espressif / esp-mqtt

ESP32 mqtt component
Apache License 2.0

esp-tls: mbedtls_ssl_handshake returned -0x2700 (IDFGH-11375) #104

Closed InfiniteYuan closed 5 years ago

InfiniteYuan commented 5 years ago

We use a different DNS record to point to the endpoint CNAME.

For example: xxx.com => yyy.com

This seems to cause the failure, because it looks for yyy.com:

I (10218) mqtt: [STATE] - MQTT_STATE_CONNECTING 
E (11169) esp-tls: mbedtls_ssl_handshake returned -0x2700 
I (11170) esp-tls: Failed to verify peer certificate! 
I (11170) esp-tls: verification info: ! The certificate Common Name (CN) does not match with the expected CN
E (11172) esp-tls: Failed to open new connection 
E (11173) TRANS_SSL: Failed to open a new connection

Please help me.

david-cermak commented 5 years ago

Hi @InfiniteYuan1

Would it help to create a certificate with CN=xxx.com and (as extension) alternative name yyy.com?

InfiniteYuan commented 5 years ago

It looks like the implementation of lwip_gethostbyname is not able to get the alias list.

There are other solutions for this situation.

david-cermak commented 5 years ago

AFAIK there's no way to resolve DNS aliases through LwIP as is, so I can see two options: 1) Update the LWIP/dns module to process nameservers in DNS queries. 2) Send a separate UDP packet with an NS query and process the responses in application code (which sounds better to me).

But still, updating the certificate seems to me like the easiest option. There's no issue in having devices in the field, as it's the server certificate; the client certificate can stay the same, as can the CA certificate used for server verification in your device. Just update your backend the same way as if your server certificate had expired.

InfiniteYuan commented 5 years ago

What should we do to use the LWIP/dns module to process nameservers in DNS queries? And to send a separate UDP packet? Can you provide some docs for me? Thank you.

david-cermak commented 5 years ago

I would suggest continuing this conversation on the forum to get more feedback from more knowledgeable people. Plus, it's not in the scope of esp-mqtt (nor an issue with the library).

The general idea is to look at DNS packets and parse for NS entries (https://tools.ietf.org/html/rfc2929). I would not recommend updating the dns module in lwip. For a separate query, you can start by composing a packet (as outlined, for example, here: https://github.com/tigerlyb/DNS-Lookup-Tool-in-Python/blob/master/dnslookup.py) and parsing the response.
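The "separate query, parse the response" approach above, as an added example that is not code from this thread or from esp-mqtt (written in Python for readability rather than for lwIP on the ESP32): it decodes the answer section of a DNS reply, handles RFC 1035 name compression, and follows the alias chain from the name the device was configured with. `read_name`, `parse_response`, `canonical_name` and the `RESPONSE` bytes are all constructed for this example.

```python
# Added example (not esp-mqtt code): parse a DNS reply and follow CNAME aliases.
# RESPONSE is a hand-constructed "xxx.com -> yyy.com" reply using RFC 1035 name compression.
import struct

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier name
            if not jumped:
                end = off + 2      # the pointer itself is the last byte of this name
            off, jumped = ((length & 0x3F) << 8) | msg[off + 1], True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_response(msg):  # -> ({alias: target}, [A addresses]) from the answer section
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s): name + QTYPE + QCLASS
        _, off = read_name(msg, off)
        off += 4
    cnames, addrs = {}, []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 5:  # CNAME: RDATA is another (possibly compressed) name
            cnames[owner], _ = read_name(msg, off)
        elif rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return cnames, addrs

def canonical_name(cnames, name):  # follow the alias chain, stopping if it loops
    seen = set()
    while name in cnames and name not in seen:
        seen.add(name)
        name = cnames[name]
    return name

RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)  # constructed: id, flags, 1 Q, 2 answers
    + b"\x03xxx\x03com\x00" + struct.pack("!HH", 1, 1)                           # Q: xxx.com A IN
    + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 6) + b"\x03yyy\xc0\x10"      # xxx.com CNAME yyy.com
    + b"\xc0\x25" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])  # yyy.com A 192.0.2.10
)
```

A plain DNS reply is not authenticated, so using the alias target as the TLS verification name lets whoever controls the DNS path choose which name the device checks; a server certificate whose SAN covers both names keeps the check anchored to the name the device was configured with.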

SeanYang-7 commented 11 months ago

I have also encountered this problem when using the tls_mutual_auth routine; it is not clear why this problem occurs.

euripedesrocha commented 10 months ago

@LHYYSY I suggest that you open a new issue with the details of your problem. I also noticed that you are using coremqtt so this repository would not be the right place to ask.

Looking into your logs, I can see the certificate could not be verified; check that you have the correct certificates set.