Hi,
I am currently implementing an HTTPS server using mbedTLS 3.6.5 and LwIP on an STM32H7S7L8 platform running FreeRTOS.
Our mbedTLS configuration are fully functional, as we already have a stable, working TLS implementation on an MQTT client using the same stack.
However, we are encountering an issue during the TLS Handshake phase on the server side after configuring the client sockets to non-blocking mode (O_NONBLOCK). While the listening socket correctly accepts incoming connections, the handshake loop fails.
I have attached the relevant snippet of our server thread implementation, including our I/O callbacks.
Could you please review our non-blocking I/O logic and handshake loop to see if we missed a specific configuration requirement or state handling for mbedTLS 3.x in server mode?
/* STM32CubeMX Specific Parameters (not defined in opt.h) ---------------------*/
/* Parameters set in STM32CubeMX LwIP Configuration GUI -*/
/*----- WITH_RTOS enabled (Since FREERTOS is set) -----*/
#define WITH_RTOS 1
/*----- WITH_MBEDTLS enabled (Since MBEDTLS and FREERTOS are set) -----*/
#define WITH_MBEDTLS 1
/*----- CHECKSUM_BY_HARDWARE enabled -----*/
#define CHECKSUM_BY_HARDWARE 1
/*-----------------------------------------------------------------------------*/
/* LwIP Stack Parameters (modified compared to initialization value in opt.h) -*/
/* Parameters set in STM32CubeMX LwIP Configuration GUI -*/
/*----- LWIP_NETIF_API==1: Enable NETIF API -----*/
#define LWIP_NETIF_API 1
/*----- Default value in ETH configuration GUI in CubeMx: 1524 -----*/
#define ETH_RX_BUFFER_SIZE 1524
/*----- Value in opt.h for MEM_ALIGNMENT: 1 -----*/
#define MEM_ALIGNMENT 4
/*----- Default Value for MEM_SIZE: 1600 ---*/
#define MEM_SIZE 48*1024
/*----- Default Value for H7 devices: 0x30004000 -----*/
#define LWIP_RAM_HEAP_POINTER 0x24024300//0x71000000
/*----- Value supported for H7 devices: 1 -----*/
#define LWIP_SUPPORT_CUSTOM_PBUF 1
/*----- Value in opt.h for LWIP_ETHERNET: LWIP_ARP || PPPOE_SUPPORT -*/
#define LWIP_ETHERNET 1
/*----- Value in opt.h for LWIP_DNS_SECURE: (LWIP_DNS_SECURE_RAND_XID | LWIP_DNS_SECURE_NO_MULTIPLE_OUTSTANDING | LWIP_DNS_SECURE_RAND_SRC_PORT) -*/
#define LWIP_DNS_SECURE 7
/*----- Default Value for TCP_MSS: 536 ---*/
#define TCP_MSS 1460
/*----- Default Value for TCP_SND_BUF: 2920 ---*/
#define TCP_SND_BUF 5840
/*----- Default Value for TCP_SND_QUEUELEN: 17 ---*/
#define TCP_SND_QUEUELEN 16
/*----- Value in opt.h for TCP_SNDQUEUELOWAT: LWIP_MAX(TCP_SND_QUEUELEN)/2, 5) -*/
#define TCP_SNDQUEUELOWAT 5
/*----- Default Value for LWIP_ALTCP: 0 ---*/
#define LWIP_ALTCP 1
/*----- Default Value for LWIP_ALTCP_TLS: 0 ---*/
#define LWIP_ALTCP_TLS 1
/*----- Default Value for LWIP_NETIF_STATUS_CALLBACK: 0 ---*/
