TLS Handshake error after migrating from SPM to TFM in SDK 2.1.0

Question

HI I had some great support in t his ticket so I will try my luck again. We want to migrate our application from SPM to TFM. We use SDK 2.1.0. We communicate with the cloud using mTLS, setting up our socket as following: static int setup_socket(const char *server_name, const char *server_ip, int port, int *sock, struct sockaddr *address, socklen_t addressLen, int ca_certificate_tag, SOCKET_MANAGER_PEER_VERIFY_t verifyMode) { const sa_family_t family = AF_INET; int ret = 0; memset(address, 0, addressLen); net_sin(address)->sin_family = AF_INET; net_sin(address)->sin_port = htons(port); zsock_inet_pton(family, server_ip, &net_sin(address)->sin_addr); struct timeval timeout = { .tv_sec = 5 }; sec_tag_t sec_tag_list_2[] = { CA2_CERTIFICATE_TAG, CREDENTIAL_PK_CERTIFICATE_TAG }; *sock = zsock_socket(family, SOCK_STREAM, IPPROTO_TLS_1_2); if (*sock >= 0) { ret = zsock_setsockopt(*sock, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_list_2, sizeof(sec_tag_list_2)); if (ret < 0) { LOG_ERR("Failed to set secure option (%d)", -errno); return -errno; } // Set up TLS peer verification / int verify = verifyMode; ret = zsock_setsockopt(*sock, SOL_TLS, TLS_PEER_VERIFY, &verify, sizeof(verify)); if (ret < 0) { LOG_ERR("Failed to set TLS_PEER_VERIFY option (%d)", -errno); ret = -errno; } if( server_name != NULL ){ ret = zsock_setsockopt(*sock, SOL_TLS, TLS_HOSTNAME, server_name, strlen(server_name)); if (ret < 0) { LOG_ERR("Failed to set TLS_HOSTNAME option (%d)", -errno); ret = -errno; } } if( m_enable_timeout ) { ret = zsock_setsockopt(*sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)); if (ret < 0) { LOG_ERR("Failed to set receive timeout (%d)", -errno); ret = -errno; } ret = zsock_setsockopt(*sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)); if (ret < 0) { LOG_ERR("Failed to set send timeout (%d)", -errno); ret = -errno; } } if ( ret >= 0 ) { LOG_INF("Set TLS socketopt successful"); } } if (*sock < 0) { LOG_ERR("Failed to create HTTP socket (%d)", -errno); return -errno; } return ret; } This is pretty similar to your psa tls sample . We used the following (relevant) KConfig Options with SPM: CONFIG_SPM=y CONFIG_MBEDTLS=y CONFIG_MBEDTLS_BUILTIN=y CONFIG_MBEDTLS_ENABLE_HEAP=y CONFIG_MBEDTLS_HEAP_SIZE=59000 CONFIG_BASE64=y CONFIG_THREAD_NAME=y CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384 CONFIG_NET_SOCKETS_SOCKOPT_TLS=y CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y CONFIG_MBEDTLS_SERVER_NAME_INDICATION=y CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=1 CONFIG_MBEDTLS_CIPHER_GCM_ENABLED=y CONFIG_MBEDTLS_MAC_MD5_ENABLED=n # Networking CONFIG_NET_CONFIG_SETTINGS=y CONFIG_NET_HOSTNAME_ENABLE=y CONFIG_NET_HOSTNAME_UNIQUE=y CONFIG_NET_HOSTNAME="XXXX_" CONFIG_NETWORKING=y CONFIG_NET_LOG=y CONFIG_NET_NATIVE=y CONFIG_NET_UDP=y CONFIG_NET_TCP=y CONFIG_NET_IPV4=y CONFIG_NET_IPV6=n CONFIG_NET_SOCKETS_OFFLOAD=n CONFIG_NET_SOCKETS=y CONFIG_NET_SOCKETS_POSIX_NAMES=n CONFIG_NET_SOCKETS_POLL_MAX=4 CONFIG_NET_DHCPV4=y CONFIG_NET_SOCKETS_SOCKOPT_TLS=y CONFIG_NET_TCP_ISN_RFC6528=n CONFIG_NET_TCP_MAX_SEND_WINDOW_SIZE=1152 CONFIG_NET_CONTEXT_RCVTIMEO=y CONFIG_NET_CONTEXT_SNDTIMEO=y CONFIG_NET_MAX_CONN=8 CONFIG_NET_MAX_CONTEXTS=8 CONFIG_NET_PKT_TX_COUNT=42 CONFIG_NET_PKT_RX_COUNT=42 CONFIG_NET_BUF_DATA_SIZE=256 This works fine and stable in the field. I added two log files that show the TSL handshake in that case (not complete) - one with MBED TLS debug enabled, one with TCP debug enabled. Fullscreen 5226.TLS_Handshake_With_SPM_TCPDEBUG.txt Download [00:00:15.971,343] socket_manager: DNS resolved successfully [00:00:15.971,405] socket_manager: IP address of assets.yyyyyyy.xxxxxxxx.com is 18.159.121.71 [00:00:15.971,435] socket_manager: Trying to access 18.159.121.71 on port 443 [00:00:15.971,618] net_sock_tls: tls_alloc: (xxxxxxxx_com): Allocated TLS context, 0x20018714 [00:00:15.971,893] net_tcp: tcp_conn_ref: (xxxxxxxx_com): conn: 0x2003ad64, ref_count: 1 [00:00:15.971,923] net_tcp: tcp_conn_alloc: (xxxxxxxx_com): conn: 0x2003ad64 [00:00:15.972,137] net_sock: zsock_socket_internal: (xxxxxxxx_com): socket: ctx=0x200164e0, fd=4 [00:00:15.972,259] socket_manager: Set TLS socketopt successful [00:00:15.972,503] net_tcp: net_tcp_connect: (xxxxxxxx_com): context: 0x200164e0, local: 0.0.0.0, remote: 18.159.121.71 [00:00:15.972,900] net_tcp: net_tcp_connect: (xxxxxxxx_com): conn: 0x2003ad64 src: 172.20.10.9, dst: 18.159.121.71 [00:00:15.973,052] net_tcp: tcp_in: (xxxxxxxx_com): [LISTEN Seq=488095434 Ack=0] [00:00:15.973,724] net_tcp: tcp_send: (xxxxxxxx_com): SYN Seq=488095434 Len=0 [00:00:15.974,060] net_tcp: tcp_in: (xxxxxxxx_com): LISTEN->SYN_SENT [00:00:16.078,521] net_tcp: tcp_in: (rx_q[0]): SYN,ACK Seq=3671282458 Ack=488095435 Len=0 [SYN_SENT Seq=488095435 Ack=0] [00:00:16.078,582] net_tcp: tcp_options_check: (rx_q[0]): len=4 [00:00:16.078,613] net_tcp: tcp_options_check: (rx_q[0]): opt: 2, opt_len: 4 [00:00:16.078,643] net_tcp: tcp_options_check: (rx_q[0]): MSS=1410 [00:00:16.078,674] net_tcp: tcp_in: (rx_q[0]): Lowering send window from 29200 to 1280 [00:00:16.078,704] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:16.078,887] net_tcp: tcp_send_timer_cancel: (rx_q[0]): SYN Seq=488095434 Len=0 [00:00:16.079,223] net_tcp: tcp_out_ext: (rx_q[0]): ACK Seq=488095435 Ack=3671282459 Len=0 [00:00:16.079,406] net_tcp: tcp_send_process_no_lock: (rx_q[0]): ACK Seq=488095435 Ack=3671282459 Len=0 [00:00:16.079,620] net_tcp: tcp_send: (rx_q[0]): ACK Seq=488095435 Ack=3671282459 Len=0 [00:00:16.079,956] net_tcp: tcp_in: (rx_q[0]): SYN_SENT->ESTABLISHED [00:00:16.080,200] net_tcp: net_tcp_connect: (xxxxxxxx_com): conn: 0x2003ad64, ret=0 [00:00:16.080,261] net_tcp: net_tcp_recv: (xxxxxxxx_com): context: 0x200164e0, cb: 0x2f711, user_data: (nil) [00:00:16.099,700] net_tcp: net_tcp_recv: (xxxxxxxx_com): context: 0x200164e0, cb: 0x2f711, user_data: (nil) [00:00:16.099,822] net_tcp: tcp_window_full: (xxxxxxxx_com): conn: 0x2003ad64 window_full=0 [00:00:16.099,853] net_tcp: net_tcp_queue_data: (xxxxxxxx_com): conn: 0x2003ad64 Queued 122 bytes (total 122) [00:00:16.099,884] net_tcp: tcp_unsent_len: (xxxxxxxx_com): unsent_len=122 [00:00:16.100,311] net_tcp: tcp_out_ext: (xxxxxxxx_com): ACK,PSH Seq=488095435 Ack=3671282459 Len=122 [00:00:16.100,524] net_tcp: tcp_send_process_no_lock: (xxxxxxxx_com): ACK,PSH Seq=488095435 Ack=3671282459 Len=122 [00:00:16.100,769] net_tcp: tcp_send: (xxxxxxxx_com): ACK,PSH Seq=488095435 Ack=3671282459 Len=122 [00:00:16.101,226] net_tcp: tcp_send_data: (xxxxxxxx_com): conn: 0x2003ad64 total=122, unacked_len=122, send_win=1280, mss=1410 [00:00:16.101,257] net_tcp: tcp_send_data: (xxxxxxxx_com): conn: 0x2003ad64 send_data_timer=0, send_data_retries=0 [00:00:16.101,287] net_tcp: tcp_unsent_len: (xxxxxxxx_com): unsent_len=0 [00:00:16.101,318] net_tcp: tcp_window_full: (xxxxxxxx_com): conn: 0x2003ad64 window_full=0 [00:00:16.132,873] net_tcp: tcp_in: (rx_q[0]): ACK Seq=3671282459 Ack=488095557 Len=0 [ESTABLISHED Seq=488095435 Ack=3671282459] [00:00:16.132,904] net_tcp: tcp_in: (rx_q[0]): Lowering send window from 29200 to 1280 [00:00:16.132,965] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:16.132,995] net_tcp: tcp_in: (rx_q[0]): conn: 0x2003ad64 len_acked=122 [00:00:16.133,056] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:16.133,087] net_tcp: tcp_in: (rx_q[0]): conn: 0x2003ad64 total=0, unacked_len=0, send_win=1280, mss=1410 [00:00:16.133,117] net_tcp: tcp_in: (rx_q[0]): conn: 0x2003ad64 send_data_timer=1, send_data_retries=0 [00:00:16.133,148] net_tcp: tcp_unsent_len: (rx_q[0]): unsent_len=0 [00:00:16.133,178] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:16.133,850] net_tcp: tcp_in: (rx_q[0]): ACK,PSH Seq=3671282459 Ack=488095557 Len=90 [ESTABLISHED Seq=488095557 Ack=3671282459] [00:00:16.133,880] net_tcp: tcp_in: (rx_q[0]): Lowering send window from 29200 to 1280 [00:00:16.133,911] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:16.134,246] net_tcp: tcp_out_ext: (rx_q[0]): ACK Seq=488095557 Ack=3671282549 Len=0 [00:00:16.134,460] net_tcp: tcp_send_process_no_lock: (rx_q[0]): ACK Seq=488095557 Ack=3671282549 Len=0 [00:00:16.134,674] net_tcp: tcp_send: (rx_q[0]): ACK Seq=488095557 Ack=3671282549 Len=0 [00:00:16.134,979] net_sock: zsock_received_cb: (rx_q[0]): ctx=0x200164e0, pkt=0x200391e8, st=0, user_data=(nil) [00:00:16.138,214] net_tcp: tcp_in: (rx_q[0]): ACK Seq=3671282549 Ack=488095557 Len=1410 [ESTABLISHED Seq=488095557 Ack=3671282549] [00:00:16.138,244] net_tcp: tcp_in: (rx_q[0]): Lowering send window from 29200 to 1280 [00:00:16.138,305] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:16.138,641] net_tcp: tcp_out_ext: (rx_q[0]): ACK Seq=488095557 Ack=3671283959 Len=0 [00:00:16.138,854] net_tcp: tcp_send_process_no_lock: (rx_q[0]): ACK Seq=488095557 Ack=3671283959 Len=0 [00:00:16.139,099] net_tcp: tcp_send: (rx_q[0]): ACK Seq=488095557 Ack=3671283959 Len=0 [00:00:16.139,770] net_sock: zsock_received_cb: (rx_q[0]): ctx=0x200164e0, pkt=0x200391e8, st=0, user_data=(nil) [00:00:16.140,472] net_tcp: tcp_in: (rx_q[0]): ACK,PSH Seq=3671283959 Ack=488095557 Len=1410 [ESTABLISHED Seq=488095557 Ack=3671283959] [00:00:16.140,502] net_tcp: tcp_in: (rx_q[0]): Lowering send window from 29200 to 1280 [00:00:16.140,533] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:16.140,655] net_sock: zsock_received_cb: (rx_q[0]): ctx=0x200164e0, pkt=0x2003922c, st=0, user_data=(nil) [00:00:16.141,479] net_tcp: tcp_out_ext: (xxxxxxxx_com): ACK Seq=488095557 Ack=3671285369 Len=0 [00:00:16.141,693] net_tcp: tcp_send_process_no_lock: (xxxxxxxx_com): ACK Seq=488095557 Ack=3671285369 Len=0 [00:00:16.141,906] net_tcp: tcp_send: (xxxxxxxx_com): ACK Seq=488095557 Ack=3671285369 Len=0 [00:00:16.172,302] net_tcp: tcp_in: (rx_q[0]): ACK Seq=3671285369 Ack=488095557 Len=1410 [ESTABLISHED Seq=488095557 Ack=3671285369] [00:00:16.172,363] net_tcp: tcp_in: (rx_q[0]): Lowering send window from 29200 to 1280 [00:00:16.172,393] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:16.172,729] net_tcp: tcp_out_ext: (rx_q[0]): ACK Seq=488095557 Ack=3671286779 Len=0 [00:00:16.172,943] net_tcp: tcp_send_process_no_lock: (rx_q[0]): ACK Seq=488095557 Ack=3671286779 Len=0 [00:00:16.173,187] net_tcp: tcp_send: (rx_q[0]): ACK Seq=488095557 Ack=3671286779 Len=0 [00:00:16.173,492] net_sock: zsock_received_cb: (rx_q[0]): ctx=0x200164e0, pkt=0x2003922c, st=0, user_data=(nil) [00:00:16.203,430] net_tcp: tcp_in: (rx_q[0]): ACK,PSH Seq=3671286779 Ack=488095557 Len=788 [ESTABLISHED Seq=488095557 Ack=3671286779] [00:00:16.203,460] net_tcp: tcp_in: (rx_q[0]): Lowering send window from 29200 to 1280 [00:00:16.203,491] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:16.203,857] net_tcp: tcp_out_ext: (rx_q[0]): ACK Seq=488095557 Ack=3671287567 Len=0 [00:00:16.204,071] net_tcp: tcp_send_process_no_lock: (rx_q[0]): ACK Seq=488095557 Ack=3671287567 Len=0 [00:00:16.204,284] net_tcp: tcp_send: (rx_q[0]): ACK Seq=488095557 Ack=3671287567 Len=0 [00:00:16.204,620] net_sock: zsock_received_cb: (rx_q[0]): ctx=0x200164e0, pkt=0x2003922c, st=0, user_data=(nil) [00:00:16.346,618] net_tcp: net_tcp_recv: (xxxxxxxx_com): context: 0x200164e0, cb: 0x2f711, user_data: (nil) [00:00:16.346,923] net_tcp: tcp_window_full: (xxxxxxxx_com): conn: 0x2003ad64 window_full=0 [00:00:16.346,954] net_tcp: net_tcp_queue_data: (xxxxxxxx_com): conn: 0x2003ad64 Queued 988 bytes (total 988) [00:00:16.346,984] net_tcp: tcp_unsent_len: (xxxxxxxx_com): unsent_len=988 [00:00:16.347,686] net_tcp: tcp_out_ext: (xxxxxxxx_com): ACK,PSH Seq=488095557 Ack=3671287567 Len=988 [00:00:16.347,900] net_tcp: tcp_send_process_no_lock: (xxxxxxxx_com): ACK,PSH Seq=488095557 Ack=3671287567 