Manuel,
Thanks to your response, we were able to find the error. It looks like part of the network stack provided to us was setting the auth mode argument to `MBEDTLS_SSL_VERIFY_REQUIRED`. Changing it to instead use `MBEDTLS_SSL_VERIFY_NONE` fixed the issue and I can
now receive back pages served over HTTPS.
I really appreciate the quick response and pointing us in the right direction. Thanks again.
Michael Reutman
Senior Embedded Software Engineer
NovaTech Automation
261 Brodhead Rd.
Bethlehem, PA 18017
novatechautomation.com | NovaTechLinkedIn
NovaTech Automation is Net Zero committed.
#KeepItCool
Receipt of this email implies compliance with our terms
and conditions.
From: Manuel Pegourie-Gonnard <Manuel.Pegourie-Gonnard@arm.com>
Sent: Wednesday, October 2, 2024 3:30 AM
To: mbed-tls@lists.trustedfirmware.org; Michael Reutman <michael.reutman@novatechautomation.com>
Cc: Gary Nelson <gary.nelson@novatechautomation.com>
Subject: Re: Client Certificate Request Question
Hi Michael,
This is absolutely the right place for general use questions.
Indeed authentication of the client by the server is entirely optional in TLS. Actually I'm a bit surprised that you're seeing this, because by default the server doesn't request a certificate from the client.
You'll probably want to look for any call to `mbedtls_ssl_conf_authmode()` or `mbedtls_ssl_set_hs_authmode()` in your server's code and remove them. (You could also change the last argument to `MBEDTLS_SSL_VERIFY_NONE`, but since tha's the default, removing
the calls should work just as well.)
Hope this helps,
Manuel.
From: Michael Reutman via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Sent: 01 October 2024 22:45
To: mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>
Cc: Gary Nelson <gary.nelson@novatechautomation.com>
Subject: [mbed-tls] Client Certificate Request Question
Hello,
I’m running into an issue with using Mbed-TLS on an embedded device of ours and I’m curious if anyone would be able to point me in the right direction. If this is the wrong channel for general use questions, let me know and I’ll search elsewhere. As a forewarning,
I’m still getting my bearings around the nuts and bolts of Mbed-TLS and network security; apologies if I misstate something or jumble things up.
Our device uses Mbed-TLS 3.0.0; ideally I’d like to upgrade this to a newer version, but this version was included in a SDK package for our device and I’d like to get some basic functionality proven out first before trying to reintegrate a newer version into
the rest of provided code. The current goal is to get our device to serve a web page over HTTPS with TLS.
What we currently see is that the initial hello client and server messages are exchanged without issue, but the connection is rejected after the server requests a certificate from the client. In some browsers, this opens a prompt where you can select a given
certificate on the machine; in others, it skips this prompt and sends a response back with an empty certificate. In both instances, the server will return an error and deny the connection.
This seems like some sort of user configuration error, given your average web page served over HTTPS on the internet avoids making this request. The literature I’ve been able to find so far also seems to suggest this request is entirely optional. Is there some
option I’m overlooking that makes the server skip asking the client for its certificate and lets connection continue on?
Michael Reutman
Senior Embedded Software Engineer
NovaTech Automation
261 Brodhead Rd.
Bethlehem, PA 18017
novatechautomation.com | NovaTechLinkedIn
NovaTech Automation is Net Zero committed.
#KeepItCool
Receipt of this email implies compliance with our terms
and conditions.