ruuvi / ruuvi.gateway_esp.c

Ruuvi Gateway ESP32 code
BSD 3-Clause "New" or "Revised" License

ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED on HTTP endpoint validation "*.logic.azure.com" because new random number is generated on second "Client Hello" #1053

Closed jheba closed 4 months ago

jheba commented 4 months ago

Hello,

I am getting "Network error when communicating with the server, err=32794, description=ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED" when validating Azure Logic Apps as an HTTP endpoint.


Affected firmware version: v1.15.x. Works fine on v1.14.3.

Steps to reproduce:

  1. Create the simplest logic app with only two blocks as below.
  2. Rename the first block to something very short (like "ruuvi" or shorter); otherwise you'll run into the problem described here (because the name becomes a part of the URL, making it longer than 255 characters).
  3. save the app
  4. once the app is saved, copy an HTTP URL of the app from the first block
  5. enter the URL as the HTTP endpoint for ruuvi gateway
  6. click "Check" button to see the ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED error

It is not a blocker for me ATM - just letting you know, as it indicates that there is potentially still a problem after introducing TLS 1.3 support. Please note that, according to this report, the logic apps endpoint I am testing against supports TLS 1.3.

TheSomeMan commented 4 months ago

Connection is closed by the server, it sends a fatal alert message of type 70 (MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION):

V (581583) mbedtls: ssl_msg.c:3989 dumping 'input record from network' (7 bytes)
V (581591) mbedtls: ssl_msg.c:3989 0000:  15 03 03 00 02 02 46                             ......F
I (581600) mbedtls: ssl_msg.c:5042 got an alert message, type: [2:70]
W (581608) mbedtls: ssl_msg.c:5049 is a fatal alert message (msg 70)
W (581615) mbedtls: ssl_msg.c:4191 mbedtls_ssl_handle_message_type() returned -30592 (-0x7780)
W (581624) mbedtls: ssl_tls13_generic.c:69 mbedtls_ssl_read_record() returned -30592 (-0x7780)
I (581634) mbedtls: ssl_tls13_client.c:2079 <= ssl_tls13_process_server_hello ( ServerHello )
I (581643) mbedtls: ssl_tls.c:3952 <= handshake
E (581649) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x7780 (SSL - A fatal alert message was received from our peer)
I (581660) esp-tls-mbedtls: (FFFF8880): SSL - A fatal alert message was received from our peer
E (581669) transport_base: [http_server] esp_tls_connect_async: [prod-16.norwayeast.logic.azure.com:443] esp_tls_conn_new_async: Failed, res=-1
I (581683) transport_base: [http_server] [prod-16.norwayeast.logic.azure.com] Unlock TLS saved session for ssl=0x3ffe4ef8, session=0x0
E (581696) HTTP_CLIENT: Connection failed
E (581701) HTTP_CLIENT: Connection failed: esp_tls_last_esp_err=32794 (ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED)
E (581711) http: [http_server/1] ./main/http.c:306 {http_wait_until_async_req_completed}: esp_http_client_perform failed, err=32794 (ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED)
E (581727) http: [http_server/1] ./main/http.c:318 {http_wait_until_async_req_completed}: esp_http_client_perform failed, err=32794 (ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED)
I (581750) gw_status: [http_server/1] RESUME RELAYING
I (581751) http_server: [http_server/1] Json resp: code=200, content:
{
        "status":       502,
        "message":      "Network error when communicating with the server, err=32794, description=ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED"
}


TheSomeMan commented 4 months ago

This problem was solved in mbedtls by the commit "Do not generate new random number while receiving HRR". This commit is part of the pull request "Do not generate new random number while receiving HRR", which was merged 2024-03-15 and included in mbedtls v3.6.0 (LTS).
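As an added example (not code from the ruuvi project or from mbedtls), the Python below decodes the 7-byte alert record dumped in the log above and implements the HelloRetryRequest rule behind the mbedtls fix: the ClientHello sent after an HRR must carry the same 32-byte random as the first one (RFC 8446, section 4.1.2). The ClientHello builder produces a constructed, deliberately minimal record for demonstration only.

```python
import struct

# Constructed: the 7-byte alert record dumped in the log above.
ALERT_RECORD = bytes.fromhex("15030300020246")

# Subset of RFC 8446 AlertDescription values.
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter",
               70: "protocol_version", 80: "internal_error"}

def parse_record(data: bytes):
    """Return (content_type, legacy_version, fragment) of one TLS record."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("truncated record fragment")
    return ctype, version, fragment

def decode_alert(data: bytes) -> dict:
    """Decode an alert record such as '15 03 03 00 02 02 46' into fields."""
    ctype, version, fragment = parse_record(data)
    if ctype != 21 or len(fragment) != 2:  # 0x15 = alert; body is level + description
        raise ValueError("not a well-formed alert record")
    level, desc = fragment
    return {"legacy_version": f"{version >> 8}.{version & 0xFF}",
            "level": "fatal" if level == 2 else "warning",
            "description": desc, "name": ALERT_NAMES.get(desc, "unknown")}

def client_hello_random(data: bytes) -> bytes:
    """Extract the 32-byte random from a ClientHello handshake record."""
    ctype, _, fragment = parse_record(data)
    # 0x16 = handshake; HandshakeType 1 = ClientHello; 4-byte header + 2-byte version precede random
    if ctype != 22 or len(fragment) < 38 or fragment[0] != 1:
        raise ValueError("not a ClientHello record")
    return fragment[6:38]

def hrr_retry_is_consistent(first_hello: bytes, retry_hello: bytes) -> bool:
    """RFC 8446 4.1.2: the ClientHello sent after a HelloRetryRequest must
    reuse the original random; pre-fix mbedtls regenerated it, which this flags."""
    return client_hello_random(first_hello) == client_hello_random(retry_hello)

def make_client_hello(random32: bytes) -> bytes:
    """Constructed, deliberately minimal ClientHello record (version + random only)."""
    body = b"\x03\x03" + random32
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake
```

Feeding the two ClientHello records from a capture of the failing handshake into hrr_retry_is_consistent() returns False for the pre-fix firmware, which is the condition the fixed mbedtls no longer produces.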

TheSomeMan commented 4 months ago

@jheba could you check how it works now? Here is the test build: https://jenkins.ruuvi.com/job/ruuvi_gateway_esp-PR/1338/artifact/build/

jheba commented 4 months ago

Works great! Thanks!

Do you know when v1.15.1 will be out? Is there any roadmap publicly available?

markoaamunkajo commented 4 months ago

QA passed

ojousima commented 4 months ago

We're planning to release v1.15.1 to beta by the end of this week, and usually the beta is pushed to production in 2-3 weeks. The schedule depends on whether issues are found in beta.

We don't have a public long-term roadmap for Gateway; we'll collect user feedback and see what features are most wanted before we start working on 1.16. If some bugs are found, we'll release bug fix patches, 1.15.2, .3 etc.