Len=988 [00:00:16.348,144] net_tcp: tcp_send: (xxxxxxxx_com): ACK,PSH Seq=488095557 Ack=3671287567 Len=988 [00:00:16.349,609] net_tcp: tcp_send_data: (xxxxxxxx_com): conn: 0x2003ad64 total=988, unacked_len=988, send_win=1280, mss=1410 [00:00:16.349,639] net_tcp: tcp_send_data: (xxxxxxxx_com): conn: 0x2003ad64 send_data_timer=0, send_data_retries=0 [00:00:16.349,670] net_tcp: tcp_unsent_len: (xxxxxxxx_com): unsent_len=0 [00:00:16.349,731] net_tcp: tcp_window_full: (xxxxxxxx_com): conn: 0x2003ad64 window_full=0 [00:00:16.377,288] net_tcp: tcp_in: (rx_q[0]): ACK Seq=3671287567 Ack=488096545 Len=0 [ESTABLISHED Seq=488095557 Ack=3671287567] [00:00:16.377,319] net_tcp: tcp_in: (rx_q[0]): Lowering send window from 31616 to 1280 [00:00:16.377,380] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:16.377,410] net_tcp: tcp_in: (rx_q[0]): conn: 0x2003ad64 len_acked=988 [00:00:16.377,471] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:16.377,532] net_tcp: tcp_in: (rx_q[0]): conn: 0x2003ad64 total=0, unacked_len=0, send_win=1280, mss=1410 [00:00:16.377,563] net_tcp: tcp_in: (rx_q[0]): conn: 0x2003ad64 send_data_timer=1, send_data_retries=0 [00:00:16.377,593] net_tcp: tcp_unsent_len: (rx_q[0]): unsent_len=0 [00:00:16.377,624] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:16.443,847] net_tcp: net_tcp_recv: (xxxxxxxx_com): context: 0x200164e0, cb: 0x2f711, user_data: (nil) [00:00:16.444,000] net_tcp: tcp_window_full: (xxxxxxxx_com): conn: 0x2003ad64 window_full=0 [00:00:16.444,030] net_tcp: net_tcp_queue_data: (xxxxxxxx_com): conn: 0x2003ad64 Queued 267 bytes (total 267) [00:00:16.444,061] net_tcp: tcp_unsent_len: (xxxxxxxx_com): unsent_len=267 [00:00:16.444,519] net_tcp: tcp_out_ext: (xxxxxxxx_com): ACK,PSH Seq=488096545 Ack=3671287567 Len=267 [00:00:16.444,763] net_tcp: tcp_send_process_no_lock: (xxxxxxxx_com): ACK,PSH Seq=488096545 Ack=3671287567 Len=267 [00:00:16.444,976] net_tcp: tcp_send: (xxxxxxxx_com): ACK,PSH Seq=488096545 Ack=3671287567 Len=267 [00:00:16.445,617] net_tcp: tcp_send_data: (xxxxxxxx_com): conn: 0x2003ad64 total=267, unacked_len=267, send_win=1280, mss=1410 [00:00:16.445,648] net_tcp: tcp_send_data: (xxxxxxxx_com): conn: 0x2003ad64 send_data_timer=0, send_data_retries=0 [00:00:16.445,678] net_tcp: tcp_unsent_len: (xxxxxxxx_com): unsent_len=0 [00:00:16.445,709] net_tcp: tcp_window_full: (xxxxxxxx_com): conn: 0x2003ad64 window_full=0 [00:00:16.472,076] net_tcp: tcp_in: (rx_q[0]): ACK Seq=3671287567 Ack=488096812 Len=0 [ESTABLISHED Seq=488096545 Ack=3671287567] [00:00:16.472,106] net_tcp: tcp_in: (rx_q[0]): Lowering send window from 33592 to 1280 [00:00:16.472,137] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:16.472,198] net_tcp: tcp_in: (rx_q[0]): conn: 0x2003ad64 len_acked=267 [00:00:16.472,259] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:16.472,290] net_tcp: tcp_in: (rx_q[0]): conn: 0x2003ad64 total=0, unacked_len=0, send_win=1280, mss=1410 [00:00:16.472,320] net_tcp: tcp_in: (rx_q[0]): conn: 0x2003ad64 send_data_timer=1, send_data_retries=0 [00:00:16.472,351] net_tcp: tcp_unsent_len: (rx_q[0]): unsent_len=0 [00:00:16.472,381] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:17.338,012] net_tcp: net_tcp_recv: (xxxxxxxx_com): context: 0x200164e0, cb: 0x2f711, user_data: (nil) [00:00:17.338,134] net_tcp: tcp_window_full: (xxxxxxxx_com): conn: 0x2003ad64 window_full=0 [00:00:17.338,165] net_tcp: net_tcp_queue_data: (xxxxxxxx_com): conn: 0x2003ad64 Queued 84 bytes (total 84) [00:00:17.338,195] net_tcp: tcp_unsent_len: (xxxxxxxx_com): unsent_len=84 [00:00:17.338,592] net_tcp: tcp_out_ext: (xxxxxxxx_com): ACK,PSH Seq=488096812 Ack=3671287567 Len=84 [00:00:17.338,806] net_tcp: tcp_send_process_no_lock: (xxxxxxxx_com): ACK,PSH Seq=488096812 Ack=3671287567 Len=84 [00:00:17.339,050] net_tcp: tcp_send: (xxxxxxxx_com): ACK,PSH Seq=488096812 Ack=3671287567 Len=84 [00:00:17.339,447] net_tcp: tcp_send_data: (xxxxxxxx_com): conn: 0x2003ad64 total=84, unacked_len=84, send_win=1280, mss=1410 [00:00:17.339,477] net_tcp: tcp_send_data: (xxxxxxxx_com): conn: 0x2003ad64 send_data_timer=0, send_data_retries=0 [00:00:17.339,508] net_tcp: tcp_unsent_len: (xxxxxxxx_com): unsent_len=0 [00:00:17.339,569] net_tcp: tcp_window_full: (xxxxxxxx_com): conn: 0x2003ad64 window_full=0 [00:00:17.339,630] net_tcp: net_tcp_recv: (xxxxxxxx_com): context: 0x200164e0, cb: 0x2f711, user_data: (nil) [00:00:17.339,752] net_tcp: tcp_window_full: (xxxxxxxx_com): conn: 0x2003ad64 window_full=0 [00:00:17.339,782] net_tcp: net_tcp_queue_data: (xxxxxxxx_com): conn: 0x2003ad64 Queued 6 bytes (total 90) [00:00:17.339,813] net_tcp: tcp_unsent_len: (xxxxxxxx_com): unsent_len=6 [00:00:17.339,843] net_tcp: tcp_unsent_len: (xxxxxxxx_com): unsent_len=6 [00:00:17.339,874] net_tcp: tcp_window_full: (xxxxxxxx_com): conn: 0x2003ad64 window_full=0 [00:00:17.341,796] net_tcp: net_tcp_recv: (xxxxxxxx_com): context: 0x200164e0, cb: 0x2f711, user_data: (nil) [00:00:17.341,888] net_tcp: tcp_window_full: (xxxxxxxx_com): conn: 0x2003ad64 window_full=0 [00:00:17.341,949] net_tcp: net_tcp_queue_data: (xxxxxxxx_com): conn: 0x2003ad64 Queued 45 bytes (total 135) [00:00:17.341,979] net_tcp: tcp_unsent_len: (xxxxxxxx_com): unsent_len=51 [00:00:17.342,010] net_tcp: tcp_unsent_len: (xxxxxxxx_com): unsent_len=51 [00:00:17.342,041] net_tcp: tcp_window_full: (xxxxxxxx_com): conn: 0x2003ad64 window_full=0 [00:00:17.393,554] net_tcp: tcp_in: (rx_q[0]): ACK Seq=3671287567 Ack=488096896 Len=0 [ESTABLISHED Seq=488096812 Ack=3671287567] [00:00:17.393,585] net_tcp: tcp_in: (rx_q[0]): Lowering send window from 33592 to 1280 [00:00:17.393,646] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:17.393,676] net_tcp: tcp_in: (rx_q[0]): conn: 0x2003ad64 len_acked=84 [00:00:17.393,737] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:17.393,768] net_tcp: tcp_in: (rx_q[0]): conn: 0x2003ad64 