HTTPS on ESP32 S3 - Impossible to get a valid handshake #88137

JacqueminG · 2025-04-03T21:52:45Z

JacqueminG
Apr 3, 2025

Hi all.

I am quiet new on Zephyr (and I really like, hence my question).

Objective : make a BLE-Wifi bridge with an ESP32 S3 (REST-API)

To start on, I merged the WIFI sample (to have a connection) and the http get sample. To ensure that the RTC time is not an issue for TLS/SSL, I also added SNTP call.

I can easily connect through HTTP
No way to connect in secure mode... (google.com)

I tried many thing, including using fresh R1.der CA cert... in fact almost every "solutions" found on internet or propose by ChatGPT (which is not good at all for Zephyr by the way)
I am getting crazy...

Connected to **WIFI**
[00:00:17.277,000] <inf> net_sntp_client_sample: pool.ntp.org -> 82.64.230.205
[00:00:17.278,000] <inf> net_sntp_client_sample: Sending SNTP IPv4 request...
[00:00:17.312,000] <inf> net_sntp_client_sample: SNTP Time: 1743716109
Preparing HTTP GET request for http(s)://google.com:443/
getaddrinfo status: 0
addrinfo @0x3fcd7830: ai_family=1, ai_socktype=1, ai_protocol=6, sa_family=1, sin_port=1bb
IPv4 Address: 142.250.179.78
Setting TLS Socket
sock = 5
Setting Socket Options
Loading certificate : 1371
Time:1743716109
Connecting to server...
[00:00:17.350,000] <dbg> mbedtls: zephyr_mbedtls_debug: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:1327: The SSL configuration is tls12 only.
--- some exchange stuff and messages dropped ---
--- certificate #1 is truncated due to log limitation ---
[00:00:17.554,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: peer certificate #2:
[00:00:17.554,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: cert. version     : 3
[00:00:17.554,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: serial number     : 7F:F0:05:A0:7C:4C:DE:D1:00:AD:9D:66:A5:10:7B:98
[00:00:17.554,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: issuer name       : C=US, O=Google Trust Services LLC, CN=GTS Root R1
[00:00:17.554,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: subject name      : C=US, O=Google Trust Services, CN=WR2
[00:00:17.554,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: issued  on        : 2023-12-13 09:00:00
[00:00:17.554,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: expires on        : 2029-02-20 14:00:00
[00:00:17.554,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: signed using      : RSA with SHA-256
[00:00:17.554,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: RSA key size      : 2048 bits
[00:00:17.554,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: basic constraints : CA=true, max_pathlen=0
[00:00:17.554,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: key usage         : Digital Signature, Key Cert Sign, CRL Sign
[00:00:17.554,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: ext key usage     : TLS Web Server Authentication, TLS Web Client Authentication
[00:00:17.554,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: certificate policies : ???
[00:00:17.554,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: value of 'crt->rsa.N' (2048 bits) is:
[00:00:17.554,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834:  a9 ff 9c 7f 45 1e 70 a8 53 9f ca d9 e5 0d de 46
--- binary data of the cert---
[00:00:17.555,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: peer certificate #3:
[00:00:17.555,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: cert. version     : 3
[00:00:17.555,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: serial number     : 77:BD:0D:6C:DB:36:F9:1A:EA:21:0F:C4:F0:58:D3:0D
[00:00:17.555,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: issuer name       : C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
[00:00:17.555,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: subject name      : C=US, O=Google Trust Services LLC, CN=GTS Root R1
[00:00:17.555,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: issued  on        : 2020-06-19 00:00:42
[00:00:17.555,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: expires on        : 2028-01-28 00:00:42
[00:00:17.555,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: signed using      : RSA with SHA-256
[00:00:17.555,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: RSA key size      : 4096 bits
[00:00:17.555,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: basic constraints : CA=true
[00:00:17.555,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: key usage         : Digital Signature, Key Cert Sign, CRL Sign
[00:00:17.555,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: certificate policies : ???, ???, ???, ???
[00:00:17.555,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834: value of 'crt->rsa.N' (4096 bits) is:
[00:00:17.555,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7834:  b6 11 02 8b 1e e3 a1 77 9b 3b dc bf 94 3e b7 95
--- binary data of the cert---

