":"3","SSL_SERVER_M_SERIAL":"0320F49350E2EB81C9F8EA4820C2021F2BFC","SSL_SERVER_V_START":"Mar  8 02:07:24 2023 GMT","SSL_SERVER_V_END":"Jun  6 02:07:23 2023 GMT","SSL_SERVER_S_DN":"CN=certauth.cryptomix.com","SSL_SERVER_I_DN":"CN=R3,O=Let's Encrypt,C=US","SSL_SERVER_A_KEY":"rsaEncryption","SSL_SERVER_A_SIG":"sha256WithRSAEncryption","SSL_SESSION_ID":"91fc101a9672056fbd0cca993423d9261310be6196378f43f486c7146060153d","SSL_SESSION_RESUMED":"Initial","HTTP_HOST":"certauth.cryptomix.com","SERVER_SIGNATURE":"","SERVER_SOFTWARE":"Apache","SERVER_NAME":"certauth.cryptomix.com","SERVER_ADDR":"62.210.201.125","SERVER_PORT":"443","REMOTE_ADDR":"84.59.185.27","REQUEST_SCHEME":"https","REMOTE_PORT":"63030","GATEWAY_INTERFACE":"CGI\/1.1","SERVER_PROTOCOL":"HTTP\/1.0","REQUEST_METHOD":"GET","QUERY_STRING":"","REQUEST_URI":"\/json\/","REQUEST_TIME_FLOAT":1681476628.903,"REQUEST_TIME":1681476628}
INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:3942 mbedtls_ssl_handle_message_type() returned -30848 (-0x7880)

INFO - 1 /mnt/c/projects/esp/esp-mbedtls/build_mbedtls/tmpsrc/mbedtls/library/ssl_msg.c:5501 mbedtls_ssl_read_record() returned -30848 (-0x7880)


Done

However, no luck so far with ESP32-S3 and ESP32.
Maybe this is a good hint: espressif/esp-idf@dc34d49

bjoernQ · 2023-04-14T14:07:28Z

Seems there is really some mis-compilation / mis-optimization. Building mbedtls in debug mode made it kind of work on ESP32-S3

I (43) boot: ESP-IDF v5.0-beta1-764-gdbcf640261 2nd stage bootloader
I (43) boot: compile time 11:32:39
I (43) boot: chip revision: V001
I (47) boot_comm: chip revision: 1, min. bootloader chip revision: 0
I (54) boot.esp32s3: Boot SPI Speed : 80MHz
I (59) boot.esp32s3: SPI Mode       : DIO
I (63) boot.esp32s3: SPI Flash Size : 8MB
I (68) boot: Enabling RNG early entropy source...
I (73) boot: Partition Table:
I (77) boot: ## Label            Usage          Type ST Offset   Length
I (84) boot:  0 nvs              WiFi data        01 02 00009000 00006000
I (92) boot:  1 phy_init         RF data          01 01 0000f000 00001000
I (99) boot:  2 factory          factory app      00 00 00010000 007f0000
I (107) boot: End of partition table
I (111) boot_comm: chip revision: 1, min. application chip revision: 0
I (118) esp_image: segment 0: paddr=00010020 vaddr=3c0c0020 size=2e970h (190832) map
I (161) esp_image: segment 1: paddr=0003e998 vaddr=3fc8d310 size=0128ch (  4748) load
I (162) esp_image: segment 2: paddr=0003fc2c vaddr=3fcb5214 size=00168h (   360) load
I (167) esp_image: segment 3: paddr=0003fd9c vaddr=40378000 size=0027ch (   636) load
I (175) esp_image: segment 4: paddr=00040020 vaddr=42000020 size=b755ch (750940) map
I (318) esp_image: segment 5: paddr=000f7584 vaddr=4037827c size=05094h ( 20628) load
I (325) boot: Loaded app from partition at offset 0x10000
I (326) boot: Disabling RNG early entropy source...
Call wifi_connect
Wait to get connected
Wait to get an ip address
Got ip Ok(IpInfo { ip: 192.168.137.59, subnet: Subnet { gateway: 192.168.137.1, mask: Mask(24) }, dns: Some(192.168.137.1), secondary_dns: None })
We are connected!
Making HTTP request
Start tls connect
Write to connection
Read from connection
HTTP/1.1 200 OK
Date: Fri, 14 Apr 2023 14:04:31 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000
Content-Length: 2051
Connection: close
Content-Type: application/json