total=51, unacked_len=0, send_win=1280, mss=1410 [00:00:17.393,798] net_tcp: tcp_in: (rx_q[0]): conn: 0x2003ad64 send_data_timer=1, send_data_retries=0 [00:00:17.393,829] net_tcp: tcp_unsent_len: (rx_q[0]): unsent_len=51 [00:00:17.394,256] net_tcp: tcp_out_ext: (rx_q[0]): ACK,PSH Seq=488096896 Ack=3671287567 Len=51 [00:00:17.394,470] net_tcp: tcp_send_process_no_lock: (rx_q[0]): ACK,PSH Seq=488096896 Ack=3671287567 Len=51 [00:00:17.394,714] net_tcp: tcp_send: (rx_q[0]): ACK,PSH Seq=488096896 Ack=3671287567 Len=51 [00:00:17.395,080] net_tcp: tcp_send_data: (rx_q[0]): conn: 0x2003ad64 total=51, unacked_len=51, send_win=1280, mss=1410 [00:00:17.395,111] net_tcp: tcp_send_data: (rx_q[0]): conn: 0x2003ad64 send_data_timer=0, send_data_retries=0 [00:00:17.395,141] net_tcp: tcp_unsent_len: (rx_q[0]): unsent_len=0 [00:00:17.395,202] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:17.417,083] net_tcp: tcp_in: (rx_q[0]): ACK Seq=3671287567 Ack=488096947 Len=0 [ESTABLISHED Seq=488096896 Ack=3671287567] [00:00:17.417,114] net_tcp: tcp_in: (rx_q[0]): Lowering send window from 33592 to 1280 [00:00:17.417,144] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:17.417,205] net_tcp: tcp_in: (rx_q[0]): conn: 0x2003ad64 len_acked=51 [00:00:17.417,266] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:17.417,297] net_tcp: tcp_in: (rx_q[0]): conn: 0x2003ad64 total=0, unacked_len=0, send_win=1280, mss=1410 [00:00:17.417,327] net_tcp: tcp_in: (rx_q[0]): conn: 0x2003ad64 send_data_timer=1, send_data_retries=0 [00:00:17.417,388] net_tcp: tcp_unsent_len: (rx_q[0]): unsent_len=0 [00:00:17.417,419] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:17.423,248] net_tcp: tcp_in: (rx_q[0]): ACK,PSH Seq=3671287567 Ack=488096947 Len=6 [ESTABLISHED Seq=488096947 Ack=3671287567] [00:00:17.423,278] net_tcp: tcp_in: (rx_q[0]): Lowering send window from 33592 to 1280 [00:00:17.423,309] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:17.423,675] net_tcp: tcp_out_ext: (rx_q[0]): ACK Seq=488096947 Ack=3671287573 Len=0 [00:00:17.423,889] net_tcp: tcp_send_process_no_lock: (rx_q[0]): ACK Seq=488096947 Ack=3671287573 Len=0 [00:00:17.424,102] net_tcp: tcp_send: (rx_q[0]): ACK Seq=488096947 Ack=3671287573 Len=0 [00:00:17.424,438] net_sock: zsock_received_cb: (rx_q[0]): ctx=0x200164e0, pkt=0x2003922c, st=0, user_data=(nil) [00:00:17.426,391] net_tcp: tcp_in: (rx_q[0]): ACK,PSH Seq=3671287573 Ack=488096947 Len=45 [ESTABLISHED Seq=488096947 Ack=3671287573] [00:00:17.426,422] net_tcp: tcp_in: (rx_q[0]): Lowering send window from 33592 to 1280 [00:00:17.426,452] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:17.426,818] net_tcp: tcp_out_ext: (rx_q[0]): ACK Seq=488096947 Ack=3671287618 Len=0 [00:00:17.427,032] net_tcp: tcp_send_process_no_lock: (rx_q[0]): ACK Seq=488096947 Ack=3671287618 Len=0 [00:00:17.427,246] net_tcp: tcp_send: (rx_q[0]): ACK Seq=488096947 Ack=3671287618 Len=0 [00:00:17.427,551] net_sock: zsock_received_cb: (rx_q[0]): ctx=0x200164e0, pkt=0x2003922c, st=0, user_data=(nil) [00:00:17.429,107] xxxxxxxx_cloud_client: HTTP GET request on assets.yyyyyyy.xxxxxxxx.com/v1 [00:00:17.429,809] net_tcp: net_tcp_recv: (xxxxxxxx_com): context: 0x200164e0, cb: 0x2f711, user_data: (nil) [00:00:17.429,901] net_tcp: tcp_window_full: (xxxxxxxx_com): conn: 0x2003ad64 window_full=0 [00:00:17.429,962] net_tcp: net_tcp_queue_data: (xxxxxxxx_com): conn: 0x2003ad64 Queued 133 bytes (total 133) [00:00:17.429,992] net_tcp: tcp_unsent_len: (xxxxxxxx_com): unsent_len=133 [00:00:17.430,389] net_tcp: tcp_out_ext: (xxxxxxxx_com): ACK,PSH Seq=488096947 Ack=3671287618 Len=133 [00:00:17.430,633] net_tcp: tcp_send_process_no_lock: (xxxxxxxx_com): ACK,PSH Seq=488096947 Ack=3671287618 Len=133 [00:00:17.430,847] net_tcp: tcp_send: (xxxxxxxx_com): ACK,PSH Seq=488096947 Ack=3671287618 Len=133 [00:00:17.431,304] net_tcp: tcp_send_data: (xxxxxxxx_com): conn: 0x2003ad64 total=133, unacked_len=133, send_win=1280, mss=1410 [00:00:17.431,365] net_tcp: tcp_send_data: (xxxxxxxx_com): conn: 0x2003ad64 send_data_timer=0, send_data_retries=0 [00:00:17.431,396] net_tcp: tcp_unsent_len: (xxxxxxxx_com): unsent_len=0 [00:00:17.431,427] net_tcp: tcp_window_full: (xxxxxxxx_com): conn: 0x2003ad64 window_full=0 [00:00:17.519,226] net_tcp: tcp_in: (rx_q[0]): ACK Seq=3671287618 Ack=488097080 Len=0 [ESTABLISHED Seq=488096947 Ack=3671287618] [00:00:17.519,256] net_tcp: tcp_in: (rx_q[0]): Lowering send window from 35568 to 1280 [00:00:17.519,287] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:17.519,348] net_tcp: tcp_in: (rx_q[0]): conn: 0x2003ad64 len_acked=133 [00:00:17.519,378] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:17.519,409] net_tcp: tcp_in: (rx_q[0]): conn: 0x2003ad64 total=0, unacked_len=0, send_win=1280, mss=1410 [00:00:17.519,439] net_tcp: tcp_in: (rx_q[0]): conn: 0x2003ad64 send_data_timer=1, send_data_retries=0 [00:00:17.519,500] net_tcp: tcp_unsent_len: (rx_q[0]): unsent_len=0 [00:00:17.519,531] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:17.624,298] net_tcp: tcp_in: (rx_q[0]): ACK,PSH Seq=3671287618 Ack=488097080 Len=746 [ESTABLISHED Seq=488097080 Ack=3671287618] [00:00:17.624,328] net_tcp: tcp_in: (rx_q[0]): Lowering send window from 35568 to 1280 [00:00:17.624,359] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x2003ad64 window_full=0 [00:00:17.624,725] net_tcp: tcp_out_ext: (rx_q[0]): ACK Seq=488097080 Ack=3671288364 Len=0 [00:00:17.624,938] net_tcp: tcp_send_process_no_lock: (rx_q[0]): ACK Seq=488097080 Ack=3671288364 Len=0 [00:00:17.625,152] net_tcp: tcp_send: (rx_q[0]): ACK Seq=488097080 Ack=3671288364 Len=0 [00:00:17.625,457] net_sock: zsock_received_cb: (rx_q[0]): ctx=0x200164e0, pkt=0x2003922c, st=0, user_data=(nil) [00:00:17.629,516] xxxxxxxx_cloud_client: All response data received (717 bytes) [00:00:17.629,547] xxxxxxxx_cloud_client: Appending data to a total of 27. [00:00:17.629,577] xxxxxxxx_cloud_client: