Error - SSL - An invalid SSL record was received

George_Santiago · February 26, 2025, 1:30am

Today, when I was burning the firmware on the ESP32 (using Arduino-Library 2.31 and Platformio espressif32@6.8.1 (I also tested with the versions espressif32@6.9.0 and espressif32@6.10.0) and trying to connect to my thinger server, I got this error message regarding SSL:

21:35:45.103 > [_SOCKET] Connecting to XXXXXXXXXXXX.aws.thinger.io:25202...
21:35:45.110 > [_SOCKET] Using secure TLS/SSL connection: yes
21:35:45.114 > Thinger State Listener: SOCKET_CONNECTING
21:35:46.691 > [_SOCKET] Connected!
21:35:46.692 > Thinger State Listener: SOCKET_CONNECTED
21:35:46.697 > [THINGER] Authenticating. User: iot_public Device: XXXXXXXXXXXX
21:35:46.703 > Thinger State Listener: THINGER_AUTHENTICATING
21:35:46.703 > [THINGER] Writing bytes: 56 [OK]
21:35:46.893 > [  5901][E][ssl_client.cpp:37] _handle_error(): [data_to_read():361]: (-29184) SSL - An invalid SSL record was received
21:35:46.893 > [  5901][E][ssl_client.cpp:37] _handle_error(): [data_to_read():361]: (-29184) SSL - An invalid SSL record was received
21:35:56.706 > [_SOCKET] Cannot read from socket!
21:35:56.706 > [THINGER] Auth Failed! Check username, device id, or device credentials.
21:35:56.723 > [_SOCKET] Is now closed!

The ESP32 keeps trying to connect, there are many messages in the Inspector indicating that the device connected and then disconnected… Until the device manages to connect and stabilizes the connection.

I found some issues related to this problem:

github.com/espressif/arduino-esp32

Reboot due to SSL error "An invalid SSL record was received"

opened 03:06PM - 01 Jun 23 UTC

closed 01:14PM - 08 Jun 23 UTC

caipifrosch

Type: For reference Type: Question

### Board ESP32-WROOM ### Device Description Custom board with ESP32-WR…OOM ### Hardware Configuration nothing special related to this problem, WiFi / SSL related ### Version 2.0.9 ### IDE Name PlatformIO ### Operating System Windows 11 ### Flash frequency 80MHz ### PSRAM enabled yes ### Upload speed 115200 ### Description Log is reporting invalid SSL record and ESP reboots due to heap problem. Issue happens very random. Sometime within hours, but also happens after days of operation. Error message... [4814633][E][ssl_client.cpp:37] _handle_error(): [data_to_read():361]: (-29184) SSL - An invalid SSL record was received ...caused by WiFiClientSecure as server connection worked for more that one hour? Anyone solved this problem or may have ideas how to further takle this? Probably different issue, but reducing WiFi AP upload/download speed to 10kbps or below will prevent successful mqtt server connection and trigger wdt. PubSubClient related...? Thanks a lot in advance for your replies! ### Sketch ```cpp #include "MQTT.h" #include "measure.h" WiFiClientSecure secureClient = WiFiClientSecure(); PubSubClient mqttClient(secureClient); ``` ### Debug Message ```plain 15:06:00.360 > SYSTEM: Runtime: 0d 01h 20min 05sec Free Heap: 90.86 KB 15:06:00.362 > 15:06:09.845 > [4814632][E][ssl_client.cpp:37] _handle_error(): [data_to_read():361]: (-29184) SSL - An invalid SSL record was received 15:06:09.854 > [4814633][E][ssl_client.cpp:37] _handle_error(): [data_to_read():361]: (-29184) SSL - An invalid SSL record was received 15:06:09.864 > CORRUPT HEAP: Bad head at 0x3ffd9240. Expected 0xabba1234 got 0x3ffcd9ec 15:06:09.870 > 15:06:09.873 > assert failed: multi_heap_free multi_heap_poisoning.c:253 (head != NULL) 15:06:09.879 > 15:06:09.879 > 15:06:09.879 > Backtrace: 0x40083e45:0x3ffbb400 0x40095301:0x3ffbb420 0x4009af69:0x3ffbb440 0x4009abdb:0x3ffbb570 0x40084309:0x3ffbb590 0x4008d3e1:0x3ffbb5b0 0x401dc122:0x3ffbb5d0 0x401cd8b2:0x3ffbb5f0 0x400f656a:0x3ffbb610 0x400f5268:0x3ffbb630 0x400f5349:0x3ffbb650 0x400f52b4:0x3ffbb670 0x4022c34a:0x3ffbb690 0x4022bd55:0x3ffbb6c0 0x400e0a05:0x3ffbb6e0 0x400d3a43:0x3ffbb700 0x4012edcf:0x3ffbb720 15:06:09.912 > 15:06:09.912 > 15:06:09.912 > 15:06:09.912 > 15:06:09.912 > ELF file SHA256: 89e4abb211f07ab3 15:06:09.916 > 15:06:10.328 > Rebooting... ``` ### Other Steps to Reproduce 1. connect to wifi 2. connect to mqtt server with pubsubclient 3. wait for invalid ssl record error message ### I have checked existing issues, online documentation and the Troubleshooting Guide - [X] I confirm I have checked existing issues, online documentation and Troubleshooting guide.