Finally... the error

[00:00:17.557,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:9807: Use configuration-specific verification callback
[00:00:17.560,000] <err> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:9858: x509_verify_cert() returned -9984 (-0x2700)
....
[00:00:17.562,000] <inf> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:9958: ! Certificate verification flags 00000008
[00:00:17.562,000] <wrn> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:4617: <= handshake
[00:00:17.562,000] <err> net_sock_tls: TLS handshake error: -0x2700
...
[00:00:17.567,000] <err> mbedtls: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_client.c:1250: bad server hello message
...
[00:00:17.568,000] <err> net_sock_tls: TLS handshake error: -0x7300

Can anyone help me solve this problem and get this HTTPS connection working?

The conf :

CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=1024
CONFIG_MAIN_STACK_SIZE=4096
CONFIG_CPP=y
CONFIG_LOG=y
CONFIG_REQUIRES_FULL_LIBC=y

# WIFI
CONFIG_WIFI=y
CONFIG_WIFI_ESP32=y
CONFIG_ESP32_WIFI_STA_AUTO_DHCPV4=y
CONFIG_WIFI_NM=y
CONFIG_WIFI_NM_MAX_MANAGED_INTERFACES=1

# Network Configuration
CONFIG_NET_CONFIG_AUTO_INIT=n
CONFIG_NET_CONNECTION_MANAGER=y
CONFIG_NET_DHCPV4=y
CONFIG_NET_IF_MAX_IPV4_COUNT=2
CONFIG_NET_IPV4=y
CONFIG_NET_L2_ETHERNET=y
CONFIG_NET_L2_WIFI_MGMT=y
CONFIG_NET_MGMT=y
CONFIG_NET_MGMT_EVENT=y
CONFIG_NET_MGMT_EVENT_INFO=y
CONFIG_NET_MGMT_EVENT_QUEUE_SIZE=10
CONFIG_NET_MGMT_EVENT_STACK_SIZE=4096
#CONFIG_NET_SOCKETS_SERVICE_STACK_SIZE=4096
CONFIG_NET_TCP=y
CONFIG_NET_UDP=y
CONFIG_NETWORKING=y
CONFIG_NET_SOCKETS=y

CONFIG_NET_PKT_RX_COUNT=32
CONFIG_NET_PKT_TX_COUNT=32
CONFIG_NET_BUF_RX_COUNT=32
CONFIG_NET_BUF_TX_COUNT=32
CONFIG_NET_MAX_CONTEXTS=8

# HTTP
#CONFIG_HTTP_CLIENT=y
CONFIG_POSIX_API=y
CONFIG_DNS_RESOLVER=y

# TLS configuration

CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_BUILTIN=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=60000  
CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=8192
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
#CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=3

# Network debug config
CONFIG_LOG_BUFFER_SIZE=18000
CONFIG_NET_LOG=y
CONFIG_MBEDTLS_DEBUG=y
CONFIG_MBEDTLS_LOG_LEVEL_DBG=y
CONFIG_NET_CONFIG_CLOCK_SNTP_INIT=y
CONFIG_NET_CONFIG_SNTP_INIT_RESYNC=y

CONFIG_MBEDTLS_TLS_VERSION_1_2=y
CONFIG_MBEDTLS_CIPHER_ALL_ENABLED=y
CONFIG_MBEDTLS_HASH_ALL_ENABLED=y
CONFIG_MBEDTLS_CMAC=y


CONFIG_MBEDTLS_SERVER_NAME_INDICATION=y

# SNTP
CONFIG_SNTP=y
CONFIG_NET_SOCKETS_LOG_LEVEL_DBG=n
CONFIG_SNTP_LOG_LEVEL_DBG=n
CONFIG_NET_SOCKETS_SERVICE=y

Answered by JacqueminG

Apr 5, 2025

Finally the problem is not originating in RAM or other MBED / TLS / ...