#define LWIP_NETIF_STATUS_CALLBACK 1
/*----- Default Value for LWIP_NETIF_EXT_STATUS_CALLBACK: 0 ---*/
#define LWIP_NETIF_EXT_STATUS_CALLBACK 1
/*----- Value in opt.h for LWIP_NETIF_LINK_CALLBACK: 0 -----*/
#define LWIP_NETIF_LINK_CALLBACK 1
/*----- Default Value for TCPIP_THREAD_NAME: "tcpip_thread" ---*/
#define TCPIP_THREAD_NAME "TCP/IP"
/*----- Value in opt.h for TCPIP_THREAD_STACKSIZE: 0 -----*/
#define TCPIP_THREAD_STACKSIZE 8*2048
/*----- Value in opt.h for TCPIP_THREAD_PRIO: 1 -----*/
#define TCPIP_THREAD_PRIO 24
/*----- Value in opt.h for TCPIP_MBOX_SIZE: 0 -----*/
#define TCPIP_MBOX_SIZE 6
/*----- Value in opt.h for SLIPIF_THREAD_STACKSIZE: 0 -----*/
#define SLIPIF_THREAD_STACKSIZE 1024
/*----- Value in opt.h for SLIPIF_THREAD_PRIO: 1 -----*/
#define SLIPIF_THREAD_PRIO 3
/*----- Value in opt.h for DEFAULT_THREAD_STACKSIZE: 0 -----*/
#define DEFAULT_THREAD_STACKSIZE 2*2048
/*----- Value in opt.h for DEFAULT_THREAD_PRIO: 1 -----*/
#define DEFAULT_THREAD_PRIO 3
/*----- Value in opt.h for DEFAULT_UDP_RECVMBOX_SIZE: 0 -----*/
#define DEFAULT_UDP_RECVMBOX_SIZE 6
/*----- Value in opt.h for DEFAULT_TCP_RECVMBOX_SIZE: 0 -----*/
#define DEFAULT_TCP_RECVMBOX_SIZE 6
/*----- Value in opt.h for DEFAULT_ACCEPTMBOX_SIZE: 0 -----*/
#define DEFAULT_ACCEPTMBOX_SIZE 6
/*----- Value in opt.h for RECV_BUFSIZE_DEFAULT: INT_MAX -----*/
#define RECV_BUFSIZE_DEFAULT 2000000000
/*----- Default Value for LWIP_USE_EXTERNAL_MBEDTLS: 0 ---*/
#define LWIP_USE_EXTERNAL_MBEDTLS 1
/*----- Value in opt.h for LWIP_STATS: 1 -----*/
#define LWIP_STATS 0
/*----- Value in opt.h for CHECKSUM_GEN_IP: 1 -----*/
#define CHECKSUM_GEN_IP 0
/*----- Value in opt.h for CHECKSUM_GEN_UDP: 1 -----*/
#define CHECKSUM_GEN_UDP 0
/*----- Value in opt.h for CHECKSUM_GEN_TCP: 1 -----*/
#define CHECKSUM_GEN_TCP 0
/*----- Value in opt.h for CHECKSUM_GEN_ICMP6: 1 -----*/
#define CHECKSUM_GEN_ICMP6 0
/*----- Value in opt.h for CHECKSUM_CHECK_IP: 1 -----*/
#define CHECKSUM_CHECK_IP 0
/*----- Value in opt.h for CHECKSUM_CHECK_UDP: 1 -----*/
#define CHECKSUM_CHECK_UDP 0
/*----- Value in opt.h for CHECKSUM_CHECK_TCP: 1 -----*/
#define CHECKSUM_CHECK_TCP 0
/*----- Value in opt.h for CHECKSUM_CHECK_ICMP6: 1 -----*/
#define CHECKSUM_CHECK_ICMP6 0
openssl s_client -connect 10.0.2.251:443 -debug -tls1_2
Connecting to 10.0.2.251
CONNECTED(00000190)
write to 000002016EA017D0 [000002016EA19D90] (193 bytes => 193 (0xC1))
0000 - 16 03 01 00 bc 01 00 00-b8 03 03 5a c4 e3 55 0d ...........Z..U.
0010 - 51 ed d7 fd 27 c6 cf d8-cc 97 ef 92 29 a2 eb 96 Q...'.......)...
0020 - 24 3f b2 61 4b 7c 83 01-88 be a0 00 00 36 c0 2c $?.aK|.......6.,
0030 - c0 30 00 9f cc a9 cc a8-cc aa c0 2b c0 2f 00 9e .0.........+./..