Response status OK [00:00:17.629,608] xxxxxxxx_cloud_client: Request finished. Sent 104, received (27/27). [00:00:17.629,669] xxxxxxxx_cloud_client: mTLS current_time: 1669638406 Fullscreen 3162.TLS_Handshake_With_SPM_MBEDTLSDEBUG.txt Download [00:00:27.729,858] socket_manager: DNS resolved successfully [00:00:27.729,919] socket_manager: IP address of assets.yyyyyyy.xxxxxx.com is 18.159.99.150 [00:00:27.729,949] socket_manager: Trying to access 18.159.99.150 on port 443 [00:00:27.730,133] net_sock_tls: tls_alloc: (xxxxxx_com): Allocated TLS context, 0x20017c70 [00:00:27.730,590] net_sock: zsock_socket_internal: (xxxxxx_com): socket: ctx=0x20015a38, fd=4 [00:00:27.730,712] socket_manager: Set TLS socketopt successful [00:00:27.788,787] net_sock_tls: tls_debug: (xxxxxx_com): ssl_tls.c:5312: |2| => handshake [00:00:27.788,848] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1789: |2| => flush output [00:00:27.788,940] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1801: |2| <= flush output [00:00:27.789,001] net_sock_tls:com): [00:00:27.789,062] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1789: |2| => flush output [00:00:27.789,123] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1801: |2| <= flush output [00:00:27.789,215] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:4192: |2| client state: 1 [00:00:27.789,276] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:0933: |2| => write client hello [00:00:27.789,520] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:0855: |3| client hello, current time: 1669639809 [00:00:27.789,855] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:0998: |3| dumping 'client hello, random bytes' (32 bytes) [00:00:27.790,313] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:0998: |3| 0000: 63 84 ae 81 d2 ee eb 8e d1 e9 99 c2 dd aa 4e 0a c.............N. [00:00:27.790,771] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:0998: |3| 0010: 43 e1 49 0d e3 9b d2 14 6b 70 8d 32 ba c0 c5 74 C.I.....kp.2...t [00:00:27.790,893] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:1058: |3| client hello, session id len.: 0 [00:00:27.790,985] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:1059: |3| dumping 'client hello, session id' (0 bytes) [00:00:27.791,137] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:1125: |3| client hello, add ciphersuite: 0x9d (TLS-RSA-WITH-AES-256-GCM-SHA384) [00:00:27.791,259] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:1125: |3| client hello, add ciphersuite: 0x3d (TLS-RSA-WITH-AES-256-CBC-SHA256) [00:00:27.791,412] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:1125: |3| client hello, add ciphersuite: 0x35 (TLS-RSA-WITH-AES-256-CBC-SHA) [00:00:27.791,534] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:1125: |3| client hello, add ciphersuite: 0x9c (TLS-RSA-WITH-AES-128-GCM-SHA256) [00:00:27.791,687] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:1125: |3| client hello, add ciphersuite: 0x3c (TLS-RSA-WITH-AES-128-CBC-SHA256) [00:00:27.791,839] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:1125: |3| client hello, add ciphersuite: 0x2f (TLS-RSA-WITH-AES-128-CBC-SHA) [00:00:27.791,931] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:1140: |3| client hello, got 6 ciphersuites (excluding SCSVs) [00:00:27.792,022] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:1150: |3| adding EMPTY_RENEGOTIATION_INFO_SCSV [00:00:27.792,114] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:1160: |3| client hello, compress len.: 1 [00:00:27.792,205] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:1161: |3| client hello, compress alg.: 0 [00:00:27.792,327] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:0107: |3| client hello, adding server name extension: assets.yyyyyyy.xxxxxx.com [00:00:27.792,419] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:0225: |3| client hello, adding signature_algorithms extension [00:00:27.792,541] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:1309: |3| client hello, total extension length: 58 [00:00:27.792,602] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:2218: |2| => write handshake message [00:00:27.792,785] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:2369: |2| => write record [00:00:27.792,968] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:2458: |3| output record: msgtype = 22, version = [3:3], msglen = 117 [00:00:27.793,029] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1789: |2| => flush output [00:00:27.793,151] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1807: |2| message length: 122, out_left: 122 [00:00:27.794,067] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1814: |2| ssl->f_send() returned 122 (-0xffffff86) [00:00:27.794,128] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1842: |2| <= flush output [00:00:27.794,219] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:2514: |2| <= write record [00:00:27.794,494] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:2346: |2| <= write handshake message [00:00:27.794,555] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:1346: |2| <= write client hello [00:00:27.794,647] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1789: |2| => flush output [00:00:27.794,708] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1801: |2| <= flush output [00:00:27.794,769] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:4192: |2| client state: 2 [00:00:27.794,860] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:1919: |2| => parse server hello [00:00:27.794,921] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:3546: |2| => read record [00:00:27.794,982] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1573: |2| => fetch input [00:00:27.795,104] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1728: |2| in_left: 0, nb_want: 5 [00:00:27.865,020] net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20015a38, pkt=0x20039284, st=0, user_data=(nil) [00:00:27.868,194] net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20015a38, pkt=0x20039240, st=0, user_data=(nil) [00:00:27.868,621] net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20015a38, pkt=0x200391fc, st=0, user_data=(nil) [00:00:27.868,927] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1753: |2| in_left: 0, nb_want: 5 [00:00:27.869,079] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1756: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb) [00:00:27.869,140] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1776: |2| <= fetch input [00:00:27.869,323] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:3281: |3| input record: msgtype = 22, version = [3:3], msglen = 85 [00:00:27.869,384] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1573: |2| => fetch input [00:00:27.869,476] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1728: |2| in_left: 5, nb_want: 90 [00:00:27.869,659] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1753: |2| in_left: 5, nb_want: 90 [00:00:27.869,812] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1756: |2| ssl->f_recv(_timeout)() returned 85 (-0xffffffab) [00:00:27.869,873] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1776: |2| <= fetch input [00:00:27.870,025] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:2662: |3| handshake message: msglen = 85, type = 2, hslen = 85 [00:00:27.870,574] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:3620: |2| <= read record [00:00:27.870,697] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:2002: |3| dumping 'server hello, version' (2 bytes) [00:00:27.870,880] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:2002: |3| 0000: 03 03 .. [00:00:27.871,002] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:2026: |3| server hello, current time: 2123527078 [00:00:27.871,124] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:2036: |3| dumping 'server hello, random bytes' (32 bytes) [00:00:27.871,582] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:2036: |3| 0000: 7e 92 73 a6 ef 8a cf 16 a1 6f 69 42 44 d8 ea 30 ~.s......oiBD..0 [00:00:27.872,070] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:2036: |3| 0010: cf 44 48 ef 26 e3 d3 84 b2 06 33 c6 32 65 43 1b .DH.&.....3.2eC. [00:00:27.872,161] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:2108: |3| server hello, session id len.: 32 [00:00:27.872,283] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:2109: |3| dumping 'server hello, session id' (32 bytes) [00:00:27.872,741] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:2109: |3| 0000: 92 f0 4c a3 03 67 3e 5e 65 ff 50 2c fb 1c 04 26 ..L..g>^e.P,...& [00:00:27.873,199] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:2109: |3| 0010: 4f 5a 71 95 96 ca 16 2d 71 a7 55 61 31 02 3b 42 OZq....-q.Ua1.;B [00:00:27.873,321] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:2148: |3| no session has been resumed [00:00:27.873,413] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:2151: |3| server hello, chosen ciphersuite: 009c [00:00:27.873,504] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:2152: |3| server hello, compress alg.: 0 [00:00:27.873,626] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:2191: |3| server hello, chosen ciphersuite: TLS-RSA-WITH-AES-128-GCM-SHA256 [00:00:27.873,718] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:2216: |2| server hello, total extension length: 9 [00:00:27.873,809] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:2367: |3| unknown extension found: 0 (ignoring) [00:00:27.873,901] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:2238: |3| found renegotiation extension [00:00:27.873,962] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:2428: |2| <= parse server hello [00:00:27.874,023] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1789: |2| => flush output [00:00:27.874,084] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1801: |2| <= flush output [00:00:27.874,176] net_sock_tls: tls_debug: (xxxxxx_com): ssl_cli.c:4192: |2| client state: 3 [00:00:27.874,237] net_sock_tls: tls_debug: (xxxxxx_com): ssl_tls.c:2291: |2| => parse certificate [00:00:27.874,298] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:3546: |2| => read record [00:00:27.874,359] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1573: |2| => fetch input [00:00:27.874,481] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1728: |2| in_left: 0, nb_want: 5 [00:00:27.874,633] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1753: |2| in_left: 0, nb_want: 5 [00:00:27.874,786] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1756: |2| ssl->f_recv(_timeout)() returned 5 (-0xfffffffb) [00:00:27.874,847] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1776: |2| <= fetch input [00:00:27.875,000] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:3281: |3| input record: msgtype = 22, version = [3:3], msglen = 4968 [00:00:27.875,061] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1573: |2| => fetch input [00:00:27.875,183] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1728: |2| in_left: 5, nb_want: 4973 [00:00:27.875,976] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1753: |2| in_left: 5, nb_want: 4973 [00:00:27.876,373] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1756: |2| ssl->f_recv(_timeout)() returned 1405 (-0xfffffa83) [00:00:27.876,770] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1753: |2| in_left: 1410, nb_want: 4973 [00:00:27.876,953] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1756: |2| ssl->f_recv(_timeout)() returned 1410 (-0xfffffa7e) [00:00:27.925,933] net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20015a38, pkt=0x200391fc, st=0, user_data=(nil) [00:00:27.926,330] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1753: |2| in_left: 2820, nb_want: 4973 [00:00:27.926,483] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1756: |2| ssl->f_recv(_timeout)() returned 1410 (-0xfffffa7e) [00:00:27.953,277] net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20015a38, pkt=0x200391fc, st=0, user_data=(nil) [00:00:27.953,552] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1753: |2| in_left: 4230, nb_want: 4973 [00:00:27.953,704] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1756: |2| ssl->f_recv(_timeout)() returned 743 (-0xfffffd19) [00:00:27.953,765] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:1776: |2| <= fetch input [00:00:27.953,948] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:2662: |3| handshake message: msglen = 4968, type = 11, hslen = 4968 [00:00:27.961,456] net_sock_tls: tls_debug: (xxxxxx_com): ssl_msg.c:3620: |2| <= read record [00:00:27.963,439] net_sock_tls: tls_debug: (xxxxxx_com): ssl_tls.c:1976: |3| peer certificate #1: ... ... Now, we want to migrate from TFM using the following KConfig: CONFIG_BUILD_WITH_TFM=y CONFIG_MBEDTLS_TLS_LIBRARY=y CONFIG_MBEDTLS_X509_CSR_WRITE_C=y CONFIG_MBEDTLS_X509_CREATE_C=y CONFIG_MBEDTLS_PK_WRITE_C=y CONFIG_MBEDTLS_ECP_C=y CONFIG_BASE64=y CONFIG_MBEDTLS_ENABLE_HEAP=y CONFIG_MBEDTLS_HEAP_SIZE=59000 (Notworking KConfig stays the same) I get a 'net_sock_tls: TLS handshake error: -4c' right at the beginning. I understand that enabling TFM will implicitly enable a custom nordic security backend that is substantially different to the MBED TLS backend used with SPM. How can i understand the differences between the old MbedTLS config coming with SPM and the new one when using TFM? Could you take a look at the logs andhelp me understand what part of the TLS handshake goes wrong? Which KConfig is needed to make it work again? Here are the logs with TFM Fullscreen 7774.TLS_Handshake_With_TFM.txt Download [00:01:46.739,746] socket_manager: DNS resolved successfully [00:01:46.739,807] socket_manager: IP address of assets.yyyyyyyy.xxxxxxxx.com is 18.159.99.150 [00:01:46.739,837] socket_manager: Trying to access 18.159.99.150 on port 443 [00:01:46.739,990] net_sock_tls: tls_alloc: (xxxxxxxx_com): Allocated TLS context, 0x20015b3c [00:01:46.740,295] net_tcp: tcp_conn_ref: (xxxxxxxx_com): conn: 0x20038634, ref_count: 1 [00:01:46.740,325] net_tcp: tcp_conn_alloc: (xxxxxxxx_com): conn: 0x20038634 [00:01:46.740,905] net_sock: zsock_socket_internal: (xxxxxxxx_com): socket: ctx=0x200136d8, fd=4 [00:01:46.741,027] socket_manager: Set TLS socketopt successful [00:01:46.741,638] net_tcp: net_tcp_connect: (xxxxxxxx_com): context: 0x200136d8, local: 0.0.0.0, remote: 18.159.99.150 [00:01:46.742,797] net_tcp: net_tcp_connect: (xxxxxxxx_com): conn: 0x20038634 src: 172.20.10.9, dst: 18.159.99.150 [00:01:46.742,950] net_tcp: tcp_in: (xxxxxxxx_com): [LISTEN Seq=3189679833 Ack=0] [00:01:46.743,225] net_tcp: tcp_out_ext: (xxxxxxxx_com): SYN Seq=3189679833 Len=0 [00:01:46.743,377] net_tcp: tcp_send_process_no_lock: (xxxxxxxx_com): SYN Seq=3189679833 Len=0 [00:01:46.743,621] net_tcp: tcp_send: (xxxxxxxx_com): SYN Seq=3189679833 Len=0 [00:01:46.743,957] net_tcp: tcp_in: (xxxxxxxx_com): LISTEN->SYN_SENT [00:01:46.911,926] net_tcp: tcp_in: (rx_q[0]): SYN,ACK Seq=602829136 Ack=3189679834 Len=0 [SYN_SENT Seq=3189679834 Ack=0] [00:01:46.911,987] net_tcp: tcp_options_check: (rx_q[0]): len=4 [00:01:46.912,017] net_tcp: tcp_options_check: (rx_q[0]): opt: 2, opt_len: 4 [00:01:46.912,048] net_tcp: tcp_options_check: (rx_q[0]): MSS=1410 [00:01:46.912,078] net_tcp: tcp_in: (rx_q[0]): Lowering send window from 29200 to 1280 [00:01:46.912,109] net_tcp: tcp_window_full: (rx_q[0]): conn: 0x20038634 window_full=0 [00:01:46.912,292] net_tcp: tcp_send_timer_cancel: (rx_q[0]): SYN Seq=3189679833 Len=0 [00:01:46.912,628] net_tcp: tcp_out_ext: (rx_q[0]): ACK Seq=3189679834 Ack=602829137 Len=0 [00:01:46.912,841] net_tcp: tcp_send_process_no_lock: (rx_q[0]): ACK Seq=3189679834 Ack=602829137 Len=0 [00:01:46.913,055] net_tcp: tcp_send: (rx_q[0]): ACK Seq=3189679834 Ack=602829137 Len=0 [00:01:46.913,360] net_tcp: tcp_in: (rx_q[0]): SYN_SENT->ESTABLISHED [00:01:46.913,421] net_tcp: net_tcp_connect: (xxxxxxxx_com): conn: 0x20038634, ret=0 [00:01:46.913,482] net_tcp: net_tcp_recv: (xxxxxxxx_com): context: 0x200136d8, cb: 0x30cc5, user_data: (nil) [00:01:46.925,109] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_tls.c:3211: |4| The SSL configuration is tls12 only. [00:01:46.929,229] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_tls.c:5312: |2| => handshake [00:01:46.929,290] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_msg.c:1964: |2| => flush output [00:01:46.929,351] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_msg.c:1976: |2| <= flush output [00:01:46.929,412] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_cli.c:4192: |2| client state: 0 [00:01:46.929,473] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_msg.c:1964: |2| => flush output [00:01:46.929,534] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_msg.c:1976: |2| <= flush output [00:01:46.929,626] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_cli.c:4192: |2| client state: 1 [00:01:46.929,687] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_cli.c:0933: |2| => write client hello [00:01:46.929,779] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_cli.c:0988: |3| client hello, max version: [3:3] [00:01:46.930,938] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_cli.c:0998: |3| dumping 'client hello, random bytes' (32 bytes) [00:01:46.931,427] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_cli.c:0998: |3| 0000: 25 6d c5 70 e2 80 80 59 65 0d f2 58 d6 0f 5d d9 %m.p...Ye..X..]. [00:01:46.931,884] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_cli.c:0998: |3| 0010: 77 0b 5c 8e b7 bc c1 55 f5 ad c2 7e 35 0c d4 08 w.