TLS Handshaking failed due to Error: Cert is self-signed

ddze7374
Posts: 3
Joined: Tue Dec 06, 2016 4:09 pm

TLS Handshaking failed due to Error: Cert is self-signed

Postby ddze7374 » Mon Apr 03, 2017 7:10 pm

Hi,
following the procedure to establish TLS communication found in the User Manual 5A-ESP8266_SDK_SSL v1.4 (the most recent I could get), a CA certificate in DER format is flashed to the ESP8266-01 at location 7C (7C000). The certificate is of a self-signed type.

Unfortunately, running the code flags an error
ca.cer 391
distinguished names: [broker], [broker]
distinguished names: [anon-org], [anon-org]
distinguished names: [machine], [machine]
a self-signed certificate that is not in the CA store
before 1490486400, tv_sec 1491244537, after 1963526400
distinguished names: [broker], [broker]
distinguished names: [anon-org], [anon-org]
distinguished names: [machine], [machine]
client handshake failed
Error: cert is self-signed

PORT CLOSED


So, I am not clear on the meaning of the messages. Are they telling me that the certificate is not found in the flash (though the first line detects the certificate ca.cer 391)? Or is it that the ESP8266 handshaking routine cannot deal with self-signed certificates?

I tried to look it up in the code but only traced the call to espconn_secure_connect and could not go beyond the declaration in the header file.
I would appreciate any clarification.
Regards

pratik
Posts: 383
Joined: Wed Jun 29, 2016 7:17 pm
Location: India

Re: TLS Handshaking failed due to Error: Cert is self-signed

Postby pratik » Wed Apr 05, 2017 2:51 pm

A self-signed certificate is perfectly all right. You may want to assign it dynamically, though, instead of putting it at a flash address, as that introduces the possibility of all kinds of errors such as flash read issues and misalignment.
If the ESP8266 is working as a server, the client needs to ignore the fact that the certificate is not a valid one. Browsers like Firefox will ask you to add a security exception in that case.
Regards,
Pratik Panda
Website: http://www.PratikPanda.com

Custom firmware, Knowledge base and freelancing (ESP8266/ESP32):
http://www.iot-bits.com

ddze7374
Posts: 3
Joined: Tue Dec 06, 2016 4:09 pm

Re: TLS Handshaking failed due to Error: Cert is self-signed

Postby ddze7374 » Thu Apr 06, 2017 6:53 am

Not long after my post, I solved that problem with the server authentication, which now works fine. Still, thank you Pratik,
in particular for the suggestion of inserting it dynamically, which is also good in the case of certificate revocation.

By the way, do you happen to know anything about the error message during the client authentication?

client handshake start.
espconn_mbedtls.c 652, type[private_key],length[1675]
client handshake failed!
Reason:[-0x7f00]


That one seems a lot more puzzling. I am using TLSv1.2 during the handshake and inserted the private key-certificate at location 7A.

Regards
Damir
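As an added example (not code from this thread, Espressif's SDK or mbedtls), a small Python triage routine run over constructed copies of the two log excerpts posted above. It assumes the SDK's "distinguished names" lines print a subject/issuer pair and that the Reason code is a stock mbedtls error code as defined in mbedtls ssl.h; under those assumptions it shows that the validity-window check (before/tv_sec/after) in the first log passes, so the rejection comes from the trust-store check alone, and decodes -0x7f00 in the second log to an allocation failure, which points at heap pressure rather than a malformed key.

```python
import re

# Constructed copies of the two log excerpts posted in the thread.
SERVER_AUTH_LOG = """\
ca.cer 391
distinguished names: [broker], [broker]
distinguished names: [anon-org], [anon-org]
distinguished names: [machine], [machine]
a self-signed certificate that is not in the CA store
before 1490486400, tv_sec 1491244537, after 1963526400
client handshake failed
Error: cert is self-signed
"""
CLIENT_AUTH_LOG = """\
client handshake start.
espconn_mbedtls.c 652, type[private_key],length[1675]
client handshake failed!
Reason:[-0x7f00]
"""

# Negative mbedtls error code as defined in mbedtls ssl.h (assumption: the SDK
# bundles a stock mbedtls; check the header shipped with your SDK version).
MBEDTLS_SSL_ERRORS = {0x7F00: "MBEDTLS_ERR_SSL_ALLOC_FAILED (memory allocation failed)"}

DN_RE = re.compile(r"distinguished names: \[(.*?)\], \[(.*?)\]")
TIME_RE = re.compile(r"before (\d+), tv_sec (\d+), after (\d+)")
BLOB_RE = re.compile(r"type\[(\w+)\],length\[(\d+)\]")
REASON_RE = re.compile(r"Reason:\[-0x([0-9a-fA-F]+)\]")


def triage(log: str) -> dict:
    """Extract the checks the SDK reports and say which one actually failed."""
    findings = {"trust_failure": "not in the CA store" in log}
    dns = DN_RE.findall(log)
    if dns:
        # Assumption: each line prints one subject/issuer name pair; if every
        # pair is equal the certificate is self-signed (issuer == subject).
        findings["self_signed"] = all(subj == issuer for subj, issuer in dns)
    m = TIME_RE.search(log)
    if m:
        not_before, now, not_after = map(int, m.groups())
        findings["time_valid"] = not_before <= now <= not_after  # epoch seconds
    m = BLOB_RE.search(log)
    if m:  # what was read from flash: blob type and its size in bytes
        findings["blob"] = (m.group(1), int(m.group(2)))
    m = REASON_RE.search(log)
    if m:
        code = int(m.group(1), 16)
        findings["reason"] = MBEDTLS_SSL_ERRORS.get(code, f"unknown code -0x{code:04x}")
    return findings
```

Call `triage(SERVER_AUTH_LOG)` and `triage(CLIENT_AUTH_LOG)` to see the findings for each excerpt.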

pratik
Posts: 383
Joined: Wed Jun 29, 2016 7:17 pm
Location: India

Re: TLS Handshaking failed due to Error: Cert is self-signed

Postby pratik » Fri Apr 07, 2017 2:20 pm

No idea on this one, I have never had this one before!
I'll let you know if I can figure out what this is.
Regards,
Pratik Panda
Website: http://www.PratikPanda.com

Custom firmware, Knowledge base and freelancing (ESP8266/ESP32):
http://www.iot-bits.com