But simply in a conflict between BT and WIFI... Removing CONFIG_BT=y strongly enhance the wifi stability and allows the https request to solve properly...
So for info, concurrent wifi + ble on esp32 s3 is not stable enough to handle tls handshake (whatever the reason)

View full answer

jukkar · 2025-04-04T08:00:44Z

jukkar
Apr 4, 2025
Collaborator

Please check various TLS options here
https://docs.zephyrproject.org/latest/connectivity/networking/net_config_guide.html#tls-options
that could help with the connection.

1 reply

JacqueminG Apr 4, 2025
Author

I tried these options, w, w/o, increasing the values but nothing changed... I still have the same error...

I continue focused on the first error :
#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700

it comes from x509_crt_verify_chain (what a surprise) that return at certain (not found) point :

/** Unavailable feature, e.g. RSA disabled for RSA key. */
#define MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE -0x3980

So I added all the algo I could find :

CONFIG_MBEDTLS_CIPHER_AES_ENABLED=y
CONFIG_MBEDTLS_CIPHER_CAMELLIA_ENABLED=y
CONFIG_MBEDTLS_CIPHER_DES_ENABLED=y
CONFIG_MBEDTLS_CIPHER_CHACHA20_ENABLED=y
CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
CONFIG_MBEDTLS_CIPHER_GCM_ENABLED=y
CONFIG_MBEDTLS_CIPHER_MODE_XTS_ENABLED=y
CONFIG_MBEDTLS_CIPHER_MODE_CBC_ENABLED=y
CONFIG_MBEDTLS_CIPHER_MODE_CTR_ENABLED=y
CONFIG_MBEDTLS_CHACHAPOLY_AEAD_ENABLED=y

CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED=y
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED=y
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y
CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED=y

CONFIG_MBEDTLS_MD5=y
CONFIG_MBEDTLS_SHA1=y
CONFIG_MBEDTLS_SHA224=y
CONFIG_MBEDTLS_SHA256=y
CONFIG_MBEDTLS_SHA384=y
CONFIG_MBEDTLS_SHA512=y
CONFIG_MBEDTLS_POLY1305=y

CONFIG_MBEDTLS_CMAC=y

and tried many thing for hours but nothing solve the issue...

Does somebody can recommend me a board that is for sure able to handle (RAM) TLS + WIFI + BLE stacks (so I can lost time on something that may works)

G

JacqueminG · 2025-04-05T20:50:43Z

JacqueminG
Apr 5, 2025
Author

Finally the problem is not originating in RAM or other MBED / TLS / ...

But simply in a conflict between BT and WIFI... Removing CONFIG_BT=y strongly enhance the wifi stability and allows the https request to solve properly...
So for info, concurrent wifi + ble on esp32 s3 is not stable enough to handle tls handshake (whatever the reason)

1 reply

rnicolas May 27, 2025

I also have the same error ( net_sock_tls: TLS handshake error: -0x2700), with the same board, but in my case I am not using BT at all. I'm just running a helper to configure the wifi, and trying to do a HTTPS POST.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

HTTPS on ESP32 S3 - Impossible to get a valid handshake #88137

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

HTTPS on ESP32 S3 - Impossible to get a valid handshake #88137

Uh oh!

Uh oh!

JacqueminG Apr 3, 2025

Replies: 2 comments · 2 replies

Uh oh!

jukkar Apr 4, 2025 Collaborator

Uh oh!

JacqueminG Apr 4, 2025 Author

Uh oh!

Uh oh!

JacqueminG Apr 5, 2025 Author

Uh oh!

rnicolas May 27, 2025

JacqueminG
Apr 3, 2025

Replies: 2 comments 2 replies

jukkar
Apr 4, 2025
Collaborator

JacqueminG Apr 4, 2025
Author

JacqueminG
Apr 5, 2025
Author