github.com/espressif/arduino-esp32

SSL - An invalid SSL record was received MbedTLS message code: -29184

opened 09:19AM - 02 May 19 UTC

closed 10:52PM - 14 Aug 19 UTC

thedim-witted

Status: Stale

I'm working with esp32 WROOM where I am trying to send some data through http re…quest using the arduino Json. The code works fine and I receive data on the other side, however, after some random number of runs the uploading gets stuck at "writing http request" and throws the error an "SSL - An invalid SSL record was received" and in the other line it states as "MbedTLS message code: -29184". And because it is only happening after a few successful runs I am unable to understand where the issue is. Any help would be really appreciated. The data send code: ``` DynamicJsonBuffer jsonBuffer(14700); float X1dataArray[SAMPLE_SIZE], Y1dataArray[SAMPLE_SIZE], Z1dataArray[SAMPLE_SIZE]; void loop() { //use the SPI buses int iterator; connection_iterator = 0; connection_iterator2 = 0; if (wifiMulti.run() == WL_CONNECTED) { Serial.println(""); Serial.println("WiFi connected"); Serial.println("IP address: "); Serial.println(WiFi.localIP()); } jsonBuffer.clear(); JsonObject &rootObject = jsonBuffer.createObject(); JsonObject &dataObject = rootObject.createNestedObject("data"); JsonArray &X1dataObject = dataObject.createNestedArray("X1"); JsonArray &Y1dataObject = dataObject.createNestedArray("Y1"); JsonArray &Z1dataObject = dataObject.createNestedArray("Z1"); rootObject["coreid"] = String(low, HEX) + String(high, HEX); //rootObject["coreid_high"] = String(high, HEX); rootObject["sample_time"] = int(time_taken); rootObject["firmware_version"] = FIRMWARE_UPDATE_VERSION; rootObject.prettyPrintTo(Serial); Serial.print("connecting to "); Serial.println(host); while ((!client.connect(host, httpsPort)) && !setup_mode) { connection_iterator++; Serial.println("connection failed! Retrying.."); delay(5000); if (connection_iterator >= 10) ESP.restart(); } if (client.verify(fingerprint, host)) { Serial.println("certificate matches"); } else { Serial.println("certificate doesn't match"); } digitalWrite(LED_BUILTIN, HIGH); Serial.print("requesting URL: "); Serial.println(url); client.println(String("POST ") + url + " HTTP/1.0"); client.println(String("Host: ") + host); client.println("Cache-Control: no-cache"); client.println("Content-Type: application/json"); client.print("Content-Length: "); client.println(rootObject.measureLength()); client.println(); rootObject.printTo(client); Serial.println("request sent"); while ((client.connected()) && !setup_mode) { connection_iterator2++; String line = client.readStringUntil('\n'); if (line == "\r") { Serial.println("headers received"); break; } Serial.println("Waiting for response"); digitalWrite(LED_BUILTIN, HIGH); delay(100); digitalWrite(LED_BUILTIN, LOW); delay(100); if (connection_iterator2 >= 30) { Serial.println("No response from server"); break; } } String line = client.readStringUntil('\n'); if (line.startsWith("{")) { Serial.println("esp32/Arduino CI successfull!"); } else { Serial.println("esp32/Arduino CI has failed"); } Serial.println("reply was:"); Serial.println("=========="); Serial.println(line); Serial.println("=========="); Serial.println("closing connection"); digitalWrite(LED_BUILTIN, LOW); } ``` The log at the point of failure > 14:46:55.694 -> [V][ssl_client.cpp:276] send_ssl_data(): Writing HTTP request... > 14:46:55.694 -> [V][ssl_client.cpp:276] send_ssl_data(): Writing HTTP request... > 14:46:55.694 -> [V][ssl_client.cpp:276] send_ssl_data(): Writing HTTP request... > 14:46:55.728 -> [V][ssl_client.cpp:276] send_ssl_data(): Writing HTTP request... > 14:46:55.728 -> request sent > 14:46:55.728 -> [E][ssl_client.cpp:33] handle_error(): SSL - An invalid SSL record was received > 14:46:55.728 -> [E][ssl_client.cpp:35] handle_error(): MbedTLS message code: -29184 > 14:46:55.728 -> [V][ssl_client.cpp:245] stop_ssl_socket(): Cleaning SSL connection. > 14:46:56.710 -> esp32/Arduino CI has failed > 14:46:56.745 -> reply was: The log does make it clear that the problem is coming somewhere at the stage of SSL/TLS connection but I am not able to pinpoint to where as I am new to this.

github.com/espressif/arduino-esp32

Feature Request: ESP32 SSL/TLS Certificate Store

opened 03:22PM - 19 Jan 20 UTC

closed 07:56AM - 16 Jan 25 UTC

yknivag

Type: Feature request

Is it possible to handle https connections on the ESP32 **without** knowing in a…dvance the root CA for the service one is trying to connect to? For example, on the ESP8266 this is possible using `CertStoreBearSSL` (see https://github.com/esp8266/Arduino/tree/master/libraries/ESP8266WiFi). This is particularly important for https services which redirect from one domain to another where one would need to know all the certificates in advance on the ESP32 whereas on the ESP8266 one needs only to add `certs.ar` to SPIFFS and it is possible to connect to almost any https service. I may have missed a way that this is already possible but I haven't been able to find one. How complex would it be to port the `CertStoreBearSSL` functionality to the ESP32?

github.com/espressif/arduino-esp32

ESP restarts due to invalid SSL record

opened 01:43PM - 03 Jan 24 UTC

closed 01:49PM - 10 Sep 24 UTC

caipifrosch

Resolution: Unable to reproduce Type: Question Resolution: Expired IDE: PlaformIO Status: Community help needed