0040 - c0 24 c0 28 00 6b c0 23-c0 27 00 67 c0 0a c0 14 .$.(.k.#.'.g....
0050 - 00 39 c0 09 c0 13 00 33-00 9d 00 9c 00 3d 00 3c .9.....3.....=.<
0060 - 00 35 00 2f 01 00 00 59-ff 01 00 01 00 00 0b 00 .5./...Y........
0070 - 02 01 00 00 0a 00 10 00-0e 00 1d 00 17 00 1e 00 ................
0080 - 18 00 19 01 00 01 01 00-23 00 00 00 16 00 00 00 ........#.......
0090 - 17 00 00 00 0d 00 2a 00-28 04 03 05 03 06 03 08 ......*.(.......
00a0 - 07 08 08 08 09 08 0a 08-0b 08 04 08 05 08 06 04 ................
00b0 - 01 05 01 06 01 03 03 03-01 03 02 04 02 05 02 06 ................
00c0 - 02 .
read from 000002016EA017D0 [000002016EA1F203] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 5b ....[
read from 000002016EA017D0 [000002016EA1F208] (91 bytes => 91 (0x5B))
0000 - 02 00 00 57 03 03 70 08-7e 01 3e 4f b5 6f 3e f5 ...W..p.~.>O.o>.
0010 - 8b 84 59 4f 77 ba 03 29-25 c9 a1 62 ab 35 44 4f ..YOw..)%..b.5DO
0020 - 57 4e 47 52 44 01 20 a8-e3 64 58 a5 cd 63 1a 92 WNGRD. ..dX..c..
0030 - c9 35 0c 90 00 c0 ae 9c-7b 3d 04 18 15 5a 1e 69 .5......{=...Z.i
0040 - 45 8b 90 e8 03 fd 82 cc-a8 00 00 0f ff 01 00 01 E...............
0050 - 00 00 17 00 00 00 0b 00-02 01 00 ...........
Can't use SSL_get_servername
read from 000002016EA017D0 [000002016EA1F203] (5 bytes => 5 (0x5))
0000 - 16 03 03 05 f2 .....
read from 000002016EA017D0 [000002016EA1F208] (1522 bytes => 1455 (0x5AF))
0000 - 0b 00 05 ee 00 05 eb 00-02 fb 30 82 02 f7 30 82 ..........0...0.
0010 - 01 df a0 03 02 01 02 02-14 2e 86 28 38 e8 0b c9 ...........(8...
0020 - 6a 84 b7 81 d1 53 4e 16-be 8d 06 5f 70 30 0d 06 j....SN...._p0..
0030 - 09 2a 86 48 86 f7 0d 01-01 0b 05 00 30 13 31 11 .*.H........0.1.
0040 - 30 0f 06 03 55 04 03 0c-08 4d 6f 6e 41 70 70 43 0...U....MonAppC
0050 - 41 30 1e 17 0d 32 36 30-35 32 30 31 32 35 35 32 A0...26052012552
0060 - 31 5a 17 0d 32 37 30 35-32 30 31 32 35 35 32 31 1Z..270520125521
0070 - 5a 30 14 31 12 30 10 06-03 55 04 03 0c 09 6c 6f Z0.1.0...U....lo
0080 - 63 61 6c 68 6f 73 74 30-82 01 22 30 0d 06 09 2a calhost0.."0...*
0090 - 86 48 86 f7 0d 01 01 01-05 00 03 82 01 0f 00 30 .H.............0
00a0 - 82 01 0a 02 82 01 01 00-a5 d6 05 76 c3 dc da c9 ...........v....
00b0 - ec a3 8f f1 54 e5 88 cd-63 f5 f9 5d bd 61 b3 3a ....T...c..].a.:
00c0 - b0 e4 0b b4 ca 9b 7d f9-c7 2b 4b a8 9e a8 e3 75 ......}..+K....u
00d0 - 7d 46 04 3d 4c f0 6a 83-ac ac dd ae f0 a6 73 6f }F.=L.j.......so
00e0 - a0 06 62 c2 e5 67 d0 29-28 58 24 87 e1 73 b8 0e ..b..g.)(X$..s..
