Closed fibjs closed 9 years ago
This fails because you don't use the 'top' one, but the one below.
Try this one instead.
-----BEGIN CERTIFICATE-----
MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
-----END CERTIFICATE-----
thanks, it's solved.
@pjbakker what's 'top'? I didn't understand what you meant.
@FarhanAhmad A certificate chain runs all the way from a child certificate to the 'top' (the CA certificate). In the case of the issue above, the CA chain provided to the application contained the certificates up to (but not including) the 'top' certificate. Without that top certificate, the chain could not be verified in full.
That said, I believe the behaviour of verification has been modified in more recent versions, so you might now be able to provide a 'middle' certificate as trusted instead. Maybe @sbutcher-arm can comment on that?
@pjbakker I am facing a similar error ('-9984 - X509 - Certificate verification failed, e.g. CRL, CA or signature check failed') at the 'mbedtls_ssl_handshake' call. I am new to mbed tls, and I don't know much of the fundamentals of it. I referred to the programs/ssl/ssl_server2.c and ssl_client2.c files. Following is my scenario, please tell me if I am doing anything wrong.
1) I have my own ca.cert, server.cert, client.cert, server.key, client.key and ca.key files. Following is my piece of code at the server side and client side:
``
/* Server side: load the trusted CA(s), the server's own certificate and its private key */
int ret = mbedtls_x509_crt_parse_file(&cacert, ca_file);
if (ret != 0) {
    mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file returned %d\n\n", ret );
    goto exit;
}
ret = mbedtls_x509_crt_parse_file(&srvcert, server_file);
if (ret != 0) {
    mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file returned %d\n\n", ret );
    goto exit;
}
ret = mbedtls_pk_parse_keyfile(&pkey, serverkey_file, password);
if (ret != 0) {
    mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile server returned %d\n\n", ret );
    goto exit;
}
..............
..............
/* Trusted CAs for verifying the peer's certificate, then the server's own cert and key */
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 )
{
    mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
    goto exit;
}
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
    mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
    goto exit;
}
........................
.....................
// Performing the SSL/TLS handshake...
while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
{
    if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
    {
        mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned %d\n\n", ret );
        goto reset;
    }
}
``
``
/* Client side: load the trusted CA(s), the client's own certificate and its private key */
ret = mbedtls_x509_crt_parse_file(&cd->ca_cert, ca_cert_filename);
if (ret != 0) {
    mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file of ca returned %d\n\n", ret );
    exit(ret);
}
ret = mbedtls_x509_crt_parse_file(&cd->client_cert, client_cert_filename);
if (ret != 0) {
    mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file of client returned %d\n\n", ret );
    exit(ret);
}
ret = mbedtls_pk_parse_keyfile(&cd->client_pkey, client_key_filename, password);
if (ret != 0) {
    mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile client returned %d\n\n", ret );
    exit(ret);
}
/* Require the server certificate to verify; ca_cert is the trust anchor used for that */
mbedtls_ssl_conf_authmode( &cd->conf, MBEDTLS_SSL_VERIFY_REQUIRED );
mbedtls_ssl_conf_ca_chain( &cd->conf, &cd->ca_cert, NULL );
if( ( ret = mbedtls_ssl_conf_own_cert( &cd->conf, &cd->client_cert, &cd->client_pkey ) ) != 0 )
{
    mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
    exit(ret);
}
......................
........................
if( ( ret = mbedtls_ssl_setup( &cd->ssl, &cd->conf ) ) != 0 )
{
    mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
    freeClientTLSData(ret, cd);
    exit(ret);
}
while( ( ret = mbedtls_ssl_handshake( &cd->ssl ) ) != 0 )
{
    if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
    {
        mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret );
        freeClientTLSData(ret, cd);
        exit(ret);
    }
}
``
Please let me know if I am doing anything wrong in the order of the 'mbedtls_ssl_conf_ca_chain' and 'mbedtls_ssl_conf_own_cert' calls, or anything else. And also, which certificates (ca, client, server certs) are mainly required in the server-side and client-side code?
Thanks in advance.
My issue is resolved. I was facing it because the certificates I am using are invalid.
@PravallikaKG yes, because you haven't self-signed them.
How did you solve it? I am meeting something like it:
ssl_tls.c:4643: |1| x509_verify_cert() returned -9984 (-0x2700)
mbedtls_ssl_handshake() returned -0x2700
Can you help me, thanks
@Carmeloning Certificate verification failure can happen for many reasons. For example, you haven't set the correct trusted root certificate.
The error -0x2700 is MBEDTLS_ERR_X509_CERT_VERIFY_FAILED and is returned when the certificate verification fails.
You should check the verification flags as well.
I had a similar error when I was generating the Root CA certificate from a 1024-bit RSA key. I was using an ESP32 board. How did you generate it? If you are using an RSA key, how many bits does it have?
@martinius96 As you can see in the default profile used for certificate verification, the minimal key size allowed is 2048 bits. This is because a 1024-bit key size is insecure.