### Board custom ### Device Description ESP32-WROOM module ### Hardware Conf…iguration custom hardware with ESP32-WROOM ### Version v2.0.14 ### IDE Name PlatformIO ### Operating System Windows 11 ### Flash frequency 80MHz ### PSRAM enabled no ### Upload speed 115200 ### Description ESP32 connects to an mqtt service and will restart from time to time. Sometimes it runs for days and sometimes it crashes after an hour or even less. Seems to be related to secure client/ssl. Always shows exact same decoded backtrace sequence starting from my custom mqtt file. Double heap or mqtt buffer did not help and error is not related to particular mqtt message. See logs. ### Sketch ```cpp too complex to strip down ``` ### Debug Message ```plain 13:38:12.241 > SYSTEM: Loop Task - Stack 3332/24576 - 135/sec 13:39:05.313 > [113686][E][ssl_client.cpp:37] _handle_error(): [data_to_read():361]: (-29184) SSL - An invalid SSL record was received 13:39:05.321 > [113686][E][ssl_client.cpp:37] _handle_error(): [data_to_read():361]: (-29184) SSL - An invalid SSL record was received 13:39:05.333 > CORRUPT HEAP: Bad tail at 0x3ffe2ae0. Expected 0xbaad5678 got 0x3ffe29b8 13:39:05.338 > 13:39:05.338 > assert failed: multi_heap_free multi_heap_poisoning.c:259 (head != NULL) 13:39:05.347 > 13:39:05.347 > 13:39:05.347 > Backtrace: 0x4008415d:0x3ffbd410 0x40095fc5:0x3ffbd430 0x4009be95:0x3ffbd450 0x4009ba8d:0x3ffbd580 0x400846cd:0x3ffbd5a0 0x4008dc9d:0x3ffbd5c0 0x40199122:0x3ffbd5e0 0x40189d02:0x3ffbd600 0x40123be3:0x3ffbd620 0x40122805:0x3ffbd640 0x40122962:0x3ffbd660 0x401228a5:0x3ffbd680 0x401eb636:0x3ffbd6a0 0x401e9c9d:0x3ffbd6d0 0x400e80c5:0x3ffbd6f0 0x400f8770:0x3ffbd710 0x40162073:0x3ffbd730 13:39:06.024 > 13:39:06.024 > #0 0x4008415d:0x3ffbd410 in panic_abort at /Users/ficeto/Desktop/ESP32/ESP32S2/esp-idf-public/components/esp_system/panic.c:408 13:39:06.024 > #1 0x40095fc5:0x3ffbd430 in esp_system_abort at /Users/ficeto/Desktop/ESP32/ESP32S2/esp-idf-public/components/esp_system/esp_system.c:137 13:39:06.024 > #2 0x4009be95:0x3ffbd450 in __assert_func at /Users/ficeto/Desktop/ESP32/ESP32S2/esp-idf-public/components/newlib/assert.c:85 13:39:06.024 > #3 0x4009ba8d:0x3ffbd580 in multi_heap_free at /Users/ficeto/Desktop/ESP32/ESP32S2/esp-idf-public/components/heap/multi_heap_poisoning.c:259 (discriminator 1) 13:39:06.024 > #4 0x400846cd:0x3ffbd5a0 in heap_caps_free at /Users/ficeto/Desktop/ESP32/ESP32S2/esp-idf-public/components/heap/heap_caps.c:382 13:39:06.024 > #5 0x4008dc9d:0x3ffbd5c0 in esp_mbedtls_mem_free at /Users/ficeto/Desktop/ESP32/ESP32S2/esp-idf-public/components/mbedtls/port/esp_mem.c:46 13:39:06.024 > #6 0x40199122:0x3ffbd5e0 in mbedtls_free at /Users/ficeto/Desktop/ESP32/ESP32S2/esp-idf-public/components/mbedtls/mbedtls/library/platform.c:66 13:39:06.024 > #7 0x40189d02:0x3ffbd600 in mbedtls_ssl_free at /Users/ficeto/Desktop/ESP32/ESP32S2/esp-idf-public/components/mbedtls/mbedtls/library/ssl_tls.c:6786 13:39:06.024 > #8 0x40123be3:0x3ffbd620 in stop_ssl_socket(sslclient_context*, char const*, char const*, char const*) at C:/Users/andre/.platformio/packages/framework-arduinoespressif32/libraries/WiFiClientSecure/src/ssl_client.cpp:336 13:39:06.024 > #9 0x40122805:0x3ffbd640 in WiFiClientSecure::stop() at C:/Users/andre/.platformio/packages/framework-arduinoespressif32/libraries/WiFiClientSecure/src/WiFiClientSecure.cpp:98 13:39:06.024 > #10 0x40122962:0x3ffbd660 in WiFiClientSecure::available() at C:/Users/andre/.platformio/packages/framework-arduinoespressif32/libraries/WiFiClientSecure/src/WiFiClientSecure.cpp:248 13:39:06.024 > #11 0x401228a5:0x3ffbd680 in WiFiClientSecure::read(unsigned char*, unsigned int) at C:/Users/andre/.platformio/packages/framework-arduinoespressif32/libraries/WiFiClientSecure/src/WiFiClientSecure.cpp:213 13:39:06.024 > #12 0x401eb636:0x3ffbd6a0 in WiFiClientSecure::connected() at C:/Users/andre/.platformio/packages/framework-arduinoespressif32/libraries/WiFiClientSecure/src/WiFiClientSecure.cpp:257 ``` ### Other Steps to Reproduce none ### I have checked existing issues, online documentation and the Troubleshooting Guide - [X] I confirm I have checked existing issues, online documentation and Troubleshooting guide.

github.com/espressif/arduino-esp32

Guru Meditation Error: Core 0 panic'ed (LoadProhibited). Exception was unhandled.

