new https ota example giving mbed tls handshake error -0x2700 (IDFGH-745) #2296

Closed
akbarhash opened this issue Aug 14, 2018 · 7 comments

@akbarhash
Contributor

akbarhash commented Aug 14, 2018

Environment

  • Development Kit: ESP32-DOIT Board
  • Core (if using chip or module): [ESP-WROOM32]
  • IDF version (git rev-parse --short HEAD to get the commit id.):
    30545f4 // Latest IDF
  • Development Env: [Make]
  • Operating System: [Ubuntu]
  • Power Supply: [USB]

Problem Description

The simple OTA example is not working even after many different trials.
Tried using a Python server and an OpenSSL server.
Works with HTTP by modifying the code slightly.

Expected Behavior

Should not give a certificate error.

Actual Behavior

E (6804) TRANS_SSL: mbedtls_ssl_handshake returned -0x2700
E (6804) HTTP_CLIENT: Connection failed, sock < 0
E (6804) esp_https_ota: Failed to open HTTP connection: ESP_ERR_HTTP_CONNECT
E (6814) simple_ota_example: Firmware Upgrades Failed

Steps to reproduce

install ota example
generate cert
setup server and example using cert
run the example

Code to reproduce this issue

void simple_ota_example_task(void * pvParameter)
{
    ESP_LOGI(OTA_TAG, "Starting OTA example...");

    /* Wait for the callback to set the CONNECTED_BIT in the
       event group.
    */
    xEventGroupWaitBits(wifi_event_group, WIFI_CONNECTED_BIT, false, true, portMAX_DELAY);
    ESP_LOGI(OTA_TAG, "Connected to Wifi ! Start to Connect to Server....");
    
    esp_http_client_config_t config = {
        .url = CONFIG_FIRMWARE_UPGRADE_URL,
        .cert_pem = (char *)server_cert_pem_start,
        .event_handler = _http_event_handler,
    };
    esp_err_t ret = esp_https_ota(&config);
    if (ret == ESP_OK) {
        esp_restart();
    } else {
        ESP_LOGE(OTA_TAG, "Firmware Upgrades Failed");
    }
    while (1) {
        vTaskDelay(1000 / portTICK_PERIOD_MS);
    }
}

Debug Logs

E (6804) TRANS_SSL: mbedtls_ssl_handshake returned -0x2700
E (6804) HTTP_CLIENT: Connection failed, sock < 0
E (6804) esp_https_ota: Failed to open HTTP connection: ESP_ERR_HTTP_CONNECT
E (6814) simple_ota_example: Firmware Upgrades Failed

@jitin17
Contributor

jitin17 commented Aug 14, 2018

@akbarhash Your certificate seems to be invalid. Can you try following the instructions given in the "Step 2: Run HTTPS Server" part of README.md, located at examples/system/ota/README.md, to set up the HTTPS server?

@akbarhash
Contributor Author

I have done everything again.
I have a doubt: in this case, what should this be?
"Common Name of server certificate should be host-name of your server."

@jitin17
Contributor

jitin17 commented Aug 14, 2018

If your firmware upgrade URL looks something like https://<host-ip-address>:<host-port>/<firmware-image-filename>, say https://192.168.0.3:8070/hello-world.bin, then host-ip-address will be the Common Name, say 192.168.0.3.

@akbarhash
Contributor Author

akbarhash commented Aug 14, 2018

Server-side logs:

openssl s_server -WWW -key ca_key.pem -cert ca_cert.pem -port 8070
Enter pass phrase for ca_key.pem:
Using default temp DH parameters
ACCEPT
139642142949824:error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate:../ssl/record/rec_layer_s3.c:1399:SSL alert number 43
ACCEPT
139642142949824:error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate:../ssl/record/rec_layer_s3.c:1399:SSL alert number 43
ACCEPT

@akbarhash
Contributor Author

Got it to work. The issue was that I was using 1024 RSA; I had changed it during testing. Now working with 2048 RSA and Common Name as 192.168.0.87.

@akbarhash
Contributor Author

A suggestion would be to include this bit in the README.md.
Thanks, jitin.

@github-actions github-actions bot changed the title new https ota example giving mbed tls handshake error -0x2700 new https ota example giving mbed tls handshake error -0x2700 (IDFGH-745) Mar 14, 2019
@Abhijit123Gupta

How do you change the RSA?
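
The two things that resolved this thread (a 2048 RSA key and a Common Name equal to the host in the firmware URL) can be generated and checked before flashing, shown here as an added example that is not part of the original thread or of ESP-IDF. The function names, the `-nodes` and `-subj` options, and the default minimum of 2048 bits are assumptions of this sketch; `ca_key.pem` and `ca_cert.pem` are the file names used in the server command above.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not from ESP-IDF.

# Create a self-signed RSA certificate whose Common Name is the OTA server host.
# -nodes leaves the key unencrypted so this runs non-interactively (assumption;
# drop it to be prompted for a pass phrase as in the thread's s_server log).
make_server_cert() {   # usage: make_server_cert <dir> <common-name> [rsa-bits]
    openssl req -x509 -newkey "rsa:${3:-2048}" -nodes -days 365 \
        -subj "/CN=$2" -keyout "$1/ca_key.pem" -out "$1/ca_cert.pem" 2>/dev/null
}

# Print the host part of a URL such as https://192.168.0.3:8070/hello-world.bin
# (IPv6 literals in brackets are not handled).
url_host() {
    local h="${1#*://}"
    h="${h%%/*}"
    printf '%s\n' "${h%%:*}"
}

# Print the public key size in bits as reported by openssl.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Print the subject Common Name.
cert_common_name() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 only if the key is at least <min-bits> and the CN equals the URL host.
check_ota_cert() {     # usage: check_ota_cert <cert.pem> <firmware-url> [min-bits]
    local bits cn host min="${3:-2048}" rc=0
    bits=$(cert_key_bits "$1")
    cn=$(cert_common_name "$1")
    host=$(url_host "$2")
    if [ -z "$bits" ] || [ "$bits" -lt "$min" ]; then
        echo "FAIL: key is ${bits:-unknown} bits, need >= $min" >&2
        rc=1
    fi
    if [ "$cn" != "$host" ]; then
        echo "FAIL: CN '$cn' does not match URL host '$host'" >&2
        rc=1
    fi
    return $rc
}
```

For the setup that worked in this thread, `make_server_cert . 192.168.0.87` followed by `check_ota_cert ca_cert.pem https://192.168.0.87:8070/hello-world.bin` should return 0 without printing a FAIL line.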
