3 years, 1 month ago.

TLS fails in the https://os.mbed.com/users/coisme/code/Mbed-to-Azure-IoT-Hub/ sample

I modified the code to use my client certs and tested it on K64F. I get the following output from the latest mbed-os . The original mbed-os also generated the same output. The datetime output looks weird: Mbed to Azure IoT Hub: version is 0.10

Opening network interface... Connected to the network successfully. IP address: 10.1.10.65

Time is now Wed Aug 21 17:41:06 2019 Connecting to host hublora.azure-devices.net:8883 ... [DBG ][TLSW]: mbedtls_ssl_conf_ca_chain() [INFO][TLSW]: Starting TLS handshake with hublora.azure-devices.net [DBG ][TLSW]: mbedtls_ssl_setup() [DBG ][TLSW]: Verifying certificate at depth 2:

[DBG ][TLSW]: cert. version : 3 serial number : 02:00:00:B9 issuer name : C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root subject name : C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root issued on : 2000-05-12 18:46:00 expires on : 2025-05-12 23:59:00 signed using : RSA with SHA1 RSA key size : 2048 bits basic constraints : CA=true, max_pathlen=3 key usage : Key Cert Sign, CRL Sign

[INFO][TLSW]: ! The certificate validity has expired ! The certificate validity starts in the future

[DBG ][TLSW]: Verifying certificate at depth 1:

[DBG ][TLSW]: cert. version : 3 serial number : 0F:2C:10:C9:5B:06:C0:93:7F:B8:D4:49:F8:3E:85:69 issuer name : C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root subject name : C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2 issued on : 2016-05-20 12:51:57 expires on : 2024-05-20 12:51:57 signed using : RSA with SHA-256 RSA key size : 4096 bits basic constraints : CA=true, max_pathlen=0 key usage : Digital Signature, Key Cert Sign, CRL Sign ext key usage : TLS Web Server Authentication, TLS Web Client Authentication, OCSP Signing certificate policies : Any Policy

[INFO][TLSW]: ! The certificate validity has expired ! The certificate validity starts in the future

[DBG ][TLSW]: Verifying certificate at depth 0:

[DBG ][TLSW]: cert. version : 3 serial number : 20:00:05:DD:5F:F5:41:2A:B7:FB:B1:05:62:00:00:00:05:DD:5F issuer name : C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2 subject name : CN=*.azure-devices.net issued on : 2019-04-12 22:59:46 expires on : 2020-04-12 22:59:46 signed using : RSA with SHA-256 RSA key size : 2048 bits subject alt name : dNSName : *.azure-devices.net dNSName : *.amqpws.azure-devices.net dNSName : *.su.management-azure-devices.net key usage : Digital Signature, Key Encipherment, Data Encipherment ext key usage : TLS Web Client Authentication, TLS Web Server Authentication certificate policies : ???

[INFO][TLSW]: ! The certificate validity has expired ! The certificate validity starts in the future

[DBG ][TLSW]: ssl_tls.c:6781: |1| x509_verify_cert() returned -9984 (-0x2700)

[ERR ][TLSW]: mbedtls_ssl_handshake() failed: -0x2700 (-9984): X509 - Certificate verification failed, e.g. CRL, CA or signature check failed ERROR from MQTTNetwork connect is -3011

1 Answer

3 years, 1 month ago.

Hi Sudhir,

As you can see from the error:

"The certificate validity has expired ! The certificate validity starts in the future" The certificates validity is ion the future. However, in fact they are valid, which probably means that your system time is not set correct.

Regards,

Mbed OS support

Ron

You are correct because I disabled the has date_time and it worked. However that points to a bug in mbed tls because the code sets the time correctly, and prints it correctly. The relevant code from https://os.mbed.com/users/coisme/code/Mbed-to-Azure-IoT-Hub/ is as follows. printf("Connected to the network successfully. IP address: %s\r\n", network->get_ip_address()); printf("\r\n");

sync the real time clock (RTC) { NTPClient ntp(network); ntp.set_server("time.google.com", 123); time_t now = ntp.get_timestamp(); if (now <= 0) { printf("Failed to retrieve the time from time.google.com:123\r\n"); return 1; } set_time(now); printf("Time is now %s", ctime(&now)); }

posted by Sudhir Kshirsagar 25 Aug 2019

It isn't an issue in Mbed TLS, as Mbed TLS takes the system time. Note that Mbed TLS uses gmtime_r for checking the validity of certificates, while mbed_rtc module uses get\set timeofday. This could not be synched together.

posted by Ron Eldor 25 Aug 2019