Mbed TLS

[中文]

Does ESP8266 OpenSSL support hostname validation?

Yes. ESP8266 OpenSSL is based on Mbed TLS encapsulation, which supports hostname validation. ESP-TLS can be used to switch between Mbed TLS and wolfSSL.

How to optimize memory when ESP32 uses Mbed TLS?

  • You can enable dynamic buffer in menuconfig, the specific operation is menuconfig > Component config > mbedTLS > Using dynamic TX/RX buffer (key "Y" to enable).

  • At the same time, you can enable the sub-options Free SSL peer certificate after its usage and Free certificate, key and DHM data after its usage in the Using dynamic TX/RX buffer in the previous step.

  • However, ESP-IDF v5.0 and later no longer have sub-optioin Free SSL peer certificate after its usage, and Mbed TLS enables MBEDTLS_SSL_KEEP_PEER_CERTIFICATE by default. If you want to save memory, you can close it by menuconfig > Component config > mbedTLS > mbedTLS v3.x related > Keep peer certificate after handshake completion (key "N" to disable).

When I connected an ESP32 module with the HTTPS Server, I got the following log. What is the reason?

free heap size: 181784 bytes
I (4285) esp_https_server: Starting server
E (4285) esp_https_server: Could not allocate memory
I (4295) example: Error starting server!
I (4295) SSDP Server: SSDP server started
free heap size: 178636 bytes

  • The error is caused by low memory. The log shows that you use the esp_get_free_heap_size() API to get the remaining memory. However, the remaining memory includes the chip’s internal RAM as well as external PSRAM.

  • By default, mbedTLS uses internal RAM memory, and you can use the esp_get_free_internal_heap_size() API to obtain the remaining internal memory.

  • If the module has an external PSRAM, you can modify the configuration from menuconfig > Component config > mbedTLS > Memory allocation strategy > Internal memory to menuconfig > Component config > mbedTLS > Memory allocation strategy > External SPIRAM for testing.

When resolving a hostname on ESP32, I encountered the following error. What could be the reason?

getaddrinfo() returns 202, addrinfo=0x0

  • The error is caused by DNS request timeout.

  • You can enable DNS log with the debug level or capture wireless packets for further analysis.

  • To enable the debug level DNS log, you can add #define DNS_DEBUG LWIP_DBG_ON code to the esp-idf/components/lwip/lwip/src/include/lwip/opt.h file, and then enable the Component config > LWIP > Enable LWIP Debug configuration.

Why does the following mbedtls software error occur when I develop applications based on the esp-idf SDK?

E: esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x4290
E: esp-tls: Failed to open new connection
E: transport_base: Failed to open a new connection
E: HTTP_CLIENT: Connection failed, sock < 0
E: HTTP_CLIENT: Failed to open HTTP connection: ESP_ERR_HTTP_CONNECT

  • The mbedtls error code is 0x4290, which is generally 0x4280 + 0x10. 0x4280 represents the error stage MBEDTLS_ERR_RSA_PUBLIC_FAILED, and 0x10 indicates that the cause of this error stage is MBEDTLS_ERR_MPI_ALLOC_FAILED, which means that this error stage is caused by a failure in memory allocation.

  • For the meanings for mbedtls error codes, refer to Mbed TLS error codes.

The following error occurred when I ran the esp-idf/examples/protocols/https_mbedtls example on ESP32 to connect to a TLS v1.3 server in the ESP-IDF v5.1.2 SDK. What could be the reason?

E(53769) example: mbedtls_ssl_handshake returned -0x6c00
I(53779) mbedtls: ssl_tls.c:355 Reallocating in_buf to 4429
I(53779) mbedtls: ssl_tls.c:355 Reallocating in_buf to 16717
E(53769) example: Last error was: -0x6c00 - SSL - Internal error (eg, unexpected failure in lower-level module)

How can mbedtls be modified to support the parsing of fragmented TLS handshake messages?

You can refer to the relevant PR from the mbedtls community (e.g., https://github.com/Mbed-TLS/mbedtls/pull/9872/files). This PR provides a solution.

Does ESP32 support the secp256r1 encryption algorithm?

Yes, ESP32 supports the secp256r1 encryption algorithm, and the corresponding implementation is provided in mbedtls.

What does the error mbedtls_ssl_handshake returned -0x2800 indicate?

This error is usually caused by insufficient memory. It is recommended to check the available RAM on the device.

How to restrict mbedtls to only use specific cipher suites?

You can use the mbedtls_ssl_conf_ciphersuites interface, as shown below:

static int force_ciphersuite[2] = {MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256, 0};
mbedtls_ssl_conf_ciphersuites(&tls->conf, force_ciphersuite);

For more details, please refer to: https://github.com/espressif/esp-idf/blob/master/components/esp-tls/esp_tls_mbedtls.c#L880-L889.


Suggestion on this document?

 Provide feedback