opened 08:13AM - 25 Nov 22 UTC

closed 05:05AM - 13 Apr 23 UTC

DennisMart

Area: BT&Wifi Resolution: Expired

### Board esp32S2 ### Device Description ESP-ROM:esp32s2-rc4 ### Ha…rdware Configuration WiFiClientSecure net = WiFiClientSecure(); MQTTClient awsClient = MQTTClient(----); ### Version v2.0.5 ### IDE Name Visual studio code ### Operating System windows 10 ### Flash frequency 80Mhz ### PSRAM enabled no ### Upload speed 921600 ### Description Hi everyone, i am new in this foro, i working in one proyect about esp32 but i received this error ssl (-29184) SSL - An invalid SSL record was received them my esp32 reebot with this error, my program good running 10 hours that and then show this error, but this error random show, and I can't force to apper this error. 05:43:28 [49347651][V][ssl_client.cpp:369] send_ssl_data(): Writing HTTP request with 2 bytes... 05:43:38 [49357653][V][ssl_client.cpp:369] send_ssl_data(): Writing HTTP request with 2 bytes... 05:43:48 [49367656][V][ssl_client.cpp:369] send_ssl_data(): Writing HTTP request with 2 bytes... 05:43:48 [49367737][E][ssl_client.cpp:37] _handle_error(): [data_to_read():361]: (-29184) SSL - An invalid SSL record was received 05:43:48 [49367739][V][ssl_client.cpp:324] stop_ssl_socket(): Cleaning SSL connection. 05:43:48 Guru Meditation Error: Core 0 panic'ed (LoadProhibited). Exception was unhandled. 05:43:48 05:43:48 Core 0 register dump: 05:43:48 PC : 0x400cdecb PS : 0x00060730 A0 : 0x800ce215 A1 : 0x3fff0310 05:43:49 A2 : 0x3ffcfb50 A3 : 0x00000000 A4 : 0x00000005 A5 : 0x3fff0370 05:43:49 A6 : 0x00000000 A7 : 0x0000000b A8 : 0x800cd9d8 A9 : 0x3fff0300 05:43:49 A10 : 0x00000000 A11 : 0x3fff0e00 A12 : 0x00000005 A13 : 0x3ffc88e0 05:43:49 A14 : 0x3fff0330 A15 : 0x00000001 SAR : 0x00000015 EXCCAUSE: 0x0000001c 05:43:49 EXCVADDR: 0x00000005 LBEG : 0x00000005 LEND : 0x3ffc88e0 LCOUNT : 0x40028140 05:43:49 05:43:49 05:43:49 Backtrace:0x400cdec8:0x3fff03100x400ce212:0x3fff0340 0x400ce936:0x3fff03b0 0x4008e49e:0x3fff03d0 0x4008d1c9:0x3fff03f0 0x4008d144:0x3fff0410 0x40126aaa:0x3fff0430 0x40126d75:0x3fff0460 0x4008a654:0x3fff0480 05:43:49 ELF file SHA256: 0000000000000000 05:43:49 Rebooting... 05:43:49 ESP-ROM:esp32s2-rc4-20191025 ### Sketch ```cpp WiFiClient espClient; WiFiClientSecure net = WiFiClientSecure(); MQTTClient awsClient = MQTTClient(PORT); net.setCACert(root.c_str()); net.setCertificate(cert_pem.c_str()); net.setPrivateKey(private_key.c_str()); net.setHandshakeTimeout(60); ``` ### Debug Message ```plain Decoding stack results 0x4008e49e: _vfprintf_r at /builds/idf/crosstool-NG/.build/HOST-i686-w64-mingw32/xtensa-esp32s2-elf/src/newlib/newlib/libc/stdio/vfprintf.c line 1410 0x4008d1c9: _vfprintf_r at /builds/idf/crosstool-NG/.build/HOST-i686-w64-mingw32/xtensa-esp32s2-elf/src/newlib/newlib/libc/stdio/vfprintf.c line 1056 0x4008d144: _vfprintf_r at /builds/idf/crosstool-NG/.build/HOST-i686-w64-mingw32/xtensa-esp32s2-elf/src/newlib/newlib/libc/stdio/vfprintf.c line 1017 0x4008a654: (anonymous namespace)::pool::free(void*) at /builds/idf/crosstool-NG/.build/HOST-i686-w64-mingw32/xtensa-esp32s2-elf/src/gcc/libstdc++-v3/libsupc++/eh_alloc.cc line 23 ``` ### Other Steps to Reproduce _No response_ ### I have checked existing issues, online documentation and the Troubleshooting Guide - [ ] I confirm I have checked existing issues, online documentation and Troubleshooting guide.

github.com/espressif/arduino-esp32

GET following secureClient.setInsecure(); results in SSL - An invalid SSL record was received

opened 06:23PM - 30 Apr 22 UTC

closed 03:27PM - 23 Aug 22 UTC

SheetLightning

Area: BT&Wifi Type: Question Resolution: Expired

### Board ESP32 WROOM ### Device Description ESP32 Lolin ### Hardware Config…uration No ### Version v1.0.6 ### IDE Name Arduino IDE version 1.8.19 ### Operating System Linux Mint ### Flash frequency 40MHz ### PSRAM enabled no ### Upload speed 115200 ### Description New issue to reference issue 4992 which is still not fixed and has been closed. https://github.com/espressif/arduino-esp32/issues/4992 I am still having the problem with the latest version of the ESP32 library for the Arduino IDE. ### Sketch ```cpp None provided at this stage ``` ### Debug Message ```plain [E][ssl_client.cpp:36] _handle_error(): [data_to_read():287]: (-29184) SSL - An invalid SSL record was received ``` ### Other Steps to Reproduce Set secureClient.setInsecure(); then perform a get request. ### I have checked existing issues, online documentation and the Troubleshooting Guide - [X] I confirm I have checked existing issues, online documentation and Troubleshooting guide.

