Mutual TLS using secure element ATECC608

am0xffff
Posts: 7
Joined: Wed Jun 14, 2023 3:42 pm

Mutual TLS using secure element ATECC608

Postby am0xffff » Wed Jun 14, 2023 4:27 pm

Hello,

we are trying to establish mTLS using the ATECC608 secure element, however the ssl handshake seems to be failing.

We are using esp-idf 5.1 as the documentation indicates that it is possible to configure the esp-http client to use the secure element (https://docs.espressif.com/projects/esp ... 08-for-tls).

The project is correctly configured to use the secure element and we can successfully establish an mTLS connection when manually initialising the ATECC608 (using the esp-cryptoauthlib component) and manually run the needed mbedtls operation.

The problems seem to begin when we try to use the http_client API. Below the snippet of code we use for the http operation:

Code: Select all

    esp_http_client_config_t config = {
        .host = endpoint,
        .port = port,
        .path = api,
        .transport_type = HTTP_TRANSPORT_OVER_SSL,
        .cert_pem = root_ca,
        .method = HTTP_METHOD_POST,
        .event_handler = _http_event_handler,
        .user_data = rxBuffer,
        .keep_alive_enable = true,
        .client_cert_pem = cert,
        .client_cert_len = strlen(cert) + 1,
        .use_secure_element = true
    }

    esp_http_client_handle_t client = esp_http_client_init(&config);
    esp_http_client_set_header(client, "Content-Type", "text/plain; charset=utf-8");
    esp_err_t err = esp_http_client_perform(client);
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "HTTP POST request failed: %s", esp_err_to_name(err));
        ret = -1;
    }
    else {
        int status = esp_http_client_get_status_code(client);
        int64_t len = esp_http_client_get_content_length(client);
        ESP_LOGD(TAG, "HTTP POST Status = %d, content length = %"PRIu64, status, len);
        if (esp_http_client_is_complete_data_received(client)) {
            ESP_LOGD(TAG, "Received response (%d): %s", strlen(rxBuffer), rxBuffer);
        }
    }

    esp_http_client_cleanup(client);
The program initialises the Secure Element correctly, but fails during the handshake operation when calling esp_http_client_perform(). In particular, we tracked it down to ssl_state 16 (MBEDTLS_SSL_NEW_SESSION_TICKET).
Below the relevant console output:

Code: Select all

E (20430) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x7780
I (20440) esp-tls-mbedtls: (FFFF8880): SSL - A fatal alert message was received from our peer
I (20450) esp-tls-mbedtls: Certificate verified.
E (20450) esp-tls: Failed to open new connection
E (20460) transport_base: Failed to open a new connection
E (20470) HTTP_CLIENT: Connection failed, sock < 0
The reason why we need to use the http-client api is that we want to be able to perform an http-ota operation.

Many thanks,
Alex

Who is online

Users browsing this forum: No registered users and 145 guests