Fix #1025: Gateway erroneously forced to use TLS v1.3, preventing it …

…from establishing a connection using TLS v1.2, resulting in SSL_HANDSHAKE_FAILED when connecting to Azure IoT Hub (#1042)
ruuvi · May 6, 2024 · 097316e · 097316e
1 parent b7b1046
commit 097316e
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 1 deletion.
diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c
@@ -118,9 +118,19 @@ esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const
     mbedtls_esp_enable_debug_log(&tls->conf, CONFIG_MBEDTLS_DEBUG_LEVEL);
 #endif
 
-#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_2
+    mbedtls_ssl_conf_min_tls_version(&tls->conf, MBEDTLS_SSL_VERSION_TLS1_2);
+#elif defined(CONFIG_MBEDTLS_SSL_PROTO_TLS1_3)
     mbedtls_ssl_conf_min_tls_version(&tls->conf, MBEDTLS_SSL_VERSION_TLS1_3);
+#else
+#error "TLS version not defined"
+#endif
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
     mbedtls_ssl_conf_max_tls_version(&tls->conf, MBEDTLS_SSL_VERSION_TLS1_3);
+#elif defined(CONFIG_MBEDTLS_SSL_PROTO_TLS1_2)
+    mbedtls_ssl_conf_max_tls_version(&tls->conf, MBEDTLS_SSL_VERSION_TLS1_2);
+#else
+#error "TLS version not defined"
 #endif
 
     if ((ret = mbedtls_ssl_setup(&tls->ssl, &tls->conf)) != 0) {

diff --git a/components/mbedtls/mbedtls/library/ssl_client.c b/components/mbedtls/mbedtls/library/ssl_client.c
@@ -464,17 +464,21 @@ static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
     *out_len = 0;
     *binders_len = 0;
 
+    MBEDTLS_SSL_DEBUG_MSG(2, ("%s: handshake->min_tls_version=%u", __func__, handshake->min_tls_version));
+    MBEDTLS_SSL_DEBUG_MSG(2, ("%s: ssl->tls_version=%u", __func__, ssl->tls_version));
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
     unsigned char propose_tls12 =
         (handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2)
         &&
         (MBEDTLS_SSL_VERSION_TLS1_2 <= ssl->tls_version);
+    MBEDTLS_SSL_DEBUG_MSG(2, ("%s: propose_tls12=%u", __func__, propose_tls12));
 #endif
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
     unsigned char propose_tls13 =
         (handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3)
         &&
         (MBEDTLS_SSL_VERSION_TLS1_3 <= ssl->tls_version);
+    MBEDTLS_SSL_DEBUG_MSG(2, ("%s: propose_tls13=%u", __func__, propose_tls12));
 #endif
 
     /*

diff --git a/components/mbedtls/mbedtls/library/ssl_tls.c b/components/mbedtls/mbedtls/library/ssl_tls.c
@@ -1391,7 +1391,10 @@ int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
     if ((ret = ssl_conf_check(ssl)) != 0) {
         return ret;
     }
+    MBEDTLS_SSL_DEBUG_MSG(2, ("%s: ssl->conf->min_tls_version=%u", __func__, ssl->conf->min_tls_version));
+    MBEDTLS_SSL_DEBUG_MSG(2, ("%s: ssl->conf->max_tls_version=%u", __func__, ssl->conf->max_tls_version));
     ssl->tls_version = ssl->conf->max_tls_version;
+    MBEDTLS_SSL_DEBUG_MSG(2, ("%s: set tls_version=%u", __func__, ssl->tls_version));
 
     /*
      * Prepare base structures