{"HTTPS":"on","SSL_SERVER_S_DN_CN":"certauth.cryptomix.com","SSL_SERVER_I_DN_C":"US","SSL_SERVER_I_DN_O":"Let's Encrypt","SSL_SERVER_I_DN_CN":"R3","SSL_CLIENT_S_DN_CN":"esp-mbedtls","SSL_CLIENT_I_DN_CN":"esp-mbedtls.local","SSL_CLIENT_I_DN_O":"Server Certificate","SSL_SERVER_SAN_DNS_0":"certauth.cryptomix.com","SSL_VERSION_INTERFACE":"mod_ssl\/2.4.41","SSL_VERSION_LIBRARY":"OpenSSL\/1.1.1f","SSL_PROTOCOL":"TLSv1.3","SSL_SECURE_RENEG":"true","SSL_COMPRESS_METHOD":"NULL","SSL_CIPHER":"TLS_AES_256_GCM_SHA384","SSL_CIPHER_EXPORT":"false","SSL_CIPHER_USEKEYSIZE":"256","SSL_CIPHER_ALGKEYSIZE":"256","SSL_CLIENT_VERIFY":"FAILED:unable to verify the first certificate","SSL_CLIENT_M_VERSION":"1","SSL_CLIENT_M_SERIAL":"01","SSL_CLIENT_V_START":"Apr 13 21:46:56 2023 GMT","SSL_CLIENT_V_END":"Apr 12 21:46:56 2024 GMT","SSL_CLIENT_V_REMAIN":"365","SSL_CLIENT_S_DN":"CN=esp-mbedtls","SSL_CLIENT_I_DN":"O=Server Certificate,CN=esp-mbedtls.local","SSL_CLIENT_A_KEY":"rsaEncryption","SSL_CLIENT_A_SIG":"sha256WithRSAEncryption","SSL_CLIENT_CERT_RFC4523_CEA":"{ serialNumber 1, issuer rdnSequence:\"O=Server Certificate,CN=esp-mbedtls.local\" }","SSL_SERVER_M_VERSION":"3","SSL_SERVER_M_SERIAL":"0320F49350E2EB81C9F8EA4820C2021F2BFC","SSL_SERVER_V_START":"Mar  8 02:07:24 2023 GMT","SSL_SERVER_V_END":"Jun  6 02:07:23 2023 GMT","SSL_SERVER_S_DN":"CN=certauth.cryptomix.com","SSL_SERVER_I_DN":"CN=R3,O=Let's Encrypt,C=US","SSL_SERVER_A_KEY":"rsaEncryption","SSL_SERVER_A_SIG":"sha256WithRSAEncryption","SSL_SESSION_ID":"326a2f70d4d95eb8d72c128739c16a11f5712892a9e4b4a572615c36af7db666","SSL_SESSION_RESUMED":"Initial","HTTP_HOST":"certauth.cryptomix.com","SERVER_SIGNATURE":"","SERVER_SOFTWARE":"Apache","SERVER_NAME":"certauth.cryptomix.com","SERVER_ADDR":"62.210.201.125","SERVER_PORT":"443","REMOTE_ADDR":"84.59.185.27","REQUEST_SCHEME":"https","REMOTE_PORT":"63039","GATEWAY_INTERFACE":"CGI\/1.1","SERVER_PROTOCOL":"HTTP\/1.0","REQUEST_METHOD":"GET","QUERY_STRING":"","REQUEST_URI":"\/json\/","REQUEST_TIME_FLOAT":1681481071.264,"REQUEST_TIME":1681481071}

Done

But the handshake takes forever to complete - also on ESP32 it still doesn't seem to work

bjoernQ · 2023-04-17T14:33:52Z

Some interesting observations - probably more as a note to self:

got the sync version to work by compiling the Xtensa libs with Clang
the async example didn't work because there was an "ICMP Fragmentation needed" - next hop max is 1492 while esp-wifi defaults to 1514 - changing the MTU in esp-wifi to 1492 made it work (should be handled by smoltcp I guess - apparently with sync the MTU limit isn't hit because we can send data immediately over the wire there

bjoernQ · 2023-04-18T11:30:33Z

After rebasing this should work now

AnthonyGrondin · 2023-04-18T15:01:30Z

Great! I'm gonna test it on my side and finish this PR.
Thanks for the bugfix

AnthonyGrondin · 2023-04-18T20:12:15Z

Oops didn't mean to do that.

esp-mbedtls/src/lib.rs

- Add example for sync esp32s3 - Enable usage of encrypted key with password - Move certificates to a struct

AnthonyGrondin · 2023-04-18T23:46:10Z

Everything seems to work for now. I'm waiting for a first review before doing the other examples.

Not sure if it's related to this PR, but it seems like the closing of connection isn't done properly.
This can be viewed by either resetting the chip many times, or by flashing the chip multiple times in a row, after a connection is done.

The given error is:

WARN - esp_wifi_internal_tx 12290
start connection task
Device capabilities: Ok(EnumSet(Client | AccessPoint))
Starting wifi
Wifi started!
About to connect...
Wifi connected!
Waiting to get IP address...
Got IP: 192.168.69.163/24
connecting...
connect error: ConnectionReset

esp-mbedtls/src/lib.rs

AnthonyGrondin · 2023-04-19T06:58:27Z

I'm wondering if we should unify it under a single function to reduce duplication. Most of the body for Session::new() in blocking (sync) and async is essentially the same.

bjoernQ · 2023-04-19T07:17:04Z

I'm wondering if we should unify it under a single function to reduce duplication. Most of the body for Session::new() in blocking (sync) and async is essentially the same.

