esp_tls handshake failure (using client authentication)
Posted: Sat May 23, 2020 10:06 am
I'm trying to migrate some TLS code from esp8266 to esp32. In the original version I used WiFiClientSecure to take care of the whole handshake/authentication part. On the esp32 I tried to use the esp_tls library, but it keeps returning "mbedtls_ssl_handshake returned -0x2700".
This is the code I used (I know it could be written in a better way, I'm just trying to get it going before cleaning it up):
#include <esp_tls.h>
#include <string.h>
#include <time.h>
#include <WiFi.h>
#include <sys/time.h>

// PEM buffers. esp_tls hands these to mbedTLS, which only treats a buffer as PEM when it is
// NUL-terminated and the length passed counts that terminator, so the lengths below are
// computed with strlen() + 1 instead of hard-coded byte counts.
const char* caCert = "-----BEGIN CERTIFICATE-----\n"
"INSERT CERTIFICATE HERE\n"
"-----END CERTIFICATE-----\n";
const char* clientCert = "-----BEGIN CERTIFICATE-----\n"
"INSERT CLIENT CERTIFICATE HERE\n"
"-----END CERTIFICATE-----\n";
const char* clientKey = "-----BEGIN RSA PRIVATE KEY-----\n"
"INSERT CLIENT KEY HERE\n"
"-----END RSA PRIVATE KEY-----\n";

IPAddress ip(192, 168, 1, 4);
IPAddress srv(192, 168, 1, 7);
unsigned char nTentativi = 0;   // attempt counter, shared by the WiFi and TLS loops

void connect() {
  WiFi.mode(WIFI_STA);
  WiFi.config(ip, srv, IPAddress(255, 255, 255, 0), srv);   // static IP; gateway and DNS = server
  WiFi.begin("AutoOpener", "password");
  while (nTentativi < 11) {
    if (WiFi.status() == WL_CONNECTED) {
      break;
    }
    nTentativi++;
    delay(100);
  }

  esp_tls_cfg_t conf;
  memset(&conf, 0, sizeof(esp_tls_cfg_t));
  conf.cacert_pem_buf = (const unsigned char*) caCert;
  conf.cacert_pem_bytes = strlen(caCert) + 1;
  conf.clientcert_pem_buf = (const unsigned char*) clientCert;
  conf.clientcert_pem_bytes = strlen(clientCert) + 1;
  conf.clientkey_pem_buf = (const unsigned char*) clientKey;
  conf.clientkey_pem_bytes = strlen(clientKey) + 1;
  Serial.println("Certificates and keys loaded!");

  const char* host = "192.168.1.7";
  struct esp_tls *tls = NULL;   // stays NULL if every attempt fails
  while (nTentativi < 11) {
    tls = esp_tls_conn_new(host, strlen(host), 443, &conf);
    if (tls) {
      break;
    }
    nTentativi++;
    delay(10);
  }

  if (tls) {
    const char* dataBytes = "GET http://192.168.1.7/index.php?id=RPI1 HTTP/1.0\r\n"
    "Host: 192.168.1.7\r\n"
    "User-Agent: 32\r\n"
    "Connection: close\r\n\r\n";
    esp_tls_conn_write(tls, dataBytes, strlen(dataBytes));
    // Read and print the response until the server closes the connection.
    char buf[128];
    int len;
    while ((len = esp_tls_conn_read(tls, buf, sizeof(buf) - 1)) > 0) {
      buf[len] = '\0';
      Serial.print(buf);
    }
    Serial.println("OPEN");
  }
  esp_tls_conn_delete(tls);   // accepts NULL
}
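An added check, not part of the post and not an esp_tls or mbedTLS API, for the precondition the PEM buffers in the sketch above must meet: mbedtls_x509_crt_parse() and mbedtls_pk_parse_key() only take the PEM path when the buffer is NUL-terminated and the length they are given counts that terminator; with any other length the bytes are tried as DER and parsing fails before the handshake starts. pem_check and pem_buf_len are hypothetical helper names, and the certificate text is a constructed placeholder, not a real certificate.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: mirrors the PEM-or-DER decision mbedTLS makes on a parse buffer. */
enum pem_status { PEM_OK = 0, PEM_NOT_NUL_TERMINATED, PEM_NO_BEGIN, PEM_NO_END };

enum pem_status pem_check(const unsigned char *buf, size_t buflen, const char *label)
{
    char begin[64], end[64];
    const char *s = (const char *)buf;

    /* mbedTLS checks buf[buflen - 1] == '\0' before it even looks for a PEM header. */
    if (buflen == 0 || buf[buflen - 1] != '\0')
        return PEM_NOT_NUL_TERMINATED;
    snprintf(begin, sizeof begin, "-----BEGIN %s-----", label);
    snprintf(end, sizeof end, "-----END %s-----", label);
    if (strstr(s, begin) == NULL)
        return PEM_NO_BEGIN;
    if (strstr(s, end) == NULL)
        return PEM_NO_END;
    return PEM_OK;
}

/* The length esp_tls expects for a PEM string literal: the text plus its terminator. */
size_t pem_buf_len(const char *pem)
{
    return strlen(pem) + 1;
}

/* Constructed placeholders with the same shape as the post's buffers (not real certificates). */
static const char *sample_cert =
    "-----BEGIN CERTIFICATE-----\n"
    "INSERT CERTIFICATE HERE\n"
    "-----END CERTIFICATE-----\n";

static const char *truncated_cert =
    "-----BEGIN CERTIFICATE-----\n"
    "INSERT CERTIFICATE HERE\n";

static const char *status_name(enum pem_status st)
{
    switch (st) {
    case PEM_OK:                 return "ok";
    case PEM_NOT_NUL_TERMINATED: return "length does not include the NUL terminator";
    case PEM_NO_BEGIN:           return "no matching -----BEGIN ...----- line";
    case PEM_NO_END:             return "no matching -----END ...----- line";
    }
    return "?";
}

int main(void)
{
    const unsigned char *b = (const unsigned char *)sample_cert;
    /* strlen() alone, as a hard-coded byte count usually ends up being, is rejected ... */
    printf("strlen:      %s\n", status_name(pem_check(b, strlen(sample_cert), "CERTIFICATE")));
    /* ... while strlen() + 1 is what the PEM parser wants. */
    printf("strlen + 1:  %s\n", status_name(pem_check(b, pem_buf_len(sample_cert), "CERTIFICATE")));
    /* A key label against a certificate buffer catches swapped cert/key pointers. */
    printf("wrong label: %s\n", status_name(pem_check(b, pem_buf_len(sample_cert), "RSA PRIVATE KEY")));
    printf("truncated:   %s\n", status_name(pem_check((const unsigned char *)truncated_cert,
                                                      pem_buf_len(truncated_cert), "CERTIFICATE")));
    return 0;
}
```

Running this against each of the three buffers before they go into esp_tls_cfg_t is a cheap way to separate "the PEM never parsed" from a genuine certificate verification failure during the handshake.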
The client cert/key pair is correct (it's the same one I used on the esp8266, and I also tried using it in a browser on my PC and it works).
This is the error reported in the Apache2 SSL logs on the server side:
[Sat May 23 11:49:04.414825 2020] [ssl:info] [pid 13036] [client 192.168.1.4:58685] AH01964: Connection to child 1 established (server RPiGate.local:443)
[Sat May 23 11:49:04.416677 2020] [ssl:debug] [pid 13036] ssl_engine_kernel.c(2122): [client 192.168.1.4:58685] AH02044: No matching SSL virtual host for servername 192.168.1.7 found (using default/first virtual host)
[Sat May 23 11:49:04.708514 2020] [ssl:info] [pid 13036] [client 192.168.1.4:58685] AH02008: SSL library error 1 in handshake (server RPiGate.local:443)
[Sat May 23 11:49:04.708759 2020] [ssl:info] [pid 13036] SSL Library Error: error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate (SSL alert number 43)
[Sat May 23 11:49:04.708876 2020] [ssl:info] [pid 13036] [client 192.168.1.4:58685] AH01998: Connection closed to child 1 with abortive shutdown (server RPiGate.local:443)
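An added decoder for the two numbers in the logs above, written for this page and not taken from the post, mod_ssl or mbedTLS. The OpenSSL 1.x error code error:14094413 packs an 8-bit library, a 12-bit function and a 12-bit reason, and in the SSL library a reason of 1000 + n records a TLS alert n received from the peer, which is why it matches the "(SSL alert number 43)" printed in clear text; -0x2700 on the ESP32 side is MBEDTLS_ERR_X509_CERT_VERIFY_FAILED. The log line is a constructed copy of the one in the post, the function names are hypothetical, and the alert and error tables are deliberate subsets of RFC 5246 section 7.2 and mbedtls/x509.h. OpenSSL 3 no longer fills in the function field, so the decoder's function value is only meaningful for logs like this one.

```c
#include <stdio.h>
#include <string.h>

/* Constructed copy of the Apache mod_ssl line from the post (embedded, not read from a live log). */
static const char *sample_line =
    "[Sat May 23 11:49:04.708759 2020] [ssl:info] [pid 13036] SSL Library Error: "
    "error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate "
    "(SSL alert number 43)";

struct ssl_err { unsigned lib, func, reason; int alert; };

/* OpenSSL 1.x error packing: 0xLLFFFRRR = 8-bit library, 12-bit function, 12-bit reason.
 * Library 20 is ERR_LIB_SSL; there, reason >= 1000 means "alert (reason - 1000) was received". */
int decode_openssl_error(const char *line, struct ssl_err *out)
{
    const char *p = strstr(line, "error:");
    unsigned code;
    if (p == NULL || sscanf(p, "error:%8x", &code) != 1)
        return -1;
    out->lib = code >> 24;
    out->func = (code >> 12) & 0xFFF;
    out->reason = code & 0xFFF;
    out->alert = (out->lib == 20 && out->reason >= 1000) ? (int)(out->reason - 1000) : -1;
    return 0;
}

/* Alert number recovered from the packed code, or -1 when the line carries none. */
int alert_from_line(const char *line)
{
    struct ssl_err e;
    return decode_openssl_error(line, &e) == 0 ? e.alert : -1;
}

/* The alert number mod_ssl prints in clear text, used to cross-check the decode. */
int logged_alert_number(const char *line)
{
    const char *p = strstr(line, "SSL alert number ");
    int n;
    if (p == NULL || sscanf(p, "SSL alert number %d", &n) != 1)
        return -1;
    return n;
}

/* AlertDescription values from RFC 5246 section 7.2 (subset). */
const char *tls_alert_name(int alert)
{
    switch (alert) {
    case 0:  return "close_notify";
    case 40: return "handshake_failure";
    case 42: return "bad_certificate";
    case 43: return "unsupported_certificate";
    case 44: return "certificate_revoked";
    case 45: return "certificate_expired";
    case 46: return "certificate_unknown";
    case 48: return "unknown_ca";
    case 49: return "access_denied";
    case 70: return "protocol_version";
    default: return "other";
    }
}

/* mbedTLS error codes are negative sums of a module-specific high-level part (a multiple
 * of 0x80) and a low-level part (below 0x80). -0x2700 carries no low-level component. */
int mbedtls_high_part(int err) { return -(int)((unsigned)(-err) & ~0x7Fu); }
int mbedtls_low_part(int err)  { return -(int)((unsigned)(-err) & 0x7Fu); }

/* X.509 module codes from mbedtls/x509.h (subset). */
const char *mbedtls_x509_error_name(int err)
{
    switch (err) {
    case -0x2180: return "MBEDTLS_ERR_X509_INVALID_FORMAT";
    case -0x2700: return "MBEDTLS_ERR_X509_CERT_VERIFY_FAILED";
    case -0x2780: return "MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT";
    default:      return "unknown";
    }
}

int main(void)
{
    struct ssl_err e;
    int err = -0x2700;
    if (decode_openssl_error(sample_line, &e) == 0)
        printf("lib=%u func=%u reason=%u -> alert %d (%s), logged as %d\n",
               e.lib, e.func, e.reason, e.alert, tls_alert_name(e.alert),
               logged_alert_number(sample_line));
    printf("mbedTLS %#x -> high-level %#x, low-level %#x: %s\n", -err,
           -mbedtls_high_part(err), -mbedtls_low_part(err),
           mbedtls_x509_error_name(mbedtls_high_part(err)));
    return 0;
}
```

Read together, the two codes say that the ESP32 rejected the certificate it received (-0x2700 is the client-side verification result) and announced that rejection to Apache as alert 43, which is what the server then logged; the server's log is the echo of the client's decision, not an independent failure.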