HTTPS Client and Server Not Working Well Together


ChMa_3922746

I am running a concurrent HTTPS server and client on a CYW943907AEVAL1F eval board. The code I am using is based upon these two SDK examples:

1) HTTPS server: /apps/demo/appliance: configured for TLS; I use my browser to manually connect to it periodically (STA network)

2) HTTPS client: httpbin_org.c: configured for TLS; the code periodically accesses a remote web server on the Internet (STA network)

Everything works fine for a period of time, but inevitably, I get the following TLS error:

mbedtls_ssl_handshake returned ffff8b80 (occurs at step 4), which translates to:

#define MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE -0x7480  /**< No client certification received from the client, but required by the authentication mode. */

This error only affects the HTTPS server (web browser accesses fail and never recover).

However, the HTTPS client accesses to a remote web site continue to function normally.

The failure doesn't seem to correlate to the occurrence of simultaneous server and client accesses (which I thought might be the problem). It is curious that doing a wiced_network_down then wiced_network_up doesn't solve the problem (nor does wiced_tls_deinit_identity( &tls_identity)); it seems that server and client continue to behave in the same way. Only a reboot fixes things.

Has anyone pushed the device this far before and had dependable operation?

ChMa_3922746

Well, here is a tidbit of information which is quite interesting: when I comment out the following from the HTTPS client setup code, I don't seem to "lose" the server connection:

wiced_tls_init_root_ca_certificates( server_root_ca_certificate, strlen(server_root_ca_certificate) );

The command above sets up the certificate (root CA) for the client: by removing it, the client loses the ability to verify the server certificate. But the TLS still works from a functional point of view.

Has anyone tried both server and client concurrently and found if the server root CA could be init'd?


I came across the document "Cypress WICED Studio API Reference Guide". It allows the conflict to be explained: when running a client and server over TLS, installing the root certificate(s) using wiced_tls_init_root_ca_certificates() causes two effects:

1) For the client: "RootCA certificates are ... loaded and verified against the peer server certificate"

2) For the server: "RootCA certificates are ... loaded and verified against the peer client certificate"

Hence, my test is failing because the server is now attempting to verify against the peer client certificate. The peer client happens to be a browser.

I have verified that this is not a problem if I update the client and server certificates to be signed by the same CA. Then, they both work together!
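The effect quoted from the API guide above, and the earlier reply's observation that dropping the root CA call keeps the server working at the cost of client-side verification, reconstructed as an added example. This is not code from the thread or from the WICED SDK: it uses Go's crypto/tls over loopback TCP on a host instead of mbedTLS on the board, because Go can mint throw-away CAs and leaf certificates offline from the standard library. The names applianceRoot, remoteRoot, boardServer, browser, SharedRoot and SeparateRoles are this example's own, and modelling wiced_tls_init_root_ca_certificates() as "one root store applied to both roles" is an assumption drawn from the quoted guide text, not from the SDK source. SharedRoot reproduces both halves of the thread: a browser with no client certificate is refused by a server that requires one against the client role's root (the reported failure), while a client certificate chaining to that root is accepted (the accepted answer's workaround). SeparateRoles shows the per-role alternative: the server requests no client certificate, yet the client role keeps its root and still rejects a remote server signed by a different CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ca is constructed test material: a fresh key and self-signed root on every run.
type ca struct{ cert *x509.Certificate; key *ecdsa.PrivateKey; pool *x509.CertPool }

func newCA(name string) ca {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return ca{cert, key, pool}
}

// leaf issues an end-entity cert signed by c, for server (SAN 127.0.0.1) or client use.
func (c ca) leaf(name string, usage x509.ExtKeyUsage) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}}
	der, _ := x509.CreateCertificate(rand.Reader, t, c.cert, &key.PublicKey, c.key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Thread setup (constructed): the board's HTTPS server chains to applianceRoot; its HTTPS client must trust remoteRoot.
var applianceRoot = newCA("appliance root")
var remoteRoot = newCA("remote web server root")
var serverCert = applianceRoot.leaf("board https server", x509.ExtKeyUsageServerAuth)

// handshake runs one TLS handshake over loopback TCP; nil means both ends completed.
func handshake(srv, cli *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			raw.SetDeadline(time.Now().Add(5 * time.Second))
			err = tls.Server(raw, srv).Handshake()
		}
		srvErr <- err
	}()
	c, cliErr := tls.Dial("tcp", ln.Addr().String(), cli)
	if cliErr == nil {
		c.Close()
	}
	return errors.Join(<-srvErr, cliErr)
}

// browser is the peer hitting the board's server; it offers a client cert only if given one.
func browser(cc ...tls.Certificate) *tls.Config {
	return &tls.Config{RootCAs: applianceRoot.pool, ServerName: "127.0.0.1", Certificates: cc}
}
// boardServer is the board's HTTPS server with an explicit client-auth policy.
func boardServer(auth tls.ClientAuthType, clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: auth, ClientCAs: clientCAs}
}

// SharedRoot reproduces the thread: the root loaded for the client role also lands in the server
// role as a required client-cert check. No client cert is refused; one chaining to that root passes.
func SharedRoot() (browserRejected, sameCAAccepted bool) {
	srv := boardServer(tls.RequireAndVerifyClientCert, remoteRoot.pool)
	cc := remoteRoot.leaf("browser", x509.ExtKeyUsageClientAuth)
	return handshake(srv, browser()) != nil, handshake(srv, browser(cc)) == nil
}

// SeparateRoles is the per-role alternative: the server asks for no client cert, while the
// client role keeps remoteRoot and still rejects a remote server that chains elsewhere.
func SeparateRoles() bool {
	remoteClient := &tls.Config{RootCAs: remoteRoot.pool, ServerName: "127.0.0.1"}
	remote := &tls.Config{Certificates: []tls.Certificate{remoteRoot.leaf("remote site", x509.ExtKeyUsageServerAuth)}}
	impostor := &tls.Config{Certificates: []tls.Certificate{applianceRoot.leaf("impostor", x509.ExtKeyUsageServerAuth)}}
	return handshake(boardServer(tls.NoClientCert, nil), browser()) == nil &&
		handshake(remote, remoteClient) == nil && handshake(impostor, remoteClient) != nil
}

func main() { fmt.Println(SharedRoot()); fmt.Println(SeparateRoles()) }
```

Run it with `go run` on a host; it prints `true true` for SharedRoot and `true` for SeparateRoles. In mbedTLS terms the first scenario is a server ssl_config whose authmode is MBEDTLS_SSL_VERIFY_REQUIRED, which is exactly the condition under which mbedtls_ssl_handshake returns MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE when a browser answers the CertificateRequest with an empty Certificate message; the third scenario corresponds to giving the server role its own config with mbedtls_ssl_conf_authmode() set to MBEDTLS_SSL_VERIFY_NONE while the client role keeps MBEDTLS_SSL_VERIFY_REQUIRED and its CA chain. Whether the WICED wrapper exposes that per-role split is not something this thread establishes.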