@RonEld Thanks a lot... finally I found it in the code. I spent 3 months trying to solve why it wasn't working, and I was using a 1024-bit RSA key... :( :D :-)
@Carmeloning Certificate verification failure can happen for many reasons. For example, you have not set the correct trusted root certificate. When certificate verification fails, the error -0x2700 MBEDTLS_ERR_X509_CERT_VERIFY_FAILED is returned. You should also check the verification flags.
I used the server to give me the root certificate in the browser test and the server handshake is able to pass, but when I use Mbed it fails and returns like this:
Starting mbed-os-example-tls/tls-client
Using Mbed OS 5.9.7
[EasyConnect] IPv4 mode
[EasyConnect] Using WiFi (ESP8266)
[EasyConnect] Connecting to WiFi GE
[EasyConnect] Connected to Network successfully
[EasyConnect] MAC address 84:0d:8e:97:40:ca
[EasyConnect] IP address 192.168.1.15
Successfully connected to 39.108.211.173 at port 443
Starting the TLS handshake...
ssl_tls.c:6717: |2| => handshake
ssl_cli.c:3386: |2| client state: 0
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2483: |2| <= flush output
ssl_cli.c:3386: |2| client state: 1
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2483: |2| <= flush output
ssl_cli.c:770: |2| => write client hello
ssl_tls.c:2764: |2| => write record
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2489: |2| message length: 189, out_left: 189
ssl_tls.c:2496: |2| ssl->f_send() returned 189 (-0xffffff43)
ssl_tls.c:2523: |2| <= flush output
ssl_tls.c:2922: |2| <= write record
ssl_cli.c:1085: |2| <= write client hello
ssl_cli.c:3386: |2| client state: 2
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2483: |2| <= flush output
ssl_cli.c:1478: |2| => parse server hello
ssl_tls.c:3809: |2| => read record
ssl_tls.c:2252: |2| => fetch input
ssl_tls.c:2412: |2| in_left: 0, nb_want: 5
ssl_tls.c:2436: |2| in_left: 0, nb_want: 5
ssl_tls.c:2438: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
ssl_tls.c:2458: |2| <= fetch input
ssl_tls.c:2252: |2| => fetch input
ssl_tls.c:2412: |2| in_left: 5, nb_want: 66
ssl_tls.c:2436: |2| in_left: 5, nb_want: 66
ssl_tls.c:2438: |2| ssl->f_recv(_timeout)() returned 61 (-0xffffffc3)
ssl_tls.c:2458: |2| <= fetch input
ssl_tls.c:3846: |2| <= read record
ssl_cli.c:1760: |2| server hello, total extension length: 17
ssl_cli.c:1949: |2| <= parse server hello
ssl_cli.c:3386: |2| client state: 3
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2483: |2| <= flush output
ssl_tls.c:4376: |2| => parse certificate
ssl_tls.c:3809: |2| => read record
ssl_tls.c:2252: |2| => fetch input
ssl_tls.c:2412: |2| in_left: 0, nb_want: 5
ssl_tls.c:2436: |2| in_left: 0, nb_want: 5
ssl_tls.c:2438: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
ssl_tls.c:2458: |2| <= fetch input
ssl_tls.c:2252: |2| => fetch input
ssl_tls.c:2412: |2| in_left: 5, nb_want: 877
ssl_tls.c:2436: |2| in_left: 5, nb_want: 877
ssl_tls.c:2438: |2| ssl->f_recv(_timeout)() returned 872 (-0xfffffc98)
ssl_tls.c:2458: |2| <= fetch input
ssl_tls.c:3846: |2| <= read record
Verifying certificate at depth 0:
cert. version : 1
serial number : 8D:9E:62:C5:CC:7A:BA:B6
issuer name : C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myCA
subject name : C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myServer
issued on : 2019-01-14 02:25:20
expires on : 2020-01-14 02:25:20
signed using : RSA with SHA1
RSA key size : 2048 bits
ssl_tls.c:4643: |1| x509_verify_cert() returned -9984 (-0x2700)
ssl_tls.c:4180: |2| => send alert message
ssl_tls.c:2764: |2| => write record
ssl_tls.c:2471: |2| => flush output
ssl_tls.c:2489: |2| message length: 7, out_left: 7
ssl_tls.c:2496: |2| ssl->f_send() returned 7 (-0xfffffff9)
ssl_tls.c:2523: |2| <= flush output
ssl_tls.c:2922: |2| <= write record
ssl_tls.c:4193: |2| <= send alert message
ssl_tls.c:4740: |2| <= parse certificate
ssl_tls.c:6727: |2| <= handshake
mbedtls_ssl_handshake() returned -0x2700
FAIL
ssl_tls.c:7495: |2| => free
ssl_tls.c:7560: |2| <= free
@Carmeloning Have you checked the verification flags? They are not shown in this log.
Without too much information in this log, I can guess two possible reasons for your failure:
1) mbedtls_ssl_conf_ca_chain()
2) MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES in your configuration. SHA1 is considered not a secure hash, and by default is not allowed to be used in certificates in Mbed TLS.
ssl client connect error:
certdata.txt
result: