5 years, 3 months ago.

The certificate is not correctly signed by the trusted CA

Hi In trying to establish connection with google drive and read a file from it. I have couple of problems: 1. I can't use the MBEDTLS_SSL_VERIFY_REQUIRED and the mbedtls_ssl_conf_authmode() function it don't work ... only can use MBEDTLS_SSL_VERIFY_NONE or MBEDTLS_SSL_VERIFY_OPTIONAL why?

2. I get the following " ! The certificate is not correctly signed by the trusted CA" how can I fix it?

3. Where in the code I need to set the path to the file ?? ... I'm getting this error: HTTP/1.0 400 Bad Request

Here is the output:

Loading...5 4 3 2 1 PIKEOS_MON: error writing to channel err = 25 PIKEOS_MON: error writing to channel err = 25 0. Seeding the random number generator... SUCCESS: initialize the RNG and the session data 1. Loading the CA root certificate ... SUCCESS: initialize certificates (0 skipped) 2. Connecting to tcp/drive.google.com/443... PIKEOS_MON: error writing to channel err = 25 PIKEOS_MON: error writing to channel err = 25 SUCCESS: connecting to tcp. 3. Setting up the SSL/TLS structure... SUCCESS: setting up the SSL/TLS structure. 4. Performing the SSL/TLS handshake... 1111

Verifying certificate at depth 1: cert. version : 3 serial number : 01:E3:B4:9A:A1:8D:8A:A9:81:25:69:50:B8 issuer name : OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign subject name : C=US, O=Google Trust Services, CN=GTS CA 1O1 issued on : 2017-06-15 00:00:42 expires on : 2021-12-15 00:00:42 signed using : RSA with SHA-256 RSA key size : 2048 bits basic constraints : CA=true, max_pathlen=0 key usage : Digital Signature, Key Cert Sign, CRL Sign ext key usage : TLS Web Server Authentication, TLS Web Client Authentication ! The certificate is not correctly signed by the trusted CA

Verifying certificate at depth 0: cert. version : 3 serial number : 9E:44:1B:49:08:8D:75:BB:02:00:00:00:00:40:A5:B4 issuer name : C=US, O=Google Trust Services, CN=GTS CA 1O1 subject name : C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com issued on : 2019-08-13 16:18:34 expires on : 2019-11-11 16:18:34 signed using : RSA with SHA-256 EC key size : 256 bits basic constraints : CA=false subject alt name : *.google.com, *.android.com, *.appengine.google.com, *.cloud.google.com, *.crowdsource.google.com, *.g.co, *.gcp.gvt2.com, *.gcpcdn.gvt1.com, *.ggpht.cn, *.gkecnapps.cn, *.google-analytics.com, *.google.ca, *.google.cl, *.google.co.in, *.google.co.jp, *.google.co.uk, *.google.com.ar, *.google.com.au, *.google.com.br, *.google.com.co, *.google.com.mx, *.google.com.tr, *.google.com.vn, *.google.de, *.google.es, *.google.fr, *.google.hu, *.google.it, *.google.nl, *.google.pl, *.google.pt, *.googleadapis.com, *.googleapis.cn, *.googlecnapps.cnNo verification issue for this certificate 2222

. TLS connection to drive.google.com established . Verifying peer X.509 certificate...server certificate: failed▒ ! The certificate is not correctly signed by the trusted CA

> Write to GET request server: 85 bytes written

GET https://drive.google.com/open?id=1oczNkbBaZoVvw508rHORg61aWcyypuU3 / HTTP/1.1

< Read from server: 1023 bytes read

HTTP/1.0 400 Bad Request Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1555 Date: Tue, 03 Sep 2019 06:07:21 GMT

<!DOCTYPE html> <html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 400 (Bad Request)!!1</title> <style>

• {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background: 386 bytes read

url(www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit- 303 bytes read

background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=www.google.com/><span id=logo aria-label=Google></span></a> <p><b>400.</b> <ins>That’s an error.</ins> <p>Your client has issued a malformed or illegal request. <ins>That’s all we know.</ins>

EOF

Here is the code:

/* ------ FILE PROLOGUE ------ */

/ ***************

• @copyright
• (C) Copyright SYSGO AG.
• Ulm, Germany
• All rights reserved.
• /

/* ----- FILE INCLUSION ------ */

1. if !defined(MBEDTLS_CONFIG_FILE)
2. include "mbedtls/config.h"
3. else
4. include MBEDTLS_CONFIG_FILE
5. endif

1. if defined(MBEDTLS_PLATFORM_C)
2. include "mbedtls/platform.h"
3. else
4. include <stdio.h>
5. include <stdlib.h>
6. define mbedtls_time time
7. define mbedtls_time_t time_t
8. define mbedtls_fprintf fprintf
9. define mbedtls_printf printf
10. endif

1. if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \ !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \ !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \ !defined(MBEDTLS_CERTS_C) || !defined(MBEDTLS_PEM_PARSE_C) || \ !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) int main( void ) { mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or " "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or " "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or " "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C " "not defined.\n"); return( 0 ); }
2. else

1. include "lwipopts.h"
2. include "lwip/sockets.h"
3. include "lwip/inet.h"
4. include "lwip/netdb.h"

1. include "mbedtls/net_sockets.h"
2. include "mbedtls/debug.h"
3. include "mbedtls/ssl.h"
4. include "mbedtls/entropy.h"
5. include "mbedtls/ctr_drbg.h"
6. include "mbedtls/error.h"
7. include "mbedtls/certs.h"

1. include <string.h>
2. include <unistd.h>

1. include <stdio.h>

1. include <string.h>

1. include <sys/types.h>

1. include <sys/socket.h>

1. include <sys/ioctl.h>

/*

• Do not forget to:
• -Disable the Fire wall or add the appropriate rule(in the destination computer)
• -Verify the destination computer address(don't use localhost IP)
• -Verify the server listens to the exact same IP address.
• /

1. define HTTPS_SERVER_PORT "443" /< The HTTPS server port */
2. define SERVER_NAME "drive.google.com" /< The domain name of the HTTPS server */ #define SERVER_NAME "www.guardknox.com" /< The domain name of the HTTPS server */ #define LOCAL_SERV "192.168.1.27" #define LOCAL_SERV "10.0.8.31"
3. define GET_REQUEST "GET https://drive.google.com/open?id=1oczNkbBaZoVvw508rHORg61aWcyypuU3 / HTTP/1.1\r\n\r\n" ??? why not 1.1
4. define RECV_BUFFER_SIZE 600

const char HTTPS_PATH[] = "/open?id=1oczNkbBaZoVvw508rHORg61aWcyypuU3"; path to file const char HTTPS_PATH[] = "/media/uploads/mbed_official/hello.txt"; path to file const size_t HTTPS_PATH_LEN = sizeof(HTTPS_PATH) - 1;

char buffer[RECV_BUFFER_SIZE]; /< The response buffer */

1. define DEBUG_LEVEL 0

/* personalization string for the drbg */ const char *DRBG_PERS = "mbedTLS_client";

Guardknox Certificate const char SSL_CA_PEM[] = "-BEGIN CERTIFICATE-\r\n" "MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx\r\n" "EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT\r\n" "EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp\r\n" "ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIz\r\n" "NTk1OVowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH\r\n" "EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8GA1UE\r\n" "AxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIw\r\n" "DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9xYgjx+lk09xvJGKP3gElY6SKD\r\n" "E6bFIEMBO4Tx5oVJnyfq9oQbTqC023CYxzIBsQU+B07u9PpPL1kwIuerGVZr4oAH\r\n" "/PMWdYA5UXvl+TW2dE6pjYIT5LY/qQOD+qK+ihVqf94Lw7YZFAXK6sOoBJQ7Rnwy\r\n" "DfMAZiLIjWltNowRGLfTshxgtDj6AozO091GB94KPutdfMh8+7ArU6SSYmlRJQVh\r\n" "GkSBjCypQ5Yj36w6gZoOKcUcqeldHraenjAKOc7xiID7S13MMuyFYkMlNAJWJwGR\r\n" "tDtwKj9useiciAF9n9T521NtYJ2/LOdYq7hfRvzOxBsDPAnrSTFcaUaz4EcCAwEA\r\n" "AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE\r\n" "FDqahQcQZyi27/a9BUFuIMGU2g/eMA0GCSqGSIb3DQEBCwUAA4IBAQCZ21151fmX\r\n" "WWcDYfF+OwYxdS2hII5PZYe096acvNjpL9DbWu7PdIxztDhC2gV7+AJ1uP2lsdeu\r\n" "9tfeE8tTEH6KRtGX+rcuKxGrkLAngPnon1rpN5+r5N9ss4UXnT3ZJE95kTXWXwTr\r\n" "gIOrmgIttRD02JDHBHNA7XIloKmf7J6raBKZV8aPEjoJpL1E/QYVN8Gb5DKj7Tjo\r\n" "2GTzLH4U/ALqn83/B2gX2yKQOC16jdFU8WnjXzPKej17CuPKf1855eJ1usV2GDPO\r\n" "LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI\r\n" "4uJEvlz36hz1\r\n" "-END CERTIFICATE-\r\n"; Local server certificate const char local_pem[] = "-BEGIN CERTIFICATE-\r\n" "MIID/TCCAuWgAwIBAgIJAOuzny4T/V9AMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV\r\n" "BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX\r\n" "aWRnaXRzIFB0eSBMdGQxFTATBgNVBAMTDDE5Mi4xNjguMS4yNzAeFw0xOTA0MjQx\r\n" "MzUxMTFaFw0yMjAxMTcxMzUxMTFaMFwxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpT\r\n" "b21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFTAT\r\n" "BgNVBAMTDDE5Mi4xNjguMS4yNzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\r\n" "ggEBAM5BJDOhlmAE8g6WxWjS3xggSPWkG4D9V6Zn9WC3aqimrlV6f12aLwaQSj9w\r\n" "13HTbWVB89jVKNqx/me6INOxtFeuuoY6ch0SzsBMtTgTpzVOhC16XKAFhX4PhjOf\r\n" "VXhY3wPyTo2cZKXzerQNVvKKe2PJGyWhML7DsCg1gLGGZUlu4kBlj5ncZ7m4JGML\r\n" "I4L8pIqddLeZ1CDtKqoPTc5lhdrTE1LAt0af3m2AZLSpuYHfBvrsrZSENbQ5q9JS\r\n" "xxKWgISR8eVROaREkpBZpGS4zBe5N3lEdEdXOIGXl63synU2Ig4P6wjfQRxRsOqv\r\n" "Pu3j5m3yDaXs+SNYIfGv0dnpk1MCAwEAAaOBwTCBvjAdBgNVHQ4EFgQUh3w/yveP\r\n" "CCBwNNge0gRHk81gKqgwgY4GA1UdIwSBhjCBg4AUh3w/yvePCCBwNNge0gRHk81g\r\n" "KqihYKReMFwxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYD\r\n" "VQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFTATBgNVBAMTDDE5Mi4xNjgu\r\n" "MS4yN4IJAOuzny4T/V9AMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB\r\n" "ADJIz0CF3wi95RU3a3QVhOR04pl0lO/fV9ou5YMcRhWVffhWdyuy8eGyKrOEbYPY\r\n" "IxLquDwIc37ZxV1XAbM5SsMBj4T/vBar2EkZsmabrBfG2ILP/OQ3kGyezAvKEEOa\r\n" "9N1ocnsozO0SbbThA+1JijA2cfmecfa39BMYnUp7gooD7gKWgFAemveLzJ7V9c06\r\n" "Vfsa3vadMmOC15hJrPEyCY1V5tL4SBcSFAg2lb8NVqg5knLh2Pa75VPHhBJ9Z+5a\r\n" "8GXSnVlLXHuxJuN2fxT/OOuccb9m3Ogyv8siyjMYwQBKNHsBNht/aWdqMYpULKwJ\r\n" "HcruD+hFGLalzEUWH3RAZI0=\r\n" "-END CERTIFICATE-\r\n";