github.com/espressif/arduino-esp32

Latest Core Breaks WiFiClientSecure Insecure HTTPS

opened 01:51PM - 31 Mar 21 UTC

closed 01:55PM - 31 Mar 21 UTC

bwjohns4

### Hardware: Board: ESP32 Dev Module Core Installation version: 1.0.6… IDE name: Platform.io Flash Frequency: 40Mhz PSRAM enabled: unsure Upload Speed: PlatformIO default Computer OS: Windows 10 ### Description: WiFiClientSecure doesn't work when I upgrade to latest 1.0.6 Arduino Core (via PlatformIO Espressif32 3.2.0 Release). I'm not validating any certificates or thumbprints on the other end, just using it as insecure HTTPS. It works fine on 1.0.4 (via PlatformIO Espressif 3.0.0 Release), but breaks when upgrading to 1.0.6 (unsure if problem still exists in 1.0.5). I know that in 1.0.4 there is no .setInsecure() method, but that method has recently been added. I did try including that in my code, but that didn't make any recognizable difference. I have so far traced it back to start_ssl_client() within ssl_client.cpp where it fails at the first check and returns -1, but haven't made it any further: ``` int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, int timeout, const char *rootCABuff, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure) { char buf[512]; int ret, flags; int enable = 1; log_v("Free internal heap before TLS %u", ESP.getFreeHeap()); if (rootCABuff == NULL && pskIdent == NULL && psKey == NULL && !insecure) { return -1; //***************It Fails Here************************************** } ``` ### Sketch: (leave the backquotes for [code formatting](https://help.github.com/articles/creating-and-highlighting-code-blocks/)) ```cpp int httpCheck(char *domainName){ delay(5000); WiFiClientSecure secureClient; String requestString = "https://" + String(domainName) + "/"; secureClient.setTimeout(20000); delay(0); BWJ_DEBUG_PRINTLN_FLASH("Starting TCP Connect"); if(!secureClient.connect(domainName, uint16_t(443))){ delay(1000); //!!!!!!!!!!!! This is absolutely required. Works with only 100ms but put 1000ms for overkill. Lots of troubleshooting to find error in WiFiclientSecure that requires extra delay upon failed connection. Otherwise temporarily blocks interrupts or just Serial.println, or more. Unknown. 2-2-21 return -1; } delay(0); HTTPClient http; http.setTimeout(20000); BWJ_DEBUG_PRINTLN_FLASH("Starting HTTP: Begin()"); http.begin(secureClient, requestString); BWJ_DEBUG_PRINTLN_FLASH("Running GET()"); int httpResponseCode = http.GET(); if (httpResponseCode>0) { BWJ_DEBUG_PRINT_FLASH("HTTP Response code: "); BWJ_DEBUG_PRINTLN(httpResponseCode); //String payload = http.getString(); } else { BWJ_DEBUG_PRINT_FLASH("Error code: "); BWJ_DEBUG_PRINTLN(httpResponseCode); } http.end(); secureClient.stop(); return httpResponseCode; } ``` ### Debug Messages: ``` 09:44:21.330 > [V][HTTPClient.cpp:245] beginInternal(): url: https://my.domain.name/stuff/moreStuff 09:44:21.464 > [D][HTTPClient.cpp:293] beginInternal(): protocol: https, host: my.domain.name port: 443 url: /stuff/moreStuff 09:44:23.667 > [D][HTTPClient.cpp:579] sendRequest(): request type: 'GET' redirCount: 0 09:44:23.737 > 09:44:23.737 > [V][ssl_client.cpp:59] start_ssl_client(): Free internal heap before TLS 259264 09:44:23.804 > [E][WiFiClientSecure.cpp:133] connect(): start_ssl_client: -1 09:44:23.867 > [V][ssl_client.cpp:265] stop_ssl_socket(): Cleaning SSL connection. 09:44:23.963 > [D][HTTPClient.cpp:1118] connect(): failed connect to my.domain.name:443 09:44:24.037 > [W][HTTPClient.cpp:1417] returnError(): error(-1): connection refused 09:44:24.130 > [E][HTTPUpdate.cpp:231] handleUpdate(): HTTP error: connection refused 09:44:24.204 > 09:44:24.204 > [D][HTTPClient.cpp:400] disconnect(): tcp is closed 09:44:24.267 > 09:44:24.267 > [V][ssl_client.cpp:265] stop_ssl_socket(): Cleaning SSL connection. 09:44:24.337 > [V][ssl_client.cpp:265] stop_ssl_socket(): Cleaning SSL connection. ```

George_Santiago · February 26, 2025, 1:55am

I am using the compilation option with FreeRTOS: #define THINGER_FREE_RTOS

Could it be something related to the stack size?
bool start(unsigned core=ARDUINO_RUNNING_CORE, size_t stack_size=8192){

github.com

thinger-io/Arduino-Library/blob/dfa74f4a3c489c0c16832050f6c0ee3f92c85d37/src/ThingerESP32FreeRTOS.h#L55


      
          ThingerESP32FreeRTOS(ThingerClient& client)
              : task_client_(client)
          {
          
          }
          
          virtual ~ThingerESP32FreeRTOS(){
          
          }
          
          bool start(unsigned core=ARDUINO_RUNNING_CORE, size_t stack_size=8192){
              if(running_) return false;
              running_ = true;
              running_core_ = core;
              BaseType_t result = xTaskCreateUniversal(
                  [](void* param){
                      ThingerESP32FreeRTOS* instance = (ThingerESP32FreeRTOS*) param;
                      while(instance->running_){
                          vTaskDelay(5);
                          instance->task_client_.handle();
                      }

George_Santiago · February 26, 2025, 3:04am

Or would it be something related to the new Thinger Server 6.4.6-beta update?

alvarolb · February 26, 2025, 9:34am

Hi @George_Santiago , doest it work fine with the regular Sketch without FreeRTOS?

