toverainc/willow

Support TLS 1.3

kristiankielhofner opened this issue · 1 comments

We have initial IDF 5.1 support and it has a new mbedtls implementation that supports TLS 1.3. Unfortunately, it errors on HTTP stream to WIS/nginx when TLS 1.3 is enabled:

E (07:52:30.725) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x6C00
E (07:52:30.726) esp-tls: Failed to open new connection
E (07:52:30.729) transport_base: Failed to open a new connection
E (07:52:30.737) HTTP_CLIENT: Connection failed, sock < 0
E (07:52:30.742) AUDIO_ELEMENT: [http_stream_writer] AEL_STATUS_ERROR_OPEN,-1

It appears ESP-TLS does not support TLS 1.3 yet. Initial support was added in master: espressif/esp-idf@7fd1378.

After manually initializing the Mbed TLS PSA library and enabling CONFIG_MBEDTLS_DEBUG in sdkconfig, there's a different error:

W (20:32:56.020) mbedtls: ssl_tls13_generic.c:653 x509_verify_cert() returned -9984 (-0x2700)
W (20:32:56.021) mbedtls: ssl_tls13_generic.c:693 got no CA chain

So it appears CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY doesn't work anymore with TLS 1.3. This appears to be because of MBEDTLS_SSL_VERIFY_NONE not doing what's expected. MBEDTLS_SSL_VERIFY_OPTIONAL still works.
With the following change, cert verification is no longer a problem:

--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -571,7 +571,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
 {
     int ret = 0;
-    int authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
+    int authmode = MBEDTLS_SSL_VERIFY_OPTIONAL;
     mbedtls_x509_crt *ca_chain;
     mbedtls_x509_crl *ca_crl;
     const char *ext_oid;```

But then we hit the next error in esp_tls:

E (21:34:34.251) transport_base: esp_tls_conn_read error, errno=Connection already in progress
E (21:34:34.252) WILLOW/HTTP: failed to get HTTP headers

At this point it's probably better to wait for a new IDF release where it is properly supported.