/* List of trusted root CA certificates

• currently only GlobalSign, the CA for developer.mbed.org
• To add more than one root, just concatenate them.
• / const char SSL_CA_PEM[] = "-BEGIN CERTIFICATE-\r\n" "MIIJEDCCB/igAwIBAgIQQGzhGzKJIgcCAAAAAD7OFTANBgkqhkiG9w0BAQsFADBC\r\n" "MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMRMw\r\n" "EQYDVQQDEwpHVFMgQ0EgMU8xMB4XDTE5MDcyOTE3MjQ1OFoXDTE5MTAyNzE3MjQ1\r\n" "OFowZjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT\r\n" "DU1vdW50YWluIFZpZXcxEzARBgNVBAoTCkdvb2dsZSBMTEMxFTATBgNVBAMMDCou\r\n" "Z29vZ2xlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKYyqG26VUKGFq+b\r\n" "YuYrR4FiIH9fHNDzgdM79HseC5ksp66xUVoxIy/gDSXv4MQq2/i4lqQ3G6kO3ekL\r\n" "TF7Y8GKjgganMIIGozAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\r\n" "AwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU6EV7v+4RUViiCodDL+qmOKXvD64w\r\n" "HwYDVR0jBBgwFoAUmNH4bhDrz5vsYJ8YkBug630J/SswZAYIKwYBBQUHAQEEWDBW\r\n" "MCcGCCsGAQUFBzABhhtodHRwOi8vb2NzcC5wa2kuZ29vZy9ndHMxbzEwKwYIKwYB\r\n" "BQUHMAKGH2h0dHA6Ly9wa2kuZ29vZy9nc3IyL0dUUzFPMS5jcnQwggRqBgNVHREE\r\n" "ggRhMIIEXYIMKi5nb29nbGUuY29tgg0qLmFuZHJvaWQuY29tghYqLmFwcGVuZ2lu\r\n" "ZS5nb29nbGUuY29tghIqLmNsb3VkLmdvb2dsZS5jb22CGCouY3Jvd2Rzb3VyY2Uu\r\n" "Z29vZ2xlLmNvbYIGKi5nLmNvgg4qLmdjcC5ndnQyLmNvbYIRKi5nY3BjZG4uZ3Z0\r\n" "MS5jb22CCiouZ2dwaHQuY26CFiouZ29vZ2xlLWFuYWx5dGljcy5jb22CCyouZ29v\r\n" "Z2xlLmNhggsqLmdvb2dsZS5jbIIOKi5nb29nbGUuY28uaW6CDiouZ29vZ2xlLmNv\r\n" "Lmpwgg4qLmdvb2dsZS5jby51a4IPKi5nb29nbGUuY29tLmFygg8qLmdvb2dsZS5j\r\n" "b20uYXWCDyouZ29vZ2xlLmNvbS5icoIPKi5nb29nbGUuY29tLmNvgg8qLmdvb2ds\r\n" "ZS5jb20ubXiCDyouZ29vZ2xlLmNvbS50coIPKi5nb29nbGUuY29tLnZuggsqLmdv\r\n" "b2dsZS5kZYILKi5nb29nbGUuZXOCCyouZ29vZ2xlLmZyggsqLmdvb2dsZS5odYIL\r\n" "Ki5nb29nbGUuaXSCCyouZ29vZ2xlLm5sggsqLmdvb2dsZS5wbIILKi5nb29nbGUu\r\n" "cHSCEiouZ29vZ2xlYWRhcGlzLmNvbYIPKi5nb29nbGVhcGlzLmNughEqLmdvb2ds