diff --git a/examples/tls_client_example/CMakeLists.txt b/examples/tls_client_example/CMakeLists.txt
index b076a246..19af44bd 100644
--- a/examples/tls_client_example/CMakeLists.txt
+++ b/examples/tls_client_example/CMakeLists.txt
@@ -8,9 +8,9 @@ set_source_files_properties(${example_SRCS} PROPERTIES LANGUAGE CXX)
 ENDIF(MSVC)
-configure_file(client1-key.pem client1-key.pem COPYONLY)
-configure_file(client1.cer client1.cer COPYONLY)
-configure_file(root.cer root.cer COPYONLY)
+configure_file(client_CA1_1.key client_CA1_1.key COPYONLY)
+configure_file(client_CA1_1.pem client_CA1_1.pem COPYONLY)
+configure_file(root_CA1.pem root_CA1.pem COPYONLY)
 add_executable(tls_client_example ${example_SRCS}
diff --git a/examples/tls_client_example/client1-key.pem b/examples/tls_client_example/client1-key.pem
deleted file mode 100644
index c39425cc..00000000
--- a/examples/tls_client_example/client1-key.pem
+++ /dev/null
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAxAMUXdnem99n5J8Z8Wa0fdPtoMCTdkQJrOO6WJ4XePrpQgHU -HDziSmdIZDDkpJ3Ey0Byy+b+iiRDmOuIZGSCsI0ehggWaia12h2osUK0BLyThuZ/ -RQw54K0dy61eviNaYsftiBcxHYKyKmWch/wLLYxdd1qLzd0reAbSUaHDkDzrj9hO -8qr7DhKpqx7PoVh1gFhAKPKuY6b+4xqv5eZvt8QflQTWYGxaxmUIEinqCnzh1l5d -tp0rhnBsz9Y4y8dXjh0m7pbXmRNY6opMxXatqgYEqsntLy1N6x7DvWLBqtVvEmox -Tc5bbAoRW3eEToClDdFQBzLsMVcSEX8vwttk3QIDAQABAoIBABHr1ijeiqPlwTH9 -+flAUrBOeCOCd/kQL3JHP/pqOestxbXrROFwD6CN4OiIL999LUkIE3bhH9SxjByn -LElBh1FtFaVbh/EcqPPQUmQinSLxuutSl8BQZdpM+bRtnYP054awkN8of60bDf8i -WzVzrfH0K3eGJ9Iirp7CwOgFykOdpQyxsI+HG8grcwA87x1ZsAIfHhiKmQByliNl -BkbJmYBOtfVgXje5QdxTptlTNljFSbZcaCXv1P3aOqctcgJMQjg0T+E37Y8Cav80 -6SuXbpv/cdacG695MAT7Vtywue0Axh59DvxAzc+deyQT70Hzw+Mo6pgi0clFnwzU -Y5ViDWECgYEAxxhRKzpz7klnmGob5CZvrbqDfC3JUEOxKH0e342S/HmT05bTI21w -N8A0KStNjQXS1mmkAkY/OO1Zutmf6yjqsxAIEO5UMTCSEP7YLRB7qBdN7dOt3JaK -4wxErMCljdT68Vj5Qj8YzIXJkWPk871oFTvVNe2qxgrCUigE5ai2I8cCgYEA/Akv -E0L+2uXayEucEamzO3n9xVziNanjyHilnJJvduvO9gd+crBbxSKqaXSdfPnp2mSa -+e3N7elxP2b/kPrGkzZekSaMh1nPH4Upu+ISK117r1x+vmnxZHRpehrVh1QzOQ5p -Ljt+GaXa3ur3P/6uW5KMbtGGW6MEgDwLMLvpqjsCgYA5pnfyfYWOTWEbCDa1VM/n -zWc/cP6nKELHR5vF/fe+9fFxRm4zBwCElDpGZYyaNkJ75bEhG3g5Irll2phs/rcf -TJgZVvm4GKljFHhCbFByNvVQ1Ye1pT3oSugj4dDOhgp4Elxy61Rh/KeGWxez4Heg -FmhBqmVV3U2xfncUjUrYhwKBgQCKtPM3gpOIHSA/Q31tKxv9C7JiQDAuoIU/+0YJ -2X2G0VhhhtZMgErBP8bRquBRu6i8DMpN6lZ/LQ6qeiEExT8sHawF7lVA2GhpTHwf -btfZDeXYKOuIF/5F7ttt2/7QL8LRD+FLFGrd6q1+KYpRqfSDaS/ofV+YZys+98yg -0YpTqQKBgQCWJpV2ySgXcKJzAUh14VNpLTRzJOMSpsU576nwz0TLUREVjiH6rvKr -gxllDEe1bVNMEekaZ+dOqiJX+4aTnEbIrEXki5Dvz0vq8biImW9RRdPEHgYVTv/d -qBOPHiIq2JiY6abD9XNPM3VQ/z8em6/4mkC8COCJRd2mA89FOYRxOQ== ------END RSA PRIVATE KEY----- diff --git a/examples/tls_client_example/client1.cer b/examples/tls_client_example/client1.cer deleted file mode 100644 index a5aa8db3..00000000 Binary files a/examples/tls_client_example/client1.cer and /dev/null differ 
diff --git a/examples/tls_client_example/client_CA1_1.key b/examples/tls_client_example/client_CA1_1.key new file mode 100644 index 00000000..23e672fc --- /dev/null +++ b/examples/tls_client_example/client_CA1_1.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA2PuXMNUYO43NbEvBmEAru/uL1JdU6gFuhMKLuZOPaOGjGhth +JiDO9AsnUGzKAk3m9QZ/YhAzY9CiEeYsnGaPeI0OBdkgWmpz5k9Fw+bqaqlxYQTy +Bw69/kYbwNyMmGsb8XqXKZvhPXdLoaxkVmS+AMlxVcN/7c2ldZGTTDrhBtJnfuPK +rGmH9cFg+XVvUskPQsUIwJtn1sN+niZ++hkuiCzmoZ4A+m73QACltdcr7aNtHJmh +aU/p1bmLIhYfbxGmyvm2faJ8htYuaRBj6DcZq44IyDGz2LThmdWzpIcYbovCzB2X +Pn26b0BXsXBpN+ptf2xpAEDWDdzaR6Xp4BgJwQIDAQABAoIBAQDQGLJOlgBQlVWv +CBSaNOj8t2nKsHwylL7uujoQ95DxUH0BO8L3Mz3n1Y6V1lAC172pvtqKLOlsUBov +OmYMdVwhjH4nY65gqHmRJvPMxviI5Qqktn58AEp8w7Y4SAza3NaGyECTGjlxnqi9 +XD06khGbZZa5Xu6hHboSwFPZJxrLU1jaopJUgFG+p9oUgiSp5cfGDwAsU9JELmkP +MVF0GWedpypBBKi9JsniOulr1USpNZN2rzEkkxwY0QQttw3E9dgheIsut7dUYWLz +9NLKcRWIK/Y29NzS6Urye8lUTHHBrXgk5pUcdN3vuY7mkleqIn5tYY6xf93/5/VA +jF+HcgolAoGBAPDhS986xppbfLmrresIUUZKxk2s/Vg+vHPLX0SJFF7Uhy8nMYoJ +JqfG2mS+/tiM/wPBglVhsrlsfnDIag7Brqx7sjH2OHO6VX8jQPYgOuCbNwp7uL1w +bG82R5rujcxxFAtMVAM3zYz9sNGSu8u7M/U3kfTBwtntFJ6iPC60REbjAoGBAOaa +SdtX0bOQAYDM4moEDVnRPMHp8lZAjqKphGqTDrGOqU4usNW8+ZNBhn3vF1+n2Gq5 +KY2IWSF0j71jqpOXahW0EBoXpcTLs5JBWet8J5vKzbpN8Uq8TvTABn67G1F/DZub +FOiCDy/Kku4yWT2aUqNwS07va7gzFhyyjMl/JWoLAoGAATpEtriH9pVsx012r3H1 +aBRNemvdRqvbLgPlUmYYcntGzRi4CeoOBmDfEBBhIB1n108PKPw8evFwm4aJ89VM +3JgsylBk7UIP2XwGgrqbUjW4TBdhU6XVB6QRLVr14grZfU1ASFvqckOAuTC0QE+N +7jwARG0QXyf0KPLOt7Y3et0CgYEAhJcd9EJQTsB0PMyROofN7WDDYHPVZQaFfL2f +Z2/auPjgHBX4k0yu6553aB17AQMPCn4giEJnjTbqFukhgO9EjeoUgAwswjSlsWhl +/WJLm+ZF1+NM473WYB+xHFkU4gz9lATdRrrRZJdDWDYW3bbH4TWF94LuGuE0y5dW +H909c/UCgYEAiYY/TTZvfEsQvCo4Rv6qg7cI2/OdGwGhMmtziYy4SIAAm0Ga2s3R +L7Kq72In+nbaDIUD2zTSGQmwTm3B0C73vIUAXvupcl28nE5px0YNV6NZJaaFSV66 +hP1CgPBYe6KjnVufOiqhcnDdJQ6XdqK0tblj+cavkZgW+UdeqVBXCFQ= +-----END RSA PRIVATE KEY----- 
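Review bot: The file added here is an unencrypted PKCS#1 RSA private key (plain `BEGIN RSA PRIVATE KEY`, no `Proc-Type`/`DEK-Info` headers) committed in clear text, and the client example loads it with a NULL password, so everyone with read access to the repository holds this credential. That is acceptable only for demo material, and nothing in the diff labels it as such; I would add a README note in examples/tls_client_example saying these keys and certificates are test-only and must be regenerated before any deployment, and apply the same to the identical server_CA1_1.key added later in this diff. Since git does not preserve restrictive file modes, every checkout also leaves the key world-readable, which the note should mention.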
diff --git a/examples/tls_client_example/client_CA1_1.pem b/examples/tls_client_example/client_CA1_1.pem new file mode 100644 index 00000000..580cff4b --- /dev/null +++ b/examples/tls_client_example/client_CA1_1.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDWzCCAkMCFFTJkICEIidmnrisIFxZ99KKLhDFMA0GCSqGSIb3DQEBCwUAMGox +CzAJBgNVBAYTAkRFMQswCQYDVQQIDAJCVzERMA8GA1UEBwwIRnJlaWJ1cmcxGzAZ +BgNVBAoMEk1aIEF1dG9tYXRpb24gR21iSDEMMAoGA1UECwwDUiZEMRAwDgYDVQQD +DAdyb290X0NBMB4XDTIyMDMxODA5MzMxOFoXDTIyMDQxNzA5MzMxOFowajELMAkG +A1UEBhMCREUxCzAJBgNVBAgMAkJXMREwDwYDVQQHDAhGcmVpYnVyZzEbMBkGA1UE +CgwSTVogQXV0b21hdGlvbiBHbWJIMQwwCgYDVQQLDANSJkQxEDAOBgNVBAMMB2Ns +aWVudDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDY+5cw1Rg7jc1s +S8GYQCu7+4vUl1TqAW6Ewou5k49o4aMaG2EmIM70CydQbMoCTeb1Bn9iEDNj0KIR +5iycZo94jQ4F2SBaanPmT0XD5upqqXFhBPIHDr3+RhvA3IyYaxvxepcpm+E9d0uh +rGRWZL4AyXFVw3/tzaV1kZNMOuEG0md+48qsaYf1wWD5dW9SyQ9CxQjAm2fWw36e +Jn76GS6ILOahngD6bvdAAKW11yvto20cmaFpT+nVuYsiFh9vEabK+bZ9onyG1i5p +EGPoNxmrjgjIMbPYtOGZ1bOkhxhui8LMHZc+fbpvQFexcGk36m1/bGkAQNYN3NpH +pengGAnBAgMBAAEwDQYJKoZIhvcNAQELBQADggEBADSnrKdPqeUr3F1MIk6P8SKo +yR1VrPmNCljaC1i3realDlG+7jlPHfTCkwZwlEfKGa/yANJAw4hv+2tR5m4CsgMB +x6FkKG9p6NTXyv4gXZeLa3ivqFqz7awTVMBf1C1VVeTi/H2kvHSBRmbj6Z5p7/MN +9E1t5NsgbKKfbj4hQD+f7r6zgFdgTK8C5OYT2ijYryFl1Qqrl5CYPpswm3vL0KkM +e3RMOBqamkFqr4OCZw5juNpGrp3bK3dLF+N6Ceb+PGnS0YU29NpUXo64lzIxdwxs +NDqbFMYXEXGKqUDVQAuj1374M85Cvqlso0Jenc+hWN2/kfAgHGE1Ne3sD9oJg5w= +-----END CERTIFICATE----- diff --git a/examples/tls_client_example/root.cer b/examples/tls_client_example/root.cer deleted file mode 100644 index 87683444..00000000 Binary files a/examples/tls_client_example/root.cer and /dev/null differ diff --git a/examples/tls_client_example/root_CA1.pem b/examples/tls_client_example/root_CA1.pem new file mode 100644 index 00000000..0e7045a9 --- /dev/null +++ b/examples/tls_client_example/root_CA1.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIUJysTAOCqE3IaNO1QgtOPxMq6M8EwDQYJKoZIhvcNAQEL +BQAwajELMAkGA1UEBhMCREUxCzAJBgNVBAgMAkJXMREwDwYDVQQHDAhGcmVpYnVy +ZzEbMBkGA1UECgwSTVogQXV0b21hdGlvbiBHbWJIMQwwCgYDVQQLDANSJkQxEDAO +BgNVBAMMB3Jvb3RfQ0EwHhcNMjIwMzE4MDkyNzEwWhcNMzIwMzE1MDkyNzEwWjBq +MQswCQYDVQQGEwJERTELMAkGA1UECAwCQlcxETAPBgNVBAcMCEZyZWlidXJnMRsw +GQYDVQQKDBJNWiBBdXRvbWF0aW9uIEdtYkgxDDAKBgNVBAsMA1ImRDEQMA4GA1UE +AwwHcm9vdF9DQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOMyaDaT ++a4DT0s2NCrjUN8coLPfFrLRdN0Gx0hRViuLUFxd001jXruRgXKt2g8lR+YnzUeA +PQHbcIfRQhL+jy/ZMXpmz4Nrl7vyOWFdu8nBKU6c7y9LmSGbnOJZjDXwlX6ERwui +qFzAvRA6YXbPN8gY0B3Ou+T/mjkWN9L1x+V+7bGs9rVIoM78fVyM2FERBfsBtT76 +QVQv3KZ+a9EOLxqcZ/nGqsFFysFOSkiRC6Cy4mC5CSik9S5D7X9lz/bdga7O+hqd +SKfir6YMlQGV37JPqmz69N6vvb9UOX/G989T4qdVB/zQOvMdcIWXkqb3vSAXYi/c +ClVS1Pymsy/MXQ0CAwEAAaNTMFEwHQYDVR0OBBYEFGYgIECdrhTsmgCKpVM0RHeC +kFUmMB8GA1UdIwQYMBaAFGYgIECdrhTsmgCKpVM0RHeCkFUmMA8GA1UdEwEB/wQF +MAMBAf8wDQYJKoZIhvcNAQELBQADggEBACsiuHFQjqOglenp/fcNbU034m/vvkyV +SZXau9amXBWdeTEpc1HaPOYO7jFFnu/QoH6AbGZkpL0yWZJA2rf102AkOdAe6E0g +2H77/hHoHVCfxOiOl3+icsLXJ4VXqV2vmUOEVnWfHRtej4My6avT9uCNMO2bw9hm +56RAZrs82T9Mpg/1XQ9YUO1q4/JfP/+dCzPXAdwJ/h2cJ/q6Q9g1gRns8IzVlGOZ +0ZBQCLqLl8vUei+t6YgjyBbeNCz4CEcmXKIJeqMB1jhpsgr6BBMTNTU2Q60b9fzU +OCGLw94EnKYtHWGy2WHMFNbwkNCR0/jwhxKkU0HXy1aNMUBWp99M7P8= +-----END CERTIFICATE----- diff --git a/examples/tls_client_example/server_CA1_1.key b/examples/tls_client_example/server_CA1_1.key new file mode 100644 index 00000000..e0402b2a --- /dev/null +++ b/examples/tls_client_example/server_CA1_1.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA2FFfpxEqImd01A9Q+ccTRDroVpz840ektXr45V0RQkpz8zSu +Iv5GXPqBXwSgKXsojoLkCYK+VmlX4GQ6xXblAKAd/flUS+WVsUq9kL9cud30dwYK +h2V4/Tm/NvUiZsYV3b5/8RfUpYwVNBW/eScbNXrVHNkiBrcIJtixruKsyH+drckP +7K4j+AZh43LGsK6NY+ppf5wHBctGWFOCFdJSrabck4oem807COKX9PhTfD87OnjB +QcqdHkus8WZP/SGnZV+6c1k0SN4O0E4MahpWkr8D2ZjsbhGFIW8AU4NdobsohClW +AZ0MDR1N4oo0sj4HgY2hGR2AbR/5Y2LH4kRcpQIDAQABAoIBAEK2tf1cedYqegl8 +v8iI8RQ15rnvqL6ftdiSmHiEf3ImbCQxtxLrwN+kEoovbwXcCeIJ1DJqtDEKRCPc +RZPo2y+aMiXF442UvNn05wnhOsPIBEFBB7ZCQVI3oRVd/MIdjVjaC7NbWiXEUjXC +D09aFDYmL9u5y5iukkEIy6PYHNmokN0MlHwhFqqp72hGe6UvHfZ6yu46z1eF6zLN +S4b2ULUzJ6Ov0Y7kmN7vP058yfZYHoj4TPeRBDm3Qx8g9c5d6da22vfkt61UzXEN +ih8fIejq6BGila2wMuZKyCM/Oxv5WX0RTzVQO13+42f29BM47Mdk/a8ijBZCzXnC +oAnHcwECgYEA7Isah3VNc4KkSNRrnV1UrInQ8BAlNLTN4cJTbyOkogCUECvfzAS+ +K/l8YZOzZ7YoJkK7RzDeUqRfrZhyJut6x7J/3Vl6qLXpnx3iEPJdxaD5L1iftnIP +NOytbphClO+VAjSO3frhlCwZ00Z6o6meTV+CNmRT2LDFEzxAMc3GtrECgYEA6hxh +m3S5KX7Ze/m5v9l4vi2iGDNBJkk48Cc+qfgVLGa0TSd7cY+8bjYNufr6vqThKlVu +RByZ3Wo5C5PfrkU69YbJ9LnQ+RTZPu+IxPIsUM3xlyTin7bufyOcWhPr1820MKqP +A/mRJ/SKel7ubrURai7KDETR0mI9XajhtwF/qjUCgYEAvW1sclwTCVTuwVAzWhM6 +0u2PACC92uaMFaYscM1nc0DpUcYA8/48WTTzUaUZwA1VO8am+Yz+DcqKwJdbmyVq +7u9YjGey3dbIX19sAcxGIhUWWL8tL8tJuEVtYirW7zSp7NkwLD5UVfe3OsWvQs97 +8VRyD6LqrpZpTE0sz3WOFBECgYAxgOLa3mmw7pPKdVnjyXaQsFGQUHY8REt37LSB +eGXxx53kmq6tqrkrjN6GLx4KZg7+xqXUXT/j4+xAGHq5/QWkmWXnC8u2f8QYXMpM +6vCX/ZRSY4hQQXxZAgyzt3atYV/y0n3/VyxsiHcnvR8p5bvS+iXbRkof9IoJXgas +jfKS6QKBgQC6ZFuvYIeqkfZ0Yyxxum3qlGxpR41wcuIpb4hBQ0gr1haTL0aaoUiQ +qqUfzVRst/oPxf6vqeCxtWh1/3lGa1QXP9KJDA5twFMqTg5jv92vjMIgPTEZ2Oif ++YyTs72V197KHctx2/T4RxAGhxCLJwDzk2shvLS+1voU/w40YRy9yA== +-----END RSA PRIVATE KEY----- diff --git a/examples/tls_client_example/server_CA1_1.pem b/examples/tls_client_example/server_CA1_1.pem new file mode 100644 index 00000000..1a55213c --- /dev/null +++ b/examples/tls_client_example/server_CA1_1.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDWzCCAkMCFFTJkICEIidmnrisIFxZ99KKLhDIMA0GCSqGSIb3DQEBCwUAMGox +CzAJBgNVBAYTAkRFMQswCQYDVQQIDAJCVzERMA8GA1UEBwwIRnJlaWJ1cmcxGzAZ +BgNVBAoMEk1aIEF1dG9tYXRpb24gR21iSDEMMAoGA1UECwwDUiZEMRAwDgYDVQQD +DAdyb290X0NBMB4XDTIyMDUyNjEwNDc0NFoXDTMwMDgxMjEwNDc0NFowajELMAkG +A1UEBhMCREUxCzAJBgNVBAgMAkJXMREwDwYDVQQHDAhGcmVpYnVyZzEbMBkGA1UE +CgwSTVogQXV0b21hdGlvbiBHbWJIMQwwCgYDVQQLDANSJkQxEDAOBgNVBAMMB3Nl +cnZlcjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYUV+nESoiZ3TU +D1D5xxNEOuhWnPzjR6S1evjlXRFCSnPzNK4i/kZc+oFfBKApeyiOguQJgr5WaVfg +ZDrFduUAoB39+VRL5ZWxSr2Qv1y53fR3BgqHZXj9Ob829SJmxhXdvn/xF9SljBU0 +Fb95Jxs1etUc2SIGtwgm2LGu4qzIf52tyQ/sriP4BmHjcsawro1j6ml/nAcFy0ZY +U4IV0lKtptyTih6bzTsI4pf0+FN8Pzs6eMFByp0eS6zxZk/9IadlX7pzWTRI3g7Q +TgxqGlaSvwPZmOxuEYUhbwBTg12huyiEKVYBnQwNHU3iijSyPgeBjaEZHYBtH/lj +YsfiRFylAgMBAAEwDQYJKoZIhvcNAQELBQADggEBANPRnvfByVoKwfMcQYUnYT6l +5OhYt8f2tQfoa0EXirP0O2xG052ZBl3Z5ZzBCcsq1zveaPoeqXFl6HjqIqURB5NS +imJIi7kB7o6C2z19yxOndPm3urKGyfvxtSy2iyzTMZ8eL8RFMJC5DVV+n5Y+1EgC +pYIu//I0ojnFOemEJXVjfxQhiUbx6Nw8HalHOhW1i017XcOWMKji/lwHfWF2PFmn +pIWZCFPCUtHzBUkXCRzn9ESeMDcMXN6qLb2wGJkRUDw+Ls1RGJd6dnB811vOuOd+ +QQc8lyyBZ1byARcxQ8lAtof6Mv7Yzebv1OxRr7NcrV/+ujnSFyJWKrJdcMx7+10= +-----END CERTIFICATE----- diff --git a/examples/tls_client_example/tls_client_example.c b/examples/tls_client_example/tls_client_example.c index 44d4a906..c546f425 100644 --- a/examples/tls_client_example/tls_client_example.c +++ b/examples/tls_client_example/tls_client_example.c @@ -29,6 +29,14 @@ reportCallbackFunction(void* parameter, ClientReport report) } } +static void +securityEventHandler(void* parameter, TLSConfiguration_EventLevel eventLevel, int eventCode, const char* msg) +{ + (void)parameter; + + printf("[SECURITY EVENT] %s (t: %i, c: %i)\n", msg, eventLevel, eventCode); +} + int main(int argc, char** argv) { char* hostname; 
@@ -43,17 +51,19 @@ int main(int argc, char** argv) {
 TLSConfiguration_setChainValidation(tlsConfig, true);
 TLSConfiguration_setAllowOnlyKnownCertificates(tlsConfig, false);
- if (!TLSConfiguration_setOwnKeyFromFile(tlsConfig, "client1-key.pem", NULL)) {
+ TLSConfiguration_setEventHandler(tlsConfig, securityEventHandler, NULL);
+
+ if (!TLSConfiguration_setOwnKeyFromFile(tlsConfig, "client_CA1_1.key", NULL)) {
 printf("ERROR: Failed to load private key!\n");
 return 0;
 }
- if (!TLSConfiguration_setOwnCertificateFromFile(tlsConfig, "client1.cer")) {
+ if (!TLSConfiguration_setOwnCertificateFromFile(tlsConfig, "client_CA1_1.pem")) {
 printf("ERROR: Failed to load own certificate!\n");
 return 0;
 }
- if (!TLSConfiguration_addCACertificateFromFile(tlsConfig, "root.cer")) {
+ if (!TLSConfiguration_addCACertificateFromFile(tlsConfig, "root_CA1.pem")) {
 printf("ERROR: Failed to load root certificate\n");
 return 0;
 }
diff --git a/examples/tls_server_example/CMakeLists.txt b/examples/tls_server_example/CMakeLists.txt
index 47f4228c..da0c81d6 100644
--- a/examples/tls_server_example/CMakeLists.txt
+++ b/examples/tls_server_example/CMakeLists.txt
@@ -12,11 +12,11 @@ set_source_files_properties(${example_SRCS} PROPERTIES LANGUAGE CXX)
 ENDIF(MSVC)
-configure_file(server-key.pem server-key.pem COPYONLY)
-configure_file(server.cer server.cer COPYONLY)
-configure_file(client1.cer client1.cer COPYONLY)
-configure_file(client2.cer client2.cer COPYONLY)
-configure_file(root.cer root.cer COPYONLY)
+configure_file(server_CA1_1.key server_CA1_1.key COPYONLY)
+configure_file(server_CA1_1.pem server_CA1_1.pem COPYONLY)
+configure_file(client_CA1_1.pem client_CA1_1.pem COPYONLY)
+configure_file(client_CA1_2.pem client_CA1_2.pem COPYONLY)
+configure_file(root_CA1.pem root_CA1.pem COPYONLY)
 add_executable(tls_server_example ${example_SRCS}
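Review bot: The client now presents `client_CA1_1.pem`, whose validity field (decoding the UTCTime octets of the certificate added earlier in this diff) appears to run only from 2022-03-18 to 2022-04-17, so a peer that validates the chain would reject this client and the example only works against a server that pins the certificate bytes. If that reading is right, the demo certificates should be reissued with a realistic lifetime, or a comment next to `TLSConfiguration_setOwnCertificateFromFile` should state that the demo client certificate is short-lived and meant to be pinned, not validated. Independently, each failed load here does `return 0;`, which reports success to the shell; `return 1;` would let a script notice a broken TLS setup. main continues outside the hunk.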
diff --git a/examples/tls_server_example/client1.cer b/examples/tls_server_example/client1.cer deleted file mode 100644 index a5aa8db3..00000000 Binary files a/examples/tls_server_example/client1.cer and /dev/null differ diff --git a/examples/tls_server_example/client2.cer b/examples/tls_server_example/client2.cer deleted file mode 100644 index f482289b..00000000 Binary files a/examples/tls_server_example/client2.cer and /dev/null differ diff --git a/examples/tls_server_example/client_CA1_1.pem b/examples/tls_server_example/client_CA1_1.pem new file mode 100644 index 00000000..580cff4b --- /dev/null +++ b/examples/tls_server_example/client_CA1_1.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDWzCCAkMCFFTJkICEIidmnrisIFxZ99KKLhDFMA0GCSqGSIb3DQEBCwUAMGox +CzAJBgNVBAYTAkRFMQswCQYDVQQIDAJCVzERMA8GA1UEBwwIRnJlaWJ1cmcxGzAZ +BgNVBAoMEk1aIEF1dG9tYXRpb24gR21iSDEMMAoGA1UECwwDUiZEMRAwDgYDVQQD +DAdyb290X0NBMB4XDTIyMDMxODA5MzMxOFoXDTIyMDQxNzA5MzMxOFowajELMAkG +A1UEBhMCREUxCzAJBgNVBAgMAkJXMREwDwYDVQQHDAhGcmVpYnVyZzEbMBkGA1UE +CgwSTVogQXV0b21hdGlvbiBHbWJIMQwwCgYDVQQLDANSJkQxEDAOBgNVBAMMB2Ns +aWVudDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDY+5cw1Rg7jc1s +S8GYQCu7+4vUl1TqAW6Ewou5k49o4aMaG2EmIM70CydQbMoCTeb1Bn9iEDNj0KIR +5iycZo94jQ4F2SBaanPmT0XD5upqqXFhBPIHDr3+RhvA3IyYaxvxepcpm+E9d0uh +rGRWZL4AyXFVw3/tzaV1kZNMOuEG0md+48qsaYf1wWD5dW9SyQ9CxQjAm2fWw36e +Jn76GS6ILOahngD6bvdAAKW11yvto20cmaFpT+nVuYsiFh9vEabK+bZ9onyG1i5p +EGPoNxmrjgjIMbPYtOGZ1bOkhxhui8LMHZc+fbpvQFexcGk36m1/bGkAQNYN3NpH +pengGAnBAgMBAAEwDQYJKoZIhvcNAQELBQADggEBADSnrKdPqeUr3F1MIk6P8SKo +yR1VrPmNCljaC1i3realDlG+7jlPHfTCkwZwlEfKGa/yANJAw4hv+2tR5m4CsgMB +x6FkKG9p6NTXyv4gXZeLa3ivqFqz7awTVMBf1C1VVeTi/H2kvHSBRmbj6Z5p7/MN +9E1t5NsgbKKfbj4hQD+f7r6zgFdgTK8C5OYT2ijYryFl1Qqrl5CYPpswm3vL0KkM +e3RMOBqamkFqr4OCZw5juNpGrp3bK3dLF+N6Ceb+PGnS0YU29NpUXo64lzIxdwxs +NDqbFMYXEXGKqUDVQAuj1374M85Cvqlso0Jenc+hWN2/kfAgHGE1Ne3sD9oJg5w= +-----END CERTIFICATE----- 
diff --git a/examples/tls_server_example/client_CA1_2.pem b/examples/tls_server_example/client_CA1_2.pem new file mode 100644 index 00000000..156b3ee8 --- /dev/null +++ b/examples/tls_server_example/client_CA1_2.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDWzCCAkMCFFTJkICEIidmnrisIFxZ99KKLhDGMA0GCSqGSIb3DQEBCwUAMGox +CzAJBgNVBAYTAkRFMQswCQYDVQQIDAJCVzERMA8GA1UEBwwIRnJlaWJ1cmcxGzAZ +BgNVBAoMEk1aIEF1dG9tYXRpb24gR21iSDEMMAoGA1UECwwDUiZEMRAwDgYDVQQD +DAdyb290X0NBMB4XDTIyMDMxODA5MzY0OVoXDTIyMDQxNzA5MzY0OVowajELMAkG +A1UEBhMCREUxCzAJBgNVBAgMAkJXMREwDwYDVQQHDAhGcmVpYnVyZzEbMBkGA1UE +CgwSTVogQXV0b21hdGlvbiBHbWJIMQwwCgYDVQQLDANSJkQxEDAOBgNVBAMMB2Ns +aWVudDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8hnd/sd/nLJrN +wfei5lphgS71fpP567xgkrGaEy0/lyISeuYK8nkrHI3T5cz0IHsVRGai0cQPdrP5 +0Vdn7kj2rM/WzD7RzSRZIBydd4tnCZBz/bktTRtYNVve7+HaP9t4FxQdkMF4K3Jm +E/j/gYSYimR49DFjXI2om9kXWZ6pdQUyaKUr+zxgmovtQjtc7wdTdKmsKFQxQQhd +zWQajEpaNTL+JTJyrCZctryaILgYv4cvQbpF54zbcRsdoPRkP6azsR9GDhCYydwz +UGMr2CZ2C4BRwB8ChswDsU6iww5enF2vWIUY36VvjmSDDrsH1w4V9UCkSjYMg0VQ +Mmwc8kerAgMBAAEwDQYJKoZIhvcNAQELBQADggEBALYG8KSPm82uvgmeto76kL+N +nUgV1ojxj+X9yBrbrkgo4rnsXFU1NUqncdCfpvA7u9mqAjZ4KN+ORZIUp1SXUl3Z +TIpBClO5ML7wz1Iy6QrExeFwb2783Gl1jeq0lSQwWffNMwkPEqG1QYr/2IK9eSRJ +hDrure/Ys3s5F7grQ6vTWBQrEXynd81YqqZuBFFs7FuLhg0GK/OdpJ5i2BsLS+B3 +nEOxmgxZ1qLSqbYDjhawsjiSItvO8XxZjA99n3MpBVharqqwp0Xpkm+X30rWolUp +wur154X0dMZh8jF98KVrB/3Te9aidtyuO9EiGU2Qbkre7jK+Ol3nITR50Gy8yYU= +-----END CERTIFICATE----- diff --git a/examples/tls_server_example/root.cer b/examples/tls_server_example/root.cer deleted file mode 100644 index 87683444..00000000 Binary files a/examples/tls_server_example/root.cer and /dev/null differ diff --git a/examples/tls_server_example/root_CA1.pem b/examples/tls_server_example/root_CA1.pem new file mode 100644 index 00000000..0e7045a9 --- /dev/null +++ b/examples/tls_server_example/root_CA1.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIUJysTAOCqE3IaNO1QgtOPxMq6M8EwDQYJKoZIhvcNAQEL +BQAwajELMAkGA1UEBhMCREUxCzAJBgNVBAgMAkJXMREwDwYDVQQHDAhGcmVpYnVy +ZzEbMBkGA1UECgwSTVogQXV0b21hdGlvbiBHbWJIMQwwCgYDVQQLDANSJkQxEDAO +BgNVBAMMB3Jvb3RfQ0EwHhcNMjIwMzE4MDkyNzEwWhcNMzIwMzE1MDkyNzEwWjBq +MQswCQYDVQQGEwJERTELMAkGA1UECAwCQlcxETAPBgNVBAcMCEZyZWlidXJnMRsw +GQYDVQQKDBJNWiBBdXRvbWF0aW9uIEdtYkgxDDAKBgNVBAsMA1ImRDEQMA4GA1UE +AwwHcm9vdF9DQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOMyaDaT ++a4DT0s2NCrjUN8coLPfFrLRdN0Gx0hRViuLUFxd001jXruRgXKt2g8lR+YnzUeA +PQHbcIfRQhL+jy/ZMXpmz4Nrl7vyOWFdu8nBKU6c7y9LmSGbnOJZjDXwlX6ERwui +qFzAvRA6YXbPN8gY0B3Ou+T/mjkWN9L1x+V+7bGs9rVIoM78fVyM2FERBfsBtT76 +QVQv3KZ+a9EOLxqcZ/nGqsFFysFOSkiRC6Cy4mC5CSik9S5D7X9lz/bdga7O+hqd +SKfir6YMlQGV37JPqmz69N6vvb9UOX/G989T4qdVB/zQOvMdcIWXkqb3vSAXYi/c +ClVS1Pymsy/MXQ0CAwEAAaNTMFEwHQYDVR0OBBYEFGYgIECdrhTsmgCKpVM0RHeC +kFUmMB8GA1UdIwQYMBaAFGYgIECdrhTsmgCKpVM0RHeCkFUmMA8GA1UdEwEB/wQF +MAMBAf8wDQYJKoZIhvcNAQELBQADggEBACsiuHFQjqOglenp/fcNbU034m/vvkyV +SZXau9amXBWdeTEpc1HaPOYO7jFFnu/QoH6AbGZkpL0yWZJA2rf102AkOdAe6E0g +2H77/hHoHVCfxOiOl3+icsLXJ4VXqV2vmUOEVnWfHRtej4My6avT9uCNMO2bw9hm +56RAZrs82T9Mpg/1XQ9YUO1q4/JfP/+dCzPXAdwJ/h2cJ/q6Q9g1gRns8IzVlGOZ +0ZBQCLqLl8vUei+t6YgjyBbeNCz4CEcmXKIJeqMB1jhpsgr6BBMTNTU2Q60b9fzU +OCGLw94EnKYtHWGy2WHMFNbwkNCR0/jwhxKkU0HXy1aNMUBWp99M7P8= +-----END CERTIFICATE----- diff --git a/examples/tls_server_example/server-key.pem b/examples/tls_server_example/server-key.pem deleted file mode 100644 index 6fe35295..00000000 --- a/examples/tls_server_example/server-key.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAu3Fjxb904UdyV/dDfvs8SFi6zJeNoMYjmpXm/LBcFSH3zGoK -wdcMovrUTED3Cc6Ww84AYpJ5MRMPTct7DfKJkWfSnkzOPmLldTSTv3RvzGVb4NzK -QqA5aSVDqAzPiP5RnFT6Q4KWRe69TMFxpw7zMXCJx9jDggqN1oojGGkmSgYGXnFd -Nc20Mujejh5pihgwnN4Y/bPFyxJwvIMj+D8qr9klhEmXKPTiX9UFd8oLkn9JCB6+ -SiHhNyFIo+Llossn1Q2hxCGty36fAhEWzpfBTaY510VLjie9y4q9GPTwxITDqSQd -xcX8IuvrbxX0DyEK507SMmTJmB9448eF9ZCWFQIDAQABAoIBAC80BuQtqslwrKLq -adz4d93gOmp7X/c07pJnXZwU7ZuEylp3+e2Gsm/4qq3pTkzx8ZWtsvsf19U774av -z3VbtrkfZDLpNKcRUKeLbgmw0NawT8r4zxaoMsz/zWHsl/bv1K2B2ORXZnCGBrXl -oTFo2mWA6bGiLNn6vm1grCXhlPreywyG/kFK3pi2VvkpvG3XZSI7mmZ0Dq/MD3nO -03oOZBqwwnMObfQQdhKE7646/+KgeuF/JsXaUH4bkHmtzYWyocWYMqpC0hjpNWlQ -cKuQ7t1kfmpsGD9aNW4+ND2ok9BdxIiC+rPXS9NDqZxoWLp+a8seU++uqk1l8RPq -tPE3LqECgYEAz1NmemNLiUsKvyemUvjp8+dJupzWtdV7fsnCbYhj/5gDA2UhFKCf -dP9xiHCdNe0797oAqHY7c3JhS4ug8haDy9aDIu5GG2DNYzjX/oYm4ywbCdRx+uEN -RcTw69FjSYVGkObmxWYszwsFybRasV6PYamg65qYR3FlvW2Td4Fndy8CgYEA53L/ -zHtBRQiNGJU9jfMHeX0bTtXIAt622Qn78jw0it/rhXWi2RwG2Cw5Q2aPRJ6uMt9F -yk1+GAPZcwYqwjq/nKRrl71Tn+KDWIk5rz1fNYRkaXtnMLs2MOogqoDTBshW0QBq -tnPrFNsaLKX6V92Az69wHjd2uwvLQLTvS/EuNfsCgYEAr3to/uhytAd3VirKRep3 -o0E+D5zWw1upxrwhPDK4aUuSKVp8sIfvz8iyoQiomE9vdZPTIMPKOEI1BgtuM9pI -vcyYfIVvg5bg4T3o3H9SBPB9BknyG6ZHZKl4PjGht0X+X4GBDM4Z2Tj8Mijcpsph -1AkOsrzMbZQWyEoqCnnWSHMCgYAFEHUcak4BTrCXqxxPsNOnCt/AF9lqhqkFkrxa -joqvxzqGDw7jJUPZEw6ltObJn5c8Mbp7NLrfl6X4aFgjK9npeYeJKHFd/DzXgRks -BnHA4Aa6cCLP5CjJZTYVxP/ZFCUiKZosJ9kq+ahW9cLGjWg2IyaW4qvMZ/OolMzv -onVaZQKBgQCir8u1vDsyA4JQXMytPHBJe27XaLRGULvteNydVB59Vt21a99o5gt1 -5B9gwWArZdZby3/KZiliNmzp8lMCrLJYjTL5WK6dbWdq92X5hCOofKPIjEcgHjhk -mvnAos3HeC83bJQtADXhw9jR7Vr6GJLM9HDcIgeIMzX7+BuqlMgaHA== ------END RSA PRIVATE KEY----- diff --git a/examples/tls_server_example/server.cer b/examples/tls_server_example/server.cer deleted file mode 100644 index 957bdc30..00000000 Binary files a/examples/tls_server_example/server.cer and /dev/null differ 
diff --git a/examples/tls_server_example/server_CA1_1.key b/examples/tls_server_example/server_CA1_1.key new file mode 100644 index 00000000..e0402b2a --- /dev/null +++ b/examples/tls_server_example/server_CA1_1.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA2FFfpxEqImd01A9Q+ccTRDroVpz840ektXr45V0RQkpz8zSu +Iv5GXPqBXwSgKXsojoLkCYK+VmlX4GQ6xXblAKAd/flUS+WVsUq9kL9cud30dwYK +h2V4/Tm/NvUiZsYV3b5/8RfUpYwVNBW/eScbNXrVHNkiBrcIJtixruKsyH+drckP +7K4j+AZh43LGsK6NY+ppf5wHBctGWFOCFdJSrabck4oem807COKX9PhTfD87OnjB +QcqdHkus8WZP/SGnZV+6c1k0SN4O0E4MahpWkr8D2ZjsbhGFIW8AU4NdobsohClW +AZ0MDR1N4oo0sj4HgY2hGR2AbR/5Y2LH4kRcpQIDAQABAoIBAEK2tf1cedYqegl8 +v8iI8RQ15rnvqL6ftdiSmHiEf3ImbCQxtxLrwN+kEoovbwXcCeIJ1DJqtDEKRCPc +RZPo2y+aMiXF442UvNn05wnhOsPIBEFBB7ZCQVI3oRVd/MIdjVjaC7NbWiXEUjXC +D09aFDYmL9u5y5iukkEIy6PYHNmokN0MlHwhFqqp72hGe6UvHfZ6yu46z1eF6zLN +S4b2ULUzJ6Ov0Y7kmN7vP058yfZYHoj4TPeRBDm3Qx8g9c5d6da22vfkt61UzXEN +ih8fIejq6BGila2wMuZKyCM/Oxv5WX0RTzVQO13+42f29BM47Mdk/a8ijBZCzXnC +oAnHcwECgYEA7Isah3VNc4KkSNRrnV1UrInQ8BAlNLTN4cJTbyOkogCUECvfzAS+ +K/l8YZOzZ7YoJkK7RzDeUqRfrZhyJut6x7J/3Vl6qLXpnx3iEPJdxaD5L1iftnIP +NOytbphClO+VAjSO3frhlCwZ00Z6o6meTV+CNmRT2LDFEzxAMc3GtrECgYEA6hxh +m3S5KX7Ze/m5v9l4vi2iGDNBJkk48Cc+qfgVLGa0TSd7cY+8bjYNufr6vqThKlVu +RByZ3Wo5C5PfrkU69YbJ9LnQ+RTZPu+IxPIsUM3xlyTin7bufyOcWhPr1820MKqP +A/mRJ/SKel7ubrURai7KDETR0mI9XajhtwF/qjUCgYEAvW1sclwTCVTuwVAzWhM6 +0u2PACC92uaMFaYscM1nc0DpUcYA8/48WTTzUaUZwA1VO8am+Yz+DcqKwJdbmyVq +7u9YjGey3dbIX19sAcxGIhUWWL8tL8tJuEVtYirW7zSp7NkwLD5UVfe3OsWvQs97 +8VRyD6LqrpZpTE0sz3WOFBECgYAxgOLa3mmw7pPKdVnjyXaQsFGQUHY8REt37LSB +eGXxx53kmq6tqrkrjN6GLx4KZg7+xqXUXT/j4+xAGHq5/QWkmWXnC8u2f8QYXMpM +6vCX/ZRSY4hQQXxZAgyzt3atYV/y0n3/VyxsiHcnvR8p5bvS+iXbRkof9IoJXgas +jfKS6QKBgQC6ZFuvYIeqkfZ0Yyxxum3qlGxpR41wcuIpb4hBQ0gr1haTL0aaoUiQ +qqUfzVRst/oPxf6vqeCxtWh1/3lGa1QXP9KJDA5twFMqTg5jv92vjMIgPTEZ2Oif ++YyTs72V197KHctx2/T4RxAGhxCLJwDzk2shvLS+1voU/w40YRy9yA== +-----END RSA PRIVATE KEY----- 
diff --git a/examples/tls_server_example/server_CA1_1.pem b/examples/tls_server_example/server_CA1_1.pem new file mode 100644 index 00000000..1a55213c --- /dev/null +++ b/examples/tls_server_example/server_CA1_1.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDWzCCAkMCFFTJkICEIidmnrisIFxZ99KKLhDIMA0GCSqGSIb3DQEBCwUAMGox +CzAJBgNVBAYTAkRFMQswCQYDVQQIDAJCVzERMA8GA1UEBwwIRnJlaWJ1cmcxGzAZ +BgNVBAoMEk1aIEF1dG9tYXRpb24gR21iSDEMMAoGA1UECwwDUiZEMRAwDgYDVQQD +DAdyb290X0NBMB4XDTIyMDUyNjEwNDc0NFoXDTMwMDgxMjEwNDc0NFowajELMAkG +A1UEBhMCREUxCzAJBgNVBAgMAkJXMREwDwYDVQQHDAhGcmVpYnVyZzEbMBkGA1UE +CgwSTVogQXV0b21hdGlvbiBHbWJIMQwwCgYDVQQLDANSJkQxEDAOBgNVBAMMB3Nl +cnZlcjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYUV+nESoiZ3TU +D1D5xxNEOuhWnPzjR6S1evjlXRFCSnPzNK4i/kZc+oFfBKApeyiOguQJgr5WaVfg +ZDrFduUAoB39+VRL5ZWxSr2Qv1y53fR3BgqHZXj9Ob829SJmxhXdvn/xF9SljBU0 +Fb95Jxs1etUc2SIGtwgm2LGu4qzIf52tyQ/sriP4BmHjcsawro1j6ml/nAcFy0ZY +U4IV0lKtptyTih6bzTsI4pf0+FN8Pzs6eMFByp0eS6zxZk/9IadlX7pzWTRI3g7Q +TgxqGlaSvwPZmOxuEYUhbwBTg12huyiEKVYBnQwNHU3iijSyPgeBjaEZHYBtH/lj +YsfiRFylAgMBAAEwDQYJKoZIhvcNAQELBQADggEBANPRnvfByVoKwfMcQYUnYT6l +5OhYt8f2tQfoa0EXirP0O2xG052ZBl3Z5ZzBCcsq1zveaPoeqXFl6HjqIqURB5NS +imJIi7kB7o6C2z19yxOndPm3urKGyfvxtSy2iyzTMZ8eL8RFMJC5DVV+n5Y+1EgC +pYIu//I0ojnFOemEJXVjfxQhiUbx6Nw8HalHOhW1i017XcOWMKji/lwHfWF2PFmn +pIWZCFPCUtHzBUkXCRzn9ESeMDcMXN6qLb2wGJkRUDw+Ls1RGJd6dnB811vOuOd+ +QQc8lyyBZ1byARcxQ8lAtof6Mv7Yzebv1OxRr7NcrV/+ujnSFyJWKrJdcMx7+10= +-----END CERTIFICATE----- diff --git a/examples/tls_server_example/tls_server_example.c b/examples/tls_server_example/tls_server_example.c index f22aaf23..d5fdf211 100644 --- a/examples/tls_server_example/tls_server_example.c +++ b/examples/tls_server_example/tls_server_example.c 
@@ -105,6 +105,14 @@ clientAuthenticator(void* parameter, AcseAuthenticationParameter authParameter,
 return true;
 }
+static void
+securityEventHandler(void* parameter, TLSConfiguration_EventLevel eventLevel, int eventCode, const char* msg)
+{
+ (void)parameter;
+
+ printf("[SECURITY EVENT] %s (t: %i, c: %i)\n", msg, eventLevel, eventCode);
+}
+
 int
 main(int argc, char** argv)
 {
@@ -115,17 +123,19 @@ main(int argc, char** argv)
 TLSConfiguration_setChainValidation(tlsConfig, false);
 TLSConfiguration_setAllowOnlyKnownCertificates(tlsConfig, true);
- if (!TLSConfiguration_setOwnKeyFromFile(tlsConfig, "server-key.pem", NULL)) {
+ TLSConfiguration_setEventHandler(tlsConfig, securityEventHandler, NULL);
+
+ if (!TLSConfiguration_setOwnKeyFromFile(tlsConfig, "server_CA1_1.key", NULL)) {
 printf("Failed to load private key!\n");
 return 0;
 }
- if (!TLSConfiguration_setOwnCertificateFromFile(tlsConfig, "server.cer")) {
+ if (!TLSConfiguration_setOwnCertificateFromFile(tlsConfig, "server_CA1_1.pem")) {
 printf("ERROR: Failed to load own certificate!\n");
 return 0;
 }
- if (!TLSConfiguration_addCACertificateFromFile(tlsConfig, "root.cer")) {
+ if (!TLSConfiguration_addCACertificateFromFile(tlsConfig, "root_CA1.pem")) {
 printf("ERROR: Failed to load root certificate\n");
 return 0;
 }
@@ -134,12 +144,12 @@ main(int argc, char** argv)
 * Configure two allowed clients
 */
- if (!TLSConfiguration_addAllowedCertificateFromFile(tlsConfig, "client1.cer")) {
+ if (!TLSConfiguration_addAllowedCertificateFromFile(tlsConfig, "client_CA1_1.pem")) {
 printf("ERROR: Failed to load allowed client certificate\n");
 return 0;
 }
- if (!TLSConfiguration_addAllowedCertificateFromFile(tlsConfig, "client2.cer")) {
+ if (!TLSConfiguration_addAllowedCertificateFromFile(tlsConfig, "client_CA1_2.pem")) {
 printf("ERROR: Failed to load allowed client certificate\n");
 return 0;
 }
diff --git a/hal/inc/hal_socket.h b/hal/inc/hal_socket.h
index 5c594f83..2f681cce 100644
--- a/hal/inc/hal_socket.h
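Review bot: With `TLSConfiguration_setChainValidation(tlsConfig, false)` and `TLSConfiguration_setAllowOnlyKnownCertificates(tlsConfig, true)` the server's acceptance decision rests entirely on the pinned certificate bytes, and nothing in this example would notice that a pinned client certificate has expired or been revoked; if I decode the validity fields of the pinned client_CA1_1.pem/client_CA1_2.pem correctly, they expired on 2022-04-17, so the example is silently relying on exactly that. Pinning without lifetime checks can be a valid choice for fixed device fleets, but the example should say so rather than let readers copy it unaware: `/* Pinning only: with chain validation off, expiry and revocation of the pinned client certificates are NOT checked */` above the `setChainValidation` call. As in the client example, `return 0;` after a failed key or certificate load reports success to the caller; `return 1;` is the conventional choice. main's body continues outside the hunk.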
+++ b/hal/inc/hal_socket.h
@@ -306,7 +306,7 @@ Socket_getLocalAddress(Socket self);
 /**
 * \brief Get the address of the peer application (IP address and port number)
 *
- * The peer address has to be returned as
+ * The peer address has to be returned as null terminated string
 *
 * Implementation of this function is MANDATORY (libiec61850)
 *
@@ -320,7 +320,7 @@ Socket_getPeerAddress(Socket self);
 /**
 * \brief Get the address of the peer application (IP address and port number)
 *
- * The peer address has to be returned as
+ * The peer address has to be returned as null terminated string
 *
 * Implementation of this function is MANDATORY (lib60870)
 *
diff --git a/hal/inc/tls_config.h b/hal/inc/tls_config.h
index 2accacaa..37af40c2 100644
--- a/hal/inc/tls_config.h
+++ b/hal/inc/tls_config.h
@@ -50,6 +50,54 @@ TLSConfiguration_create(void);
 PAL_API void
 TLSConfiguration_setClientMode(TLSConfiguration self);
+typedef enum {
+ TLS_SEC_EVT_INFO = 0,
+ TLS_SEC_EVT_WARNING = 1,
+ TLS_SEC_EVT_INCIDENT = 2
+} TLSConfiguration_EventLevel;
+
+#define TLS_EVENT_CODE_ALM_ALGO_NOT_SUPPORTED 1
+#define TLS_EVENT_CODE_ALM_UNSECURE_COMMUNICATION 2
+#define TLS_EVENT_CODE_ALM_CERT_UNAVAILABLE 3
+#define TLS_EVENT_CODE_ALM_BAD_CERT 4
+#define TLS_EVENT_CODE_ALM_CERT_SIZE_EXCEEDED 5
+#define TLS_EVENT_CODE_ALM_CERT_VALIDATION_FAILED 6
+#define TLS_EVENT_CODE_ALM_CERT_REQUIRED 7
+#define TLS_EVENT_CODE_ALM_HANDSHAKE_FAILED_UNKNOWN_REASON 8
+#define TLS_EVENT_CODE_WRN_INSECURE_TLS_VERSION 9
+#define TLS_EVENT_CODE_INF_SESSION_RENEGOTIATION 10
+#define TLS_EVENT_CODE_ALM_CERT_EXPIRED 11
+#define TLS_EVENT_CODE_ALM_CERT_REVOKED 12
+#define TLS_EVENT_CODE_ALM_CERT_NOT_CONFIGURED 13
+#define TLS_EVENT_CODE_ALM_CERT_NOT_TRUSTED 12
+
+typedef void (*TLSConfiguration_EventHandler)(void* parameter, TLSConfiguration_EventLevel eventLevel, int eventCode, const char* message);
+
+/**
+ * \brief Set the security event handler
+ */
+PAL_API void
+TLSConfiguration_setEventHandler(TLSConfiguration self, TLSConfiguration_EventHandler handler, void* parameter);
+
+/**
+ * \brief enable or disable TLS session resumption (default: enabled)
+ *
+ * NOTE: Depending on the used TLS version this is implemented by
+ * session IDs or by session tickets.
+ *
+ * \param enable true to enable session resumption, false otherwise
+ */
+PAL_API void
+TLSConfiguration_enableSessionResumption(TLSConfiguration self, bool enable);
+
+/**
+ * \brief Set the maximum life time of a cached TLS session for session resumption in seconds
+ *
+ * \param intervalInSeconds the maximum lifetime of a cached TLS session
+ */
+PAL_API void
+TLSConfiguration_setSessionResumptionInterval(TLSConfiguration self, int intervalInSeconds);
+
 /**
 * \brief Enables the validation of the certificate trust chain (enabled by default)
 *
diff --git a/hal/tls/mbedtls/tls_mbedtls.c b/hal/tls/mbedtls/tls_mbedtls.c
index 6603f08a..19ac7421 100644
--- a/hal/tls/mbedtls/tls_mbedtls.c
+++ b/hal/tls/mbedtls/tls_mbedtls.c
@@ -3,7 +3,7 @@
 *
 * TLS API for TCP/IP protocol stacks
 *
- * Copyright 2017-2021 Michael Zillgith, MZ Automation GmbH
+ * Copyright 2017-2022 Michael Zillgith
 *
 * Implementation of the TLS abstraction layer for mbedtls
 *
@@ -26,6 +26,15 @@
 #include "mbedtls/net_sockets.h"
 #include "mbedtls/error.h"
 #include "mbedtls/debug.h"
+#include "mbedtls/ssl_cache.h"
+
+#define SEC_EVENT_ALARM 2
+#define SEC_EVENT_WARNING 1
+#define SEC_EVENT_INFO 0
+
+#ifndef CONFIG_DEBUG_TLS
+#define CONFIG_DEBUG_TLS 0
+#endif
 #if (CONFIG_DEBUG_TLS == 1)
 #define DEBUG_PRINT(appId, fmt, ...) fprintf(stderr, "%s: " fmt, appId, ## __VA_ARGS__);
@@ -48,6 +57,13 @@ struct sTLSConfiguration {
 mbedtls_ssl_config conf;
 LinkedList /* */ allowedCertificates;
+ /* session cache for server */
+ mbedtls_ssl_cache_context cache;
+
+ /* client side cached session */
+ mbedtls_ssl_session* savedSession;
+ uint64_t savedSessionTime;
+
 bool chainValidation;
 bool allowOnlyKnownCertificates;
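Review bot: `TLS_EVENT_CODE_ALM_CERT_NOT_TRUSTED` and `TLS_EVENT_CODE_ALM_CERT_REVOKED` are both defined as 12, so an event consumer (a SIEM forwarder keyed on `eventCode`) cannot distinguish a revoked certificate from an untrusted one; the next free value is 14, i.e. `#define TLS_EVENT_CODE_ALM_CERT_NOT_TRUSTED 14`. The two session-resumption setters are also documented without their ordering constraint: in the mbedtls implementation in this diff the cache is configured once in `TLSConfiguration_setupComplete`, so both \brief comments should add `NOTE: has to be called before the configuration is used by the first connection`. For the event handler, the header should state in which thread the callback runs and that `message` is only valid for the duration of the call, because nothing in the API promises otherwise and handlers that store the pointer will read freed memory.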
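Review bot: The new `SEC_EVENT_ALARM`/`SEC_EVENT_WARNING`/`SEC_EVENT_INFO` macros duplicate the values of the public `TLSConfiguration_EventLevel` enum added to tls_config.h in this same diff, and nothing in the hunks shown uses them (the one call site passes `TLS_SEC_EVT_INCIDENT`). Two parallel definitions of the same levels will drift; I would delete the three macros and use the enum throughout, or, if they are needed by code outside this diff, define them in terms of the enum: `#define SEC_EVENT_ALARM TLS_SEC_EVT_INCIDENT`.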
@@ -60,7 +76,16 @@ struct sTLSConfiguration {
 /* TLS minimum version allowed (default: TLS_VERSION_TLS_1_2) */
 TLSConfigVersion maxVersion;
+ TLSConfiguration_EventHandler eventHandler;
+ void* eventHandlerParameter;
+
+ /* time of the last CRL update */
+ uint64_t crlUpdated;
+
 bool setupComplete;
+
+ bool useSessionResumption;
+ int sessionResumptionInterval; /* session resumption interval in seconds */
 };
 struct sTLSSocket {
@@ -74,8 +99,19 @@ struct sTLSSocket {
 /* time of last session renegotiation (used to calculate next renegotiation time) */
 uint64_t lastRenegotiationTime;
+
+ /* time of the last CRL update */
+ uint64_t crlUpdated;
 };
+static void
+raiseSecurityEvent(TLSConfiguration config, TLSConfiguration_EventLevel eventCategory, int eventCode, const char* message)
+{
+ if (config->eventHandler) {
+ config->eventHandler(config->eventHandlerParameter, eventCategory, eventCode, message);
+ }
+}
+
 static bool
 compareCertificates(mbedtls_x509_crt *crt1, mbedtls_x509_crt *crt2)
 {
@@ -137,17 +173,25 @@ verifyCertificate (void* parameter, mbedtls_x509_crt *crt, int certificate_depth
 if (certMatches) *flags = 0;
- else
+ else {
+ raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_INCIDENT, TLS_EVENT_CODE_ALM_CERT_NOT_CONFIGURED, "Incident: Certificate not configured");
+
+ *flags |= MBEDTLS_X509_BADCERT_OTHER;
 return 1;
+ }
 }
 if (self->storePeerCert) {
 if (*flags == 0) {
- self->peerCertLength = crt->raw.len;
- self->peerCert = (uint8_t*) GLOBAL_MALLOC(self->peerCertLength);
- memcpy(self->peerCert, crt->raw.p, self->peerCertLength);
+ self->peerCertLength = 0;
+ self->peerCert = (uint8_t*) GLOBAL_MALLOC(crt->raw.len);
+
+ if (self->peerCert) {
+ memcpy(self->peerCert, crt->raw.p, self->peerCertLength);
+ self->peerCertLength = crt->raw.len;
+ }
 }
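Review bot: The rewritten `storePeerCert` branch copies nothing: `self->peerCertLength` is set to 0 and then used as the `memcpy` length, so the `crt->raw.len`-byte buffer just allocated for `peerCert` stays uninitialised heap memory while `peerCertLength` is afterwards set to the full length, and anything that later reads the stored peer certificate gets garbage of the right size. The fix is `memcpy(self->peerCert, crt->raw.p, crt->raw.len);` before the length assignment. Separately, the pinned-match path still does `*flags = 0;`, which discards every mbedtls verification result for a known certificate, including `MBEDTLS_X509_BADCERT_EXPIRED` and `MBEDTLS_X509_BADCERT_REVOKED`, while the new else branch only raises `CERT_NOT_CONFIGURED`; if pinning is meant to override expiry and revocation that deserves a comment, otherwise keep those bits when chain validation is enabled. verifyCertificate begins and ends outside the hunk.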
@@ -166,11 +210,28 @@ TLSConfiguration_setupComplete(TLSConfiguration self) if (self->setupComplete == false) { mbedtls_ssl_conf_ca_chain( &(self->conf), &(self->cacerts), &(self->crl) ); - int ret = mbedtls_ssl_conf_own_cert( &(self->conf), &(self->ownCertificate), &(self->ownKey)); + if (self->ownCertificate.version > 0) { + int ret = mbedtls_ssl_conf_own_cert( &(self->conf), &(self->ownCertificate), &(self->ownKey)); - if (ret != 0) { - DEBUG_PRINT("TLS", "mbedtls_ssl_conf_own_cert returned %d\n", ret); - return false; + if (ret != 0) { + DEBUG_PRINT("TLS", "mbedtls_ssl_conf_own_cert returned %d\n", ret); + return false; + } + } + + if (self->useSessionResumption) { + if (self->conf.endpoint == MBEDTLS_SSL_IS_CLIENT) { + + } + else { + mbedtls_ssl_cache_init( &(self->cache) ); + + self->cache.timeout = self->sessionResumptionInterval; + + mbedtls_ssl_conf_session_cache( &(self->conf), &(self->cache), + mbedtls_ssl_cache_get, + mbedtls_ssl_cache_set ); + } } self->setupComplete = true; @@ -182,7 +243,7 @@ TLSConfiguration_setupComplete(TLSConfiguration self) TLSConfiguration TLSConfiguration_create() { - TLSConfiguration self = (TLSConfiguration) GLOBAL_MALLOC(sizeof(struct sTLSConfiguration)); + TLSConfiguration self = (TLSConfiguration) GLOBAL_CALLOC(1, sizeof(struct sTLSConfiguration)); if (self != NULL) { mbedtls_ssl_config_init( &(self->conf) ); @@ -220,6 +281,14 @@ TLSConfiguration_create() self->chainValidation = true; self->allowOnlyKnownCertificates = false; self->setupComplete = false; + + self->eventHandler = NULL; + self->eventHandlerParameter = NULL; + + self->useSessionResumption = true; + self->sessionResumptionInterval = 21600; /* default value: 6h */ + self->savedSession = NULL; + self->savedSessionTime = 0; } return self; 
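Review bot: `mbedtls_ssl_conf_session_cache` and the cache timeout are applied to the configuration's `self->conf`, while `TLSSocket_create` in later hunks configures and passes to `mbedtls_ssl_setup` the socket's own `self->conf`; unless that per-socket config is copied from `configuration->conf` somewhere outside these hunks, the server cache never takes effect on real connections, which is worth verifying. Prefer `mbedtls_ssl_cache_set_timeout(&(self->cache), self->sessionResumptionInterval);` over poking `self->cache.timeout` directly, and either fill or remove the empty `MBEDTLS_SSL_IS_CLIENT` branch; a comment such as `/* client side: the session is captured per socket in TLSSocket_create */` would explain why nothing happens there.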
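Review bot: Session resumption is switched on by default with a 6 h lifetime, and an abbreviated (resumed) handshake does not exchange or re-verify certificates, so a peer whose certificate is revoked after the first handshake can keep resuming for up to `sessionResumptionInterval` without passing through `verifyCertificate` again. That is a common trade-off, but it changes existing behaviour for every user of the library, so spell it out next to the defaults: `/* default: resumption enabled, cached sessions valid for 6h; resumed handshakes do not re-verify the peer certificate */`, and consider whether an opt-in default is the safer choice here.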
@@ -231,6 +300,25 @@ TLSConfiguration_setClientMode(TLSConfiguration self) self->conf.endpoint = MBEDTLS_SSL_IS_CLIENT; } +void +TLSConfiguration_enableSessionResumption(TLSConfiguration self, bool enable) +{ + self->useSessionResumption = enable; +} + +void +TLSConfiguration_setSessionResumptionInterval(TLSConfiguration self, int intervalInSeconds) +{ + self->sessionResumptionInterval = intervalInSeconds; +} + +void +TLSConfiguration_setEventHandler(TLSConfiguration self, TLSConfiguration_EventHandler handler, void* parameter) +{ + self->eventHandler = handler; + self->eventHandlerParameter = parameter; +} + void TLSConfiguration_setMinTlsVersion(TLSConfiguration self, TLSConfigVersion version) { @@ -365,6 +453,9 @@ TLSConfiguration_addCRL(TLSConfiguration self, uint8_t* crl, int crlLen) if (ret != 0) { DEBUG_PRINT("TLS", "mbedtls_x509_crl_parse returned %d\n", ret); } + else { + self->crlUpdated = Hal_getTimeInMs(); + } return (ret == 0); } @@ -389,6 +480,18 @@ TLSConfiguration_setRenegotiationTime(TLSConfiguration self, int timeInMs) void TLSConfiguration_destroy(TLSConfiguration self) { + if (self->useSessionResumption) { + if (self->conf.endpoint == MBEDTLS_SSL_IS_CLIENT) { + if (self->savedSession) { + mbedtls_ssl_session_free(self->savedSession); + GLOBAL_FREEMEM(self->savedSession); + } + } + else { + mbedtls_ssl_cache_free(&(self->cache)); + } + } + mbedtls_x509_crt_free(&(self->ownCertificate)); mbedtls_x509_crt_free(&(self->cacerts)); mbedtls_x509_crl_free(&(self->crl)); 
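Review bot: `TLSConfiguration_setSessionResumptionInterval` accepts any `int`, including negative values, and once `TLSConfiguration_setupComplete` has copied the value into `self->cache.timeout` a later call no longer affects the server cache, while the client path keeps using the new value; the ordering constraint is not documented anywhere. Reject negatives (`if (intervalInSeconds < 0) return;`) and add to the header comment `/* must be set before TLSConfiguration_setupComplete; later changes only affect the client side */`.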
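Review bot: `TLSConfiguration_addCRL` records `crlUpdated` so that live sockets re-point their CA chain, but it does not touch the server cache or `savedSession`, so a session established before the revocation can still be resumed for the rest of `sessionResumptionInterval` without the new CRL ever being consulted. Invalidating cached sessions on a successful CRL load closes that gap: on the client `self->savedSessionTime = 0;`, on the server drop the cache contents (free and re-init, or a temporarily shortened timeout). TLSConfiguration_addCRL's body starts before this hunk.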
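Review bot: `mbedtls_ssl_cache_free` runs for every server-side configuration with `useSessionResumption` set, but `mbedtls_ssl_cache_init` only runs inside `TLSConfiguration_setupComplete`, so a configuration that is created and destroyed without completing setup frees a cache context that was never initialised; the new `GLOBAL_CALLOC` zero-fills it, which I believe makes the free harmless without `MBEDTLS_THREADING_C`, but a threading-enabled build would free an uninitialised mutex. Guard it with the flag that already exists: `if (self->setupComplete) mbedtls_ssl_cache_free(&(self->cache));`. TLSConfiguration_destroy continues outside this hunk.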
@@ -410,6 +513,67 @@ TLSConfiguration_destroy(TLSConfiguration self) GLOBAL_FREEMEM(self); } +static void +createSecurityEvents(TLSConfiguration config, int ret, uint32_t flags) +{ + if (config->eventHandler == NULL) + return; + + switch (ret) { + + case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE: + raiseSecurityEvent(config, TLS_SEC_EVT_INCIDENT, TLS_EVENT_CODE_ALM_ALGO_NOT_SUPPORTED, "Incident: Algorithm not supported"); + break; + + case MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION: + raiseSecurityEvent(config,TLS_SEC_EVT_INCIDENT, TLS_EVENT_CODE_ALM_UNSECURE_COMMUNICATION, "Incident: Unsecure communication"); + break; + + case MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE: + raiseSecurityEvent(config,TLS_SEC_EVT_INCIDENT, TLS_EVENT_CODE_ALM_CERT_UNAVAILABLE, "Incident: Certificate unavailable"); + break; + + case MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE: + raiseSecurityEvent(config,TLS_SEC_EVT_INCIDENT, TLS_EVENT_CODE_ALM_BAD_CERT, "Incident: Bad certificate"); + break; + + case MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE: + raiseSecurityEvent(config,TLS_SEC_EVT_INCIDENT, TLS_EVENT_CODE_ALM_CERT_SIZE_EXCEEDED, "Incident: TLS certificate size exceeded"); + break; + + case MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED: + raiseSecurityEvent(config,TLS_SEC_EVT_INCIDENT, TLS_EVENT_CODE_ALM_CERT_VALIDATION_FAILED, "Incident: certificate validation: certificate signature could not be validated"); + break; + + case MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED: + raiseSecurityEvent(config,TLS_SEC_EVT_INCIDENT, TLS_EVENT_CODE_ALM_CERT_REQUIRED, "Incident: Certificate required"); + break; + + case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: + { + if (flags & MBEDTLS_X509_BADCERT_EXPIRED) { + raiseSecurityEvent(config,TLS_SEC_EVT_INCIDENT, TLS_EVENT_CODE_ALM_CERT_EXPIRED, "Incident: Certificate expired"); + } + else if (flags & MBEDTLS_X509_BADCERT_REVOKED) { + raiseSecurityEvent(config,TLS_SEC_EVT_INCIDENT, TLS_EVENT_CODE_ALM_CERT_REVOKED, "Incident: Certificate revoked"); + } + else if (flags & 
MBEDTLS_X509_BADCERT_NOT_TRUSTED) { + raiseSecurityEvent(config,TLS_SEC_EVT_INCIDENT, TLS_EVENT_CODE_ALM_CERT_NOT_TRUSTED, "Incident: Certificate validation: CA certificate not available"); + } + else if (flags & MBEDTLS_X509_BADCERT_OTHER) { + raiseSecurityEvent(config,TLS_SEC_EVT_INCIDENT, TLS_EVENT_CODE_ALM_CERT_NOT_CONFIGURED, "Incident: Certificate not configured"); + } + else { + raiseSecurityEvent(config,TLS_SEC_EVT_INCIDENT, TLS_EVENT_CODE_ALM_CERT_VALIDATION_FAILED, "Incident: Certificate verification failed"); + } + } + break; + + default: + raiseSecurityEvent(config,TLS_SEC_EVT_INCIDENT, TLS_EVENT_CODE_ALM_HANDSHAKE_FAILED_UNKNOWN_REASON, "Incident: handshake failed for unknown reason"); + break; + } +} static int readFunction(void* ctx, unsigned char* buf, size_t len) @@ -429,6 +593,30 @@ writeFunction(void* ctx, unsigned char* buf, size_t len) return Socket_write((Socket)ctx, buf, (int)len); } +static TLSConfigVersion +getTLSVersion(int majorVersion, int minorVersion) +{ + if (majorVersion != 3) { + return TLS_VERSION_NOT_SELECTED; + } + else { + switch (minorVersion) { + case 0: + return TLS_VERSION_SSL_3_0; + case 1: + return TLS_VERSION_TLS_1_0; + case 2: + return TLS_VERSION_TLS_1_1; + case 3: + return TLS_VERSION_TLS_1_2; + case 4: + return TLS_VERSION_TLS_1_3; + default: + return TLS_VERSION_NOT_SELECTED; + } + } +} + static int getMajorVersion(TLSConfigVersion version) { @@ -472,7 +660,7 @@ TLSSocket_create(Socket socket, TLSConfiguration configuration, bool storeClient { TLSSocket self = (TLSSocket) GLOBAL_CALLOC(1, sizeof(struct sTLSSocket)); - if (self != NULL) { + if (self) { self->socket = socket; self->tlsConfig = configuration; 
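Review bot: The `MBEDTLS_ERR_X509_CERT_VERIFY_FAILED` branch tests `MBEDTLS_X509_BADCERT_EXPIRED` before `MBEDTLS_X509_BADCERT_REVOKED`, so a certificate that is both expired and revoked is reported as merely expired; for incident triage the revocation is the signal that matters, so check `REVOKED` first. Separately, the `default` case reports every unmatched code as `TLS_EVENT_CODE_ALM_HANDSHAKE_FAILED_UNKNOWN_REASON`, and later hunks call this function from `TLSSocket_read` too, where a transport error mid-session would then be logged as a handshake failure; either pass in whether the caller was handshaking or use a distinct code for read-path failures. A header comment such as `/* map an mbedtls error code (plus X.509 verify flags) to a security event; codes not listed fall back to the generic handshake alarm */` would also help readers.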
@@ -490,6 +678,8 @@ TLSSocket_create(Socket socket, TLSConfiguration configuration, bool storeClient mbedtls_ssl_conf_ca_chain( &(self->conf), &(configuration->cacerts), &(configuration->crl) ); + self->crlUpdated = configuration->crlUpdated; + if (configuration->minVersion != TLS_VERSION_NOT_SELECTED) { /* set minimum TLS version */ @@ -508,10 +698,12 @@ TLSSocket_create(Socket socket, TLSConfiguration configuration, bool storeClient mbedtls_ssl_conf_max_version( &(self->conf), majorVer, minorVer); } - ret = mbedtls_ssl_conf_own_cert( &(self->conf), &(configuration->ownCertificate), &(configuration->ownKey)); + if (configuration->ownCertificate.version > 0) { + ret = mbedtls_ssl_conf_own_cert( &(self->conf), &(configuration->ownCertificate), &(configuration->ownKey)); - if (ret != 0) - DEBUG_PRINT("TLS", "mbedtls_ssl_conf_own_cert returned %d\n", ret); + if (ret != 0) + DEBUG_PRINT("TLS", "mbedtls_ssl_conf_own_cert returned %d\n", ret); + } ret = mbedtls_ssl_setup( &(self->ssl), &(self->conf) ); 
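Review bot: With the `ownCertificate.version > 0` guard a configuration without an own certificate now proceeds silently, so a server that simply never loaded one fails later in the handshake with no hint in the debug output; as the surrounding error handling is `DEBUG_PRINT`-only anyway, at least log it: `else DEBUG_PRINT("TLS", "no own certificate configured\n");`. The same check is duplicated in `TLSConfiguration_setupComplete`, and a failing `mbedtls_ssl_conf_own_cert` still does not abort socket creation (pre-existing). TLSSocket_create continues outside this hunk.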
@@ -521,12 +713,44 @@ TLSSocket_create(Socket socket, TLSConfiguration configuration, bool storeClient mbedtls_ssl_set_bio(&(self->ssl), socket, (mbedtls_ssl_send_t*) writeFunction, (mbedtls_ssl_recv_t*) readFunction, NULL); + bool reuseSession = false; + + if (configuration->useSessionResumption) { + if (configuration->conf.endpoint == MBEDTLS_SSL_IS_CLIENT) { + if (configuration->savedSession && configuration->savedSessionTime > 0) { + + if (Hal_getTimeInMs() < (configuration->savedSessionTime + configuration->sessionResumptionInterval * 1000)) { + + ret = mbedtls_ssl_set_session(&(self->ssl), configuration->savedSession); + + if (ret != 0) { + DEBUG_PRINT("TLS", "mbedtls_ssl_set_session returned %d\n", ret); + configuration->savedSessionTime = 0; + } + else { + DEBUG_PRINT("TLS", "resume TLS session\n"); + reuseSession = true; + } + } + else { + configuration->savedSessionTime = 0; + DEBUG_PRINT("TLS", "cached session expired\n"); + } + + } + } + } + while( (ret = mbedtls_ssl_handshake(&(self->ssl)) ) != 0 ) { if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { DEBUG_PRINT("TLS", "handshake failed - mbedtls_ssl_handshake --> %d\n\n", ret ); + uint32_t flags = mbedtls_ssl_get_verify_result(&(self->ssl)); + + createSecurityEvents(configuration, ret, flags); + mbedtls_ssl_free(&(self->ssl)); if (self->peerCert) { 
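Review bot: `configuration->sessionResumptionInterval * 1000` is evaluated in `int` before it is added to the `uint64_t` timestamp, so any interval above roughly 2.1 million seconds overflows and the expiry comparison misbehaves; widen first: `(uint64_t) configuration->sessionResumptionInterval * 1000ULL`. `reuseSession` is set on the resume path but never read within this hunk; if nothing after the handshake consumes it, drop it or use it to skip the re-save below. TLSSocket_create continues past this hunk.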
@@ -539,10 +763,35 @@ TLSSocket_create(Socket socket, TLSConfiguration configuration, bool storeClient } } + if (configuration->useSessionResumption) { + if (configuration->conf.endpoint == MBEDTLS_SSL_IS_CLIENT) { + + if (configuration->savedSession == NULL) { + configuration->savedSession = GLOBAL_CALLOC(1, sizeof(mbedtls_ssl_session)); + } + + if (configuration->savedSession) { + + if (configuration->savedSessionTime == 0) { + ret = mbedtls_ssl_get_session(&(self->ssl), configuration->savedSession); + + if (ret != 0) { + DEBUG_PRINT("TLS", "mbedtls_ssl_get_session returned %d\n", ret); + } + else { + configuration->savedSessionTime = Hal_getTimeInMs(); + } + } + } + } + } + self->lastRenegotiationTime = Hal_getTimeInMs(); - /* TODO check for TLS version warning or alarm condition */ - /* printf("TLS %i.%i\n", self->ssl.major_ver, self->ssl.minor_ver); */ + if (getTLSVersion(self->ssl.major_ver, self->ssl.minor_ver) < TLS_VERSION_TLS_1_2) { + raiseSecurityEvent(configuration, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_INSECURE_TLS_VERSION, "Warning: Insecure TLS version"); + } + } return self; 
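Review bot: When the cached session has expired, the resume path only resets `savedSessionTime`, so `mbedtls_ssl_get_session` here refills a `savedSession` that still holds the previous session's allocations; as far as I recall mbedtls's session copy frees the destination first, but the lifetime is clearer and independent of the mbedtls release with an explicit `mbedtls_ssl_session_free(configuration->savedSession);` before the `mbedtls_ssl_get_session` call. The version warning reads `self->ssl.major_ver`/`minor_ver` directly, which are internal fields (private in mbedtls 3.x); the public accessor for the negotiated version would avoid that dependency. TLSSocket_create continues past this hunk.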
@@ -560,17 +809,44 @@ TLSSocket_getPeerCertificate(TLSSocket self, int* certSize) bool TLSSocket_performHandshake(TLSSocket self) { - if (mbedtls_ssl_renegotiate(&(self->ssl)) == 0) + int ret = mbedtls_ssl_renegotiate(&(self->ssl)); + + if (ret == 0) { + if (getTLSVersion(self->ssl.major_ver, self->ssl.minor_ver) < TLS_VERSION_TLS_1_2) { + raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_INSECURE_TLS_VERSION, "Warning: Insecure TLS version"); + } + return true; - else + } + else { + DEBUG_PRINT("TLS", "TLSSocket_performHandshake failed -> ret=%i\n", ret); + + if (self->tlsConfig->eventHandler) { + uint32_t flags = mbedtls_ssl_get_verify_result(&(self->ssl)); + + createSecurityEvents(self->tlsConfig, ret, flags); + } + return false; + } } int TLSSocket_read(TLSSocket self, uint8_t* buf, int size) { + if (self->crlUpdated != self->tlsConfig->crlUpdated) { + DEBUG_PRINT("TLS", "CRL updated -> refresh CA chain\n"); + + mbedtls_ssl_conf_ca_chain( &(self->conf), &( self->tlsConfig->cacerts), &( self->tlsConfig->crl) ); + + self->crlUpdated = self->tlsConfig->crlUpdated; + } + if (self->tlsConfig->renegotiationTimeInMs > 0) { if (Hal_getTimeInMs() > self->lastRenegotiationTime + self->tlsConfig->renegotiationTimeInMs) { + + raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_INFO, TLS_EVENT_CODE_INF_SESSION_RENEGOTIATION, "Info: session renegotiation started"); + if (TLSSocket_performHandshake(self) == false) { DEBUG_PRINT("TLS", " renegotiation failed\n"); return -1; @@ -601,6 +877,13 @@ TLSSocket_read(TLSSocket self, uint8_t* buf, int size) default: DEBUG_PRINT("TLS", " mbedtls_ssl_read returned -0x%x\n", -ret); + + { + uint32_t flags = mbedtls_ssl_get_verify_result(&(self->ssl)); + + createSecurityEvents(self->tlsConfig, ret, flags); + } + return -1; } } 
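Review bot: The CRL refresh at the top of `TLSSocket_read` only re-points the CA chain of the socket's config; the peer certificate is not re-checked until the next renegotiation, and that only happens when `renegotiationTimeInMs > 0`, so with renegotiation disabled a revoked peer stays connected indefinitely. If revocation is meant to reach live sessions, force a renegotiation when `crlUpdated` changes (e.g. `self->lastRenegotiationTime = 0;` after updating the chain, so the check below fires on the next read whenever renegotiation is enabled) or document the limitation: `/* CRL update takes effect at the next renegotiation only */`. Calling `mbedtls_ssl_conf_ca_chain` on a config already bound to a live `mbedtls_ssl_context` appears to work because the chain is consulted at verification time, but that deserves a comment too.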
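Review bot: Every `mbedtls_ssl_read` error reaching the `default` case is handed to `createSecurityEvents`, whose own `default` labels the event "handshake failed for unknown reason", so a plain connection reset or a malformed record in the middle of a session is recorded as a handshake failure. Either map the non-handshake errors here before delegating, or give `createSecurityEvents` a dedicated code for read-path failures. The enclosing switch starts before this hunk.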
@@ -614,6 +897,30 @@ TLSSocket_write(TLSSocket self, uint8_t* buf, int size) int ret; int len = size; + if (self->crlUpdated != self->tlsConfig->crlUpdated) { + DEBUG_PRINT("TLS", "CRL updated -> refresh CA chain\n"); + + mbedtls_ssl_conf_ca_chain( &(self->conf), &( self->tlsConfig->cacerts), &( self->tlsConfig->crl) ); + + self->crlUpdated = self->tlsConfig->crlUpdated; + } + + if (self->tlsConfig->renegotiationTimeInMs > 0) { + if (Hal_getTimeInMs() > self->lastRenegotiationTime + self->tlsConfig->renegotiationTimeInMs) { + + raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_INFO, TLS_EVENT_CODE_INF_SESSION_RENEGOTIATION, "Info: session renegotiation started"); + + if (TLSSocket_performHandshake(self) == false) { + DEBUG_PRINT("TLS", " renegotiation failed\n"); + return -1; + } + else { + DEBUG_PRINT("TLS", " started renegotiation\n"); + self->lastRenegotiationTime = Hal_getTimeInMs(); + } + } + } + while ((ret = mbedtls_ssl_write(&(self->ssl), buf, len)) <= 0) { if (ret == MBEDTLS_ERR_NET_CONN_RESET)