espressif / esp-idf

Espressif IoT Development Framework. Official development framework for Espressif SoCs.
Apache License 2.0

Random mbedtls error -0x2700 (FFFFD900): X509 - Certificate verification failed (IDFGH-13599) #14486

Closed QuentinFarizon closed 1 month ago

QuentinFarizon commented 2 months ago

Answers checklist.

IDF version.

v5.1.2

Espressif SoC revision.

ESP32

Operating System used.

Linux

How did you build your project?

Command line with idf.py

If you are using Windows, please specify command line type.

None

Development Kit.

ESP32-Pico-v4

Power Supply used.

USB

What is the expected behavior?

I expect to not get mbedtls errors

What is the actual behavior?

I started getting mbedtls errors after updating a server certificate. This code is working on ESP32-S3 without issue, and it was working on ESP32 without issue with a previous server certificate.

I have a task that makes calls to an HTTPS server at intervals. It always succeeds in making the call the first time, but then it fails repeatedly, with about 5% of calls succeeding.

On success:

    I (15:56:02.268) HTTP_CLIENT: URL : https://<username>:@preprod-bokslink-api.boks.app/api/pcbs/4c75258a5a24/available-update
    I (15:56:03.300) HTTP_CLIENT: HTTP Status = 200, content_length = 2

On error:

    I (14:32:07.967) HTTP_CLIENT: URL : https://<username>/:@preprod-bokslink-api.boks.app/api/pcbs/4c7525894f90/available-update
    E (14:32:08.108) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x2700
    I (14:32:08.109) esp-tls-mbedtls: Failed to verify peer certificate!
    E (14:32:08.112) esp-tls: Failed to open new connection
    E (14:32:08.118) transport_base: Failed to open a new connection
    E (14:32:08.128) HTTP_CLIENT: Connection failed, sock < 0
    E (14:32:08.131) HTTP_CLIENT: Error perform http request ESP_ERR_HTTP_CONNECT

Find below the full verbose log

Steps to reproduce.

In main.c : xTaskCreate(&check_and_perform_dfu_task, "check_and_perform_dfu_task", 8192, NULL, 2, NULL);

In task :

    esp_http_client_config_t config = {
        .url = url,
        .event_handler = _http_event_handler_dfu,
        .user_data = local_response_buffer,
        .auth_type = HTTP_AUTH_TYPE_BASIC,
        .cert_pem = (char *) server_root_cert_pem_start,
    };
    esp_http_client_handle_t client = esp_http_client_init(&config);
    esp_http_client_set_method(client, HTTP_METHOD_GET);
    esp_err_t err = esp_http_client_perform(client);

Debug Logs.

(21:19:17.245) HTTP_CLIENT: URL : https://<username>:@preprod-bokslink-api.boks.app/api/pcbs/4c75258a5a24/available-update
I (21:19:17.317) mbedtls: ssl_tls.c:3931 => handshake

I (21:19:17.318) mbedtls: ssl_msg.c:2370 => flush output

I (21:19:17.319) mbedtls: ssl_msg.c:2379 <= flush output

I (21:19:17.325) mbedtls: ssl_tls.c:3850 client state: MBEDTLS_SSL_HELLO_REQUEST

I (21:19:17.333) mbedtls: ssl_msg.c:2370 => flush output

I (21:19:17.339) mbedtls: ssl_msg.c:2379 <= flush output

I (21:19:17.345) mbedtls: ssl_tls.c:3850 client state: MBEDTLS_SSL_CLIENT_HELLO

I (21:19:17.354) mbedtls: ssl_client.c:938 => write client hello

D (21:19:17.361) mbedtls: ssl_client.c:742 client hello, current time: 1725311957

D (21:19:17.369) mbedtls: ssl_client.c:500 dumping 'client hello, random bytes' (32 bytes)

D (21:19:17.377) mbedtls: ssl_client.c:500 0000:  66 d6 2b d5 b5 d9 14 a5 64 90 43 b0 c2 4e b5 bf  f.+.....d.C..N..

D (21:19:17.387) mbedtls: ssl_client.c:500 0010:  40 5b 5a e8 8e f1 2c 82 28 f1 2d 5e a9 1d f7 23  @[Z...,.(.-^...#

D (21:19:17.398) mbedtls: ssl_client.c:525 dumping 'session id' (0 bytes)

D (21:19:17.405) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c02c, TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

D (21:19:17.416) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c030, TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

D (21:19:17.427) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c0ad, TLS-ECDHE-ECDSA-WITH-AES-256-CCM

D (21:19:17.437) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c024, TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

D (21:19:17.448) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c028, TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

D (21:19:17.459) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c00a, TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA

D (21:19:17.470) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c014, TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

D (21:19:17.481) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c0af, TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8

D (21:19:17.491) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c05d, TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384

D (21:19:17.502) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c061, TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384

D (21:19:17.513) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c049, TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384

D (21:19:17.524) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c04d, TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384

D (21:19:17.535) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c02b, TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

D (21:19:17.546) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c02f, TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

D (21:19:17.557) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c0ac, TLS-ECDHE-ECDSA-WITH-AES-128-CCM

D (21:19:17.568) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c023, TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

D (21:19:17.579) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c027, TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

D (21:19:17.589) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c009, TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

D (21:19:17.600) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c013, TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

D (21:19:17.611) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c0ae, TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8

D (21:19:17.622) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c05c, TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256

D (21:19:17.633) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c060, TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256

D (21:19:17.644) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c048, TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256

D (21:19:17.655) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c04c, TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256

D (21:19:17.666) mbedtls: ssl_client.c:383 client hello, add ciphersuite: 009d, TLS-RSA-WITH-AES-256-GCM-SHA384

D (21:19:17.676) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c09d, TLS-RSA-WITH-AES-256-CCM

D (21:19:17.686) mbedtls: ssl_client.c:383 client hello, add ciphersuite: 003d, TLS-RSA-WITH-AES-256-CBC-SHA256

D (21:19:17.696) mbedtls: ssl_client.c:383 client hello, add ciphersuite: 0035, TLS-RSA-WITH-AES-256-CBC-SHA

D (21:19:17.706) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c032, TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384

D (21:19:17.717) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c02a, TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384

D (21:19:17.728) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c00f, TLS-ECDH-RSA-WITH-AES-256-CBC-SHA

D (21:19:17.738) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c02e, TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384

D (21:19:17.749) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c026, TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384

D (21:19:17.760) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c005, TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA

D (21:19:17.771) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c0a1, TLS-RSA-WITH-AES-256-CCM-8

D (21:19:17.781) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c05f, TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384

D (21:19:17.792) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c063, TLS-ECDH-RSA-WITH-ARIA-256-GCM-SHA384

D (21:19:17.802) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c051, TLS-RSA-WITH-ARIA-256-GCM-SHA384

D (21:19:17.813) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c04b, TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384

D (21:19:17.824) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c04f, TLS-ECDH-RSA-WITH-ARIA-256-CBC-SHA384

D (21:19:17.835) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c03d, TLS-RSA-WITH-ARIA-256-CBC-SHA384

D (21:19:17.845) mbedtls: ssl_client.c:383 client hello, add ciphersuite: 009c, TLS-RSA-WITH-AES-128-GCM-SHA256

D (21:19:17.855) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c09c, TLS-RSA-WITH-AES-128-CCM

D (21:19:17.865) mbedtls: ssl_client.c:383 client hello, add ciphersuite: 003c, TLS-RSA-WITH-AES-128-CBC-SHA256

D (21:19:17.875) mbedtls: ssl_client.c:383 client hello, add ciphersuite: 002f, TLS-RSA-WITH-AES-128-CBC-SHA

D (21:19:17.886) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c031, TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256

D (21:19:17.896) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c029, TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256

D (21:19:17.907) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c00e, TLS-ECDH-RSA-WITH-AES-128-CBC-SHA

D (21:19:17.918) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c02d, TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256

D (21:19:17.928) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c025, TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256

D (21:19:17.939) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c004, TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA

D (21:19:17.950) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c0a0, TLS-RSA-WITH-AES-128-CCM-8

D (21:19:17.960) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c05e, TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256

D (21:19:17.971) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c062, TLS-ECDH-RSA-WITH-ARIA-128-GCM-SHA256

D (21:19:17.982) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c050, TLS-RSA-WITH-ARIA-128-GCM-SHA256

D (21:19:17.992) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c04a, TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256

D (21:19:18.003) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c04e, TLS-ECDH-RSA-WITH-ARIA-128-CBC-SHA256

D (21:19:18.014) mbedtls: ssl_client.c:383 client hello, add ciphersuite: c03c, TLS-RSA-WITH-ARIA-128-CBC-SHA256

D (21:19:18.024) mbedtls: ssl_client.c:401 adding EMPTY_RENEGOTIATION_INFO_SCSV

D (21:19:18.032) mbedtls: ssl_client.c:410 client hello, got 59 cipher suites

D (21:19:18.039) mbedtls: ssl_client.c:54 client hello, adding server name extension: preprod-bokslink-api.boks.app

D (21:19:18.050) mbedtls: ssl_client.c:244 client hello, adding supported_groups extension

D (21:19:18.059) mbedtls: ssl_client.c:263 got supported group(001d)

D (21:19:18.065) mbedtls: ssl_client.c:295 NamedGroup: x25519 ( 1d )

D (21:19:18.072) mbedtls: ssl_client.c:263 got supported group(0017)

D (21:19:18.078) mbedtls: ssl_client.c:295 NamedGroup: secp256r1 ( 17 )

D (21:19:18.085) mbedtls: ssl_client.c:263 got supported group(0018)

D (21:19:18.092) mbedtls: ssl_client.c:295 NamedGroup: secp384r1 ( 18 )

D (21:19:18.099) mbedtls: ssl_client.c:263 got supported group(0019)

D (21:19:18.105) mbedtls: ssl_client.c:295 NamedGroup: secp521r1 ( 19 )

D (21:19:18.112) mbedtls: ssl_client.c:263 got supported group(001a)

D (21:19:18.119) mbedtls: ssl_client.c:295 NamedGroup: bp256r1 ( 1a )

D (21:19:18.125) mbedtls: ssl_client.c:263 got supported group(001b)

D (21:19:18.132) mbedtls: ssl_client.c:295 NamedGroup: bp384r1 ( 1b )

D (21:19:18.139) mbedtls: ssl_client.c:263 got supported group(001c)

D (21:19:18.145) mbedtls: ssl_client.c:295 NamedGroup: bp512r1 ( 1c )

D (21:19:18.152) mbedtls: ssl_client.c:315 dumping 'Supported groups extension' (16 bytes)

D (21:19:18.161) mbedtls: ssl_client.c:315 0000:  00 0e 00 1d 00 17 00 18 00 19 00 1a 00 1b 00 1c  ................

D (21:19:18.171) mbedtls: ssl_tls.c:9292 adding signature_algorithms extension

D (21:19:18.179) mbedtls: ssl_tls.c:9312 got signature scheme [603] ecdsa_secp521r1_sha512

D (21:19:18.187) mbedtls: ssl_tls.c:9321 sent signature scheme [603] ecdsa_secp521r1_sha512

D (21:19:18.196) mbedtls: ssl_tls.c:9312 got signature scheme [806] rsa_pss_rsae_sha512

D (21:19:18.204) mbedtls: ssl_tls.c:9312 got signature scheme [601] rsa_pkcs1_sha512

D (21:19:18.212) mbedtls: ssl_tls.c:9321 sent signature scheme [601] rsa_pkcs1_sha512

D (21:19:18.220) mbedtls: ssl_tls.c:9312 got signature scheme [503] ecdsa_secp384r1_sha384

D (21:19:18.229) mbedtls: ssl_tls.c:9321 sent signature scheme [503] ecdsa_secp384r1_sha384

D (21:19:18.237) mbedtls: ssl_tls.c:9312 got signature scheme [805] rsa_pss_rsae_sha384

D (21:19:18.245) mbedtls: ssl_tls.c:9312 got signature scheme [501] rsa_pkcs1_sha384

D (21:19:18.253) mbedtls: ssl_tls.c:9321 sent signature scheme [501] rsa_pkcs1_sha384

D (21:19:18.261) mbedtls: ssl_tls.c:9312 got signature scheme [403] ecdsa_secp256r1_sha256

D (21:19:18.270) mbedtls: ssl_tls.c:9321 sent signature scheme [403] ecdsa_secp256r1_sha256

D (21:19:18.279) mbedtls: ssl_tls.c:9312 got signature scheme [804] rsa_pss_rsae_sha256

D (21:19:18.287) mbedtls: ssl_tls.c:9312 got signature scheme [401] rsa_pkcs1_sha256

D (21:19:18.295) mbedtls: ssl_tls.c:9321 sent signature scheme [401] rsa_pkcs1_sha256

D (21:19:18.303) mbedtls: ssl_tls12_client.c:117 client hello, adding supported_point_formats extension

D (21:19:18.313) mbedtls: ssl_tls12_client.c:318 client hello, adding encrypt_then_mac extension

D (21:19:18.322) mbedtls: ssl_tls12_client.c:350 client hello, adding extended_master_secret extension

D (21:19:18.331) mbedtls: ssl_tls12_client.c:383 client hello, adding session ticket extension

D (21:19:18.340) mbedtls: ssl_client.c:702 client hello, total extension length: 94

D (21:19:18.348) mbedtls: ssl_client.c:704 dumping 'client hello extensions' (94 bytes)

D (21:19:18.356) mbedtls: ssl_client.c:704 0000:  00 5e 00 00 00 22 00 20 00 00 1d 70 72 65 70 72  .^...". ...prepr

D (21:19:18.367) mbedtls: ssl_client.c:704 0010:  6f 64 2d 62 6f 6b 73 6c 69 6e 6b 2d 61 70 69 2e  od-bokslink-api.

D (21:19:18.378) mbedtls: ssl_client.c:704 0020:  62 6f 6b 73 2e 61 70 70 00 0a 00 10 00 0e 00 1d  boks.app........

D (21:19:18.388) mbedtls: ssl_client.c:704 0030:  00 17 00 18 00 19 00 1a 00 1b 00 1c 00 0d 00 0e  ................

D (21:19:18.399) mbedtls: ssl_client.c:704 0040:  00 0c 06 03 06 01 05 03 05 01 04 03 04 01 00 0b  ................

D (21:19:18.410) mbedtls: ssl_client.c:704 0050:  00 02 01 00 00 16 00 00 00 17 00 00 00 23        .............#

I (21:19:18.420) mbedtls: ssl_msg.c:2800 => write handshake message

I (21:19:18.427) mbedtls: ssl_msg.c:2960 => write record

D (21:19:18.433) mbedtls: ssl_msg.c:3044 output record: msgtype = 22, version = [3:3], msglen = 257

I (21:19:18.445) mbedtls: ssl_msg.c:3097 <= write record

I (21:19:18.449) mbedtls: ssl_msg.c:2921 <= write handshake message

I (21:19:18.456) mbedtls: ssl_client.c:1026 <= write client hello

I (21:19:18.463) mbedtls: ssl_msg.c:2370 => flush output

I (21:19:18.469) mbedtls: ssl_msg.c:2384 message length: 262, out_left: 262

I (21:19:18.479) mbedtls: ssl_msg.c:2391 ssl->f_send() returned 262 (-0xfffffefa)

I (21:19:18.485) mbedtls: ssl_msg.c:2418 <= flush output

I (21:19:18.491) mbedtls: ssl_tls.c:3850 client state: MBEDTLS_SSL_SERVER_HELLO

I (21:19:18.499) mbedtls: ssl_tls12_client.c:1205 => parse server hello

I (21:19:18.507) mbedtls: ssl_msg.c:4134 => read record

I (21:19:18.513) mbedtls: ssl_msg.c:2172 => fetch input

I (21:19:18.519) mbedtls: ssl_msg.c:2312 in_left: 0, nb_want: 5

I (21:19:18.526) mbedtls: ssl_msg.c:2332 in_left: 0, nb_want: 5

I (21:19:18.533) mbedtls: ssl_msg.c:2335 ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)

I (21:19:18.542) mbedtls: ssl_msg.c:2357 <= fetch input

D (21:19:18.548) mbedtls: ssl_msg.c:3881 input record: msgtype = 22, version = [0x303], msglen = 63

I (21:19:18.557) mbedtls: ssl_msg.c:2172 => fetch input

I (21:19:18.563) mbedtls: ssl_msg.c:2312 in_left: 5, nb_want: 68

I (21:19:18.570) mbedtls: ssl_msg.c:2332 in_left: 5, nb_want: 68

I (21:19:18.577) mbedtls: ssl_msg.c:2335 ssl->f_recv(_timeout)() returned 63 (-0xffffffc1)

I (21:19:18.586) mbedtls: ssl_msg.c:2357 <= fetch input

D (21:19:18.593) mbedtls: ssl_msg.c:3254 handshake message: msglen = 63, type = 2, hslen = 63

I (21:19:18.601) mbedtls: ssl_msg.c:4206 <= read record

D (21:19:18.607) mbedtls: ssl_tls12_client.c:1279 dumping 'server hello, version' (2 bytes)

D (21:19:18.615) mbedtls: ssl_tls12_client.c:1279 0000:  03 03                                            ..

D (21:19:18.625) mbedtls: ssl_tls12_client.c:1299 server hello, current time: 3630722084

D (21:19:18.634) mbedtls: ssl_tls12_client.c:1309 dumping 'server hello, random bytes' (32 bytes)

D (21:19:18.643) mbedtls: ssl_tls12_client.c:1309 0000:  d8 68 6c 24 1d 26 92 96 5d 1f 32 7b 5b 12 5c 9f  .hl$.&..].2{[.\.

D (21:19:18.654) mbedtls: ssl_tls12_client.c:1309 0010:  b4 25 9b 95 43 6c a9 59 44 4f 57 4e 47 52 44 01  .%..Cl.YDOWNGRD.

D (21:19:18.666) mbedtls: ssl_tls12_client.c:1372 server hello, session id len.: 0

D (21:19:18.673) mbedtls: ssl_tls12_client.c:1373 dumping 'server hello, session id' (0 bytes)

D (21:19:18.682) mbedtls: ssl_tls12_client.c:1397 no session has been resumed

D (21:19:18.690) mbedtls: ssl_tls12_client.c:1400 server hello, chosen ciphersuite: c02f

D (21:19:18.698) mbedtls: ssl_tls12_client.c:1401 server hello, compress alg.: 0

D (21:19:18.706) mbedtls: ssl_tls12_client.c:1436 server hello, chosen ciphersuite: TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

I (21:19:18.717) mbedtls: ssl_tls12_client.c:1457 server hello, total extension length: 19

D (21:19:18.726) mbedtls: ssl_tls12_client.c:1542 found session_ticket extension

D (21:19:18.733) mbedtls: ssl_tls12_client.c:1477 found renegotiation extension

D (21:19:18.741) mbedtls: ssl_tls12_client.c:1529 found extended_master_secret extension

D (21:19:18.749) mbedtls: ssl_tls12_client.c:1556 found supported_point_formats extension

I (21:19:18.758) mbedtls: ssl_tls12_client.c:1673 <= parse server hello

I (21:19:18.765) mbedtls: ssl_msg.c:2370 => flush output

I (21:19:18.771) mbedtls: ssl_msg.c:2379 <= flush output

I (21:19:18.778) mbedtls: ssl_tls.c:3850 client state: MBEDTLS_SSL_SERVER_CERTIFICATE

I (21:19:18.786) mbedtls: ssl_tls.c:7522 => parse certificate

I (21:19:18.793) mbedtls: ssl_msg.c:4134 => read record

I (21:19:18.799) mbedtls: ssl_msg.c:2172 => fetch input

I (21:19:18.805) mbedtls: ssl_msg.c:2312 in_left: 0, nb_want: 5

I (21:19:18.812) mbedtls: ssl_msg.c:2332 in_left: 0, nb_want: 5

I (21:19:18.819) mbedtls: ssl_msg.c:2335 ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)

I (21:19:18.828) mbedtls: ssl_msg.c:2357 <= fetch input

D (21:19:18.834) mbedtls: ssl_msg.c:3881 input record: msgtype = 22, version = [0x303], msglen = 2597

I (21:19:18.843) mbedtls: ssl_msg.c:2172 => fetch input

I (21:19:18.849) mbedtls: ssl_msg.c:2312 in_left: 5, nb_want: 2602

I (21:19:18.858) mbedtls: ssl_msg.c:2332 in_left: 5, nb_want: 2602

I (21:19:18.863) mbedtls: ssl_msg.c:2335 ssl->f_recv(_timeout)() returned 2597 (-0xfffff5db)

I (21:19:18.872) mbedtls: ssl_msg.c:2357 <= fetch input

D (21:19:18.899) mbedtls: ssl_msg.c:3254 handshake message: msglen = 2597, type = 11, hslen = 2597

I (21:19:18.900) mbedtls: ssl_msg.c:4206 <= read record

D (21:19:18.906) mbedtls: ssl_tls.c:7205 peer certificate #1:

D (21:19:18.911) mbedtls: ssl_tls.c:7205 cert. version     : 3

D (21:19:18.915) mbedtls: ssl_tls.c:7205 serial number     : 04:8A:85:E9:CA:5B:97:1A:B2:48:30:0A:89:1F:C8:E2:54:D3

D (21:19:18.926) mbedtls: ssl_tls.c:7205 issuer name       : C=US, O=Let's Encrypt, CN=R10

D (21:19:18.934) mbedtls: ssl_tls.c:7205 subject name      : CN=preprod-bokslink-api.boks.app

D (21:19:18.943) mbedtls: ssl_tls.c:7205 issued  on        : 2024-08-24 23:44:58

D (21:19:18.951) mbedtls: ssl_tls.c:7205 expires on        : 2024-11-22 23:44:57

D (21:19:18.958) mbedtls: ssl_tls.c:7205 signed using      : RSA with SHA-256

D (21:19:18.966) mbedtls: ssl_tls.c:7205 RSA key size      : 2048 bits

D (21:19:18.973) mbedtls: ssl_tls.c:7205 basic constraints : CA=false

D (21:19:18.979) mbedtls: ssl_tls.c:7205 subject alt name  :

D (21:19:18.985) mbedtls: ssl_tls.c:7205     dNSName : preprod-bokslink-api.boks.app

D (21:19:18.993) mbedtls: ssl_tls.c:7205 key usage         : Digital Signature, Key Encipherment

D (21:19:19.002) mbedtls: ssl_tls.c:7205 ext key usage     : TLS Web Server Authentication, TLS Web Client Authentication

D (21:19:19.013) mbedtls: ssl_tls.c:7205 certificate policies : ???

D (21:19:19.020) mbedtls: ssl_tls.c:7205 value of 'crt->rsa.N' (2048 bits) is:

D (21:19:19.162) mbedtls: ssl_tls.c:7205 value of 'crt->rsa.E' (17 bits) is:

D (21:19:19.169) mbedtls: ssl_tls.c:7205  01 00 01

D (21:19:19.174) mbedtls: ssl_tls.c:7205 peer certificate #2:

D (21:19:19.181) mbedtls: ssl_tls.c:7205 cert. version     : 3

D (21:19:19.187) mbedtls: ssl_tls.c:7205 serial number     : 4B:A8:52:93:F7:9A:2F:A2:73:06:4B:A8:04:8D:75:D0

D (21:19:19.197) mbedtls: ssl_tls.c:7205 issuer name       : C=US, O=Internet Security Research Group, CN=ISRG Root X1

D (21:19:19.208) mbedtls: ssl_tls.c:7205 subject name      : C=US, O=Let's Encrypt, CN=R10

D (21:19:19.216) mbedtls: ssl_tls.c:7205 issued  on        : 2024-03-13 00:00:00

D (21:19:19.224) mbedtls: ssl_tls.c:7205 expires on        : 2027-03-12 23:59:59

D (21:19:19.231) mbedtls: ssl_tls.c:7205 signed using      : RSA with SHA-256

D (21:19:19.239) mbedtls: ssl_tls.c:7205 RSA key size      : 2048 bits

D (21:19:19.245) mbedtls: ssl_tls.c:7205 basic constraints : CA=true, max_pathlen=0

D (21:19:19.253) mbedtls: ssl_tls.c:7205 key usage         : Digital Signature, Key Cert Sign, CRL Sign

D (21:19:19.263) mbedtls: ssl_tls.c:7205 ext key usage     : TLS Web Client Authentication, TLS Web Server Authentication

D (21:19:19.274) mbedtls: ssl_tls.c:7205 certificate policies : ???

D (21:19:19.281) mbedtls: ssl_tls.c:7205 value of 'crt->rsa.N' (2048 bits) is:

D (21:19:19.423) mbedtls: ssl_tls.c:7205 value of 'crt->rsa.E' (17 bits) is:

D (21:19:19.430) mbedtls: ssl_tls.c:7205  01 00 01

D (21:19:19.435) mbedtls: ssl_tls.c:7289 Use configuration-specific verification callback

W (21:19:19.470) mbedtls: ssl_tls.c:7342 x509_verify_cert() returned -9984 (-0x2700)

I (21:19:19.471) mbedtls: ssl_msg.c:5115 => send alert message

D (21:19:19.475) mbedtls: ssl_msg.c:5116 send alert level=2 message=48

I (21:19:19.481) mbedtls: ssl_msg.c:2960 => write record

D (21:19:19.488) mbedtls: ssl_msg.c:3044 output record: msgtype = 21, version = [3:3], msglen = 2

I (21:19:19.497) mbedtls: ssl_msg.c:2370 => flush output

I (21:19:19.503) mbedtls: ssl_msg.c:2384 message length: 7, out_left: 7

I (21:19:19.516) mbedtls: ssl_msg.c:2391 ssl->f_send() returned 7 (-0xfffffff9)

I (21:19:19.518) mbedtls: ssl_msg.c:2418 <= flush output

I (21:19:19.525) mbedtls: ssl_msg.c:3097 <= write record

I (21:19:19.531) mbedtls: ssl_msg.c:5127 <= send alert message

D (21:19:19.537) mbedtls: ssl_tls.c:7446 ! Certificate verification flags 00000008

I (21:19:19.546) mbedtls: ssl_tls.c:3942 <= handshake

E (21:19:19.551) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x2700
I (21:19:19.559) esp-tls-mbedtls: (FFFFD900): X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
I (21:19:19.570) esp-tls-mbedtls: Failed to verify peer certificate!
E (21:19:19.578) esp-tls: Failed to open new connection
E (21:19:19.583) transport_base: Failed to open a new connection
E (21:19:19.593) HTTP_CLIENT: Connection failed, sock < 0
E (21:19:19.596) HTTP_CLIENT: Error perform http request ESP_ERR_HTTP_CONNECT

More Information.

No response
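
The debug log in the post above ends with `! Certificate verification flags 00000008`, which records which X.509 check mbedTLS rejected. The following is an added example, not code from the original post or from ESP-IDF: it pulls that value out of a log and names the set bits, using the `MBEDTLS_X509_BADCERT_*` / `MBEDTLS_X509_BADCRL_*` values from `mbedtls/x509.h`. The helper names `parse_verify_flags` and `decode_verify_flags` are hypothetical, and the sample input is three lines taken from the log above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit values of MBEDTLS_X509_BADCERT_* / MBEDTLS_X509_BADCRL_* (mbedtls/x509.h). */
static const struct { uint32_t bit; const char *name; } FLAGS[] = {
    {0x00000001, "BADCERT_EXPIRED"},     {0x00000002, "BADCERT_REVOKED"},
    {0x00000004, "BADCERT_CN_MISMATCH"}, {0x00000008, "BADCERT_NOT_TRUSTED"},
    {0x00000010, "BADCRL_NOT_TRUSTED"},  {0x00000020, "BADCRL_EXPIRED"},
    {0x00000040, "BADCERT_MISSING"},     {0x00000080, "BADCERT_SKIP_VERIFY"},
    {0x00000100, "BADCERT_OTHER"},       {0x00000200, "BADCERT_FUTURE"},
    {0x00000400, "BADCRL_FUTURE"},       {0x00000800, "BADCERT_KEY_USAGE"},
    {0x00001000, "BADCERT_EXT_KEY_USAGE"}, {0x00002000, "BADCERT_NS_CERT_TYPE"},
    {0x00004000, "BADCERT_BAD_MD"},      {0x00008000, "BADCERT_BAD_PK"},
    {0x00010000, "BADCERT_BAD_KEY"},     {0x00020000, "BADCRL_BAD_MD"},
    {0x00040000, "BADCRL_BAD_PK"},       {0x00080000, "BADCRL_BAD_KEY"},
};

/* Sample input: three lines taken from the debug log in the post. */
static const char SAMPLE_LOG[] =
    "W (21:19:19.470) mbedtls: ssl_tls.c:7342 x509_verify_cert() returned -9984 (-0x2700)\n"
    "D (21:19:19.537) mbedtls: ssl_tls.c:7446 ! Certificate verification flags 00000008\n"
    "E (21:19:19.551) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x2700\n";

/* Hypothetical helper: find the first "Certificate verification flags" entry
 * in a log buffer and parse its hex value. Returns 1 on success, 0 if absent. */
int parse_verify_flags(const char *log, uint32_t *flags)
{
    static const char key[] = "Certificate verification flags ";
    const char *p = strstr(log, key);
    char *end;
    unsigned long v;

    if (p == NULL)
        return 0;
    p += sizeof(key) - 1;
    v = strtoul(p, &end, 16);
    if (end == p || v > 0xFFFFFFFFUL)
        return 0;
    *flags = (uint32_t)v;
    return 1;
}

/* Hypothetical helper: write the names of all set bits, joined by '|', into out.
 * Returns the number of names written, or -1 if the buffer is too small.
 * Bits not in the table are reported as UNKNOWN(0x...). */
int decode_verify_flags(uint32_t flags, char *out, size_t n)
{
    size_t used = 0;
    int count = 0, w;

    if (n == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof(FLAGS) / sizeof(FLAGS[0]); i++) {
        if ((flags & FLAGS[i].bit) == 0)
            continue;
        w = snprintf(out + used, n - used, "%s%s", count ? "|" : "", FLAGS[i].name);
        if (w < 0 || (size_t)w >= n - used)
            return -1;
        used += (size_t)w;
        flags &= ~FLAGS[i].bit;
        count++;
    }
    if (flags != 0) {
        w = snprintf(out + used, n - used, "%sUNKNOWN(0x%08lx)",
                     count ? "|" : "", (unsigned long)flags);
        if (w < 0 || (size_t)w >= n - used)
            return -1;
        count++;
    }
    return count;
}

int main(void)
{
    uint32_t flags;
    char names[256];

    if (!parse_verify_flags(SAMPLE_LOG, &flags))
        return 1;
    if (decode_verify_flags(flags, names, sizeof names) < 0)
        return 1;
    printf("flags 0x%08lx -> %s\n", (unsigned long)flags, names);
    return 0;
}
```

For this log the value decodes to `BADCERT_NOT_TRUSTED` alone: the chain was not accepted as signed by the configured CA, while the expiry and name-mismatch bits are clear. On the device, `mbedtls_x509_crt_verify_info()` produces the same breakdown from the flags value.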

QuentinFarizon commented 2 months ago

Interesting : these errors happen only if I first successfully connect to a MQTT server, with TLS.

If I don't connect to MQTT, the HTTP SSL connection works perfectly

chegewara commented 2 months ago

Did you try to check free memory in both cases? TLS connections require a lot of free memory, close to 40kB IIRC.

AdityaHPatwardhan commented 1 month ago

Hi @QuentinFarizon Can you please provide the certificate which started causing this issue? And yes, please check the memory available with the help of esp_get_free_heap_size() and esp_get_minimum_free_heap_size(), as @chegewara has mentioned. If possible, please provide a small reproducible app that can reproduce this issue. Thanks

AdityaHPatwardhan commented 1 month ago

@QuentinFarizon Please feel free to re-open if the issue still persists. Thanks