来自Mongoose web服务器与mbedtls TLS的错误消息

huangapple go评论159阅读模式
英文:

Error messages from Mongoose web server with mbedtls TLS

问题

我正在使用Intel SGX构建一个HTTP(S)服务器,使用mbedtls作为我的TLS库。

我可以在使用HTTP时按预期提供内容,但是当切换到使用mbedtls的TLS/SSL时,我遇到了一些更复杂的问题,错误消息很难理解。

具体来说,当我使用“https://”前缀访问我的网站时,我可以看到mongoose/mbedtls会读取cert.pem和key.pem,然后在“/”上进行recv调用。在那个recv调用期间,它报错如下:

mg_ssl_if_mbed_err 0x7f9e8c023060 mbedTLS error: -0x7780

从mbedtls源代码中,我可以读到这个稍微不那么有用的解释:

#define MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE -0x7780 /**< A fatal alert message was received from our peer. */

我的起点是simplest_web_server_ssl。

问题:
如何启用mg和mbedtls的调试日志?
如何解释这些错误(甚至可以说,这个错误的一些可能原因是什么)?

非常感谢任何提示!

英文:

I am building an HTTP(S) server on Intel SGX, using mbedtls as my TLS library.

I can serve content as expected using HTTP, but when switching over to TLS/SSL using mbedtls I am getting some more complex issues and the error messages are difficult to understand.

Concretely, when I access my site using the “https://” prefix, I can tell that mongoose/mbedtls goes out and reads cert.pem and key.pem, and then makes a recv call on “/”. During that recv call it coughs up the following error:

mg_ssl_if_mbed_err 0x7f9e8c023060 mbedTLS error: -0x7780

From mbedtls src I can read this slightly not so useful explanation:

#define MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE -0x7780 /**< A fatal alert message was received from our peer. */

My starting point is the simplest_web_server_ssl.

Questions:
How do I enable mg and mbedtls debug logging?
How do I interpret these errors (or even; what can be some reasons for this error)?

Sincerely grateful for any hints!

答案1

得分: 1

请参阅 https://github.com/cesanta/mongoose/blob/6.16/mongoose.c#L5161
https://github.com/cesanta/mongoose/blob/6.16/mongoose.c#L5075

因此,您可以通过调用 cs_log_set_level(LL_VERBOSE_DEBUG) 来增加调试日志级别。

您看到的错误很可能是由于您的客户端不接受的无效证书引起的。

尝试通过 curl -k https://IPADDR 访问您的服务器。

-k 选项禁用证书验证。如果该curl命令有效,则只需修复您的证书 - 您的C代码运行正常。

英文:

See https://github.com/cesanta/mongoose/blob/6.16/mongoose.c#L5161
and https://github.com/cesanta/mongoose/blob/6.16/mongoose.c#L5075

Thus you can increase debug log level by calling cs_log_set_level(LL_VERBOSE_DEBUG)

The error you see is most probably due to the invalid cert your client does not accept.

Try to access your server by curl -k https://IPADDR

-k option disables cert verification. If that curl command works, then just fix your cert - your C code works fine.

huangapple
  • 本文由 发表于 2020年1月6日 19:24:57
  • 转载请务必保留本文链接:https://go.coder-hub.com/59611264.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定