5 years, 10 months ago.
TLS client Failed to verify server certificate
I returned the following error while validating the server certificate. That error is as follows:

```
ssl_tls.c:4643: |1| x509_verify_cert() returned -9984 (-0x2700)
mbedtls_ssl_handshake() returned -0x2700
```

My client CA is packed by the server. It's "cacert.pem"; I put it in "TLS_PEM_CA", then I enabled server certificate validation. But I meet an error just like this. Can you help me?

```
ssl_tls.c:4643: |1| x509_verify_cert() returned -9984 (-0x2700)
mbedtls_ssl_handshake() returned -0x2700
```
1 Answer
5 years, 10 months ago.
Hi Carmelo,
Please note that the Mbed TLS forum is located [here](https://forums.mbed.com/c/mbed-tls). Sorry for the delayed reply.
In continuation of our conversation in https://github.com/ARMmbed/mbedtls/issues/139, have you set the correct trusted CA certificate and defined `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES` in your configuration?
Regards
My server certificate was generated by myself using OpenSSL. And the example I used, "mbed-os-example-tls-tls", has not defined `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES` in your configuration. I changed that Ethernet to easy-connect. It doesn't matter.
posted by 18 Jan 2019

Ok, so since you set `cacert.pem` as TLS_PEM_CA, it's probably not a matter of trusted root certificate.
`MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES` is not defined by default. You should define it explicitly. It is not related to the networking stack you are using. Please add the following to the mbedtls_entropy_config.h file of your application:

```c
#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
```
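Added example, not part of the original thread and not Mbed TLS code: the macro discussed above affects only certificates whose signature uses SHA-1, so this stand-alone C check reads the outer signature algorithm OID of a DER-encoded certificate and reports whether it is `sha1WithRSAEncryption` or `ecdsa-with-SHA1`. The function names and the two sample byte arrays are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Read one DER tag/length header at *p and advance *p to the value; -1 if it overruns end. */
static int der_hdr(const unsigned char **p, const unsigned char *end,
                   unsigned char *tag, size_t *len)
{
    if (end - *p < 2) return -1;
    *tag = *(*p)++;
    size_t n = *(*p)++;
    if (n & 0x80) {                 /* long form: low 7 bits count length octets */
        size_t k = n & 0x7f;
        if (k == 0 || k > sizeof n || (size_t)(end - *p) < k) return -1;
        for (n = 0; k > 0; k--) n = (n << 8) | *(*p)++;
    }
    if ((size_t)(end - *p) < n) return -1;
    *len = n;
    return 0;
}

/* 1 = outer signatureAlgorithm is SHA-1 based, 0 = other, -1 = malformed DER. */
int cert_signed_with_sha1(const unsigned char *der, size_t der_len)
{
    static const unsigned char rsa_sha1[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05};
    static const unsigned char ecdsa_sha1[] = {0x2a,0x86,0x48,0xce,0x3d,0x04,0x01};
    const unsigned char *p = der, *end = der + der_len;
    unsigned char tag = 0; size_t len = 0;
    if (der_hdr(&p, end, &tag, &len) || tag != 0x30) return -1; /* Certificate */
    end = p + len;
    if (der_hdr(&p, end, &tag, &len) || tag != 0x30) return -1; /* tbsCertificate */
    p += len;                                                   /* skip its body */
    if (der_hdr(&p, end, &tag, &len) || tag != 0x30) return -1; /* AlgorithmIdentifier */
    end = p + len;
    if (der_hdr(&p, end, &tag, &len) || tag != 0x06) return -1; /* algorithm OID */
    return (len == sizeof rsa_sha1 && !memcmp(p, rsa_sha1, len)) ||
           (len == sizeof ecdsa_sha1 && !memcmp(p, ecdsa_sha1, len));
}
/* Constructed skeletons (stub TBS, empty signature), not real certificates. */
static const unsigned char SAMPLE_SHA1[] = { 0x30,0x18, 0x30,0x03,0x02,0x01,0x00,
    0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,
    0x03,0x02,0x00,0x00 };
static const unsigned char SAMPLE_SHA256[] = { 0x30,0x18, 0x30,0x03,0x02,0x01,0x00,
    0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,
    0x03,0x02,0x00,0x00 };
int main(void) {
    printf("%d %d\n", cert_signed_with_sha1(SAMPLE_SHA1, sizeof SAMPLE_SHA1),
           cert_signed_with_sha1(SAMPLE_SHA256, sizeof SAMPLE_SHA256)); /* 1 0 */
    return 0;
}
```

A PEM file such as `cacert.pem` has to be converted to DER before it is passed to this function, and each certificate in the chain is checked separately.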