00f0 - cc f5 de cb b0 b4 61 ef-a4 2f c8 44 70 eb 49 bb ......a../.Dp.I.
0100 - e4 47 f5 a9 93 c8 f9 53-ce 7f bf 33 0a 80 66 ba .G.....S...3..f.
0110 - a9 1e 74 14 fa 55 e6 d9-96 27 c4 65 5e b5 6e 0a ..t..U...'.e^.n.
0120 - 83 5c f4 11 75 9a 8a fa-ed d2 8d 87 a1 2a 7d f6 .\..u........*}.
0130 - 5b a0 82 18 11 7c 99 36-af ab 76 9f 37 fa 2a 65 [....|.6..v.7.*e
0140 - 50 9a ea 29 41 44 e6 a6-0e 5d 07 1f fc 75 79 97 P..)AD...]...uy.
0150 - f7 e8 c7 3c 55 20 44 7f-bc 45 30 4a 06 c1 6f 07 ...<U D..E0J..o.
0160 - d5 2f 73 11 89 4f 71 f3-81 cd 52 cc 50 2f 07 f8 ./s..Oq...R.P/..
0170 - 8c b6 03 41 ce 03 04 55-60 c9 40 6e 13 32 7d b7 ...A...U`.@n.2}.
0180 - 1d 04 b9 e7 08 7f fd 61-f4 7f 2c 6b 2e 8a 07 6c .......a..,k...l
0190 - 24 74 8f af 91 52 51 a9-c9 02 0f 24 30 2d 2b 97 $t...RQ....$0-+.
01a0 - 72 91 2e 89 5c 00 51 83-02 03 01 00 01 a3 42 30 r...\.Q.......B0
01b0 - 40 30 1d 06 03 55 1d 0e-04 16 04 14 ef 2e 1e e7 @0...U..........
01c0 - a9 93 d8 1c ef d5 af 93-c2 55 1d 72 f1 9c b4 a6 .........U.r....
01d0 - 30 1f 06 03 55 1d 23 04-18 30 16 80 14 2f 1a 1c 0...U.#..0.../..
01e0 - 02 ba c5 75 73 6e 4a 8a-4c 63 0f 95 55 8d a4 3d ...usnJ.Lc..U..=
01f0 - 54 30 0d 06 09 2a 86 48-86 f7 0d 01 01 0b 05 00 T0...*.H........
0200 - 03 82 01 01 00 52 0b bd-e3 f9 9d 48 5f 2d 74 e4 .....R.....H_-t.
0210 - 11 4b 39 12 93 b5 19 49-c7 6e 33 6a 50 1c ca a2 .K9....I.n3jP...
0220 - 9b b7 0f be cc b3 1c e2-0b 21 2c 7b f8 d6 b1 ae .........!,{....
0230 - f8 dc df cf bb a9 40 7e-f7 c1 80 d4 01 b0 c0 a9 ......@~........
0240 - cd 74 ce 76 88 8d 04 23-e4 89 2e 10 fa f4 b0 9b .t.v...#........
0250 - ef d3 ca 40 cd 7f 36 ba-27 0a 56 c8 77 76 f2 d3 ...@..6.'.V.wv..
0260 - 66 37 e0 34 69 1d f7 a5-68 5f 11 35 87 50 34 3b f7.4i...h_.5.P4;
0270 - d0 19 8c 30 fd ba a5 12-77 af e6 5e 16 6f 98 c9 ...0....w..^.o..
0280 - 2b 83 de d4 6c 00 db 8d-4e 51 6c 5d fd 6b 6f 95 +...l...NQl].ko.
0290 - ec df 82 fe 18 a0 3e 5b-e9 6c d1 3f b4 c3 8e 52 ......>[.l.?...R
02a0 - e2 22 3a fb 99 41 2d ba-a4 7b 8f 65 85 bb 42 d0 .":..A-..{.e..B.
