Hi,

I was referring to the URLs below for understanding key exchange using certificates in the TLS framework:

https://tls12.xargs.org/

https://tls13.xargs.org/

I have some confusion related to the above TLS 1.2 and 1.3 flows and require guidance from your side accordingly. I understand that key exchange using certificates highly depends on the configuration and capabilities setup.

But then how do we know what goes on in a TLS connection based on the configuration and setup capabilities? What are the different configurations and when should we set them?

I need the same details with reference to a TLS connection setup from a client in our codebase, while the other is for EAP-TLS using the example available in the URL below:
https://github.com/prplfoundation/hostap/blob/master/eap_example/eap_example_peer.c

Firstly, in the above code we see a lot of configuration and initialization like the following:

eap_cb.get_config = peer_get_config;
eap_cb.get_bool = peer_get_bool;
eap_cb.set_bool = peer_set_bool;
eap_cb.get_int = peer_get_int;
eap_cb.set_int = peer_set_int;
eap_cb.get_eapReqData = peer_get_eapReqData;
eap_cb.set_config_blob = peer_set_config_blob;
eap_cb.get_config_blob = peer_get_config_blob;
eap_cb.notify_pending = peer_notify_pending;


Whereas our client code connects to the cloud using certificates to obtain some data in the way mentioned below:


keyman_creds_for_purpose() - gets the creds: reads and parses the crt.pem, key.pem and trusted_ca.pem files. It makes use of the APIs below:
readfile() - reads the file from key storage
parse_private_key() & mbedtls_pk_parse_key() - I believe these are for parsing the keys read from the file

Setup MBed TLS

mbedtls_ssl_config_init() - initializes mbedtls_ssl_config
mbedtls_ctr_drbg_init() - CTR_DRBG context initialization
mbedtls_ctr_drbg_seed()
mbedtls_ssl_conf_rng()
mbedtls_ssl_conf_ca_chain()
mbedtls_ssl_conf_own_cert()
mbedtls_ssl_conf_authmode()
t_socket()

I am quite new to this code, so I could have missed or provided wrong info - but I hope I give the overall picture of the code implementation - note that this client code is working code with no issues.

My queries are mentioned below:

1) Does the same TLS message flow occur in both cases - our client code and EAP-TLS? If not, then what is the difference between them?

2) How do we understand the exact implementation and message flows?

3) What are the different ways to implement a TLS connection using certs?

4) Any additional information that could be helpful to me, like references to tutorials / examples / guides, would be an added advantage.

Thanks in advance.


Regards,

Prakash
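For questions 1 and 2 above, the handshake messages a client sees are fixed by a few settings: the TLS version, whether the server sends CertificateRequest (EAP-TLS normally does, a cloud endpoint usually does not), and whether an own cert was configured; the authmode only decides whether the received server certificate is checked. The following C model of that mapping is an added example, not code from the post, hostap or mbedTLS; verify_mode, tls_cfg and the functions are hypothetical names, and it assumes a full handshake with an (EC)DHE cipher suite.

```c
/* Added example, not code from the post, hostap or mbedTLS. The names are
 * hypothetical; VERIFY_* mirror the mbedtls_ssl_conf_authmode() choices but
 * are not the real API. Assumes a full handshake with an (EC)DHE suite. */
enum verify_mode { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED };
struct tls_cfg {
    int version;              /* 12 or 13 */
    int server_requests_cert; /* server sends CertificateRequest; EAP-TLS: yes */
    int own_cert_set;         /* mbedtls_ssl_conf_own_cert() was called */
};
/* 0: server cert is checked against the CA chain; -1: never checked
 * (VERIFY_NONE accepts anything); -2: no CA chain, so REQUIRED fails every
 * handshake and OPTIONAL can only report failure via the verify result. */
int check_authmode(enum verify_mode mode, int ca_chain_set) {
    if (mode == VERIFY_NONE) return -1;
    return ca_chain_set ? 0 : -2;
}
/* Fills out[] (capacity n) with handshake messages in wire order, prefixed
 * by sender (C: client, S: server), and returns how many there are. */
int handshake_flow(const struct tls_cfg *c, const char **out, int n) {
    int k = 0;
#define ADD(m) do { if (k < n) out[k] = (m); k++; } while (0)
    ADD("C: ClientHello");
    if (c->version == 13) {
        ADD("S: ServerHello"); ADD("S: EncryptedExtensions");
        if (c->server_requests_cert) ADD("S: CertificateRequest");
        ADD("S: Certificate"); ADD("S: CertificateVerify"); ADD("S: Finished");
        if (c->server_requests_cert) {   /* empty Certificate if no own cert */
            ADD("C: Certificate");
            if (c->own_cert_set) ADD("C: CertificateVerify");
        }
        ADD("C: Finished");
    } else {
        ADD("S: ServerHello"); ADD("S: Certificate"); ADD("S: ServerKeyExchange");
        if (c->server_requests_cert) ADD("S: CertificateRequest");
        ADD("S: ServerHelloDone");
        if (c->server_requests_cert) ADD("C: Certificate");
        ADD("C: ClientKeyExchange");
        if (c->server_requests_cert && c->own_cert_set) ADD("C: CertificateVerify");
        ADD("C: ChangeCipherSpec"); ADD("C: Finished");
        ADD("S: ChangeCipherSpec"); ADD("S: Finished");
    }
#undef ADD
    return k;
}
/* Number of handshake messages for a given setup. */
int message_count(int version, int server_requests_cert, int own_cert_set) {
    struct tls_cfg c = { version, server_requests_cert, own_cert_set };
    const char *msgs[16];
    return handshake_flow(&c, msgs, 16);
}
```

Running handshake_flow() with {12, 1, 1} (EAP-TLS style mutual auth) against {13, 0, 0} (server-only auth as at tls13.xargs.org) shows both the version difference and the extra client Certificate/CertificateVerify that EAP-TLS adds.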