George_Santiago · March 8, 2025, 4:40pm

Hello, @alvarolb

Sorry for the delay in replying.

Apparently, everything works fine with the ESP32 Single Core (without FreeRTOS).

So far, we have only seen the SSL error occur on the ESP32 Duo Core (with FreeRTOS). The ESP32 with FreeRTOS takes about 5 to 10 minutes to stabilize the connection, after making several attempts.

Is this SSL error related to the new security implementations?
http://thinger.io/iot-platform-security/
Is there any prospect of a fix?

George_Santiago · March 8, 2025, 5:13pm

I’m changing the value of THINGER_OUTPUT_BUFFER_GROWING_SIZE to 0 and will run tests.

github.com

thinger-io/Arduino-Library/blob/dfa74f4a3c489c0c16832050f6c0ee3f92c85d37/src/ThingerClient.h#L134C13-L134C48


      
          #define THINGER_OUTPUT_BUFFER_GROWING_SIZE 32

George_Santiago · March 8, 2025, 5:14pm

George_Santiago · March 8, 2025, 5:46pm

github.com/SuperHouse/esp-open-rtos

Problem GET'ing binary file

opened 09:10PM - 07 Feb 17 UTC

closed 04:58PM - 22 Feb 17 UTC

ole-johan

question

I am sending a GET message to download a binary file using the mbedtls HTTPS set…up. I am successfully using POST, and GET works for small text files. When I try to GET a binary file that is 520kb, I get the following response when calling `mbedtls_ssl_read(&ssl, buffer, 300);` in a loop: ``` HTTP/1.1 200 OK Access-Control-Allow-Origin: * X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Download-Options: noopen Accept-Ranges: bytes Date: Tue, 07 Feb 2017 20:49:39 GMT Cache-Control: public, max-age=0 Last-Modified: Tue, 31 Jan 2017 20:39:18 GMT ETag: W/"811b8-977420404" Content-Type: application/octet-stream Content-Length: 528824 set-cookie: connect.sid=...; Path=/; HttpOnly Connection: keep-alive ``` However, after receiving this header, I get the following error on the subsequent call to `mbedtls_ssl_read` : ``` ssl_tls.c:3363: bad message length ssl_tls.c:6185: mbedtls_ssl_read_record() returned -29184 (-0x7200) ERROR: SSL read failed. -29184 - SSL - An invalid SSL record was received ``` Any tips on how to make this work? Thanks, OJ.

It’d be best to confirm with a packet capture or by enabling mbedTLS debugging, but the problem is probably that the server is sending a TLS message with more than 4096 bytes of data in it:
esp-open-rtos/extras/mbedtls/include/mbedtls/config.h at master · SuperHouse/esp-open-rtos · GitHub

TLS spec says that messages can be up to 16KB, but this requires 32KB of RAM on the ESP8266 (16KB RX buffer + 16KB TX buffer.) So by default it’s turned down to 4KB, which is fine as long as the server doesn’t try to send a longer message. Streaming static files is a good way for this to happen, though! (In practice, most big servers use a TLS gateway that encrypts fragments of data from the HTTP server, so even reading static files you don’t often see full 16KB messages - but it’s always a possibility.)

Two ways to fix this:

Enable the RFC 6066 max_fragment_length extension in the TLS config of the server. This is the best option, because it means client and server will negotiate a maximum 4KB message size. Most major third party HTTPS servers don’t seem to support this extension, unfortunately.

Increase the max message size in the mbedTLS config (at the cost of free RAM). There is a patch for mbedTLS that I wrote last year that allows TX & RX buffer sizes to be different, which saves some of the RAM overhead by allowing you to grow the RX buffer only. I should get around to looking at that again!