02b0 - 4f ee 3c 2c d5 54 a2 2a-c6 a2 df f9 5f 55 32 4e O.<,.T.*...._U2N
02c0 - 9b 02 ee 46 c1 96 47 54-c3 d4 db 00 be 04 ae 99 ...F..GT........
02d0 - a7 c9 65 03 80 7c cb 7f-a2 c0 ad 98 5c 12 02 10 ..e..|......\...
02e0 - a3 2a d9 9c 2d 8e 36 5f-be 6c 7e 43 22 ba d5 da .*..-.6_.l~C"...
02f0 - 6b 84 58 27 9c 1f 01 b7-61 20 2e 45 db 46 bc d4 k.X'....a .E.F..
0300 - 57 4e 2e 29 8d 00 02 ea-30 82 02 e6 30 82 01 ce WN.)....0...0...
0310 - a0 03 02 01 02 02 14 4e-8b ab e2 de 1f 26 45 35 .......N.....&E5
0320 - e9 d1 f3 d2 81 d6 e0 b5-82 c9 48 30 0d 06 09 2a ..........H0...*
0330 - 86 48 86 f7 0d 01 01 0b-05 00 30 13 31 11 30 0f .H........0.1.0.
0340 - 06 03 55 04 03 0c 08 4d-6f 6e 41 70 70 43 41 30 ..U....MonAppCA0
0350 - 1e 17 0d 32 36 30 35 32-30 31 32 35 35 30 36 5a ...260520125506Z
0360 - 17 0d 32 37 30 35 32 30-31 32 35 35 30 36 5a 30 ..270520125506Z0
0370 - 13 31 11 30 0f 06 03 55-04 03 0c 08 4d 6f 6e 41 .1.0...U....MonA
0380 - 70 70 43 41 30 82 01 22-30 0d 06 09 2a 86 48 86 ppCA0.."0...*.H.
0390 - f7 0d 01 01 01 05 00 03-82 01 0f 00 30 82 01 0a ............0...
03a0 - 02 82 01 01 00 b9 0f 25-78 0c 1b f2 95 5b 45 f3 .......%x....[E.
03b0 - a1 af 1a f3 e0 1b 37 c9-cc d0 97 54 da fa 70 8e ......7....T..p.
03c0 - e5 2a 05 0a b1 28 45 a4-57 97 b7 29 65 da 0f 77 .*...(E.W..)e..w
03d0 - 04 f1 4a de e6 8b 93 54-31 dc 6e 6f 60 db 50 75 ..J....T1.no`.Pu
03e0 - de d2 02 f3 bf 67 f6 b1-c7 77 f5 68 4e 3e d8 25 .....g...w.hN>.%
03f0 - 55 79 2d 50 b0 35 85 ad-56 c6 aa 79 93 60 79 90 Uy-P.5..V..y.`y.
0400 - 10 54 6d c7 f5 ed c7 88-63 d0 1d 36 39 d4 00 a8 .Tm.....c..69...
0410 - 50 c5 84 ac 47 b9 05 d1-1b fe 52 03 5c 2b 10 c3 P...G.....R.\+..
0420 - 0a 07 72 5e 28 7a 1f cc-e5 a6 62 d3 22 1f 47 95 ..r^(z....b.".G.
0430 - 21 8f a5 c7 23 b6 38 e2-bc ef 73 d8 2c ef 0b 98 !...#.8...s.,...
0440 - 3a 5c 95 e6 f0 a8 c8 9c-d8 b0 0b fb e2 d7 5f cb :\............_.
0450 - 2c e1 04 b3 96 1e fd d1-65 d8 71 62 d6 00 90 32 ,.......e.qb...2
0460 - 1d 71 51 4c 7b 42 45 c3-01 58 62 65 2e f6 42 26 .qQL{BE..Xbe..B&
0470 - 3b a1 f7 19 10 4a c8 b4-33 5c 77 e3 09 af 77 89 ;....J..3\w...w.
