[TCP with TLS on nRF7002-DK] mbedtls_ssl_handshake() function returns error -2700 (MBEDTLS_ERR_X509_CERT_VERIFY_FAILED)

RE: [TCP with TLS on nRF7002-DK] mbedtls_ssl_handshake() function returns error -2700 (MBEDTLS_ERR_X509_CERT_VERIFY_FAILED)

JulienP_BL — Mon, 20 Nov 2023 12:51:30 GMT

Hi Simon.

To be honest I did not find either any code explicitly related to key size. I'll retry to find some, and will eventually add logs.

I'm using SDK 2.4.2.

RE: [TCP with TLS on nRF7002-DK] mbedtls_ssl_handshake() function returns error -2700 (MBEDTLS_ERR_X509_CERT_VERIFY_FAILED)

Simonr — Mon, 20 Nov 2023 12:12:28 GMT

Okay, then it could very well be the TLS certificates that are wrong, but that's hard to confirm from my side. Are you able to print them out or something when you receive them and compare the certificates with what the peripheral should transmit. From the log you do see, it does seem to be too weak for your application to accept. The peer verification is indeed recommended for proper security, as not verifying the peer will make your client susceptible to certain attacks I believe.

Also, what SDK version are you using for development, because I'm not able to find the "certificate key too weak" line anywhere in the nRF Connect SDK v2.5.0.

Best regards,

Simon

RE: [TCP with TLS on nRF7002-DK] mbedtls_ssl_handshake() function returns error -2700 (MBEDTLS_ERR_X509_CERT_VERIFY_FAILED)

JulienP_BL — Thu, 16 Nov 2023 14:15:48 GMT

Sorry, I did not answer your question: my project is a demo FW which is based on several samples indeed (HTTP, TCP, FTP). But as a result, my code is pretty different than the various samples used as a reference.

RE: [TCP with TLS on nRF7002-DK] mbedtls_ssl_handshake() function returns error -2700 (MBEDTLS_ERR_X509_CERT_VERIFY_FAILED)

JulienP_BL — Thu, 16 Nov 2023 14:09:44 GMT

Hi Simon.

Thank you for your help.

I had already read the thread you mention before sending my question: it helped me solving an issue which is mentioned in that same thread by Eric (error -EINVAL = -22). So, setting CC3XX_BACKEND=y and OBERON_BACKEND=n in my project's config file solved this first issue indeed (error -EINVAL returned by `connect()` function).

Then, a new issue appeared: that's error MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which is returned by `mbedtls_ssl_handshake()` as described in my question. This issue is observed even with both "X_BACKEND" flag settings.

RE: [TCP with TLS on nRF7002-DK] mbedtls_ssl_handshake() function returns error -2700 (MBEDTLS_ERR_X509_CERT_VERIFY_FAILED)

Simonr — Thu, 16 Nov 2023 12:56:08 GMT

Hi Julien

Is your project based on one of the samples in the nRF Connect SDK? We had a long case ongoing this summer with similar issues (here for reference). And we had some issues with the Oberon backend in terms of handling the key exchange that could end up causing this issue. What ended up fixing this issue back then was setting CC3XX_BACKEND=y and OBERON_BACKEND=n in your project's config file. If that doesn't help, please try reading the case I linked to and see if you find something helpful. And if you're still not able to resolve this we can suspect the TLS certificates being wrong.

Best regards,

Simon

RE: [TCP with TLS on nRF7002-DK] mbedtls_ssl_handshake() function returns error -2700 (MBEDTLS_ERR_X509_CERT_VERIFY_FAILED)

JulienP_BL — Wed, 15 Nov 2023 17:13:30 GMT

Additional information: there is no error anymore when I set TLS_PEER_VERIFY_OPTIONAL (and I'm able to communicate properly with the server).

This option is probably not recommended, I guess ! But does it confirm at least that the TLS certificates provided by my customer are wrong ?