George_Santiago · March 8, 2025, 5:56pm

github.com/govorox/SSLClient

(-2) BIGNUM - An error occurred while reading from or writing to a file

opened 08:48AM - 22 Apr 24 UTC

closed 07:43AM - 09 May 24 UTC

weekroom

help wanted

Hello, I am using sim7020 and esp32 to connect to AWS MQTT and I have used digit…aldragon/SSLClient@1.1.10 for ssl encryption. However, in the running process, I found that the certificate file cannot be read normally. I also refer to other people's relevant Settings for the certificate, and the relevant format is correct, but I do not know why the file cannot be read normally. I have used mqttfx to verify that the certificate is valid and can normally connect to AWS. [ 6135][E][ssl__client.cpp:45] _handle_error(): [start_ssl_client():353]: (-2) BIGNUM - An error occurred while reading from or writing to a file This is my code ```cpp #include <M5Atom.h> #include "ATOM_DTU_NB.h" #include <PubSubClient.h> #include <TinyGsmClient.h> #include <time.h> #include <sys/time.h> #include <SSLClient.h> #include "ca_cert.h" #define MQTT_BROKER "a31klw4qph0psl-ats.iot.us-east-2.amazonaws.com" #define MQTT_PORT 8883 #define UPLOAD_INTERVAL 10000 #define mqtt_devid "44a8c4fe642442f19c71ac54ec18d20d" //client id TinyGsm modem(SerialAT, ATOM_DTU_SIM7020_RESET); TinyGsmClient tcpClient(modem); SSLClient ssl_client(&tcpClient); PubSubClient mqttClient(ssl_client); void nbConnect(void); // For read the MQTT events void callback(char *topic, byte *payload, unsigned int length) { Serial.print("Message arrived ["); Serial.print(topic); Serial.print("] "); for (int i = 0; i < length; i++) { Serial.print((char)payload[i]); } Serial.println(); } void log(String info) { SerialMon.println(info); } // To connect to the broker void reconnect() { // Loop until we're reconnected while (!mqttClient.connected()) { Serial.println("Attempting MQTT connection..."); // Attempt to connect if (mqttClient.connect(mqtt_devid)) //if (client.connect(client_name)) { Serial.println("-----------------------------------connected-----------------------"); // Once connected, publish an announcement... // client.publish("outTopic", "hello world"); mqttClient.publish("devices/CHANGE_TO_DEVICE_NAME_AZURE_IOT_HUB/messages/events/","Test"); // Topic to publish telemetry // ... and resubscribe mqttClient.subscribe("$iothub/twin/PATCH/properties/desired/#"); //Topic to subscribe Device Twin } else { Serial.print("failed, rc="); Serial.print(mqttClient.state()); Serial.println("...try again in 5 seconds"); delay(5000); } } } void setup() { M5.begin(true, false, true); Serial.println(">>ATOM DTU NB MQTT TEST"); SerialAT.begin(SIM7020_BAUDRATE, SERIAL_8N1, ATOM_DTU_SIM7020_RX, ATOM_DTU_SIM7020_TX); //log("rootca_data:"+String(root_ca)); //log("certificate_data:"+String(certificate_data)); //log("privatekey_data:"+String(privatekey_data)); ssl_client.setCACert(root_ca); ssl_client.setCertificate(client_cert_pem_start); ssl_client.setPrivateKey(client_key_pem_start); nbConnect(); mqttClient.setServer(MQTT_BROKER, MQTT_PORT); mqttClient.setCallback(callback); } void loop() { // We maintain connectivity with the broker if (!mqttClient.connected()) { reconnect(); } // We are listening to the events mqttClient.loop(); delay(15000); } void nbConnect(void) { unsigned long start = millis(); log("Initializing modem..."); while (!modem.init()) { log("waiting...." + String((millis() - start) / 1000) + "s"); }; start = millis(); log("Waiting for network..."); while (!modem.waitForNetwork()) { log("waiting...." + String((millis() - start) / 1000) + "s"); } log("success"); } ``` This is my certificate format ![8b100515413deacafdddddca1ac2cf3](https://github.com/govorox/SSLClient/assets/51262475/bf7569e1-6245-4c46-af4e-eac2836cade5) This is my log ```sh rst:0x1 (POWERON_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT) configsip: 188777542, SPIWP:0xee clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00 mode:DIO, clock div:1 load:0x3fff0030,len:1344 load:0x40078000,len:13964 load:0x40080400,len:3600 entry 0x400805f0 [ 1][D][ssl__client.cpp:206] ssl_init(): Init SSL [ 17][D][esp32-hal-cpu.c:244] setCpuFrequencyMhz(): PLL: 480 / 2 = 240 Mhz, APB: 80000000 Hz M5Atom initializing...OK >>ATOM DTU NB MQTT TEST [ 206][D][SSLClient.cpp:484] setCACert(): Set root CA [ 206][D][SSLClient.cpp:498] setCertificate(): Set client CA [ 209][D][SSLClient.cpp:513] setPrivateKey(): Set client PK Initializing modem... [ 225][E][esp32-hal-gpio.c:102] __pinMode(): Invalid pin selected E (209) gpio: gpio_set_level(227): GPIO output gpio_num error E (512) gpio: gpio_set_level(227): GPIO output gpio_num error Waiting for network... success [ 5686][V][SSLClient.cpp:397] read(): This is the iClient->read() implementation [ 5686][V][SSLClient.cpp:397] read(): This is the iClient->read() implementation Attempting MQTT connection... [ 5700][V][SSLClient.cpp:397] read(): This is the iClient->read() implementation [ 5700][V][SSLClient.cpp:397] read(): This is the iClient->read() implementation [ 5707][V][SSLClient.cpp:161] connect(): connect with CA [ 5712][V][SSLClient.cpp:219] connect(): Connecting to a31klw4qph0psl-ats.iot.us-east-2.amazonaws.com:8883 [ 5722][V][SSLClient.cpp:220] connect(): Timeout value: 0 [ 5727][V][SSLClient.cpp:221] connect(): CA Certificate: Provided [ 5733][V][SSLClient.cpp:222] connect(): Client Certificate: Provided [ 5739][V][SSLClient.cpp:223] connect(): Private Key: Provided [ 5745][V][ssl__client.cpp:291] start_ssl_client(): Free internal heap before TLS 328948 [ 5752][V][ssl__client.cpp:292] start_ssl_client(): Connecting to a31klw4qph0psl-ats.iot.us-east-2.amazonaws.com:8883 [ 5763][V][ssl__client.cpp:379] init_tcp_connection(): Client pointer: 0x3ffc1e70 [ 5994][E][ssl__client.cpp:382] init_tcp_connection(): Connection to server failed! [ 5994][D][ssl__client.cpp:791] stop_ssl_socket(): Cleaning SSL connection. [ 5997][D][ssl__client.cpp:795] stop_ssl_socket(): Stopping SSL client. Current client pointer address: 0x3ffc1e70 [ 6093][D][ssl__client.cpp:816] stop_ssl_socket(): Freeing SSL context. Current ssl_ctx address: 0x3ffb9d14 [ 6093][D][ssl__client.cpp:819] stop_ssl_socket(): Freeing SSL config. Current ssl_conf address: 0x3ffb9f34 [ 6101][D][ssl__client.cpp:822] stop_ssl_socket(): Freeing DRBG context. Current drbg_ctx address: 0x3ffba01c [ 6110][D][ssl__client.cpp:825] stop_ssl_socket(): Freeing entropy context. Current entropy_ctx address: 0x3ffba06c [ 6121][D][ssl__client.cpp:828] stop_ssl_socket(): Finished cleaning SSL connection. [ 6128][D][ssl__client.cpp:249] cleanup(): Free internal heap after TLS 328948 [ 6135][E][ssl__client.cpp:45] _handle_error(): [start_ssl_client():353]: (-2) BIGNUM - An error occurred while reading from or writing to a file [ 6148][V][SSLClient.cpp:232] connect(): Return value from start_ssl_client: 0 [ 6155][E][SSLClient.cpp:235] connect(): start_ssl_client failed: 0 [ 6161][D][SSLClient.cpp:90] stop(): Stopping ssl client [ 6166][D][ssl__client.cpp:791] stop_ssl_socket(): Cleaning SSL connection. [ 6173][D][ssl__client.cpp:795] stop_ssl_socket(): Stopping SSL client. Current client pointer address: 0x3ffc1e70 [ 6267][D][ssl__client.cpp:816] stop_ssl_socket(): Freeing SSL context. Current ssl_ctx address: 0x3ffb9d14 [ 6267][D][ssl__client.cpp:819] stop_ssl_socket(): Freeing SSL config. Current ssl_conf address: 0x3ffb9f34 [ 6275][D][ssl__client.cpp:822] stop_ssl_socket(): Freeing DRBG context. Current drbg_ctx address: 0x3ffba01c [ 6284][D][ssl__client.cpp:825] stop_ssl_socket(): Freeing entropy context. Current entropy_ctx address: 0x3ffba06c [ 6295][D][ssl__client.cpp:828] stop_ssl_socket(): Finished cleaning SSL connection. failed, rc=-2...try again in 5 seconds ```