\r\n" "ZWNuYXBwcy5jboIUKi5nb29nbGVjb21tZXJjZS5jb22CESouZ29vZ2xldmlkZW8u\r\n" "Y29tggwqLmdzdGF0aWMuY26CDSouZ3N0YXRpYy5jb22CEiouZ3N0YXRpY2NuYXBw\r\n" "cy5jboIKKi5ndnQxLmNvbYIKKi5ndnQyLmNvbYIUKi5tZXRyaWMuZ3N0YXRpYy5j\r\n" "b22CDCoudXJjaGluLmNvbYIQKi51cmwuZ29vZ2xlLmNvbYIWKi55b3V0dWJlLW5v\r\n" "Y29va2llLmNvbYINKi55b3V0dWJlLmNvbYIWKi55b3V0dWJlZWR1Y2F0aW9uLmNv\r\n" "bYIRKi55b3V0dWJla2lkcy5jb22CByoueXQuYmWCCyoueXRpbWcuY29tghphbmRy\r\n" "b2lkLmNsaWVudHMuZ29vZ2xlLmNvbYILYW5kcm9pZC5jb22CG2RldmVsb3Blci5h\r\n" "bmRyb2lkLmdvb2dsZS5jboIcZGV2ZWxvcGVycy5hbmRyb2lkLmdvb2dsZS5jboIE\r\n" "Zy5jb4IIZ2dwaHQuY26CBmdvby5nbIIUZ29vZ2xlLWFuYWx5dGljcy5jb22CCmdv\r\n" "b2dsZS5jb22CD2dvb2dsZWNuYXBwcy5jboISZ29vZ2xlY29tbWVyY2UuY29tghhz\r\n" "b3VyY2UuYW5kcm9pZC5nb29nbGUuY26CCnVyY2hpbi5jb22CCnd3dy5nb28uZ2yC\r\n" "CHlvdXR1LmJlggt5b3V0dWJlLmNvbYIUeW91dHViZWVkdWNhdGlvbi5jb22CD3lv\r\n" "dXR1YmVraWRzLmNvbYIFeXQuYmUwIQYDVR0gBBowGDAIBgZngQwBAgIwDAYKKwYB\r\n" "BAHWeQIFAzAvBgNVHR8EKDAmMCSgIqAghh5odHRwOi8vY3JsLnBraS5nb29nL0dU\r\n" "UzFPMS5jcmwwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgBj8tvN6DvMLM8LcoQn\r\n" "V2szpI1hd4+9daY4scdoVEvYjQAAAWw++od/AAAEAwBHMEUCIQDBCUbjEovr7cKW\r\n" "iDSW/dfOa5CCxJ9KQJtViD5uCMD8QgIgcvWR2bB0XNT6kVQa/YqoD0Wg5fK6B8mQ\r\n" "6qnLzlI9pCwAdgB0ftqDMa0zEJEhnM4lT0Jwwr/9XkIgCMY3NXnmEHvMVgAAAWw+\r\n" "+oeNAAAEAwBHMEUCIQCSAf54Lcc8AZsr80mKvAtd+VKGkJz600STcfZ/v48nggIg\r\n" "A/C8DQXr3O7Hg/IY0tiZ9EuRMlM6NJ2rIsIU1P6mFe0wDQYJKoZIhvcNAQELBQAD\r\n" "ggEBAM8dBuS7TF+mRd929kTvnTXxcL1F4KUWIM6iNFCu8OwBBuXBdEE4Z6b5DKTl\r\n" "c7hvaUB8B6emin/9cDYhdGVxiXaxeK1hTh0za+dRun2xiXmmPjGuloFR7+iN26fu\r\n" "EEe9AiDCFTRmngs3D1TqiRvkwUPSu4EnuelzAyf0aaXYQ4v2CeZHAAofxYkysXDr\r\n" "J/JHelAfnmyVmRjQJb4SNdhPNzeDzrH8qV5DCNl1wDX1vxxvub4ja7Z5DW3sBeN4\r\n" "nqbNnOOLSN921mCfhhQuxuZ2ro70cEKephZKy0ue1qnqKR1m2buXMSKCc4MG/qzh\r\n" "rAQtx3t61jL6YpTPEZ477IKo60M=\r\n" "-END CERTIFICATE-\r\n";