0480 - ad 4a bf d2 2d 92 1f f0-a2 7a 3c aa c4 25 c0 a2 .J..-....z<..%..
0490 - b4 0b e2 ae c8 e5 e5 86-d4 37 56 fb 8e 38 cc 41 .........7V..8.A
04a0 - 98 52 a0 30 a5 02 03 01-00 01 a3 32 30 30 30 1d .R.0.......2000.
04b0 - 06 03 55 1d 0e 04 16 04-14 2f 1a 1c 02 ba c5 75 ..U....../.....u
04c0 - 73 6e 4a 8a 4c 63 0f 95-55 8d a4 3d 54 30 0f 06 snJ.Lc..U..=T0..
04d0 - 03 55 1d 13 01 01 ff 04-05 30 03 01 01 ff 30 0d .U.......0....0.
04e0 - 06 09 2a 86 48 86 f7 0d-01 01 0b 05 00 03 82 01 ..*.H...........
04f0 - 01 00 13 51 c6 4c c6 38-2e ca a3 d5 e8 da 3d ea ...Q.L.8......=.
0500 - aa 74 a0 ec ee fc b6 fb-40 5e 93 02 86 56 56 67 .t......@^...VVg
0510 - e3 8a df 15 43 47 77 f8-a9 ec e1 fb 74 00 5c aa ....CGw.....t.\.
0520 - 45 97 2f e9 e2 02 77 5d-aa 2d b4 5c 4b e4 be a2 E./...w].-.\K...
0530 - 1d 46 60 b2 d6 94 91 76-65 84 f1 aa cb 17 e6 28 .F`....ve......(
0540 - 73 84 8d 57 9a 2f 9a 4e-4b 91 48 fe a4 4a 11 b6 s..W./.NK.H..J..
0550 - a5 37 93 c1 91 f6 7f cc-14 9f 45 0c e5 10 4a 0d .7........E...J.
0560 - ea 97 fd 87 58 38 76 45-1b b3 19 c5 37 0b f8 05 ....X8vE....7...
0570 - c0 44 18 60 d5 29 57 1e-cf 13 2e 17 11 d1 e4 35 .D.`.)W........5
0580 - 4c 69 6e 75 02 13 ce 9a-73 10 84 34 cd 5c cf 91 Linu....s..4.\..
0590 - 49 83 2d 2a 36 ed d5 71-f3 17 ca c6 cf b9 be a8 I.-*6..q........
05a0 - f3 45 af 5e 4c f6 24 e3-8b 8f 7b 33 40 ca 54 .E.^L.$...{3@.T
read from 000002016EA017D0 [000002016EA1F7B7] (67 bytes => 67 (0x43))
0000 - c0 3f 2b 6a b2 50 fa 51-e5 2e de fe d3 2f 51 6b .?+j.P.Q...../Qk
0010 - f2 e0 78 eb ea cd 39 da-2a ae a2 25 a5 97 a8 aa ..x...9.*..%....
0020 - ce 9d 22 c1 28 75 9b d0-bf 73 51 67 cc 8b 5d f6 ..".(u...sQg..].
0030 - 80 9f 2e f3 35 8d 21 d0-e1 2f 2a 97 8d 7f 6a 12 ....5.!../*...j.
