How to use mbedTLS without a client certificate

4,485 Views
jeffthompson
Contributor V

How do I use mbedTLS if I do not have a client certificate? According to RFC5246, this is possible if I send a certificate list of zero length, but I don't see how to do this from the example code.

0 Kudos
1 Solution
4,388 Views
jeffthompson
Contributor V

I heard back from TrustedFirmware, which now owns mbedTLS:

If you don't want to provision a client certificate in your TLS client, all you have to do is to not call `mbedtls_ssl_conf_own_cert()` in your client code. Then the library will send an empty certificate list as required by the standard.

Actually in the example code you have, if you look at the second and third argument in the call to `mbedtls_ssl_conf_own_cert()`, you should be able to remove all references to those arguments, and end up with a functional example without client certificates.

I've now implemented this change and that part seems to be working from what I can see at the moment.

0 Kudos
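
What the "certificate list of zero length" from RFC 5246 looks like on the wire, as an added example that is not part of the original thread and is not mbedTLS code: a small C parser that counts the entries in a TLS 1.2 Certificate handshake message, usable to confirm from a capture of the initial (cleartext) handshake that the client really sent an empty list. The function name `tls12_count_certs` and the sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS_HS_CERTIFICATE 11  /* HandshakeType certificate(11), RFC 5246 */

/* Read a 24-bit big-endian length field. */
static uint32_t rd24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/* Count the entries in one complete Certificate handshake message
 * (type, 3-byte length, 3-byte certificate_list length, entries).
 * Returns the number of certificates, 0 for the empty list a client
 * without a certificate must send, or -1 if the message is malformed. */
int tls12_count_certs(const uint8_t *msg, size_t len)
{
    if (msg == NULL || len < 7 || msg[0] != TLS_HS_CERTIFICATE)
        return -1;
    uint32_t body_len = rd24(msg + 1);   /* handshake body length */
    if (body_len != len - 4)
        return -1;
    uint32_t list_len = rd24(msg + 4);   /* certificate_list length */
    if (list_len != body_len - 3)
        return -1;

    const uint8_t *p = msg + 7, *end = p + list_len;
    int count = 0;
    while (p < end) {
        if ((size_t)(end - p) < 3)       /* no room for an entry length */
            return -1;
        uint32_t cert_len = rd24(p);
        p += 3;
        if (cert_len == 0 || cert_len > (size_t)(end - p))
            return -1;                   /* ASN.1Cert is <1..2^24-1> */
        p += cert_len;
        count++;
    }
    return count;
}

/* Constructed samples (not captured traffic). */
static const uint8_t EMPTY_CERT_MSG[] = { 0x0b, 0, 0, 3, 0, 0, 0 };
static const uint8_t ONE_CERT_MSG[]   = { 0x0b, 0, 0, 10, 0, 0, 7,
                                          0, 0, 4, 0x30, 0x02, 0x05, 0x00 };
static const uint8_t BAD_LIST_LEN[]   = { 0x0b, 0, 0, 3, 0, 0, 5 };

int main(void)
{
    printf("empty list : %d\n", tls12_count_certs(EMPTY_CERT_MSG, sizeof EMPTY_CERT_MSG));
    printf("one entry  : %d\n", tls12_count_certs(ONE_CERT_MSG, sizeof ONE_CERT_MSG));
    printf("bad length : %d\n", tls12_count_certs(BAD_LIST_LEN, sizeof BAD_LIST_LEN));
    return 0;
}
```

The 4-byte entry in `ONE_CERT_MSG` is a placeholder, not a real DER certificate; the parser checks framing only and does not validate certificate contents.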
5 Replies
4,388 Views
Sabina_Bruce
NXP Employee

Hello Jeffery,

Hope you are doing well.

Could you please confirm the microcontroller you are using, so that I may view the correct example?

Best Regards,

Sabina

0 Kudos
4,388 Views
jeffthompson
Contributor V

I removed the calls having to do with the client certs and key in the hope that would be sufficient. However, what I see in the debug output leads me to believe the connection isn't even getting to the point of attempting client certificate authentication at all, but is stumbling on verifying server certificates. It looks like the first 3 certificates verify, but there is a problem with the 4th. This is all quite new to me, so I could be totally misinterpreting the debug output. Is there a way to do TLS 1.2 without any certificates at all?

SSL state connect : 0
. Performing the SSL/TLS handshake...
Verify requested for (Depth 1):
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication


Verify requested for (Depth 0):
cert. version : 3
serial number : 10:7A:C6:83:CE:BF:51:0F:08:00:00:00:00:43:54:D8
issuer name : C=US, O=Google Trust Services, CN=GTS CA 1O1
subject name : C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.storage.googleapis.com
issued on : 2020-05-26 15:27:50
expires on : 2020-08-18 15:27:50
signed using : RSA with SHA-256
EC key size : 256 bits
basic constraints : CA=false
subject alt name : *.storage.googleapis.com, *.appspot.com.storage.googleapis.com, *.commondatastorage.googleapis.com, *.content-storage-download.googleapis.com, *.content-storage-upload.googleapis.com, *.content-storage.googleapis.com, *.googleapis.com, *.storage-download.googleapis.com, *.storage-upload.googleapis.com, *.storage.select.googleapis.com, commondatastorage.googleapis.com, storage.googleapis.com, storage.select.googleapis.com, unfiltered.news
key usage : Digital Signature
ext key usage : TLS Web Server Authentication
This certificate has no flags

x509_verify_cert() returned -9984 (-0x2700)
, at line 5713 in file .ssl_tls.c

mbedtls_ssl_fetch_input() returned -29312 (-0x7280)
, at line 4967 in file .ssl_tls.c

ssl_get_next_record() returned -29312 (-0x7280)
, at line 4338 in file .ssl_tls.c

mbedtls_ssl_read_record() returned -29312 (-0x7280)
, at line 3302 in file .ssl_cli.c
failed
! mbedtls_ssl_handshake returned -7280

0 Kudos
4,388 Views
jeffthompson
Contributor V

I thought I should give you the background behind this request. I originally connected to Google's Firebase using the example code provided, and all was well. We then switched to a different endpoint, googleapis.com, which seems to not like the client certificate I was using (which was the one provided in the example, and which worked just fine with Firebase). Our software architect informed me I should not be using a client certificate, and that the vast majority of IoT devices like ours do not use a client certificate. I've been unable to find an example for mbedTLS that does not use a client certificate, or to figure out how to do it myself. When I originally tried using the certificate from the example with the new googleapis.com endpoint, here is the output I got (there are a few of my own debug statements in the trace, as well, and there are multiple tasks output at the same time, but hopefully it's not too badly garbled):

Initializing PHY...
Link UP 100 MBit Full duplex
Getting IP address from DHCP...
DHCP_STATE_BOUND
hostCNameTas IPv4 Address : 192.168.180.78
IPv4 Netmask : 255.255.255.0
IPv4 Gateway : 192.168.180.1
k Looking up CName for '16662.lb.invue-am.com'
hostCNameTask CName 'dev-ir4-sso.invue-am.com'
hostCNameTask Looking up CName for '16662.lb.invue-am.com'
hostCNameTask CName 'dev-ir4-sso.invue-am.com'
AM_task AMMessageHeader
"GET /embeddedv1/config/kas/0203cc1fc4040006?kasFirmware=019306212020172700 HTTP/1.1
User-Agent: mbedTLS 2.13.1
Accept: */*
Cache-Control: no-cache
Host: dev-ir4-sso.invue-am.com
Accept-Encoding: identity
Connection: keep-alive

"
transmitting config request

. Seeding the random number generator...
. Loading the CA root certificate ... ok (0 skipped)
. Loading the client cert and key... ok

Connecting to dev-ir4-sso.invue-am.com/443
. Setting up the SSL/TLS structure...

SSL state connect : 0 ok


SSL state connect : 0
. Performing the SSL/TLS handshake...
Verify requested for (Depth 1):
cert. version : 3
serial number : 01:E3:B4:9D:77:CD:F4:0C:06:19:16:B6:E3
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1D2
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
cert. version : 3
serial number : 01:E3:B4:9D:77:CD:F4:0C:06:19:16:B6:E3
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1D2
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
cert. version : 3
serial number : 01:E3:B4:9D:77:CD:F4:0C:06:19:16:B6:E3
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1D2
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication


Verify requested for (Depth 0):
cert. version : 3
serial number : D1:B2:1B:04:84:E5:BF:5D:0A:00:00:00:00:34:93:20
issuer name : C=US, O=Google Trust Services, CN=GTS CA 1D2
subject name : CN=dev-ir4-sso.invue-am.com
issued on : 2020-05-15 18:33:44
expires on : 2020-08-13 18:33:44
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name : dev-ir4-sso.invue-am.com
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
This certificate has no flags

x509_verify_cert() returned -9984 (-0x2700)
, at line 5713 in file .ssl_tls.c
ok
[ Protocol is TLSv1.2 ]
[ Ciphersuite is TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 ]
[ Record expansion is 29 ]

. Verifying peer X.509 certificate... Server Verification skipped
. Peer certificate information ...
cert. version : 3
serial number : D1:B2:1B:04:84:E5:BF:5D:0A:00:00:00:00:34:93:20
issuer name : C=US, O=Google Trust Services, CN=GTS CA 1D2
subject name : CN=dev-ir4-sso.invue-am.com
issued on : 2020-05-15 18:33:44
expires on : 2020-08-13 18:33:44
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name : dev-ir4-sso.invue-am.com
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication

> Write to server: 'GET /embeddedv1/config/kas/0203cc1fc4040006?kasFirmware=019306212020172700 HTTP/1.1
User-Agent: mbedTLS 2.13.1
Accept: */*
Cache-Control: no-cache
Host: dev-ir4-sso.invue-am.com
Accept-Encoding: identity
Connection: keep-alive

'
236 bytes written

GET /embeddedv1/config/kas/0203cc1fc4040006?kasFirmware=019306212020172700 HTTP/1.1
User-Agent: mbedTLS 2.13.1
Accept: */*
Cache-Control: no-cache
Host: dev-ir4-sso.invue-am.com
Accept-Encoding: identity
Connection: keep-alive


read_request 197 Header:
'HTTP/1.1 200 OK
access-control-allow-origin: *
x-dns-prefetch-control: off
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-type: application/octet-stream; charset=utf-8
etag: W/"62-1uAAylrO8FBct649sAnpL0iMgmc"
Date: Sun, 21 Jun 2020 21:31:50 GMT
Server: Google Frontend
Content-Length: 98'
HTTPS REQUEST OK
processIncomingMessages, AM message processing takes place here
processEthMsg_hdrRev1
hdrHdr.messageHeaderRev 1
hdrHdr.productId 0203
hdrHdr.productMsgTokenRev 01
flags 01
msgToken 16
status 00

==============================================
---> COMMAND msgTkn_kasFirmwareURL_e msg received.
processEthMsg_hdrRev1 Outgoing downloadRequestHeader
"GET /ir4-kas-firmware/019306042020102700Application.bin HTTP/1.1
User-Agent: mbedTLS 2.13.1
Accept: */*
Cache-Control: no-cache
Host: storage.googleapis.com
Accept-Encoding: identity
Connection: keep-alive

"

. Seeding the random number generator...
. Loading the CA root certificate ... ok (0 skipped)
. Loading the client cert and key... ok

Connecting to storage.googleapis.com/443
. Setting up the SSL/TLS structure...

SSL state connect : 0 ok


SSL state connect : 0
. Performing the SSL/TLS handshake...
Verify requested for (Depth 1):
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication


Verify requested for (Depth 0):
cert. version : 3
serial number : 10:7A:C6:83:CE:BF:51:0F:08:00:00:00:00:43:54:D8
issuer name : C=US, O=Google Trust Services, CN=GTS CA 1O1
subject name : C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.storage.googleapis.com
issued on : 2020-05-26 15:27:50
expires on : 2020-08-18 15:27:50
signed using : RSA with SHA-256
EC key size : 256 bits
basic constraints : CA=false
subject alt name : *.storage.googleapis.com, *.appspot.com.storage.googleapis.com, *.commondatastorage.googleapis.com, *.content-storage-download.googleapis.com, *.content-storage-upload.googleapis.com, *.content-storage.googleapis.com, *.googleapis.com, *.storage-download.googleapis.com, *.storage-upload.googleapis.com, *.storage.select.googleapis.com, commondatastorage.googleapis.com, storage.googleapis.com, storage.select.googleapis.com, unfiltered.news
key usage : Digital Signature
ext key usage : TLS Web Server Authentication
This certificate has no flags

x509_verify_cert() returned -9984 (-0x2700)
, at line 5713 in file .ssl_tls.c

mbedtls_ssl_fetch_input() returned -29312 (-0x7280)
, at line 4967 in file .ssl_tls.c

ssl_get_next_record() returned -29312 (-0x7280)
, at line 4338 in file .ssl_tls.c

mbedtls_ssl_read_record() returned -29312 (-0x7280)
, at line 3302 in file .ssl_cli.c
failed
! mbedtls_ssl_handshake returned -7280
https_client_tls_xchg retval -4

. Seeding the random number generator...
. Loading the CA root certificate ... ok (0 skipped)
. Loading the client cert and key... ok

Connecting to storage.googleapis.com/443
. Setting up the SSL/TLS structure...

SSL state connect : 0 ok


SSL state connect : 0
. Performing the SSL/TLS handshake...
Verify requested for (Depth 1):
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication


Verify requested for (Depth 0):
cert. version : 3
serial number : 10:7A:C6:83:CE:BF:51:0F:08:00:00:00:00:43:54:D8
issuer name : C=US, O=Google Trust Services, CN=GTS CA 1O1
subject name : C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.storage.googleapis.com
issued on : 2020-05-26 15:27:50
expires on : 2020-08-18 15:27:50
signed using : RSA with SHA-256
EC key size : 256 bits
basic constraints : CA=false
subject alt name : *.storage.googleapis.com, *.appspot.com.storage.googleapis.com, *.commondatastorage.googleapis.com, *.content-storage-download.googleapis.com, *.content-storage-upload.googleapis.com, *.content-storage.googleapis.com, *.googleapis.com, *.storage-download.googleapis.com, *.storage-upload.googleapis.com, *.storage.select.googleapis.com, commondatastorage.googleapis.com, storage.googleapis.com, storage.select.googleapis.com, unfiltered.news
key usage : Digital Signature
ext key usage : TLS Web Server Authentication
This certificate has no flags

x509_verify_cert() returned -9984 (-0x2700)
, at line 5713 in file .ssl_tls.c

I cut it off at this point, as it just keeps repeating the same failed attempt.

0 Kudos
4,386 Views
jeffthompson
Contributor V

Thanks, Sabina. It’s the MIMXRT1062DVJ6A. MCUXpresso 11.1.1, SDK 2.6.2.

Jeff Thompson | Senior Electrical Engineer-Firmware

+1 704 752 6513 x1394

www.invue.com

0 Kudos