[bug #54827] altcp_mbedtls_bio_recv returns MBEDTLS_ERR_SSL_WANT_READ when connecting to Azure IoT


[bug #54827] altcp_mbedtls_bio_recv returns MBEDTLS_ERR_SSL_WANT_READ when connecting to Azure IoT

Simon Goldschmidt
URL:
  <https://savannah.nongnu.org/bugs/?54827>

                 Summary: altcp_mbedtls_bio_recv returns MBEDTLS_ERR_SSL_WANT_READ when connecting to Azure IoT
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: richmond_umagat
            Submitted on: Fri 12 Oct 2018 10:13:12 AM UTC
                Category: apps
                Severity: 3 - Normal
              Item Group: Faulty Behaviour
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: 2.1.0

    _______________________________________________________

Details:

Hi,


I'm trying to support connectivity with Azure IoT using mbedTLS with LWIP, but
the TLS handshake fails in ssl_parse_server_hello() with
MBEDTLS_ERR_SSL_WANT_READ.

Below is the callstack:
ssl_parse_server_hello() at ssl_cli.c:1484
mbedtls_ssl_read_record() at ssl_tls.c:3817
mbedtls_ssl_read_record_layer() at ssl_tls.c:3956
mbedtls_ssl_fetch_input() at ssl_tls.c:2433
ssl->f_recv( ssl->p_bio, ssl->in_hdr + ssl->in_left, len ) at
LWIP's altcp_mbedtls_bio_recv(void *ctx, unsigned char *buf, size_t len)
return MBEDTLS_ERR_SSL_WANT_READ;

Hypothesis:
Azure IoT Hub sends a certificate chain of 4 certificates. I think it might be
related to this.

Some context below:
1. I have already supported connectivity with AWS IoT, AWS Greengrass and GCP
IoT with mbedTLS+LWIP.
2. I am able to connect successfully to my Azure IoT Hub using MQTT.FX with
the same MQTT settings and TLS ca, certificates and private key. (so there is
no issue with cloud settings nor with the MQTT and TLS credentials.)

Any insights will be appreciated. Thank you!




    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?54827>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/


_______________________________________________
lwip-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/lwip-devel

[bug #54827] altcp_mbedtls_bio_recv returns MBEDTLS_ERR_SSL_WANT_READ when connecting to Azure IoT

Simon Goldschmidt
Follow-up Comment #1, bug #54827 (project lwip):

Sorry, but this is not enough info to tell anything about the problem.

altcp_mbedtls_bio_recv() returning MBEDTLS_ERR_SSL_WANT_READ means there is no
more buffered data on this connection.

Did you miss RX data somewhere? What do you see in 'lwip_stats', any 'err'
counters set?

I don't assume this can be easily reproduced without an Azure account?

    _______________________________________________________


[bug #54827] altcp_mbedtls_bio_recv returns MBEDTLS_ERR_SSL_WANT_READ when connecting to Azure IoT

Simon Goldschmidt
Follow-up Comment #2, bug #54827 (project lwip):

I looked into debugging mbedTLS and found that the issue is caused by
MBEDTLS_SSL_MAX_CONTENT_LEN and MBEDTLS_MPI_MAX_SIZE.

mbedtls_ssl_parse_certificate
mbedtls_x509_crt_parse_der
x509_crt_parse_der_core
mbedtls_pk_parse_subpubkey
pk_get_rsapubkey
mbedtls_rsa_complete
rsa_check_context
MBEDTLS_ERR_RSA_BAD_INPUT_DATA

To connect to Azure IoT Hub, the following mbedTLS settings must be set to a
minimum of:
MBEDTLS_MPI_MAX_SIZE 512
MBEDTLS_SSL_MAX_CONTENT_LEN 3584

Note that for Amazon IoT/Greengrass and Google IoT, the following is
sufficient:
MBEDTLS_MPI_MAX_SIZE 256
MBEDTLS_SSL_MAX_CONTENT_LEN 3072

Please close the bug as this is not an LWIP issue. Thank you.

    _______________________________________________________

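The two settings named in Comment #2 bound different things. MBEDTLS_MPI_MAX_SIZE is the largest big-number an RSA modulus may occupy, in bytes, and a key bigger than that is rejected during certificate parsing as MBEDTLS_ERR_RSA_BAD_INPUT_DATA, which is the bottom of the call chain quoted above. MBEDTLS_SSL_MAX_CONTENT_LEN sizes the record buffer that has to hold a complete Certificate handshake message, and a four-certificate chain is where that buffer runs out of room. The C program below is an added example, not lwIP or mbedTLS code: it frames a constructed TLS 1.2 Certificate message with made-up entry sizes, walks it the way a receiver must, and reports the buffer length the chain needs next to the two content-length values from the thread, plus the MPI bytes an RSA modulus of a given bit length needs. The function names and the sample chain sizes are my own, and it does not link against mbedTLS.

```c
/* Added diagnostic example (not lwIP or mbedTLS code): walk a TLS 1.2
 * Certificate handshake message and compute the receive-buffer size needed
 * to hold it in one piece, alongside the MPI size an RSA modulus needs.
 * The sample chain is constructed: four entries with made-up lengths and
 * filler bytes, not real certificates. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 24-bit big-endian lengths, as used in TLS handshake framing. */
static size_t rd24(const uint8_t *p) {
    return ((size_t)p[0] << 16) | ((size_t)p[1] << 8) | p[2];
}
static void wr24(uint8_t *p, size_t v) {
    p[0] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)v;
}

/* Parse HandshakeType(1) | length(3) | certificate_list length(3) | entries,
 * each entry being length(3) | DER bytes. Returns the total handshake message
 * length (header included) that the receive buffer must hold, or 0 if the
 * framing is inconsistent. *count receives the number of certificates. */
size_t tls_cert_msg_len(const uint8_t *msg, size_t len, size_t *count) {
    if (len < 7 || msg[0] != 0x0b) return 0;          /* 0x0b = certificate */
    size_t body = rd24(msg + 1);
    size_t list = rd24(msg + 4);
    if (body != list + 3 || 4 + body > len) return 0;
    size_t end = 7 + list, off = 7, n = 0;
    while (off < end) {
        if (off + 3 > end) return 0;
        size_t clen = rd24(msg + off);
        off += 3;
        if (off + clen > end) return 0;
        off += clen;
        n++;
    }
    if (count) *count = n;
    return 4 + body;
}

/* Bytes needed to hold an RSA modulus of the given bit length;
 * MBEDTLS_MPI_MAX_SIZE must be at least this large. */
size_t mpi_bytes_for_rsa_bits(unsigned bits) { return (bits + 7) / 8; }

/* Build a constructed Certificate message from a list of entry sizes.
 * Entry bodies are filler (0x30 bytes), not real DER. */
size_t build_cert_msg(uint8_t *out, size_t cap, const size_t *sizes, size_t n) {
    size_t list = 0;
    for (size_t i = 0; i < n; i++) list += 3 + sizes[i];
    size_t total = 7 + list;
    if (total > cap) return 0;
    out[0] = 0x0b;
    wr24(out + 1, list + 3);
    wr24(out + 4, list);
    size_t off = 7;
    for (size_t i = 0; i < n; i++) {
        wr24(out + off, sizes[i]); off += 3;
        memset(out + off, 0x30, sizes[i]); off += sizes[i];
    }
    return total;
}

/* Constructed four-certificate chain (leaf plus three CA certificates);
 * the sizes are made up for illustration. */
static const size_t sample_sizes[4] = { 1200, 900, 800, 600 };

size_t sample_chain_len(void) {
    static uint8_t buf[8192];
    size_t len = build_cert_msg(buf, sizeof buf, sample_sizes, 4);
    return tls_cert_msg_len(buf, len, NULL);
}

size_t sample_chain_count(void) {
    static uint8_t buf[8192];
    size_t n = 0;
    size_t len = build_cert_msg(buf, sizeof buf, sample_sizes, 4);
    tls_cert_msg_len(buf, len, &n);
    return n;
}

int main(void) {
    size_t need = sample_chain_len();
    printf("%zu certificates, %zu bytes; fits 3072? %s, fits 3584? %s\n",
           sample_chain_count(), need,
           need <= 3072 ? "yes" : "no", need <= 3584 ? "yes" : "no");
    printf("RSA-4096 modulus needs %zu MPI bytes, RSA-2048 needs %zu\n",
           mpi_bytes_for_rsa_bits(4096), mpi_bytes_for_rsa_bits(2048));
    return 0;
}
```

With these made-up sizes the chain frames to 3519 bytes, which does not fit a 3072-byte content buffer but does fit 3584, the same shape as the numbers in the comment; a 4096-bit modulus needs 512 MPI bytes where a 2048-bit one needs 256. When an embedded build fails the handshake against a new endpoint, comparing the real chain length (visible in a packet capture of the server's Certificate flight) and the server key size against these two defines is a quicker check than tracing the BIO callback.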

[bug #54827] altcp_mbedtls_bio_recv returns MBEDTLS_ERR_SSL_WANT_READ when connecting to Azure IoT

Simon Goldschmidt
Update of bug #54827 (project lwip):

                  Status:                    None => Invalid
             Assigned to:                    None => goldsimon
             Open/Closed:                    Open => Closed

    _______________________________________________________

Follow-up Comment #3:

OK, thanks.

    _______________________________________________________
