
TLS connection fails waiting for bytes after change cipher spec

Question asked by Jeffery Thompson on Jun 29, 2020
Latest reply on Jul 3, 2020 by Jeffery Thompson

I'm using MCUXpresso IDE 11.1.1, MCUXpresso SDK 2.6.2, mbedTLS 2.13.1, and lwIP2.12. I started with the example program, lwip_httpscli_mbedtls_freertos. We're not using a client-side certificate, so I've eliminated the mbedtls_ssl_conf_own_cert() function call, as well as the parsing of the client cert, done by function mbedtls_x509_crt_parse(), and client key, done by function mbedtls_pk_parse_key(). I've also added the root certs from the Google Trust Services example PEM file, roots.pem. See attached httpsclient.c file.


The TLS connection fails when the server sends a 'change cipher spec' to the client. See attached TLS_Connection_Fail.txt log file, generated with DEBUG_LEVEL 5 specified in httpsclient.c. I've also included a Wireshark trace of the same connection attempt. It appears that mbedTLS wants 5 more bytes than the server is giving it.


Here are my questions.


  1. How are the ciphersuites in ksdk_mbedtls_config.h, also attached, chosen? Could it be that one of the ciphersuites that is not included is needed?
  2. How do I know whether a ciphersuite not selected in ksdk_mbedtls_config.h can be supported?
  3. Is there some other explanation for the connection failure?
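Added example (my own code, not from the question, the NXP SDK or mbedTLS): a small parser for the TLS record layer run over constructed bytes. It shows that every TLS record starts with a 5-byte header (content type, version, length), that a ChangeCipherSpec record is exactly 6 bytes on the wire, and that a reader which has consumed the ChangeCipherSpec needs 5 more bytes, the header of the next record (normally the server's encrypted Finished), before it can make progress. This is one way to read a "wants 5 bytes" symptom, not a diagnosis of the attached log; the sample bytes, including the 40-byte placeholder Finished body, are constructed and not taken from the capture.

```python
import struct

RECORD_HEADER_LEN = 5  # content type (1) + protocol version (2) + body length (2)

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {
    20: "ChangeCipherSpec",
    21: "Alert",
    22: "Handshake",
    23: "ApplicationData",
}


def parse_records(buf: bytes):
    """Split a byte stream into TLS records.

    Returns (records, want): records is a list of (type name, version, body);
    want is how many more bytes the reader needs before it can make further
    progress: 5 (a fresh header) when the buffer ends on a record boundary,
    otherwise the shortfall of the partial header or partial body.
    """
    records = []
    off = 0
    while off < len(buf):
        remaining = len(buf) - off
        if remaining < RECORD_HEADER_LEN:
            # Not even a full header yet: wait for the rest of it.
            return records, RECORD_HEADER_LEN - remaining
        ctype, version, length = struct.unpack(
            "!BHH", buf[off:off + RECORD_HEADER_LEN]
        )
        body_have = remaining - RECORD_HEADER_LEN
        if body_have < length:
            # Header complete, body still arriving: wait for the remainder.
            return records, length - body_have
        start = off + RECORD_HEADER_LEN
        body = buf[start:start + length]
        records.append((CONTENT_TYPES.get(ctype, f"unknown({ctype})"), version, body))
        off = start + length
    # Ended exactly on a record boundary: the next thing needed is a 5-byte header.
    return records, RECORD_HEADER_LEN


# Constructed sample stream (not from the attached capture):
# a TLS 1.2 ChangeCipherSpec record (6 bytes total) followed by the header of
# an encrypted Finished record whose body we stand in for with 40 placeholder bytes.
CHANGE_CIPHER_SPEC = bytes([0x14, 0x03, 0x03, 0x00, 0x01, 0x01])
FINISHED_HEADER = bytes([0x16, 0x03, 0x03, 0x00, 0x28])  # Handshake, length 0x28 = 40
FINISHED_BODY = bytes(range(40))  # placeholder for the encrypted Finished + MAC/tag
SAMPLE_STREAM = CHANGE_CIPHER_SPEC + FINISHED_HEADER + FINISHED_BODY


def describe(buf: bytes) -> str:
    """Human-readable summary of what was parsed and what is still needed."""
    records, want = parse_records(buf)
    names = ", ".join(name for name, _, _ in records) or "(none)"
    return f"records: {names}; still want {want} byte(s)"


if __name__ == "__main__":
    print("complete stream ->", describe(SAMPLE_STREAM))
    print("only ChangeCipherSpec ->", describe(SAMPLE_STREAM[:6]))
    print("Finished cut short ->", describe(SAMPLE_STREAM[:21]))
```

The case to compare against the debug log is the second one: once the ChangeCipherSpec record is consumed, the reader needs exactly 5 bytes for the next header, so a peer that stalls or closes the connection at that point leaves the client waiting for 5 bytes.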