0040 - 20 a8 3c .<
depth=1 CN=MonAppCA
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=1 CN=MonAppCA
verify return:1
depth=0 CN=localhost
verify return:1
read from 000002016EA017D0 [000002016EA1F203] (5 bytes => 0)
write to 000002016EA017D0 [000002016EA19D90] (7 bytes => 7 (0x7))
0000 - 15 03 03 00 02 02 32 ......2
B4840000:error:0A000126:SSL routines::unexpected eof while reading:ssl\record\rec_layer_s3.c:708:
---
Certificate chain
0 s:CN=localhost
i:CN=MonAppCA
a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: May 20 12:55:21 2026 GMT; NotAfter: May 20 12:55:21 2027 GMT
1 s:CN=MonAppCA
i:CN=MonAppCA
a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: May 20 12:55:06 2026 GMT; NotAfter: May 20 12:55:06 2027 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC9zCCAd+gAwIBAgIULoYoOOgLyWqEt4HRU04Wvo0GX3AwDQYJKoZIhvcNAQEL
BQAwEzERMA8GA1UEAwwITW9uQXBwQ0EwHhcNMjYwNTIwMTI1NTIxWhcNMjcwNTIw
MTI1NTIxWjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCl1gV2w9zayeyjj/FU5YjNY/X5Xb1hszqw5Au0ypt9+ccr
S6ieqON1fUYEPUzwaoOsrN2u8KZzb6AGYsLlZ9ApKFgkh+FzuA7M9d7LsLRh76Qv
yERw60m75Ef1qZPI+VPOf78zCoBmuqkedBT6VebZlifEZV61bgqDXPQRdZqK+u3S
jYehKn32W6CCGBF8mTavq3afN/oqZVCa6ilBROamDl0HH/x1eZf36Mc8VSBEf7xF
MEoGwW8H1S9zEYlPcfOBzVLMUC8H+Iy2A0HOAwRVYMlAbhMyfbcdBLnnCH/9YfR/
LGsuigdsJHSPr5FSUanJAg8kMC0rl3KRLolcAFGDAgMBAAGjQjBAMB0GA1UdDgQW
BBTvLh7nqZPYHO/Vr5PCVR1y8Zy0pjAfBgNVHSMEGDAWgBQvGhwCusV1c25Kikxj
D5VVjaQ9VDANBgkqhkiG9w0BAQsFAAOCAQEAUgu94/mdSF8tdOQRSzkSk7UZScdu
M2pQHMqim7cPvsyzHOILISx7+Naxrvjc38+7qUB+98GA1AGwwKnNdM52iI0EI+SJ
LhD69LCb79PKQM1/NronClbId3by02Y34DRpHfelaF8RNYdQNDvQGYww/bqlEnev
5l4Wb5jJK4Pe1GwA241OUWxd/Wtvlezfgv4YoD5b6WzRP7TDjlLiIjr7mUEtuqR7
j2WFu0LQT+48LNVUoirGot/5X1UyTpsC7kbBlkdUw9TbAL4ErpmnyWUDgHzLf6LA
rZhcEgIQoyrZnC2ONl++bH5DIrrV2muEWCecHwG3YSAuRdtGvNRXTi4pjQ==
-----END CERTIFICATE-----
subject=CN=localhost
issuer=CN=MonAppCA
---
No client certificate CA names sent
---
SSL handshake has read 1623 bytes and written 200 bytes
Verification error: self-signed certificate in certificate chain
---
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.2
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID: A8E36458A5CD631A92C9350C9000C0AE9C7B3D0418155A1E69458B90E803FD82
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1779290438
Timeout : 7200 (sec)
Verify return code: 19 (self-signed certificate in certificate chain)
Extended master secret: yes
---
ECH: NOT CONFIGURED: -103
---
read from 000002016EA017D0 [000002016E98CD10] (16384 bytes => -1)
static int mbedtls_lwip_send(void *ctx, const unsigned char *buf, size_t len) {
int fd = *((int *)ctx);
int ret = lwip_send(fd, buf, len, 0);
if (ret < 0) {
/* If the socket is non-blocking and the operation would block */
if (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINPROGRESS) {
return MBEDTLS_ERR_SSL_WANT_WRITE;
}
return MBEDTLS_ERR_NET_SEND_FAILED;
}
return ret;
}
/* --- Custom Receive Callback for mbedTLS (Non-blocking LwIP) --- */
static int mbedtls_lwip_recv(void *ctx, unsigned char *buf, size_t len) {
int fd = *((int *)ctx);
int ret = lwip_recv(fd, buf, len, 0);
if (ret < 0) {
/* If the socket is non-blocking and no data is available yet */
if (errno == EWOULDBLOCK || errno == EAGAIN) {
return MBEDTLS_ERR_SSL_WANT_READ;
}
return MBEDTLS_ERR_NET_RECV_FAILED;
} else if (ret == 0) {
/* Connection closed by the remote client */
return MBEDTLS_ERR_NET_CONN_RESET;