\....U...~5... [00:01:46.931,976] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_cli.c:1058: |3| client hello, session id len.: 0 [00:01:46.932,098] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_cli.c:1059: |3| dumping 'client hello, session id' (0 bytes) [00:01:46.932,189] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_cli.c:1140: |3| client hello, got 0 ciphersuites (excluding SCSVs) [00:01:46.932,281] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_cli.c:1150: |3| adding EMPTY_RENEGOTIATION_INFO_SCSV [00:01:46.932,342] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_cli.c:1160: |3| client hello, compress len.: 1 [00:01:46.932,434] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_cli.c:1161: |3| client hello, compress alg.: 0 [00:01:46.932,525] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_cli.c:0225: |3| client hello, adding signature_algorithms extension [00:01:46.932,617] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_cli.c:0530: |3| client hello, adding max_fragment_length extension [00:01:46.932,708] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_cli.c:0592: |3| client hello, adding extended_master_secret extension [00:01:46.932,800] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_cli.c:1309: |3| client hello, total extension length: 27 [00:01:46.932,861] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_msg.c:2393: |2| => write handshake message [00:01:46.932,983] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_msg.c:2544: |2| => write record [00:01:46.933,135] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_msg.c:2633: |3| output record: msgtype = 22, version = [3:3], msglen = 74 [00:01:46.933,258] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_msg.c:2638: |4| dumping 'output record sent to network' (79 bytes) [00:01:46.933,715] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_msg.c:2638: |4| 0000: 16 03 03 00 4a 01 00 00 46 03 03 25 6d c5 70 e2 ....J...F..%m.p. [00:01:46.934,173] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_msg.c:2638: |4| 0010: 80 80 59 65 0d f2 58 d6 0f 5d d9 77 0b 5c 8e b7 ..Ye..X..].w.\.. [00:01:46.934,661] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_msg.c:2638: |4| 0020: bc c1 55 f5 ad c2 7e 35 0c d4 08 00 00 02 00 ff ..U...~5........ [00:01:46.935,089] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_msg.c:2638: |4| 0030: 01 00 00 1b 00 0d 00 0e 00 0c 06 03 06 01 05 03 ................ [00:01:46.935,546] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_msg.c:2638: |4| 0040: 05 01 04 03 04 01 00 01 00 01 04 00 17 00 00 ............... [00:01:46.935,577] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_msg.c:1964: |2| => flush output [00:01:46.935,699] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_msg.c:1982: |2| message length: 79, out_left: 79 [00:01:46.935,760] net_tcp: net_tcp_recv: (xxxxxxxx_com): context: 0x200136d8, cb: 0x30cc5, user_data: (nil) [00:01:46.935,852] net_tcp: tcp_window_full: (xxxxxxxx_com): conn: 0x20038634 window_full=0 [00:01:46.935,882] net_tcp: net_tcp_queue_data: (xxxxxxxx_com): conn: 0x20038634 Queued 79 bytes (total 79) [00:01:46.935,913] net_tcp: tcp_unsent_len: (xxxxxxxx_com): unsent_len=79 [00:01:46.936,309] net_tcp: tcp_out_ext: (xxxxxxxx_com): ACK,PSH Seq=3189679834 Ack=602829137 Len=79 [00:01:46.936,553] net_tcp: tcp_send_process_no_lock: (xxxxxxxx_com): ACK,PSH Seq=3189679834 Ack=602829137 Len=79 [00:01:46.936,798] net_tcp: tcp_send: (xxxxxxxx_com): ACK,PSH Seq=3189679834 Ack=602829137 Len=79 [00:01:46.937,194] net_tcp: tcp_send_data: (xxxxxxxx_com): conn: 0x20038634 total=79, unacked_len=79, send_win=1280, mss=1410 [00:01:46.937,225] net_tcp: tcp_send_data: (xxxxxxxx_com): conn: 0x20038634 send_data_timer=0, send_data_retries=0 [00:01:46.937,255] net_tcp: tcp_unsent_len: (xxxxxxxx_com): unsent_len=0 [00:01:46.937,316] net_tcp: tcp_window_full: (xxxxxxxx_com): conn: 0x20038634 window_full=0 [00:01:46.937,469] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_msg.c:1989: |2| ssl->f_send() returned 79 (-0xffffffb1) [00:01:46.937,561] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_msg.c:2017: |2| <= flush output [00:01:46.937,591] net_sock_tls: tls_debug: (xxxxxxxx_com): ssl_msg.c:2689: |2| <= write record [00:01:46.937,683]

maluJ · Accepted Answer

Hi Hakon Unfortunately we did not get any useful information from you regarding this issue - so we figured it out ourselves and now share it with the community. This is the configuration we used to make it work: 
 # TFM / MBEDTLS
CONFIG_BUILD_WITH_TFM=y
CONFIG_TFM_PROFILE_TYPE_MINIMAL=y
CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE=y
CONFIG_PM_PARTITION_SIZE_TFM_INTERNAL_TRUSTED_STORAGE=0x2000

#MBEDTLS
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_X509_CSR_WRITE_C=y
CONFIG_MBEDTLS_X509_CREATE_C=y
CONFIG_MBEDTLS_PK_WRITE_C=y
CONFIG_MBEDTLS_ECP_C=y
CONFIG_BASE64=y
CONFIG_TFM_BL2=n
CONFIG_TFM_LOG_LEVEL_SILENCE=y
CONFIG_MBEDTLS_DHM_C=y
CONFIG_MBEDTLS_X509_CRT_PARSE_C=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=59000
CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y
CONFIG_MBEDTLS_PKCS1_V15=y

CONFIG_MBEDTLS_RSA_C=y

CONFIG_MBEDTLS_CMAC_C=n
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_MBEDTLS_GCM_C=y


# Disable unneeded crypto operations
CONFIG_MBEDTLS_SHA384_C=n
CONFIG_MBEDTLS_SHA512_C=n
CONFIG_MBEDTLS_CIPHER_MODE_XTS=n
CONFIG_MBEDTLS_CIPHER_MODE_CBC=n
CONFIG_MBEDTLS_CIPHER_MODE_CTR=n
CONFIG_MBEDTLS_CHACHA20_C=n
CONFIG_MBEDTLS_ECDSA_DETERMINISTIC=n
CONFIG_MBEDTLS_SSL_SRV_C=n
CONFIG_MBEDTLS_ECDH_C=n
CONFIG_MBEDTLS_PKCS1_V21=n
CONFIG_MBEDTLS_CCM_C=n
CONFIG_MBEDTLS_POLY1305_C=n We enabled TFM_PARTITION_INTERNAL_TRUSTED_STORAGE ourselves in our own KConfig definition since CONFIG_TFM_PROFILE_TYPE_MINIMAL disables it.

TLS Handshake error after migrating from SPM to TFM in SDK 2.1.0

Top Replies