Usage of MbedTLS with TCP sockets

ligert123 · May 9, 2021, 7:41am

Hello, i have been trying to setup an encrypted TCP server connection using MbedTLS and i have been having trouble getting it working.
I keep receiving: MbedTLS error code -31104: SSL - Processing of the ServerHello handshake message failed whenever the client attempts to do its handshake.
Why would this be occurring?
server

function loopSecure(port, db)
        server = Sockets.listen(port)
        control_channel = Channel(10)
        task = @async begin
            while true
                if(isready(control_channel))
                    val = take!(control_channel)
                    if(val == false)
                        break
                    end
                end
                conn = TCPSocket()
                err = -1
                while(err != 0)
                    err = Sockets.accept_nonblock(server,conn)
                    sleep(0.001)
                end
                @debug "Accepted " conn err
                @async begin
                    @debug "Secure Connection Start"
                    entropy = MbedTLS.Entropy()
                    rng = MbedTLS.CtrDrbg()
                    MbedTLS.seed!(rng, entropy)
                    ctx = MbedTLS.SSLContext()
                    conf = MbedTLS.SSLConfig()
        
                    MbedTLS.config_defaults!(conf)
                    MbedTLS.authmode!(conf, MbedTLS.MBEDTLS_SSL_VERIFY_REQUIRED)
                    MbedTLS.rng!(conf, rng)
                    MbedTLS.ca_chain!(conf)
                    MbedTLS.setup!(ctx, conf)
                    MbedTLS.set_bio!(ctx, conn)
                    MbedTLS.handshake(ctx)

                    state = 0
                    time_start = 0
                    while true
                        if(processConnection(conn, db) )
                            state = 0
                        else
                            if(state == 0)
                                time_start = now()
                                state = 1
                            elseif(state == 1)
                                if(now() - time_start >= Minute(1))
                                    @debug "Connection Timeout." conn
                                    break

                                end
                                
                            end
                        end
                        sleep(0.1)
                    end
                end
            end
            close(server)
        end
        return server, control_channel
    end

client

client=Sockets.connect(8081)
entropy = MbedTLS.Entropy()
rng = MbedTLS.CtrDrbg()
MbedTLS.seed!(rng, entropy)
ctx = MbedTLS.SSLContext()
conf = MbedTLS.SSLConfig()
MbedTLS.config_defaults!(conf)
MbedTLS.authmode!(conf, MbedTLS.MBEDTLS_SSL_VERIFY_REQUIRED)
MbedTLS.rng!(conf, rng)
MbedTLS.ca_chain!(conf)
MbedTLS.setup!(ctx, conf)
MbedTLS.set_bio!(ctx, client)
MbedTLS.handshake(ctx)

write(client,buffer)
flush(client)
tmp = readavailable(client)

ligert123 · May 11, 2021, 1:43am

Is anyone able to help or able to point me to someone who could?

Sukera · May 11, 2021, 5:31am

At least on the client side, you’re writing to the wrong thing. MbedTLS does the writing to client for you, you just have to write to ctx after the handshake. See the example from the README for details.

I haven’t used MbedTLS for the server side yet, but I think you’re making the same mistake there - passing conn instead of ctx.

Are you using the non-blocking busy loop for accepting the connection on purpose? Personally, I’d use a single task for accepting connections and just pass the resulting socket into a Channel, from which processing threads take and process the connection (including TLS etc).

ligert123 · May 11, 2021, 6:37am

Thanks for the feedback, yeah i found that issue but i seem to be having an issue during the handshake so it never actually reached that bit of code properly.

Also i was using it that way because the blocking was blocking other server threads. I do like that idea of using the channel though, that should make it able to scale better i feel which is important for this task.
I feel the server may need extra code or something but i didnt see any real examples other than the one readme one

ligert123 · May 11, 2021, 7:06am

It seems to be a certificate issue, the SSLConfig needs to take in paths to a certificates public and private keys.
A certificate can be made on linux using openssl req -x509 -nodes -newkey rsa:2048 -keyout selfsigned_client.key -out selfsigned_client.cert
This will however not be able to work by default as it is not signed by a certificate authority, so you need to do MbedTLS.authmode!(conf, MbedTLS.MBEDTLS_SSL_VERIFY_NONE) after conf = MbedTLS.SSLConfig() to disable that check.
This should only be done for development purposes id assume though as its unsafe