Support TLS 1.3
kristiankielhofner opened this issue · 1 comments
We have initial IDF 5.1 support and it has a new mbedtls implementation that supports TLS 1.3. Unfortunately, it errors on HTTP stream to WIS/nginx when TLS 1.3 is enabled:
E (07:52:30.725) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x6C00
E (07:52:30.726) esp-tls: Failed to open new connection
E (07:52:30.729) transport_base: Failed to open a new connection
E (07:52:30.737) HTTP_CLIENT: Connection failed, sock < 0
E (07:52:30.742) AUDIO_ELEMENT: [http_stream_writer] AEL_STATUS_ERROR_OPEN,-1
It appears ESP-TLS does not support TLS 1.3 yet. Initial support was added in master: espressif/esp-idf@7fd1378.
After manually initializing the Mbed TLS PSA library and enabling CONFIG_MBEDTLS_DEBUG in sdkconfig, there's a different error:
W (20:32:56.020) mbedtls: ssl_tls13_generic.c:653 x509_verify_cert() returned -9984 (-0x2700)
W (20:32:56.021) mbedtls: ssl_tls13_generic.c:693 got no CA chain
So it appears CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY doesn't work anymore with TLS 1.3. This appears to be because of MBEDTLS_SSL_VERIFY_NONE not doing what's expected. MBEDTLS_SSL_VERIFY_OPTIONAL still works.
With the following change, cert verification is no longer a problem:
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -571,7 +571,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
{
int ret = 0;
- int authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
+ int authmode = MBEDTLS_SSL_VERIFY_OPTIONAL;
mbedtls_x509_crt *ca_chain;
mbedtls_x509_crl *ca_crl;
const char *ext_oid;```
But then we hit the next error in esp_tls:
E (21:34:34.251) transport_base: esp_tls_conn_read error, errno=Connection already in progress
E (21:34:34.252) WILLOW/HTTP: failed to get HTTP headers
At this point it's probably better to wait for a new IDF release where it is properly supported.