/* GlobalSign Root certificate */ "-BEGIN CERTIFICATE-\n" "MIIEaTCCA1GgAwIBAgILBAAAAAABRE7wQkcwDQYJKoZIhvcNAQELBQAwVzELMAkG\n" "A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv\n" "b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw\n" "MDBaFw0yNDAyMjAxMDAwMDBaMGYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i\n" "YWxTaWduIG52LXNhMTwwOgYDVQQDEzNHbG9iYWxTaWduIE9yZ2FuaXphdGlvbiBW\n" "YWxpZGF0aW9uIENBIC0gU0hBMjU2IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n" "DwAwggEKAoIBAQDHDmw/I5N/zHClnSDDDlM/fsBOwphJykfVI+8DNIV0yKMCLkZc\n" "C33JiJ1Pi/D4nGyMVTXbv/Kz6vvjVudKRtkTIso21ZvBqOOWQ5PyDLzm+ebomchj\n" "SHh/VzZpGhkdWtHUfcKc1H/hgBKueuqI6lfYygoKOhJJomIZeg0k9zfrtHOSewUj\n" "mxK1zusp36QUArkBpdSmnENkiN74fv7j9R7l/tyjqORmMdlMJekYuYlZCa7pnRxt\n" "Nw9KHjUgKOKv1CGLAcRFrW4rY6uSa2EKTSDtc7p8zv4WtdufgPDWi2zZCHlKT3hl\n" "2pK8vjX5s8T5J4BO/5ZS5gIg4Qdz6V0rvbLxAgMBAAGjggElMIIBITAOBgNVHQ8B\n" "Af8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUlt5h8b0cFilT\n" "HMDMfTuDAEDmGnwwRwYDVR0gBEAwPjA8BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0\n" "dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMDMGA1UdHwQsMCow\n" "KKAmoCSGImh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5uZXQvcm9vdC5jcmwwPQYIKwYB\n" "BQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNv\n" "bS9yb290cjEwHwYDVR0jBBgwFoAUYHtmGkUNl8qJUC99BM00qP/8/UswDQYJKoZI\n" "hvcNAQELBQADggEBAEYq7l69rgFgNzERhnF0tkZJyBAW/i9iIxerH4f4gu3K3w4s\n" "32R1juUYcqeMOovJrKV3UPfvnqTgoI8UV6MqX+x+bRDmuo2wCId2Dkyy2VG7EQLy\n" "XN0cvfNVlg/UBsD84iOKJHDTu/B5GqdhcIOKrwbFINihY9Bsrk8y1658GEV1BSl3\n" "30JAZGSGvip2CTFvHST0mdCF/vIhCPnG9vHQWe3WVjwIKANnuvD58ZAWR65n5ryA\n" "SOlCdjSXVWkkDoPWoC209fN5ikkodBpBocLTJIg1MGCUF7ThBCIxPTsvFwayuJ2G\n" "K1pp74P1S8SqtCr4fKGxhZSM9AyHDPSsQPhZSZg=\n" "-END CERTIFICATE-\n";

