espressif / esp-aws-iot

AWS IoT SDK for ESP32 based chipsets
Apache License 2.0

TLS 1.3 mbedtls_ssl_handshake returns -0x6C00 (CA-288) #179

Open aselafernando opened 1 year ago

aselafernando commented 1 year ago

Branch 202210.01-LTS IDF 5.0.1-stable

Running the tls_mutual_auth demo connecting to test.mosquitto.org:8884 I get a -0x6C00 error (Internal MBED TLS error).

I downloaded the root certificate for mosquitto.org and had the client certificate generated here https://test.mosquitto.org/ssl/

Key and CSR generated with

openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr

sdkconfig file used to compile: sdkconfig.txt

Here is the ESP log

I (12727) coreMQTT: Establishing a TLS session to test.mosquitto.org:8884.
I (13167) mbedtls: ssl_tls.c:3087 0x3ffcbf90: => handshake
I (13167) mbedtls: ssl_msg.c:2016 0x3ffcbf90: => flush output
I (13177) mbedtls: ssl_msg.c:2028 0x3ffcbf90: <= flush output
I (13177) mbedtls: ssl_tls.c:3007 0x3ffcbf90: client state: MBEDTLS_SSL_HELLO_REQUEST
I (13187) mbedtls: ssl_msg.c:2016 0x3ffcbf90: => flush output
I (13197) mbedtls: ssl_msg.c:2028 0x3ffcbf90: <= flush output
I (13197) mbedtls: ssl_tls.c:3007 0x3ffcbf90: client state: MBEDTLS_SSL_CLIENT_HELLO
I (13207) mbedtls: ssl_client.c:842 0x3ffcbf90: => write client hello
W (13217) mbedtls: ssl_tls13_generic.c:1464 0x3ffcbf90: Perform PSA-based ECDH computation.
W (13227) mbedtls: ssl_tls13_generic.c:1485 0x3ffcbf90: psa_generate_key() returned -27648 (-0x6c00)
I (13237) mbedtls: ssl_client.c:897 0x3ffcbf90: <= write client hello
I (13247) mbedtls: ssl_tls.c:3098 0x3ffcbf90: <= handshake
E (13247) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x6C00
I (13257) esp-tls-mbedtls: Certificate verified.
E (13257) esp-tls: Failed to open new connection
I (13277) coreMQTT: A clean MQTT connection is established. Cleaning up all the stored outgoing publishes.
I (13277) coreMQTT: Subscribing to the MQTT topic test/example/topic.
E (13287) coreMQTT: sendMessageVector: Unable to send packet: Network Error.
E (13297) coreMQTT: Failed to send SUBSCRIBE packet to broker with error = MQTTSendFailed.
I (13297) coreMQTT: Disconnecting the MQTT connection with test.mosquitto.org.
E (13307) coreMQTT: sendBuffer: Unable to send packet: Network Error.
E (13317) coreMQTT: Transport send failed for DISCONNECT packet.
E (13327) coreMQTT: Sending MQTT DISCONNECT failed with status=MQTTSendFailed.
I (13327) coreMQTT: Short delay before starting the next iteration...

If I use the non-AWS demo at esp-idf-v5.0.1\examples\protocols\mqtt\ssl_mutual_auth, I can connect with no issues.

aselafernando commented 1 year ago

Looks like the error is from psa_generate_key() when you have TLS 1.3 enabled.

After disabling TLS 1.3 I am able to connect. Is TLS 1.3 support broken?

Harshal5 commented 1 year ago

Hello @aselafernando,

Thank you for reporting the issue. Could you please try applying the attached patch to your esp-idf and check if you are able to establish a TLS 1.3 connection?

0001-esp-tls-fix-ssl-connection-and-read-issues-when-usin.patch

aselafernando commented 1 year ago

Hi @Harshal5 I tried the patch but got the following. Looks like these additions are missing a reference.

FAILED: esp-idf/esp-tls/CMakeFiles/__idf_esp-tls.dir/esp_tls_mbedtls.c.obj 
F:\Espressif\.espressif\tools\xtensa-esp32-elf\esp-2022r1-11.2.0\xtensa-esp32-elf\bin\xtensa-esp32-elf-gcc.exe -DMBEDTLS_CONFIG_FILE=\"mbedtls/esp_config.h\" -IF:/Espressif/projects/tls_mutual_auth/build/config -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp-tls-crypto -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/private_include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/newlib/platform_include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/freertos/FreeRTOS-Kernel/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/freertos/esp_additions/include/freertos -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/freertos/FreeRTOS-Kernel/portable/xtensa/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/freertos/esp_additions/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_hw_support/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_hw_support/include/soc -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_hw_support/include/soc/esp32 -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_hw_support/port/esp32/. -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_hw_support/port/esp32/private_include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/heap/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/log/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/soc/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/soc/esp32/. 
-IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/soc/esp32/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/hal/esp32/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/hal/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/hal/platform_port/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_rom/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_rom/include/esp32 -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_rom/esp32 -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_common/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_system/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_system/port/soc -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_system/port/include/private -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/xtensa/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/xtensa/esp32/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/lwip/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/lwip/include/apps -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/lwip/include/apps/sntp -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/lwip/lwip/src/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/lwip/port/esp32/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/lwip/port/esp32/include/arch -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/mbedtls/port/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/mbedtls/mbedtls/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/mbedtls/mbedtls/library -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/mbedtls/esp_crt_bundle/include 
-IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/http_parser -mlongcalls -Wno-frame-address  -fdiagnostics-color=always -ffunction-sections -fdata-sections -Wall -Werror=all -Wno-error=unused-function -Wno-error=unused-variable -Wno-error=deprecated-declarations -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-enum-conversion -gdwarf-4 -ggdb -Og -fmacro-prefix-map=F:/Espressif/projects/tls_mutual_auth=. 
-fmacro-prefix-map=F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1=/IDF -fstrict-volatile-bitfields -Wno-error=unused-but-set-variable -fno-jump-tables -fno-tree-switch-conversion -DconfigENABLE_FREERTOS_DEBUG_OCDAWARE=1 -std=gnu17 -Wno-old-style-declaration -D_GNU_SOURCE -DIDF_VER=\"v5.0.1-dirty\" -DESP_PLATFORM -D_POSIX_READER_WRITER_LOCKS -MD -MT 
esp-idf/esp-tls/CMakeFiles/__idf_esp-tls.dir/esp_tls_mbedtls.c.obj -MF esp-idf\esp-tls\CMakeFiles\__idf_esp-tls.dir\esp_tls_mbedtls.c.obj.d -o esp-idf/esp-tls/CMakeFiles/__idf_esp-tls.dir/esp_tls_mbedtls.c.obj -c F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c: In function 'esp_create_mbedtls_handle':
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c:116:5: error: unknown type name 'psa_status_t'; did you mean 'TaskStatus_t'?
  116 |     psa_status_t status;
      |     ^~~~~~~~~~~~
      |     TaskStatus_t
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c:117:14: error: implicit declaration of function 'psa_crypto_init' [-Werror=implicit-function-declaration]
  117 |     status = psa_crypto_init();
      |              ^~~~~~~~~~~~~~~
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c:118:19: error: 'PSA_SUCCESS' undeclared (first use in this function); did you mean 'XTHAL_SUCCESS'?
  118 |     if (status != PSA_SUCCESS) {
      |                   ^~~~~~~~~~~
      |                   XTHAL_SUCCESS
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c:118:19: note: each undeclared identifier is reported only once for each function it appears in
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c: In function 'esp_mbedtls_read':
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c:233:21: error: 'MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET' undeclared (first use in this function); did you mean 'MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET'?
  233 |     } while (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET);
      |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |                     MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET
cc1.exe: some warnings being treated as errors
Harshal5 commented 1 year ago

Thank you, got it! @aselafernando So, this arises because the tag v5.0.1 of ESP-IDF uses the v3.2.1 release of the mbedtls component.

As mentioned in their release notes, they have been constantly adding support and bugfixes for TLS1.3, and so the newer releases like v3.4.0 (preferred) and v3.3.0 include a large extent of TLS1.3 support.

The newer version (v3.4.0) of mbedtls has been merged in the ESP-IDF master branch and would be backported to the ESP-IDF release/v5.0 branch. If possible, could you try the above patch by checking out the master branch of ESP-IDF and applying the patch?

nidrissi commented 11 months ago

I'm using ESP-IDF 5.1, which includes mbedtls v3.4.0, and I still get an error 0x6C00 (MBEDTLS_ERR_SSL_INTERNAL_ERROR) when trying to use the HTTPS client or server with TLS 1.3 enabled.

avrmp commented 5 months ago

Any updates here? We are hitting the same issue and need TLS 1.3 support for production.

gh4emb commented 5 months ago

@aselafernando , @avrmp , see this issue: https://github.com/Mbed-TLS/mbedtls/issues/8401

Then see the esp-idf example of inserting a call to psa_crypto_init() in the application: https://github.com/espressif/esp-idf/blob/master/examples/protocols/https_mbedtls/main/https_mbedtls_example_main.c
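An added example (not code from this thread, esp-aws-iot or ESP-IDF) that triages the log line `psa_generate_key() returned -27648 (-0x6c00)`: it splits the mbedtls code the way `mbedtls_strerror()` does and inverts the PSA-to-mbedtls status mapping to show that only `PSA_ERROR_BAD_STATE`, the status PSA returns before `psa_crypto_init()` has been called, produces `MBEDTLS_ERR_SSL_INTERNAL_ERROR`. The forward mapping is my reading of mbedtls 3.x `psa_ssl_status_to_mbedtls()` and is an assumption to verify against your mbedtls version.

```c
#include <stdio.h>
#include <stdint.h>

/* Constants copied from mbedtls/ssl.h and psa/crypto_values.h. */
#define MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE  (-0x7080)
#define MBEDTLS_ERR_SSL_BAD_INPUT_DATA       (-0x7100)
#define MBEDTLS_ERR_SSL_INVALID_MAC          (-0x7180)
#define MBEDTLS_ERR_SSL_INTERNAL_ERROR       (-0x6C00)
#define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL     (-0x6A00)
#define MBEDTLS_ERR_SSL_ALLOC_FAILED         (-0x7F00)
#define MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED (-0x0070)
#define PSA_ERROR_NOT_SUPPORTED       (-134)
#define PSA_ERROR_INVALID_ARGUMENT    (-135)
#define PSA_ERROR_BAD_STATE           (-137)  /* psa_crypto_init() not called */
#define PSA_ERROR_BUFFER_TOO_SMALL    (-138)
#define PSA_ERROR_INSUFFICIENT_MEMORY (-141)
#define PSA_ERROR_INVALID_SIGNATURE   (-149)

/* Forward mapping applied by the TLS 1.3 key-share code before it logs the
 * value (assumption: my reading of mbedtls psa_ssl_status_to_mbedtls()). */
int psa_status_to_mbedtls(int32_t st) {
    switch (st) {
        case 0:                             return 0;
        case PSA_ERROR_INSUFFICIENT_MEMORY: return MBEDTLS_ERR_SSL_ALLOC_FAILED;
        case PSA_ERROR_NOT_SUPPORTED:       return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
        case PSA_ERROR_INVALID_SIGNATURE:   return MBEDTLS_ERR_SSL_INVALID_MAC;
        case PSA_ERROR_INVALID_ARGUMENT:    return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
        case PSA_ERROR_BAD_STATE:           return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
        case PSA_ERROR_BUFFER_TOO_SMALL:    return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
        default:                            return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
    }
}

/* mbedtls_strerror() split: module (high-level) part and low-level part.
 * A zero low-level part means no lower crypto module contributed a cause. */
int mbedtls_high_part(int err) { return -((-err) & 0xFF80); }
int mbedtls_low_part(int err)  { return -((-err) & 0x007F); }

/* Inverse lookup over the explicitly mapped statuses: returns the single PSA
 * status that yields err, or 0 when none or more than one does. */
int32_t sole_psa_cause(int err) {
    static const int32_t known[] = { PSA_ERROR_INSUFFICIENT_MEMORY, PSA_ERROR_NOT_SUPPORTED,
        PSA_ERROR_INVALID_SIGNATURE, PSA_ERROR_INVALID_ARGUMENT, PSA_ERROR_BAD_STATE,
        PSA_ERROR_BUFFER_TOO_SMALL };
    int32_t found = 0; int n = 0;
    for (unsigned i = 0; i < sizeof known / sizeof known[0]; i++)
        if (psa_status_to_mbedtls(known[i]) == err) { found = known[i]; n++; }
    return n == 1 ? found : 0;
}

int main(void) {
    int err = -27648;  /* decimal value printed in the issue's log */
    printf("%d = -0x%04X, low part %d, sole PSA cause %d\n", err, -err,
           mbedtls_low_part(err), (int) sole_psa_cause(err));
    return 0;
}
```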