The certificates are set up using version 3 certificate standards with the SAN extension, which allows for alternative names. We need an alternative name for our host, because our node.js script is otherwise not able to process the certificate and won't publish mqtt topics. After implementing the changes, I noticed that on the esp32 client the following error started appearing again:
Code: Select all
E (9628) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x2700 I (9638) esp-tls-mbedtls: Failed to verify peer certificate! I (9648) esp-tls-mbedtls: verification info: ! The certificate Common Name (CN) does not match with the expected CN ! The certificate is not E (9658) esp-tls: Failed to open new connection E (9658) TRANS_SSL: Failed to open a new connection E (9668) MQTT_CLIENT: Error transport connect
My guess is that mbedTLS somehow doesn't support alternative names. This page seems support that (https://tls.mbed.org/kb/development/add ... me_support) but it also seems to be older information, so it might be supportet as of now.
Also, it wouldn't explain our error, because we put the same IP address in both Common Name (CN) and alternative name fields. So if mbedTLS can't parse the alternative name, the Common Name should still match. The only way I can think of why it doesn't work is that mbedTLS somehow gets confused about how to read the new version 3 certificate and fails at parsing even the common name. But I also have my doubts about that.
We would be very grateful for a hint because our product is being deployed soon and this bug keeps us from delivering punctually x_X. Thank you!