"-BEGIN CERTIFICATE-\n" "MIIJEDCCB/igAwIBAgIQQGzhGzKJIgcCAAAAAD7OFTANBgkqhkiG9w0BAQsFADBC\n" "MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMRMw\n" "EQYDVQQDEwpHVFMgQ0EgMU8xMB4XDTE5MDcyOTE3MjQ1OFoXDTE5MTAyNzE3MjQ1\n" "OFowZjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT\n" "DU1vdW50YWluIFZpZXcxEzARBgNVBAoTCkdvb2dsZSBMTEMxFTATBgNVBAMMDCou\n" "Z29vZ2xlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKYyqG26VUKGFq+b\n" "YuYrR4FiIH9fHNDzgdM79HseC5ksp66xUVoxIy/gDSXv4MQq2/i4lqQ3G6kO3ekL\n" "TF7Y8GKjgganMIIGozAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH\n" "AwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU6EV7v+4RUViiCodDL+qmOKXvD64w\n" "HwYDVR0jBBgwFoAUmNH4bhDrz5vsYJ8YkBug630J/SswZAYIKwYBBQUHAQEEWDBW\n" "MCcGCCsGAQUFBzABhhtodHRwOi8vb2NzcC5wa2kuZ29vZy9ndHMxbzEwKwYIKwYB\n" "BQUHMAKGH2h0dHA6Ly9wa2kuZ29vZy9nc3IyL0dUUzFPMS5jcnQwggRqBgNVHREE\n" "ggRhMIIEXYIMKi5nb29nbGUuY29tgg0qLmFuZHJvaWQuY29tghYqLmFwcGVuZ2lu\n" "ZS5nb29nbGUuY29tghIqLmNsb3VkLmdvb2dsZS5jb22CGCouY3Jvd2Rzb3VyY2Uu\n" "Z29vZ2xlLmNvbYIGKi5nLmNvgg4qLmdjcC5ndnQyLmNvbYIRKi5nY3BjZG4uZ3Z0\n" "MS5jb22CCiouZ2dwaHQuY26CFiouZ29vZ2xlLWFuYWx5dGljcy5jb22CCyouZ29v\n" "Z2xlLmNhggsqLmdvb2dsZS5jbIIOKi5nb29nbGUuY28uaW6CDiouZ29vZ2xlLmNv\n" "Lmpwgg4qLmdvb2dsZS5jby51a4IPKi5nb29nbGUuY29tLmFygg8qLmdvb2dsZS5j\n" "b20uYXWCDyouZ29vZ2xlLmNvbS5icoIPKi5nb29nbGUuY29tLmNvgg8qLmdvb2ds\n" "ZS5jb20ubXiCDyouZ29vZ2xlLmNvbS50coIPKi5nb29nbGUuY29tLnZuggsqLmdv\n" "b2dsZS5kZYILKi5nb29nbGUuZXOCCyouZ29vZ2xlLmZyggsqLmdvb2dsZS5odYIL\n" "Ki5nb29nbGUuaXSCCyouZ29vZ2xlLm5sggsqLmdvb2dsZS5wbIILKi5nb29nbGUu\n" "cHSCEiouZ29vZ2xlYWRhcGlzLmNvbYIPKi5nb29nbGVhcGlzLmNughEqLmdvb2ds\n" "ZWNuYXBwcy5jboIUKi5nb29nbGVjb21tZXJjZS5jb22CESouZ29vZ2xldmlkZW8u\n" "Y29tggwqLmdzdGF0aWMuY26CDSouZ3N0YXRpYy5jb22CEiouZ3N0YXRpY2NuYXBw\n" "cy5jboIKKi5ndnQxLmNvbYIKKi5ndnQyLmNvbYIUKi5tZXRyaWMuZ3N0YXRpYy5j\n" "b22CDCoudXJjaGluLmNvbYIQKi51cmwuZ29vZ2xlLmNvbYIWKi55b3V0dWJlLW5v\n" "Y29va2llLmNvbYINKi55b3V0dWJlLmNvbYIWKi55b3V0dWJlZWR1Y2F0aW9uLmNv\n" "bYIRKi55b3V0dWJla2lkcy5jb22CByoueXQuYmWCCyoueXRpbWcuY29tghphbmRy\n" "b2lkLmNsaWVudHMuZ29vZ2xlLmNvbYILYW5kcm9pZC5jb22CG2RldmVsb3Blci5h\n" "bmRyb2lkLmdvb2dsZS5jboIcZGV2ZWxvcGVycy5hbmRyb2lkLmdvb2dsZS5jboIE\n" "Zy5jb4IIZ2dwaHQuY26CBmdvby5nbIIUZ29vZ2xlLWFuYWx5dGljcy5jb22CCmdv\n" "b2dsZS5jb22CD2dvb2dsZWNuYXBwcy5jboISZ29vZ2xlY29tbWVyY2UuY29tghhz\n" "b3VyY2UuYW5kcm9pZC5nb29nbGUuY26CCnVyY2hpbi5jb22CCnd3dy5nb28uZ2yC\n" "CHlvdXR1LmJlggt5b3V0dWJlLmNvbYIUeW91dHViZWVkdWNhdGlvbi5jb22CD3lv\n" "dXR1YmVraWRzLmNvbYIFeXQuYmUwIQYDVR0gBBowGDAIBgZngQwBAgIwDAYKKwYB\n" "BAHWeQIFAzAvBgNVHR8EKDAmMCSgIqAghh5odHRwOi8vY3JsLnBraS5nb29nL0dU\n" "UzFPMS5jcmwwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgBj8tvN6DvMLM8LcoQn\n" "V2szpI1hd4+9daY4scdoVEvYjQAAAWw++od/AAAEAwBHMEUCIQDBCUbjEovr7cKW\n" "iDSW/dfOa5CCxJ9KQJtViD5uCMD8QgIgcvWR2bB0XNT6kVQa/YqoD0Wg5fK6B8mQ\n" "6qnLzlI9pCwAdgB0ftqDMa0zEJEhnM4lT0Jwwr/9XkIgCMY3NXnmEHvMVgAAAWw+\n" "+oeNAAAEAwBHMEUCIQCSAf54Lcc8AZsr80mKvAtd+VKGkJz600STcfZ/v48nggIg\n" "A/C8DQXr3O7Hg/IY0tiZ9EuRMlM6NJ2rIsIU1P6mFe0wDQYJKoZIhvcNAQELBQAD\n" "ggEBAM8dBuS7TF+mRd929kTvnTXxcL1F4KUWIM6iNFCu8OwBBuXBdEE4Z6b5DKTl\n" "c7hvaUB8B6emin/9cDYhdGVxiXaxeK1hTh0za+dRun2xiXmmPjGuloFR7+iN26fu\n" "EEe9AiDCFTRmngs3D1TqiRvkwUPSu4EnuelzAyf0aaXYQ4v2CeZHAAofxYkysXDr\n" "J/JHelAfnmyVmRjQJb4SNdhPNzeDzrH8qV5DCNl1wDX1vxxvub4ja7Z5DW3sBeN4\n" "nqbNnOOLSN921mCfhhQuxuZ2ro70cEKephZKy0ue1qnqKR1m2buXMSKCc4MG/qzh\n" "rAQtx3t61jL6YpTPEZ477IKo60M=\n" "-END CERTIFICATE-\n";

