espressif / esp-aws-iot

AWS IoT SDK for ESP32 based chipsets
Apache License 2.0

TLS 1.3 mbedtls_ssl_handshake returns -0x6C00 (CA-288) #179

Open aselafernando opened 1 year ago

aselafernando commented 1 year ago

Branch 202210.01-LTS IDF 5.0.1-stable

Running the tls_mutual_auth demo connecting to test.mosquitto.org:8884 I get a -0x6C00 error (Internal MBED TLS error).

I downloaded the root certificate for mosquitto.org and had the client certificate generated here https://test.mosquitto.org/ssl/

Key and CSR generated with

openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr

sdkconfig file used to compile: sdkconfig.txt

Here is the ESP log

I (12727) coreMQTT: Establishing a TLS session to test.mosquitto.org:8884.
I (13167) mbedtls: ssl_tls.c:3087 0x3ffcbf90: => handshake
I (13167) mbedtls: ssl_msg.c:2016 0x3ffcbf90: => flush output
I (13177) mbedtls: ssl_msg.c:2028 0x3ffcbf90: <= flush output
I (13177) mbedtls: ssl_tls.c:3007 0x3ffcbf90: client state: MBEDTLS_SSL_HELLO_REQUEST
I (13187) mbedtls: ssl_msg.c:2016 0x3ffcbf90: => flush output
I (13197) mbedtls: ssl_msg.c:2028 0x3ffcbf90: <= flush output
I (13197) mbedtls: ssl_tls.c:3007 0x3ffcbf90: client state: MBEDTLS_SSL_CLIENT_HELLO
I (13207) mbedtls: ssl_client.c:842 0x3ffcbf90: => write client hello
W (13217) mbedtls: ssl_tls13_generic.c:1464 0x3ffcbf90: Perform PSA-based ECDH computation.
W (13227) mbedtls: ssl_tls13_generic.c:1485 0x3ffcbf90: psa_generate_key() returned -27648 (-0x6c00)
I (13237) mbedtls: ssl_client.c:897 0x3ffcbf90: <= write client hello
I (13247) mbedtls: ssl_tls.c:3098 0x3ffcbf90: <= handshake
E (13247) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x6C00
I (13257) esp-tls-mbedtls: Certificate verified.
E (13257) esp-tls: Failed to open new connection
I (13277) coreMQTT: A clean MQTT connection is established. Cleaning up all the stored outgoing publishes.
I (13277) coreMQTT: Subscribing to the MQTT topic test/example/topic.
E (13287) coreMQTT: sendMessageVector: Unable to send packet: Network Error.
E (13297) coreMQTT: Failed to send SUBSCRIBE packet to broker with error = MQTTSendFailed.
I (13297) coreMQTT: Disconnecting the MQTT connection with test.mosquitto.org.
E (13307) coreMQTT: sendBuffer: Unable to send packet: Network Error.
E (13317) coreMQTT: Transport send failed for DISCONNECT packet.
E (13327) coreMQTT: Sending MQTT DISCONNECT failed with status=MQTTSendFailed.
I (13327) coreMQTT: Short delay before starting the next iteration...

If I use the non-AWS demo at esp-idf-v5.0.1\examples\protocols\mqtt\ssl_mutual_auth, I can connect with no issues.

aselafernando commented 1 year ago

Looks like the error is from psa_generate_key() when you have TLS 1.3 enabled.

After disabling TLS 1.3 I am able to connect. Is TLS 1.3 support broken?

Harshal5 commented 1 year ago

Hello @aselafernando,

Thank you for reporting the issue. Could you please try applying the attached patch to your esp-idf and check if you are able to establish a TLS 1.3 connection?

0001-esp-tls-fix-ssl-connection-and-read-issues-when-usin.patch

aselafernando commented 1 year ago

Hi @Harshal5, I tried the patch but got the following. Looks like these additions are missing a reference.

FAILED: esp-idf/esp-tls/CMakeFiles/__idf_esp-tls.dir/esp_tls_mbedtls.c.obj 
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c: In function 'esp_create_mbedtls_handle':
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c:116:5: error: unknown type name 'psa_status_t'; did you mean 'TaskStatus_t'?
  116 |     psa_status_t status;
      |     ^~~~~~~~~~~~
      |     TaskStatus_t
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c:117:14: error: implicit declaration of function 'psa_crypto_init' [-Werror=implicit-function-declaration]
  117 |     status = psa_crypto_init();
      |              ^~~~~~~~~~~~~~~
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c:118:19: error: 'PSA_SUCCESS' undeclared (first use in this function); did you mean 'XTHAL_SUCCESS'?
  118 |     if (status != PSA_SUCCESS) {
      |                   ^~~~~~~~~~~
      |                   XTHAL_SUCCESS
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c:118:19: note: each undeclared identifier is reported only once for each function it appears in
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c: In function 'esp_mbedtls_read':
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c:233:21: error: 'MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET' undeclared (first use in this function); did you mean 'MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET'?
  233 |     } while (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET);
      |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |                     MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET
cc1.exe: some warnings being treated as errors

Harshal5 commented 1 year ago

Thank you, got it! @aselafernando, this arises because the v5.0.1 tag of ESP-IDF uses the v3.2.1 release of the mbedtls component.

As mentioned in their release notes, they have been constantly adding support and bugfixes for TLS 1.3, and so the newer releases like v3.4.0 (preferred) and v3.3.0 include a large extent of TLS 1.3 support.

The newer version (v3.4.0) of mbedtls has been merged in the ESP-IDF master branch and would be backported to the ESP-IDF release/v5.0 branch. If possible, could you try the above patch by checking out the master branch of ESP-IDF and applying the patch?

nidrissi commented 1 year ago

I'm using ESP-IDF 5.1, which includes mbedtls v3.4.0, and I still get an error 0x6C00 (MBEDTLS_ERR_SSL_INTERNAL_ERROR) when trying to use the HTTPS client or server with TLS 1.3 enabled.

avrmp commented 10 months ago

Any updates here? We are hitting the same issue and need TLS 1.3 support for production.

gh4emb commented 9 months ago

@aselafernando, @avrmp, see this issue: https://github.com/Mbed-TLS/mbedtls/issues/8401

Then see the esp-idf example of inserting a call to psa_crypto_init() in the application: https://github.com/espressif/esp-idf/blob/master/examples/protocols/https_mbedtls/main/https_mbedtls_example_main.c
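A triage script that ties together the three conditions this thread turned on: whether TLS 1.3 is enabled in sdkconfig, which mbedtls release the IDF tree carries, and whether psa_crypto_init() is called anywhere before the handshake (by esp-tls itself or by the application). This is an added example, not code from esp-aws-iot or ESP-IDF; it assumes the standard IDF layout (components/mbedtls/mbedtls/include/mbedtls/build_info.h, components/esp-tls/esp_tls_mbedtls.c) and the Kconfig symbol CONFIG_MBEDTLS_SSL_PROTO_TLS1_3.

```shell
#!/bin/sh
# Added triage check (not from the esp-aws-iot or ESP-IDF projects).
# Usage: tls13_psa_check <sdkconfig> <idf_path> <app_main.c>
# Returns 0 when TLS 1.3 is off or PSA is initialised, 1 otherwise.

tls13_enabled() {
    grep -q '^CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=y' "$1"
}

# mbedtls 3.x records its release in build_info.h as MBEDTLS_VERSION_STRING.
mbedtls_version() {
    sed -n 's/^#define MBEDTLS_VERSION_STRING[[:space:]]*"\([^"]*\)".*/\1/p' \
        "$1/components/mbedtls/mbedtls/include/mbedtls/build_info.h" 2>/dev/null
}

# "3.4.0" -> 30400, so releases can be compared numerically.
version_num() {
    echo "$1" | awk -F. '{ printf "%d", $1*10000 + $2*100 + $3 }'
}

# True when the file contains a call to psa_crypto_init().
psa_init_present() {
    grep -q 'psa_crypto_init[[:space:]]*(' "$1" 2>/dev/null
}

tls13_psa_check() {
    sdkconfig=$1; idf=$2; app=$3
    if ! tls13_enabled "$sdkconfig"; then
        echo "TLS 1.3 disabled: handshake uses TLS 1.2, PSA init not required"
        return 0
    fi
    ver=$(mbedtls_version "$idf")
    echo "TLS 1.3 enabled; mbedtls ${ver:-unknown}"
    if [ -n "$ver" ] && [ "$(version_num "$ver")" -lt "$(version_num 3.4.0)" ]; then
        echo "mbedtls older than 3.4.0: TLS 1.3 support incomplete (see thread)"
    fi
    # The TLS 1.3 ClientHello does its ECDH through PSA, so PSA must be
    # initialised before mbedtls_ssl_handshake() or it fails with -0x6C00.
    if psa_init_present "$idf/components/esp-tls/esp_tls_mbedtls.c" \
       || psa_init_present "$app"; then
        echo "psa_crypto_init() is called: PSA ready for the TLS 1.3 key exchange"
        return 0
    fi
    echo "psa_crypto_init() not found: call it in the app before the TLS connect"
    return 1
}
```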