
esp_tls handshake failure (using client authentication)

Posted: Sat May 23, 2020 10:06 am
by PhaseSeeker
I'm trying to migrate some TLS code from esp8266 to esp32. In the original version, I used WifiClientSecure to take care of the whole handshake/authentication part; on the esp32, I tried to use the esp_tls library, however it keeps returning "mbedtls_ssl_handshake returned -0x2700".
This is the code I used:

Code:

#include <esp_tls.h>
#include <time.h>
#include <WiFi.h>
#include <sys/time.h>
#include <string.h>

const char* caCert = "-----BEGIN CERTIFICATE-----\n"
                     "INSERT CERTIFICATE HERE\n"
                     "-----END CERTIFICATE-----\n";

const char* clientCert = "-----BEGIN CERTIFICATE-----\n"
                         "INSERT CLIENT CERTIFICATE HERE\n"
                         "-----END CERTIFICATE-----\n";

const char* clientKey = "-----BEGIN RSA PRIVATE KEY-----\n"
                        "INSERT CLIENT KEY HERE\n"
                        "-----END RSA PRIVATE KEY-----\n";

// esp_tls hands PEM buffers to mbedtls, which only parses them when the
// byte count includes the terminating NUL; derive the length from the
// string instead of hardcoding it (the original used fixed 0x436/0x36F/0x377).
#define PEM_LEN(s) (strlen(s) + 1)

// Hostname passed to esp_tls_conn_new(); it is used for the TCP connect,
// for SNI and for checking the server certificate's name. Placeholder kept
// in the style of the original post (the original passed "" with length 12).
const char* serverName = "INSERT SERVER HOSTNAME HERE";

struct tm tmp;

IPAddress ip(192, 168, 1, 4);
IPAddress srv(192, 168, 1, 7);
unsigned char nTentativi = 0;   // attempt counter

void connect() {
  WiFi.config(ip, srv, IPAddress(255, 255, 255, 0), srv);
  WiFi.begin("AutoOpener", "password");
  while (nTentativi < 11) {
    if (WiFi.status() != WL_CONNECTED) {
      nTentativi++;
      delay(500);
      continue;
    }
    esp_tls_cfg_t conf;
    memset(&conf, 0, sizeof(esp_tls_cfg_t));
    conf.cacert_pem_buf = (const unsigned char*) caCert;
    conf.cacert_pem_bytes = PEM_LEN(caCert);
    conf.clientcert_pem_buf = (const unsigned char*) clientCert;
    conf.clientcert_pem_bytes = PEM_LEN(clientCert);
    conf.clientkey_pem_buf = (const unsigned char*) clientKey;
    conf.clientkey_pem_bytes = PEM_LEN(clientKey);
    Serial.println("Certificates and keys loaded!");

    struct esp_tls *tls = NULL;
    while (nTentativi < 11) {
      tls = esp_tls_conn_new(serverName, strlen(serverName), 443, &conf);
      if (tls) {
        // Request line needs a path: "GET / HTTP/1.0", not "GET HTTP/1.0".
        const char* dataBytes = "GET / HTTP/1.0\r\n"
                                "User-Agent: 32\r\n"
                                "Connection: close\r\n\r\n";
        esp_tls_conn_write(tls, dataBytes, strlen(dataBytes));
        /* while(client.connected() && client.available()) { ... }
           (response handling was commented out in the original post) */
        esp_tls_conn_delete(tls);
        return;
      }
      nTentativi++;
    }
    return;
  }
}

void setup() {
  Serial.begin(115200);
  connect();
}

void loop() {}
(I know it could be written in a better way, I'm just trying to get it going before cleaning it up)
The client cert/key pair is correct (it's the same I used on the esp8266, and I also tried using it in a browser on my PC and it works).
This is the error reported in the Apache2 SSL logs on the server side:

Code:

[Sat May 23 11:49:04.414825 2020] [ssl:info] [pid 13036] [client] AH01964: Connection to child 1 established (server RPiGate.local:443)
[Sat May 23 11:49:04.416677 2020] [ssl:debug] [pid 13036] ssl_engine_kernel.c(2122): [client] AH02044: No matching SSL virtual host for servername found (using default/first virtual host)
[Sat May 23 11:49:04.708514 2020] [ssl:info] [pid 13036] [client] AH02008: SSL library error 1 in handshake (server RPiGate.local:443)
[Sat May 23 11:49:04.708759 2020] [ssl:info] [pid 13036] SSL Library Error: error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate (SSL alert number 43)
[Sat May 23 11:49:04.708876 2020] [ssl:info] [pid 13036] [client] AH01998: Connection closed to child 1 with abortive shutdown (server RPiGate.local:443)
Thanks in advance
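As an added example (not part of the original post or of esp_tls/mod_ssl): a small C helper that pulls the TLS alert number out of mod_ssl log lines like the one quoted above and names it according to the AlertDescription values in RFC 5246 section 7.2, and that names the client-side mbedtls code -0x2700 (MBEDTLS_ERR_X509_CERT_VERIFY_FAILED from mbedtls/x509.h). The embedded log line is constructed from the one in the post; the function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Name a TLS AlertDescription value (RFC 5246 section 7.2). Only the
 * alerts that come up when debugging certificate / client-auth handshakes
 * are listed; anything else is reported as "other". */
const char *tls_alert_name(int code) {
    switch (code) {
    case 40: return "handshake_failure";
    case 42: return "bad_certificate";
    case 43: return "unsupported_certificate";
    case 44: return "certificate_revoked";
    case 45: return "certificate_expired";
    case 46: return "certificate_unknown";
    case 48: return "unknown_ca";
    default: return "other";
    }
}

/* Name the mbedtls error reported on the ESP32 side. -0x2700 is
 * MBEDTLS_ERR_X509_CERT_VERIFY_FAILED (mbedtls/x509.h); it means the
 * peer's certificate chain did not verify against the configured CA. */
const char *mbedtls_err_name(int code) {
    if (code == -0x2700) return "MBEDTLS_ERR_X509_CERT_VERIFY_FAILED";
    return "unknown";
}

/* Extract NN from a mod_ssl line containing "(SSL alert number NN)".
 * Returns NN, or -1 when the line carries no alert number. */
int parse_ssl_alert_number(const char *line) {
    const char *marker = "SSL alert number ";
    const char *p = strstr(line, marker);
    if (!p) return -1;
    p += strlen(marker);
    char *end;
    long v = strtol(p, &end, 10);
    if (end == p || v < 0 || v > 255) return -1;
    return (int)v;
}

/* Constructed sample, copied from the Apache log quoted in the post. */
static const char *sample_line =
    "[Sat May 23 11:49:04.708759 2020] [ssl:info] [pid 13036] SSL Library Error: "
    "error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate "
    "(SSL alert number 43)";

int main(void) {
    int alert = parse_ssl_alert_number(sample_line);
    printf("server sent alert %d (%s); client reported %s\n",
           alert, tls_alert_name(alert), mbedtls_err_name(-0x2700));
    return 0;
}
```

Run it against the lines grepped out of the Apache SSL log; a line without an alert number yields -1, which keeps the helper safe on the other info/debug lines in the same log.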