static void my_debug( void *ctx, int level, const char *file, int line, const char *str ) { ((void) level);

mbedtls_fprintf( (FILE *) ctx, "%s:%04d: %s", file, line, str ); fflush( (FILE *) ctx ); }

int my_entropy_func( void *data, unsigned char *output, size_t len ) { memset(output, 0, len); return 0; }

/**

• Certificate verification callback for mbed TLS
• Here we only use it to display information on each cert in the chain
• / static int my_verify(void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags) { const uint32_t buf_size = 1024; char *buf = new char[buf_size]; unsigned char buf[1024]; (void) data;

mbedtls_printf("\nVerifying certificate at depth %d:\n", depth); mbedtls_x509_crt_info(buf, sizeof(buf) - 1, " ", crt); mbedtls_printf("%s", buf);

if (*flags == 0) mbedtls_printf("No verification issue for this certificate\n"); else { mbedtls_x509_crt_verify_info(buf, sizeof(buf), " ! ", *flags); mbedtls_printf("%s\n", buf); }

return 0; }

int main( void ) { int cx; int ret, len; mbedtls_net_context server_fd; uint32_t flags; unsigned char buf[1024]; const char *pers = "ssl_client1"; int times = 5;

if (_lwip_init() != 0) { perror("_lwip_init"); exit(EXIT_FAILURE); }

printf("Loading..."); for (int var = 0; var < times; ++var) { printf("%d\r\n", times-var); sleep(1); }

mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; mbedtls_ssl_context ssl; mbedtls_ssl_config conf; mbedtls_x509_crt cacert;

1. if defined(MBEDTLS_DEBUG_C) mbedtls_debug_set_threshold(DEBUG_LEVEL);
2. endif

/* Fill the request buffer */ cx = snprintf(buffer, sizeof(buffer) - 1, "GET %s HTTP/1.1\nHost: %s\n\n", HTTPS_PATH, SERVER_NAME);

/********

• Initialize TLS-related stuf.
  • /

/*

• 0. Initialize the RNG and the session data
• / mbedtls_net_init( &server_fd ); mbedtls_ssl_init( &ssl ); mbedtls_ssl_config_init( &conf ); mbedtls_x509_crt_init( &cacert ); mbedtls_ctr_drbg_init( &ctr_drbg );

sleep(10);

mbedtls_printf( " 0. Seeding the random number generator...\r\n" ); fflush( stdout );

mbedtls_entropy_init( &entropy ); if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, my_entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { mbedtls_printf( " FAILED\n ! mbedtls_ctr_drbg_seed returned %d\r\n", ret ); goto exit; }

mbedtls_printf( " SUCCESS: initialize the RNG and the session data \r\n" );

/*

• 1. Initialize certificates
• / mbedtls_printf( " 1. Loading the CA root certificate ...\r\n" ); fflush( stdout );

ret = mbedtls_x509_crt_parse( &cacert, (const unsigned char *) SSL_CA_PEM, sizeof(SSL_CA_PEM) ); if( ret < 0 ) { mbedtls_printf( " FAILED\n ! mbedtls_x509_crt_parse returned -0x%x\r\n", ret ); goto exit; }

mbedtls_printf( " SUCCESS: initialize certificates (%d skipped)\r\n", ret );

/*

• 2. Start the connection to the server through TCP
• / mbedtls_printf( " 2. Connecting to tcp/%s/%s...\r\n", SERVER_NAME, HTTPS_SERVER_PORT); fflush( stdout );

sleep(5);

if( ( ret = mbedtls_net_connect( &server_fd, SERVER_NAME, HTTPS_SERVER_PORT, MBEDTLS_NET_PROTO_TCP ) ) != 0 ) { mbedtls_printf( " FAILED\n ! mbedtls_net_connect returned %d\r\n", ret ); goto exit; }

mbedtls_printf( " SUCCESS: connecting to tcp.\r\n" );