}
return ret;
}
void http_server_netconn_thread(void *arg) {
int ret;
int listen_fd, client_fd;
struct sockaddr_in serv_addr, client_addr;
socklen_t client_len = sizeof(client_addr);
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt srvcert;
mbedtls_pk_context pkey;
/* Initialize mbedTLS Contexts */
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_x509_crt_init(&srvcert);
mbedtls_pk_init(&pkey);
mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg);
/* 1. Seed Random Number Generator */
const char *pers = "https_server";
ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *)pers, strlen(pers));
if (ret != 0) {
printf("Failed to seed CTR_DRBG: -0x%04X\n", -ret);
goto cleanup;
}
/* 2. Load Certificates and Private Key */
mbedtls_x509_crt_parse(&srvcert, (const unsigned char *)mbedtls_test_srv_crt, mbedtls_test_srv_crt_len);
mbedtls_x509_crt_parse(&srvcert, (const unsigned char *)mbedtls_test_cas_pem, mbedtls_test_cas_pem_len);
mbedtls_pk_parse_key(&pkey, (const unsigned char *)mbedtls_test_srv_key, mbedtls_test_srv_key_len,
NULL, 0, mbedtls_ctr_drbg_random, &ctr_drbg);
/* 3. Configure SSL Settings */
mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT);
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
mbedtls_ssl_conf_ca_chain(&conf, NULL, NULL);
mbedtls_ssl_conf_own_cert(&conf, &srvcert, &pkey);
if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) {
printf("Failed to setup SSL context: -0x%04X\n", -ret);
goto cleanup;
}
/* 4. Configure LwIP Listening Socket */
listen_fd = lwip_socket(AF_INET, SOCK_STREAM, 0);
if (listen_fd < 0) {
goto cleanup;
}
memset(&serv_addr, 0, sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = lwip_htonl(INADDR_ANY);
serv_addr.sin_port = lwip_htons(443); // HTTPS standard port
if (lwip_bind(listen_fd, (struct sockaddr*)&serv_addr, sizeof(serv_addr)) < 0) {
lwip_close(listen_fd);
goto cleanup;
}
if (lwip_listen(listen_fd, 5) < 0) {
lwip_close(listen_fd);
goto cleanup;
}
/* Main Server Loop */
while (1) {
mbedtls_ssl_session_reset(&ssl);
/* Block and wait for an incoming client connection */
client_fd = lwip_accept(listen_fd, (struct sockaddr*)&client_addr, &client_len);
if (client_fd < 0) {
osDelay(10);
continue;
}
/* Set the client socket to NON-BLOCKING mode */
int flags = lwip_fcntl(client_fd, F_GETFL, 0);
if (flags >= 0) {
lwip_fcntl(client_fd, F_SETFL, flags | O_NONBLOCK);
}
/* Bind the LwIP Socket file descriptor to the TLS Bio interface */
mbedtls_ssl_set_bio(&ssl, &client_fd, mbedtls_lwip_send, mbedtls_lwip_recv, NULL);
printf("Executing TLS Handshake...\n");
while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
printf("Critical error during Handshake: -0x%04X\n", -ret);
break;
}
/* Socket is non-blocking: yield to FreeRTOS scheduler while waiting for I/O */
osDelay(5);
}
if (ret == 0) {
printf("TLS Handshake Successful!\n");
https_server_serve(&ssl);
/* Securely notify and close the TLS connection layer */
do {
ret = mbedtls_ssl_close_notify(&ssl);
} while (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE);
}
/* Tear down the underlying client TCP network socket */
lwip_close(client_fd);
}
cleanup:
/* Comprehensive FreeRTOS task termination resource cleanup */
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
mbedtls_x509_crt_free(&srvcert);
mbedtls_pk_free(&pkey);
mbedtls_entropy_free(&entropy);
mbedtls_ctr_drbg_free(&ctr_drbg);
vTaskDelete(NULL);
}
