Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS 1.3 mbedtls_ssl_handshake returns -0x6C00 (CA-288) #179

Open
aselafernando opened this issue Apr 24, 2023 · 7 comments
Open

TLS 1.3 mbedtls_ssl_handshake returns -0x6C00 (CA-288) #179

aselafernando opened this issue Apr 24, 2023 · 7 comments

Comments

@aselafernando
Copy link

aselafernando commented Apr 24, 2023
edited
Loading

Branch 202210.01-LTS
IDF 5.0.1-stable

Running the tls_mutual_auth demo connecting to test.mosquitto.org:8884 I get a -0x6C00 error (Internal MBED TLS error).

I downloaded the root certificate for mosquitto.org and had the client certificate generated here https://test.mosquitto.org/ssl/

Key and CSR generated with

openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr

sdkconfig file used to compile:
sdkconfig.txt

Here is the ESP log

I (12727) coreMQTT: Establishing a TLS session to test.mosquitto.org:8884.
I (13167) mbedtls: ssl_tls.c:3087 0x3ffcbf90: => handshake

I (13167) mbedtls: ssl_msg.c:2016 0x3ffcbf90: => flush output

I (13177) mbedtls: ssl_msg.c:2028 0x3ffcbf90: <= flush output

I (13177) mbedtls: ssl_tls.c:3007 0x3ffcbf90: client state: MBEDTLS_SSL_HELLO_REQUEST

I (13187) mbedtls: ssl_msg.c:2016 0x3ffcbf90: => flush output

I (13197) mbedtls: ssl_msg.c:2028 0x3ffcbf90: <= flush output

I (13197) mbedtls: ssl_tls.c:3007 0x3ffcbf90: client state: MBEDTLS_SSL_CLIENT_HELLO

I (13207) mbedtls: ssl_client.c:842 0x3ffcbf90: => write client hello

W (13217) mbedtls: ssl_tls13_generic.c:1464 0x3ffcbf90: Perform PSA-based ECDH computation.

W (13227) mbedtls: ssl_tls13_generic.c:1485 0x3ffcbf90: psa_generate_key() returned -27648 (-0x6c00)

I (13237) mbedtls: ssl_client.c:897 0x3ffcbf90: <= write client hello

I (13247) mbedtls: ssl_tls.c:3098 0x3ffcbf90: <= handshake

E (13247) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x6C00
I (13257) esp-tls-mbedtls: Certificate verified.
E (13257) esp-tls: Failed to open new connection
I (13277) coreMQTT: A clean MQTT connection is established. Cleaning up all the stored outgoing publishes.


I (13277) coreMQTT: Subscribing to the MQTT topic test/example/topic.
E (13287) coreMQTT: sendMessageVector: Unable to send packet: Network Error.
E (13297) coreMQTT: Failed to send SUBSCRIBE packet to broker with error = MQTTSendFailed.
I (13297) coreMQTT: Disconnecting the MQTT connection with test.mosquitto.org.
E (13307) coreMQTT: sendBuffer: Unable to send packet: Network Error.
E (13317) coreMQTT: Transport send failed for DISCONNECT packet.
E (13327) coreMQTT: Sending MQTT DISCONNECT failed with status=MQTTSendFailed.
I (13327) coreMQTT: Short delay before starting the next iteration...

If I use the non-AWS demo at esp-idf-v5.0.1\examples\protocols\mqtt\ssl_mutual_auth, I can connect with no issues.
@github-actions github-actions bot changed the title mbedtls_ssl_handshake returns -0x6C00 mbedtls_ssl_handshake returns -0x6C00 (CA-288) Apr 24, 2023
@aselafernando
Copy link
Author

aselafernando commented Apr 24, 2023
edited
Loading

Looks like the error is from psa_generate_key() when you have TLS 1.3 enabled.

After disabling TLS 1.3 I am able to connect. Is TLS 1.3 support broken?

@aselafernando aselafernando changed the title mbedtls_ssl_handshake returns -0x6C00 (CA-288) TLS 1.3 mbedtls_ssl_handshake returns -0x6C00 (CA-288) Apr 25, 2023
@Harshal5
Copy link

Hello @aselafernando,

Thank you for reporting the issue.
Could you please try applying the attached patch to your esp-idf and check if you are able to establish a TLS 1.3 connection?

0001-esp-tls-fix-ssl-connection-and-read-issues-when-usin.patch

@aselafernando
Copy link
Author

Hi @Harshal5 I tried the patch but got the following. Looks like these additions are missing a reference.

