
I need (because I was told to) to connect to an endpoint that ends up at gooogleapis.com without having a client certificate. RFC5246 says this is possible:

If no suitable certificate is available, the client MUST send a certificate message containing no certificates. That is, the certificate_list structure has a length of zero.

But I have no idea how this can be done. I'm using mbedTLS 2.13.1 in an embedded system. The single example code I have uses a client certificate, and mbedTLS has no documentation about how to do otherwise.

  • Client certificates are not very common in usage, surely you can find an example where the library is used for some random website or REST API? What happens if you simply never specify a client cert when setting up? The ability of things like openssl on a pc to create and likely accept test connections may be useful to you here in order to figure out what is going on. – Chris Stratton Jun 19 '20 at 15:21
  • That's just the problem. There is no example code showing how to make a connection without specifying a client certificate. I've reached out to both mbedTLS and the vendor who supplied the mbedTLS library with their SDK. The vendor has now replied with a question as to which of their many processors I'm using, and I have responded to that. Maybe they will provide some help; I'm still digging into the source code and experimenting, though. Like Thomas Edison, I can now tell you all kinds of things that don't work. – user3337733 Jun 20 '20 at 18:03
  • I simply cannot believe you can't find a third party example of someone using this to fetch a random https webpage. – Chris Stratton Jun 21 '20 at 01:27
  • I think I finally found it in a newer version of mbedtls than what I was provided. It looks like the processor vendor didn't supply the complete mbedtls package. Looking at later versions, there is a 'programs' folder that has an example. The biggest problem is my lack of knowledge about SSL. I kept seeing things like 'CA cert' and then looking elsewhere because I thought I couldn't use certificates at all. Apparently, that is somehow related to the server to which I'm connecting, and not to my side, which is the client. – user3337733 Jun 22 '20 at 17:20
  • Of course, a server side cert is the ordinary case. But a CA cert is not unique to either client or server but rather a trust ancestor of one or the other or both. – Chris Stratton Jun 22 '20 at 19:40
  • I’m voting to close this question because the problem was simply a misunderstanding of the role of client vs server certs. – Chris Stratton Jun 22 '20 at 19:41

1 Answer


I heard back from TrustedFirmware, who now owns mbedTLS:

If you don't want to provision a client certificate in your TLS client, all you have to do is to not call mbedtls_ssl_conf_own_cert() in your client code. Then the library will send an empty certificate list as required by the standard.

Actually in the example code you have, if you look at the second and third argument in the call to mbedtls_ssl_conf_own_cert(), you should be able to remove all references to those arguments, and end up with a functional example without client certificates.

This seems to work.