[TCP with TLS on nRF7002-DK] mbedtls_ssl_handshake() function returns error -2700 (MBEDTLS_ERR_X509_CERT_VERIFY_FAILED)

Hello,

I'm trying to connect to a TCP server with TLS enabled, on nRF7002-DK.

By debugging step by step, I observed that `mbedtls_ssl_handshake()` function returned error -2700 (MBEDTLS_ERR_X509_CERT_VERIFY_FAILED). Error description is "Certificate verification failed, e.g. CRL, CA or signature check failed."

I searched similar issues on devzone and google, and it seems that this error could be due (beyond others things) to a CA certificate generated from 1024-bit RSA key (minimal key size should be 2048 bits, shouldn't it ?).

Running the following command tends to confirm that:
`openssl s_client -connect <hostname>:<port>`
(<hostname> is my customer's server)

The output mentions:
`verify error:num=66:EE certificate key too weak`
and a little bit further:
`a:PKEY: rsaEncryption, 1024 (bit); sigalg: RSA-SHA256`

Besides, the output mentions:
```
depth=0 [...] CN = some_domain.net
depth=1 [...] CN = Some Authority
```

Do you think that error MBEDTLS_ERR_X509_CERT_VERIFY_FAILED could be due to a wrong CA ? (by 'wrong' CA, I mean: 'wrong CA generated by the server')

Julien

  • Additional information: there is no error anymore when I set TLS_PEER_VERIFY_OPTIONAL (and I'm able to communicate properly with the server).

    This option is probably not recommended, I guess ! But does it confirm at least that the TLS certificates provided by my customer are wrong ?

  • Hi Julien

    Is your project based on one of the samples in the nRF Connect SDK? We had a long case ongoing this summer with similar issues (here for reference). And we had some issues with the Oberon backend in terms of handling the key exchange that could end up causing this issue. What ended up fixing this issue back then was setting CC3XX_BACKEND=y and OBERON_BACKEND=n in your project's  config file. If that doesn't help, please try reading the case I linked to and see if you find something helpful. And if you're still not able to resolve this we can suspect the TLS certificates being wrong.

    Best regards,

    Simon

  • Hi Simon.

    Thank you for your help.


    I had already read the thread you mention before sending my question: it helped me solving an issue which is mentioned in that same thread by Eric (error -EINVAL = -22). So, setting CC3XX_BACKEND=y and OBERON_BACKEND=n in my project's config file solved this first issue indeed (error -EINVAL returned by `connect()` function).

    Then, a new issue appeared: that's error MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which is returned by `mbedtls_ssl_handshake()` as described in my question. This issue is observed even with both "X_BACKEND" flag settings.

  • Sorry, I did not answer your question: my project is a demo FW which is based on several samples indeed (HTTP, TCP, FTP). But as a result, my code is pretty different than the various samples used as a reference.

  • Hi

    Okay, then it could very well be the TLS certificates that are wrong, but that's hard to confirm from my side. Are you able to print them out or something when you receive them and compare the certificates with what the peripheral should transmit. From the log you do see, it does seem to be too weak for your application to accept. The peer verification is indeed recommended for proper security, as not verifying the peer will make your client susceptible to certain attacks I believe.

    Also, what SDK version are you using for development, because I'm not able to find the "certificate key too weak" line anywhere in the nRF Connect SDK v2.5.0.

    Best regards,

    Simon

Related