MBedTLS + PSA cannot connect because RSA is default on (v3.1.0 -> v3.1.1)

Hi,

I would expect you should be able to use both yes, and I have not been able to find any references to this issue from before (though I must admit I have also not come across SHA384withECDSA before).

Is it so that you see the same issue in 3.1.0 and 3.1.1 where it does not work with CONFIG_MBEDTLS_RSA_C=y in the build, and it works in both cases with it not in the build? Can you share the generated .config for your project both with and without it?

Hi,

I would expect you should be able to use both yes, and I have not been able to find any references to this issue from before (though I must admit I have also not come across SHA384withECDSA before).

Is it so that you see the same issue in 3.1.0 and 3.1.1 where it does not work with CONFIG_MBEDTLS_RSA_C=y in the build, and it works in both cases with it not in the build? Can you share the generated .config for your project both with and without it?

Unfortunately I cannot turn CONFIG_MBEDTLS_RSA_C on when usind SDK v3.1.0, because I'm using PSA crypto:

CONFIG_MBEDTLS_RSA_C was assigned the value y, but got the value n. Missing dependencies:
OPENTHREAD || (!MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_LEGACY_CRYPTO_C && NRF_SECURITY) || (MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-mbedtls.h" && MBEDTLS) || (MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-mbedtls.h" && MBEDTLS && 0)

So, I attached two config files. One with v3.1.0 (RSA off) and one with v.3.1.1 (RSA on by default). The latter doesn't work with ECDSA certificates but it can be fixed by CONFIG_MBEDTLS_RSA_C=n.

config_files.zip

Hi,

I see. But you can turn it off with 3.1.1? In 3.1.0 and before you had a dependency on !MBEDTLS_USE_PSA_CRYPTO for MBEDTLS_RSA_C here, but this was removed in 3.1.1. I will look more into this.

Yes, exactly. I can turn RSA off on v3.1.1 and then connecting to ECDSA-cert server works again.

I see. The dependency I mentionnedin my previous post was there to signal that RSA is not supported for TLS/DTLS and X.509 for PSA, and while that was removed it is still the case. I recommend that you set MBEDTLS_RSA_C=n as from what I understand you have no need for RSA.

OK, fair enough. But most peculiar is that when RSA stays on (CONFIG_MBEDTLS_RSA_C=y), I actually can connect to a server that has RSA certificate :).