How to use mbedTLS without a client certificate

I remove the calls having to do with the client certs and key in the hope that would be sufficient. However, what I see in the debug output leads me to believe the connection isn't even getting to the point of attempting client certificate authentication at all, but is stumbling on verifying server certificates. It looks like the first 3 certificates verify, but there is a problem with the 4th. This is all quite new to me, so I could be totally misinterpreting the debug output. Is there a way to do TLS 1.2 without any certificates at all?

SSL state connect : 0
. Performing the SSL/TLS handshake...
Verify requested for (Depth 1):
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication

Verify requested for (Depth 0):
cert. version : 3
serial number : 10:7A:C6:83:CE:BF:51:0F:08:00:00:00:00:43:54:D8
issuer name : C=US, O=Google Trust Services, CN=GTS CA 1O1
subject name : C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.storage.googleapis.com
issued on : 2020-05-26 15:27:50
expires on : 2020-08-18 15:27:50
signed using : RSA with SHA-256
EC key size : 256 bits
basic constraints : CA=false
subject alt name : *.storage.googleapis.com, *.appspot.com.storage.googleapis.com, *.commondatastorage.googleapis.com, *.content-storage-download.googleapis.com, *.content-storage-upload.googleapis.com, *.content-storage.googleapis.com, *.googleapis.com, *.storage-download.googleapis.com, *.storage-upload.googleapis.com, *.storage.select.googleapis.com, commondatastorage.googleapis.com, storage.googleapis.com, storage.select.googleapis.com, unfiltered.news
key usage : Digital Signature
ext key usage : TLS Web Server Authentication
This certificate has no flags

x509_verify_cert() returned -9984 (-0x2700)
, at line 5713 in file .ssl_tls.c

mbedtls_ssl_fetch_input() returned -29312 (-0x7280)
, at line 4967 in file .ssl_tls.c

ssl_get_next_record() returned -29312 (-0x7280)
, at line 4338 in file .ssl_tls.c

mbedtls_ssl_read_record() returned -29312 (-0x7280)
, at line 3302 in file .ssl_cli.c
failed
! mbedtls_ssl_handshake returned -7280

I thought I should give you the background behind this request. I originally connected to Google's Firebase using the example code provided, and all was well. We then switched to a different endpoint, googleapis.com, which seems to not like the client certificate I was using (which was the one provided in the example, and which worked just fine with Firebase). Our software architect informed me I should not be using a client certificate, and that the vast majority of IoT devices like ours do not use  a client certificate. I've been unable to find an example for mbedTLS that does not use a client certificate, or to figure out how to do it myself. When originally tried using the certificate from the example with hte new googleapis.com endpoint, here is the output I got (there are a few of my own debug statements in the trace, as well, and there are multiple tasks output at the same time, but hopefully it's not too badly garbled):

Initializing PHY...
Link UP 100 MBit Full duplex
Getting IP address from DHCP...
DHCP_STATE_BOUND
hostCNameTas IPv4 Address : 192.168.180.78
IPv4 Netmask : 255.255.255.0
IPv4 Gateway : 192.168.180.1
k Looking up CName for '16662.lb.invue-am.com'
hostCNameTask CName 'dev-ir4-sso.invue-am.com'
hostCNameTask Looking up CName for '16662.lb.invue-am.com'
hostCNameTask CName 'dev-ir4-sso.invue-am.com'
AM_task AMMessageHeader
"GET /embeddedv1/config/kas/0203cc1fc4040006?kasFirmware=019306212020172700 HTTP/1.1
User-Agent: mbedTLS 2.13.1
Accept: */*
Cache-Control: no-cache
Host: dev-ir4-sso.invue-am.com
Accept-Encoding: identity
Connection: keep-alive

"
transmitting config request

. Seeding the random number generator...
. Loading the CA root certificate ... ok (0 skipped)
. Loading the client cert and key... ok

Connecting to dev-ir4-sso.invue-am.com/443
. Setting up the SSL/TLS structure...

SSL state connect : 0 ok

SSL state connect : 0
. Performing the SSL/TLS handshake...
Verify requested for (Depth 1):
cert. version : 3
serial number : 01:E3:B4:9D:77:CD:F4:0C:06:19:16:B6:E3
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1D2
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
cert. version : 3
serial number : 01:E3:B4:9D:77:CD:F4:0C:06:19:16:B6:E3
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1D2
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
cert. version : 3
serial number : 01:E3:B4:9D:77:CD:F4:0C:06:19:16:B6:E3
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1D2
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication

Verify requested for (Depth 0):
cert. version : 3
serial number : D1:B2:1B:04:84:E5:BF:5D:0A:00:00:00:00:34:93:20
issuer name : C=US, O=Google Trust Services, CN=GTS CA 1D2
subject name : CN=dev-ir4-sso.invue-am.com
issued on : 2020-05-15 18:33:44
expires on : 2020-08-13 18:33:44
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name : dev-ir4-sso.invue-am.com
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
This certificate has no flags

x509_verify_cert() returned -9984 (-0x2700)
, at line 5713 in file .ssl_tls.c
ok
[ Protocol is TLSv1.2 ]
[ Ciphersuite is TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 ]
[ Record expansion is 29 ]

. Verifying peer X.509 certificate... Server Verification skipped
. Peer certificate information ...
cert. version : 3
serial number : D1:B2:1B:04:84:E5:BF:5D:0A:00:00:00:00:34:93:20
issuer name : C=US, O=Google Trust Services, CN=GTS CA 1D2
subject name : CN=dev-ir4-sso.invue-am.com
issued on : 2020-05-15 18:33:44
expires on : 2020-08-13 18:33:44
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name : dev-ir4-sso.invue-am.com
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication

> Write to server: 'GET /embeddedv1/config/kas/0203cc1fc4040006?kasFirmware=019306212020172700 HTTP/1.1
User-Agent: mbedTLS 2.13.1
Accept: */*
Cache-Control: no-cache
Host: dev-ir4-sso.invue-am.com
Accept-Encoding: identity
Connection: keep-alive

'
236 bytes written

GET /embeddedv1/config/kas/0203cc1fc4040006?kasFirmware=019306212020172700 HTTP/1.1
User-Agent: mbedTLS 2.13.1
Accept: */*
Cache-Control: no-cache
Host: dev-ir4-sso.invue-am.com
Accept-Encoding: identity
Connection: keep-alive

read_request 197 Header:
'HTTP/1.1 200 OK
access-control-allow-origin: *
x-dns-prefetch-control: off
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-type: application/octet-stream; charset=utf-8
etag: W/"62-1uAAylrO8FBct649sAnpL0iMgmc"
Date: Sun, 21 Jun 2020 21:31:50 GMT
Server: Google Frontend
Content-Length: 98'
HTTPS REQUEST OK
processIncomingMessages, AM message processing takes place here
processEthMsg_hdrRev1
hdrHdr.messageHeaderRev 1
hdrHdr.productId 0203
hdrHdr.productMsgTokenRev 01
flags 01
msgToken 16
status 00

==============================================
---> COMMAND msgTkn_kasFirmwareURL_e msg received.
processEthMsg_hdrRev1 Outgoing downloadRequestHeader
"GET /ir4-kas-firmware/019306042020102700Application.bin HTTP/1.1
User-Agent: mbedTLS 2.13.1
Accept: */*
Cache-Control: no-cache
Host: storage.googleapis.com
Accept-Encoding: identity
Connection: keep-alive

"

. Seeding the random number generator...
. Loading the CA root certificate ... ok (0 skipped)
. Loading the client cert and key... ok

Connecting to storage.googleapis.com/443
. Setting up the SSL/TLS structure...

SSL state connect : 0 ok

SSL state connect : 0
. Performing the SSL/TLS handshake...
Verify requested for (Depth 1):
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication

Verify requested for (Depth 0):
cert. version : 3
serial number : 10:7A:C6:83:CE:BF:51:0F:08:00:00:00:00:43:54:D8
issuer name : C=US, O=Google Trust Services, CN=GTS CA 1O1
subject name : C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.storage.googleapis.com
issued on : 2020-05-26 15:27:50
expires on : 2020-08-18 15:27:50
signed using : RSA with SHA-256
EC key size : 256 bits
basic constraints : CA=false
subject alt name : *.storage.googleapis.com, *.appspot.com.storage.googleapis.com, *.commondatastorage.googleapis.com, *.content-storage-download.googleapis.com, *.content-storage-upload.googleapis.com, *.content-storage.googleapis.com, *.googleapis.com, *.storage-download.googleapis.com, *.storage-upload.googleapis.com, *.storage.select.googleapis.com, commondatastorage.googleapis.com, storage.googleapis.com, storage.select.googleapis.com, unfiltered.news
key usage : Digital Signature
ext key usage : TLS Web Server Authentication
This certificate has no flags

x509_verify_cert() returned -9984 (-0x2700)
, at line 5713 in file .ssl_tls.c

mbedtls_ssl_fetch_input() returned -29312 (-0x7280)
, at line 4967 in file .ssl_tls.c

ssl_get_next_record() returned -29312 (-0x7280)
, at line 4338 in file .ssl_tls.c

mbedtls_ssl_read_record() returned -29312 (-0x7280)
, at line 3302 in file .ssl_cli.c
failed
! mbedtls_ssl_handshake returned -7280
https_client_tls_xchg retval -4

. Seeding the random number generator...
. Loading the CA root certificate ... ok (0 skipped)
. Loading the client cert and key... ok

Connecting to storage.googleapis.com/443
. Setting up the SSL/TLS structure...

SSL state connect : 0 ok

SSL state connect : 0
. Performing the SSL/TLS handshake...
Verify requested for (Depth 1):
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
cert. version : 3
serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8
issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1
issued on : 2017-06-15 00:00:42
expires on : 2021-12-15 00:00:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication

Verify requested for (Depth 0):
cert. version : 3
serial number : 10:7A:C6:83:CE:BF:51:0F:08:00:00:00:00:43:54:D8
issuer name : C=US, O=Google Trust Services, CN=GTS CA 1O1
subject name : C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.storage.googleapis.com
issued on : 2020-05-26 15:27:50
expires on : 2020-08-18 15:27:50
signed using : RSA with SHA-256
EC key size : 256 bits
basic constraints : CA=false
subject alt name : *.storage.googleapis.com, *.appspot.com.storage.googleapis.com, *.commondatastorage.googleapis.com, *.content-storage-download.googleapis.com, *.content-storage-upload.googleapis.com, *.content-storage.googleapis.com, *.googleapis.com, *.storage-download.googleapis.com, *.storage-upload.googleapis.com, *.storage.select.googleapis.com, commondatastorage.googleapis.com, storage.googleapis.com, storage.select.googleapis.com, unfiltered.news
key usage : Digital Signature
ext key usage : TLS Web Server Authentication
This certificate has no flags

x509_verify_cert() returned -9984 (-0x2700)
, at line 5713 in file .ssl_tls.c

I cut it off at this point, as it just keeps repeating the same failed attempt.

Thanks, Sabina. It’s the MIMXRT1062DVJ6A. MCUXpresso 11.1.1, SDK 2.6.2.

Jeff Thompson | Senior Electrical Engineer-Firmware

+1 704 752 6513 x1394

www.invue.com