/*

• 3. Setup stuff
• / mbedtls_printf( " 3. Setting up the SSL/TLS structure...\r\n" ); fflush( stdout );

if( ( ret = mbedtls_ssl_config_defaults( &conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 ) { mbedtls_printf( " FAILED\n ! mbedtls_ssl_config_defaults returned %d\r\n", ret ); goto exit; }

mbedtls_printf( " SUCCESS: setting up the SSL/TLS structure.\r\n" );

/* OPTIONAL is not optimal for security,

• but makes interop easier in this simplified example */ mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );

/*unsafe*/ mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL );

/* Configure certificate verification function to clear time/date flags */ mbedtls_ssl_conf_verify(&conf, my_verify, NULL);

1. if DEBUG_LEVEL > 0 mbedtls_ssl_conf_verify(&conf, my_verify, NULL); mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); mbedtls_debug_set_threshold(DEBUG_LEVEL);
2. endif

if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) { mbedtls_printf( " FAILED\n ! mbedtls_ssl_setup returned %d\r\n", ret ); goto exit; }

if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 ) { mbedtls_printf( " FAILED\n ! mbedtls_ssl_set_hostname returned %d\r\n", ret ); goto exit; }

mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL );

/* Connect to the server */ mbedtls_printf("Connecting with %s\r\n", SERVER_NAME); server_fd.connect(SERVER_NAME, HTTPS_SERVER_PORT);

/*

• 4. Handshake
• / mbedtls_printf( " 4. Performing the SSL/TLS handshake...\r\n" ); fflush( stdout );

while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 ) { if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " FAILED\n ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret ); goto exit; } }

ret = mbedtls_ssl_write(&_ssl, (const unsigned char *) _buffer, _bpos); if (ret < 0) { if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) { print_mbedtls_error("mbedtls_ssl_write", ret); onError(_tcpsocket, -1 ); } return; }

/* It also means the handshake is done, time to print info */ mbedtls_printf(" SUCCESS: TLS connection to %s established\r\n", SERVER_NAME);

/*

• 5. Verify the server certificate
• / mbedtls_printf( " 5. Verifying peer X.509 certificate..." );

char vrfy_buf[512]; mbedtls_x509_crt_info(vrfy_buf, sizeof(vrfy_buf), "\r ", mbedtls_ssl_get_peer_cert(&ssl)); mbedtls_printf("server certificate:\r\n%s\r", buf);

#if defined(UNSAFE) /* In real life, we probably want to bail out when ret != 0 */ flags = mbedtls_ssl_get_verify_result( &ssl ); if( flags != 0 ) {

mbedtls_printf( " failed\n" );

mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );

mbedtls_printf( "%s\n", vrfy_buf ); } else #endif mbedtls_printf( "success: certificate verification passed.\n" );

/*

• 6. Write the GET request
• / mbedtls_printf( " > Write to GET request server:" ); fflush( stdout );

len = sprintf( (char *) buf, GET_REQUEST );

while( ( ret = mbedtls_ssl_write( &ssl, buf, len ) ) <= 0 ) { if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret ); goto exit; } }

len = ret; mbedtls_printf( " %d bytes written\n\n%s", len, (char *) buf );

/*

• 7. Read the HTTP response
• / mbedtls_printf( " < Read from server:" ); fflush( stdout );

do { len = sizeof( buf ) - 1; memset( buf, 0, sizeof( buf ) ); ret = mbedtls_ssl_read( &ssl, buf, len );

if( ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE ) continue;

if( ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY ) break;

if( ret < 0 ) { mbedtls_printf( "failed\n ! mbedtls_ssl_read returned %d\n\n", ret ); break; }

if( ret == 0 ) { mbedtls_printf( "\n\nEOF\n\n" ); break; }

len = ret; mbedtls_printf( " %d bytes read\n\n%s", len, (char *) buf ); } while( 1 );

mbedtls_ssl_close_notify( &ssl );

exit:

1. ifdef MBEDTLS_ERROR_C if( ret != 0 ) { char error_buf[100]; mbedtls_strerror( ret, error_buf, 100 ); mbedtls_printf("Last error was: %d - %s\n\n", ret, error_buf ); }
2. endif

mbedtls_net_free( &server_fd );

mbedtls_x509_crt_free( &cacert ); mbedtls_ssl_free( &ssl ); mbedtls_ssl_config_free( &conf ); mbedtls_ctr_drbg_free( &ctr_drbg ); mbedtls_entropy_free( &entropy );

1. if defined(_WIN32) mbedtls_printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar();
2. endif

return( ret ); }

1. endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_CLI_C && MBEDTLS_NET_C && MBEDTLS_RSA_C && MBEDTLS_CERTS_C && MBEDTLS_PEM_PARSE_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_X509_CRT_PARSE_C */