FAILED: esp-idf/esp-tls/CMakeFiles/__idf_esp-tls.dir/esp_tls_mbedtls.c.obj 
F:\Espressif\.espressif\tools\xtensa-esp32-elf\esp-2022r1-11.2.0\xtensa-esp32-elf\bin\xtensa-esp32-elf-gcc.exe -DMBEDTLS_CONFIG_FILE=\"mbedtls/esp_config.h\" -IF:/Espressif/projects/tls_mutual_auth/build/config -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp-tls-crypto -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/private_include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/newlib/platform_include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/freertos/FreeRTOS-Kernel/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/freertos/esp_additions/include/freertos -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/freertos/FreeRTOS-Kernel/portable/xtensa/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/freertos/esp_additions/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_hw_support/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_hw_support/include/soc -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_hw_support/include/soc/esp32 -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_hw_support/port/esp32/. -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_hw_support/port/esp32/private_include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/heap/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/log/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/soc/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/soc/esp32/. -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/soc/esp32/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/hal/esp32/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/hal/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/hal/platform_port/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_rom/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_rom/include/esp32 -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_rom/esp32 -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_common/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_system/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_system/port/soc -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp_system/port/include/private -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/xtensa/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/xtensa/esp32/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/lwip/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/lwip/include/apps -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/lwip/include/apps/sntp -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/lwip/lwip/src/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/lwip/port/esp32/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/lwip/port/esp32/include/arch -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/mbedtls/port/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/mbedtls/mbedtls/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/mbedtls/mbedtls/library -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/mbedtls/esp_crt_bundle/include -IF:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/http_parser -mlongcalls -Wno-frame-address  -fdiagnostics-color=always -ffunction-sections -fdata-sections -Wall -Werror=all -Wno-error=unused-function -Wno-error=unused-variable -Wno-error=deprecated-declarations -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-enum-conversion -gdwarf-4 -ggdb -Og -fmacro-prefix-map=F:/Espressif/projects/tls_mutual_auth=. 
-fmacro-prefix-map=F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1=/IDF -fstrict-volatile-bitfields -Wno-error=unused-but-set-variable -fno-jump-tables -fno-tree-switch-conversion -DconfigENABLE_FREERTOS_DEBUG_OCDAWARE=1 -std=gnu17 -Wno-old-style-declaration -D_GNU_SOURCE -DIDF_VER=\"v5.0.1-dirty\" -DESP_PLATFORM -D_POSIX_READER_WRITER_LOCKS -MD -MT 
esp-idf/esp-tls/CMakeFiles/__idf_esp-tls.dir/esp_tls_mbedtls.c.obj -MF esp-idf\esp-tls\CMakeFiles\__idf_esp-tls.dir\esp_tls_mbedtls.c.obj.d -o esp-idf/esp-tls/CMakeFiles/__idf_esp-tls.dir/esp_tls_mbedtls.c.obj -c F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c: In function 'esp_create_mbedtls_handle':
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c:116:5: error: unknown type name 'psa_status_t'; did you mean 'TaskStatus_t'?
  116 |     psa_status_t status;
      |     ^~~~~~~~~~~~
      |     TaskStatus_t
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c:117:14: error: implicit declaration of function 'psa_crypto_init' [-Werror=implicit-function-declaration]
  117 |     status = psa_crypto_init();
      |              ^~~~~~~~~~~~~~~
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c:118:19: error: 'PSA_SUCCESS' undeclared (first use in this function); did you mean 'XTHAL_SUCCESS'?
  118 |     if (status != PSA_SUCCESS) {
      |                   ^~~~~~~~~~~
      |                   XTHAL_SUCCESS
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c:118:19: note: each undeclared identifier is reported only once for each function it appears in
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c: In function 'esp_mbedtls_read':
F:/Espressif/.espressif/frameworks/esp-idf-v5.0.1/components/esp-tls/esp_tls_mbedtls.c:233:21: error: 'MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET' undeclared (first use in this function); did you mean 'MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET'?
  233 |     } while (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET);
      |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |                     MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET
cc1.exe: some warnings being treated as errors

@Harshal5
Copy link

Thank you, got it! @aselafernando
So, this arises because the tag v5.0.1 of ESP-IDF uses the v3.2.1 release of the mbedtls component.

As mentioned in their release notes , they have been constantly adding support and bugfixes for TLS1.3 and so the newer releases like v.3.4.0 (preferred) and v3.3.0 include a large extent of TLS1.3 support.

The newer version (v3.4.0) of mbedtls has been merged in the ESP-IDF master branch and would be backported to the ESP-IDF release/v5.0 branch. If possible, could you try the above patch by checking out the master branch of ESP-IDF and applying the patch?

@nidrissi
Copy link

I'm using ESP-IDF 5.1, which includes mbedtls v3.4.0, and I still get an error 0x6C00 (MBEDTLS_ERR_SSL_INTERNAL_ERROR) when trying to use the HTTPS client or server with TLS 1.3 enabled.

@avrmp
Copy link

avrmp commented Jan 6, 2024

Any updates here? We are hitting the same issue and need TLS 1.3 support for production

@gh4emb
Copy link

gh4emb commented Jan 31, 2024

@aselafernando , @avrmp , see this issue: Mbed-TLS/mbedtls#8401

then esp-idf example of inserting call to psa_crypto_init() in application: https://github.com/espressif/esp-idf/blob/master/examples/protocols/https_mbedtls/main/https_mbedtls_example_main.c

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@avrmp @nidrissi @aselafernando @Harshal5 @gh4emb