Mutual TLS using secure element ATECC608
Posted: Wed Jun 14, 2023 4:27 pm
Hello,
we are trying to establish mTLS using the ATECC608 secure element, however the SSL handshake seems to be failing.
We are using esp-idf 5.1 as the documentation indicates that it is possible to configure the esp-http client to use the secure element (https://docs.espressif.com/projects/esp ... 08-for-tls).
The project is correctly configured to use the secure element and we can successfully establish an mTLS connection when manually initialising the ATECC608 (using the esp-cryptoauthlib component) and manually running the needed mbedtls operations.
The problems seem to begin when we try to use the http_client API. The program initialises the Secure Element correctly, but fails during the handshake operation when calling esp_http_client_perform(). In particular, we tracked it down to ssl_state 16 (MBEDTLS_SSL_NEW_SESSION_TICKET).
The reason why we need to use the http-client API is that we want to be able to perform an http-ota operation.
Below is the snippet of code we use for the http operation:
#include <string.h>
#include <inttypes.h>
#include "esp_log.h"
#include "esp_http_client.h"

/* endpoint, port, api, root_ca, cert, rxBuffer, ret and _http_event_handler
 * are defined elsewhere in our code. */
esp_http_client_config_t config = {
    .host = endpoint,
    .port = port,
    .path = api,
    .transport_type = HTTP_TRANSPORT_OVER_SSL,
    .cert_pem = root_ca,                      /* server CA, PEM */
    .method = HTTP_METHOD_POST,
    .event_handler = _http_event_handler,
    .user_data = rxBuffer,
    .keep_alive_enable = true,
    .client_cert_pem = cert,                  /* client certificate, PEM */
    .client_cert_len = strlen(cert) + 1,      /* PEM length must include the NUL */
    .use_secure_element = true                /* private key stays in the ATECC608 */
};                                            /* ';' was missing in the original snippet */
esp_http_client_handle_t client = esp_http_client_init(&config);
esp_http_client_set_header(client, "Content-Type", "text/plain; charset=utf-8");
esp_err_t err = esp_http_client_perform(client);
if (err != ESP_OK) {
    ESP_LOGE(TAG, "HTTP POST request failed: %s", esp_err_to_name(err));
    ret = -1;
}
else {
    int status = esp_http_client_get_status_code(client);
    int64_t len = esp_http_client_get_content_length(client);
    /* content length is int64_t, so PRId64 rather than PRIu64 */
    ESP_LOGD(TAG, "HTTP POST Status = %d, content length = %" PRId64, status, len);
    if (esp_http_client_is_complete_data_received(client)) {
        ESP_LOGD(TAG, "Received response (%d): %s", (int)strlen(rxBuffer), rxBuffer);
    }
}
esp_http_client_cleanup(client);
Below the relevant console output:
E (20430) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x7780
I (20440) esp-tls-mbedtls: (FFFF8880): SSL - A fatal alert message was received from our peer
I (20450) esp-tls-mbedtls: Certificate verified.
E (20450) esp-tls: Failed to open new connection
E (20460) transport_base: Failed to open a new connection
E (20470) HTTP_CLIENT: Connection failed, sock < 0
Many thanks,
Alex
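The two esp-tls log lines above carry the same mbedtls return code in two spellings: -0x7780 is MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE, and the FFFF8880 in the following line is that value as a 32-bit two's-complement word. mbedtls packs two error sources into one negative integer (a high-level module code in bits 7..14, a low-level code in bits 0..6, the split that mbedtls_strerror() uses), so it helps to pull a reported code apart before reading it. The decoder below is an added example written for this thread, not code from the original post or from ESP-IDF; the name table is a hand-picked subset of constants from the mbedtls headers (check your mbedtls version), and the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <inttypes.h>

/* Split an mbedtls return code into its high-level (module) and low-level parts.
 * The high-level code occupies bits 7..14 (mask 0xFF80) of the magnitude, the
 * low-level code bits 0..6 (mask 0x007F); this matches mbedtls_strerror(). */
void split_mbedtls_error(int ret, int *high, int *low)
{
    unsigned int mag = (ret < 0) ? (unsigned int)(-ret) : (unsigned int)ret;
    *high = (int)(mag & 0xFF80u);
    *low  = (int)(mag & 0x007Fu);
}

/* Convert the 32-bit word esp-tls prints in its "(FFFF8880):" prefix back to
 * the signed mbedtls return code (two's complement reinterpretation). */
int code_from_esp_tls_log(uint32_t printed)
{
    return (int)(int32_t)printed;
}

/* Hand-picked subset of SSL/X509 high-level codes (values from mbedtls ssl.h
 * and x509.h); extend as needed for the codes your firmware actually reports. */
static const struct { int high; const char *name; } k_high_names[] = {
    { 0x7780, "MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE" },
    { 0x7880, "MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY" },
    { 0x7580, "MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED" },
    { 0x7480, "MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE" },
    { 0x7080, "MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED" },
    { 0x2700, "MBEDTLS_ERR_X509_CERT_VERIFY_FAILED" },
};

const char *mbedtls_high_level_name(int high)
{
    for (size_t i = 0; i < sizeof k_high_names / sizeof k_high_names[0]; i++) {
        if (k_high_names[i].high == high) {
            return k_high_names[i].name;
        }
    }
    return "unknown high-level code";
}

/* Render a code in both forms seen in the esp-tls log, plus the decoded parts.
 * Returns the number of characters snprintf would have written. */
int describe_mbedtls_error(int ret, char *out, size_t out_len)
{
    int high, low;
    split_mbedtls_error(ret, &high, &low);
    return snprintf(out, out_len,
                    "-0x%04X (%08" PRIX32 "): high=-0x%04X %s, low=-0x%04X",
                    (unsigned)(-ret), (uint32_t)ret,
                    (unsigned)high, mbedtls_high_level_name(high), (unsigned)low);
}

int main(void)
{
    char buf[160];
    /* Constructed from the log line in the post above: "(FFFF8880)". */
    describe_mbedtls_error(code_from_esp_tls_log(0xFFFF8880u), buf, sizeof buf);
    puts(buf);
    return 0;
}
```

For -0x7780 the low-level part is zero, so the whole story is "the peer sent a fatal alert"; which alert (level and description) it sent is not in these log lines. ESP-IDF can print it by enabling mbedTLS debugging in menuconfig (CONFIG_MBEDTLS_DEBUG and its debug level), which is the next thing to capture when a handshake fails after "Certificate verified." on the client side.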