
I'm trying to port the azure-iot-sdk-c to an stm32f767zi board and have been having a modest amount of success. However, now that the program is at the point where it is attempting an SSL handshake with the server, mbedtls is failing to verify the certificate that I supplied against the server's certificate. The log line is:

x509_verify_cert() returned -9984 (-0x2700)

Which translates to an MBEDTLS_ERR_X509_CERT_VERIFY_FAILED error

I've tried supplying different certificates (Baltimore CyberTrust Root, Microsoft IT TLS CA 1, using the certificate that gets sent to verify) but all of them fail with the same error.

I've narrowed the failure down to mbedtls_rsa_rsassa_pkcs1_v15_verify() from the mbedtls library which fails with the error:

MBEDTLS_ERR_RSA_INVALID_PADDING

Since I assume that LwIP and mbedtls are working correctly, I'm left to believe that the certificate I'm supplying or one of my configurations is wrong, but I don't know enough about mbedtls/ssl to know which configuration/certificate I should be using.

Overall, my question would be: is the certificate I was using for trying to connect (the Baltimore CyberTrust Root) the right certificate to use, and are there any obvious settings in mbedtls that I didn't set?

Xelynega

1 Answer


You should look at the file certs.c in the Azure IoT SDK. In there you will find the trusted certificates. Pass those to the SetOption in the SDK using the keyword OPTION_TRUSTED_CERT. See the sample iothub_convenience_sample in the repository. It demonstrates this process. Note that it passes all of the certificates in the chain.

I have successfully used the MbedTLS to validate the server certificate using this technique. However, make sure you have cloned the SDK recently. There was recently a fix in the MbedTLS adapter. I don't recall if it will impact this scenario but best be on the safe side.

Mark Radbourne