问题描述
我正在尝试在我的 IoT 项目中实施 SSL 客户端。我已将在 STM32Cube_FW_F7_V1.15.0 中找到的 SSL_Client 示例复制到我的项目中,并且能够成功编译。但是 SSL 握手失败并显示 -0x7780 MbedTLS_ERR_SSL_FATAL_ALERT_MESSAGE。我附上控制台调试输出:
. seeding the random number generator... ok
. Loading the CA root certificate ... ok (1 skipped)
. Connecting to tcp/www.google.de/443... ok
. Setting up the SSL/TLS structure... ok
. Performing the SSL/TLS handshake...=> handshake
client state: 0
=> flush output
<= flush output
client state: 1
=> flush output
<= flush output
=> write client hello
client hello,max version: [3:3]
dumping 'client hello,random bytes' (32 bytes)
0000: 88 d9 c4 b1 4f 82 ef a2 74 80 5c 6e 3f c4 29 ca ....O...t.\n?.).
0010: a4 8d 61 2b f6 37 ec 93 39 cb 7d d0 39 5a 67 9b ..a+.7..9.}.9Zg.
client hello,session id len.: 0
dumping 'client hello,session id' (0 bytes)
client hello,add ciphersuite: c02b
client hello,add ciphersuite: c031
client hello,add ciphersuite: c02d
client hello,add ciphersuite: 00a8
client hello,got 4 ciphersuites (excluding SCSVs)
adding EMPTY_RENEGOTIATION_INFO_SCSV
client hello,compress len.: 1
client hello,compress alg.: 0
client hello,adding server name extension: mbed TLS Server 1
client hello,adding signature_algorithms extension
client hello,adding supported_elliptic_curves extension
client hello,adding supported_point_formats extension
client hello,adding encrypt_then_mac extension
client hello,adding extended_master_secret extension
client hello,total extension length: 62
=> write handshake message
=> write record
output record: msgtype = 22,version = [3:3],msglen = 117
dumping 'output record sent to network' (122 bytes)
0000: 16 03 03 00 75 01 00 00 71 03 03 88 d9 c4 b1 4f ....u...q......O
0010: 82 ef a2 74 80 5c 6e 3f c4 29 ca a4 8d 61 2b f6 ...t.\n?.)...a+.
0020: 37 ec 93 39 cb 7d d0 39 5a 67 9b 00 00 0a c0 2b 7..9.}.9Zg.....+
0030: c0 31 c0 2d 00 a8 00 ff 01 00 00 3e 00 00 00 16 .1.-.......>....
0040: 00 14 00 00 11 6d 62 65 64 20 54 4c 53 20 53 65 .....mbed TLS Se
0050: 72 76 65 72 20 31 00 0d 00 0a 00 08 04 03 04 01 rver 1..........
0060: 03 03 03 01 00 0a 00 04 00 02 00 17 00 0b 00 02 ................
0070: 01 00 00 16 00 00 00 17 00 00 ..........
=> flush output
message length: 122,out_left: 122
ssl->f_send() returned 122 (-0xffffff86)
<= flush output
<= write record
<= write handshake message
<= write client hello
client state: 2
=> flush output
<= flush output
=> parse server hello
=> read record
=> fetch input
in_left: 0,nb_want: 5
in_left: 0,nb_want: 5
ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
<= fetch input
dumping 'input record header' (5 bytes)
0000: 15 03 03 00 02 .....
input record: msgtype = 21,msglen = 2
=> fetch input
in_left: 5,nb_want: 7
in_left: 5,nb_want: 7
ssl->f_recv(_timeout)() returned 2 (-0xfffffffe)
<= fetch input
dumping 'input record from network' (7 bytes)
0000: 15 03 03 00 02 02 28 ......(
got an alert message,type: [2:40]
is a fatal alert message (msg 40)
mbedtls_ssl_handle_message_type() returned -30592 (-0x7780)
mbedtls_ssl_read_record() returned -30592 (-0x7780)
<= handshake
Failed
! mbedtls_ssl_handshake returned -0x7780
解决方法
客户端你好,添加服务器扩展名:mbed TLS Server 1
客户端使用 SNI 扩展来表示它想与 mbed TLS Server 1
通话。 www.google.de
端口 443 上的服务器可以响应为 www.google.de
、google.de
以及 Google 控制的一堆其他名称,但它确实知道 mbed TLS Server 1
,因此它会发送一个表示无法完成握手的致命警报。
您可以按原样使用示例客户端与源代码应该在它旁边的示例服务器通信。要联系另一台服务器,您需要更改或删除对 mbedtls_ssl_set_hostname
的调用。