Agreed - I think I wanted to do it like that in the beginning but when the problems with the pre-compiled binaries kicked in I just went that way

The new examples seem to work fine for me on ESP32-S3 - the other examples need adjustments because of the changes to the constructor

Great work!

- Fix existing examples to use the new Certificates struct

bjoernQ · 2023-04-24T07:50:44Z

Nice! Seems like the new examples for ESP32 and ESP32-C3 are missing an `use esp_mbedtls::Certificates;´ - I probably should setup CI in this repo

@MabezDev works fine with our Rust 1.68 but with Rust 1.69 I see it gets stuck at the connection to the access point on ESP32-S3, again 😢 I tried tinkering with opt-level and lto etc. without success

AnthonyGrondin · 2023-04-25T02:45:22Z

I added the imports that I missed. I've only tested on esp32s3, as it's the only device I have on hand.

I think some optimizations could be made, by not allocating memory for certificates, if we don't use them. This would be especially useful when not using client certificates, but I'm not sure about the behavior of freeing memory that hasn't been allocated, when dropping the Session struct.

bjoernQ · 2023-04-25T06:32:22Z

I tested on ESP32 and ESP32-C3 - everything fine now.

I'd say this is fine to get merged now. The suggested optimization totally makes sense - if some memory isn't allocated there would be a null-pointer which should get checked in drop before the call to free

Would be perfectly fine to do the optimization in a follow-up PR and we merge this - not sure what option you'd prefer. Just let me know and I'll approve and merge this

AnthonyGrondin · 2023-04-25T10:47:10Z

I think we should merge this, then do the optimizations in another PR.

I've implemented the functionnalities that I needed, and I would leave you with the optimization part.

bjoernQ

LGTM

Add client authentication with certificates

9b92319

bjoernQ mentioned this pull request Apr 18, 2023

Fixes #4

Merged

AnthonyGrondin closed this Apr 18, 2023

AnthonyGrondin force-pushed the main branch from 9b92319 to 2d03e33 Compare April 18, 2023 20:06

AnthonyGrondin reopened this Apr 18, 2023

Merge branch 'main' of https://github.com/AnthonyGrondin/esp-mbedtls

994a536

AnthonyGrondin force-pushed the main branch from a0957a5 to 994a536 Compare April 18, 2023 20:13

AnthonyGrondin commented Apr 18, 2023

View reviewed changes

esp-mbedtls/src/lib.rs Outdated Show resolved Hide resolved

feat(mTLS): Enable client certificates for sync

e4ad3ca

- Add example for sync esp32s3 - Enable usage of encrypted key with password - Move certificates to a struct

bjoernQ reviewed Apr 19, 2023

View reviewed changes

esp-mbedtls/src/lib.rs Show resolved Hide resolved

bjoernQ reviewed Apr 19, 2023

View reviewed changes

esp-mbedtls/src/lib.rs Show resolved Hide resolved

bjoernQ reviewed Apr 19, 2023

View reviewed changes

esp-mbedtls/src/lib.rs Outdated Show resolved Hide resolved

bjoernQ reviewed Apr 19, 2023

View reviewed changes

esp-mbedtls/src/lib.rs Outdated Show resolved Hide resolved

AnthonyGrondin added 3 commits April 23, 2023 03:41

feat(mTLS): Unify SSL initialization

d9ecc0e

feat(mTLS): Add client certificate examples for esp32 and esp32c3

757a6d3

- Fix existing examples to use the new Certificates struct

feat(mTLS): Do not print error when reaching EOF

3b90ecc

AnthonyGrondin marked this pull request as ready for review April 23, 2023 08:21

fix(mTLS): Add missing import for examples on esp32 and esp32c3

26705ed

bjoernQ approved these changes Apr 25, 2023

View reviewed changes

bjoernQ merged commit f40e2a8 into esp-rs:main Apr 25, 2023

Add client authentication with certificates #3

Add client authentication with certificates #3

Uh oh!

Conversation

AnthonyGrondin commented Apr 13, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

bjoernQ commented Apr 14, 2023

Uh oh!

bjoernQ commented Apr 14, 2023

Uh oh!

bjoernQ commented Apr 14, 2023

Uh oh!

bjoernQ commented Apr 17, 2023

Uh oh!

bjoernQ commented Apr 18, 2023

Uh oh!

AnthonyGrondin commented Apr 18, 2023

Uh oh!

AnthonyGrondin commented Apr 18, 2023

Uh oh!

Uh oh!

AnthonyGrondin commented Apr 18, 2023

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

AnthonyGrondin commented Apr 19, 2023

Uh oh!

bjoernQ commented Apr 19, 2023

Uh oh!

bjoernQ commented Apr 24, 2023

Uh oh!

AnthonyGrondin commented Apr 25, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

bjoernQ commented Apr 25, 2023

Uh oh!

AnthonyGrondin commented Apr 25, 2023

Uh oh!

bjoernQ left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

AnthonyGrondin commented Apr 13, 2023 •

edited

Loading

AnthonyGrondin commented Apr 25, 2023 •

edited

Loading