I finally had some time to put to this! … and it took … some time …

So, I needed to use the feature to add a timeout for making the initial connection with AWS, once this was done I was able to get past the -2 BUGNUM error and onto the bug. The bug was that the perform_ssl_handshake function was making a solid connection and then relying upon the return value of get_record_expansion to pass on the good connection. If record_expansion was not avilaible or returned a minus something then this told the client the connection has failed when it hadn’t. I am still not on why the get_record_expansion can do this but it is only something we need to check if need to know how many extra bytes the protocol will be adding (I think most of the time this is small enough to not be a worry).

If you would like to test this against your hardware add this line to your platformio.ini instead of the usual include for SSLClient and you will pulling in the branch with this fix in.

George_Santiago · March 12, 2025, 2:02am

During some testing, a new error appeared. But only once:
[189240][E][ssl_client.cpp:37] _handle_error(): [data_to_read():361]: (-29056) SSL - Verification of the message MAC failed

22:59:17.740 > [_SOCKET] Connected!
22:59:17.741 > [THINGER] Authenticating. User: iot_public Device: XXXXXXXXXXXXXX
22:59:17.752 > Thinger State Listener: THINGER_AUTHENTICATING
22:59:17.756 > [THINGER] Writing bytes: 56 [OK]
22:59:17.936 > [THINGER] Authenticated
22:59:17.936 > Thinger State Listener: THINGER_AUTHENTICATED
22:59:17.950 > [THINGER] Writing bytes: 2 [OK]
22:59:18.146 > [189240][E][ssl_client.cpp:37] _handle_error(): [data_to_read():361]: (-29056) SSL - Verification of the message MAC failed
22:59:18.160 > [_SOCKET] Connecting to XXXXXXXXXX.aws.thinger.io:25202...

George_Santiago · March 12, 2025, 2:05am

We are concerned that some of our ESP32 devices (with two cores and FreeRTOS) are failing to reconnect.

@alvarolb, any prospect of fixing this bug? We believe it was after the last update on the Server, as we have never seen this error before.

George_Santiago · March 12, 2025, 2:13am

Though a similar question got answered in the [Nordic DevZone](https://devzone.nordicsemi.com/f/nordic-q-a/89820/nrf9160-modem_key_mgmt_cmp-returns--1) it may be also the answer for this question.

For openssl, "010102030405060708090a0b0c0d0e0f" results in a 16 bytes secret. About

b'010102030405060708090a0b0c0d0e0f'

I'm not that sure. From other SO questions, I think it's a 32 bytes secret. If the peers don't share the same secret, the handshake fails. Some implementations will simple timeout the handshake, other may report a MAC validation error, because a mismatching secret creates different association keys, and with that, the MAC validation of the handshake 'Finish' fails.

Either use "30 31 30 31 30 32 30 33 30 34 30 35 30 36 30 37 30 38 30 39 30 61 30 62 30 63 30 64 30 65 30 66" (remove the spaces!) for openssl, or use b'\x01\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f' for python.

Hope, that works.

George_Santiago · March 12, 2025, 2:22am

Another error that appeared, but only once.

23:15:42.714 > [505763][E][ssl_client.cpp:37] _handle_error(): [data_to_read():361]: (-29184) SSL - An invalid SSL record [505763][E][ssl_client.cpp:37] _hawas receivedndle_error(
23:15:42.715 > ): [data_to_read():361]: (-29184) SSL - An invalid SSL record was received

.
.
.

23:15:42.498 > [_SOCKET] Connected!
23:15:42.519 > [THINGER] Authenticating. User: iot_public Device: XXXXXXXXXXXXXXXXX
23:15:42.521 > Thinger State Listener: THINGER_AUTHENTICATING
23:15:42.521 > [THINGER] Writing bytes: 56 [OK]
23:15:42.714 > [505763][E][ssl_client.cpp:37] _handle_error(): [data_to_read():361]: (-29184) SSL - An invalid SSL record [505763][E][ssl_client.cpp:37] _hawas receivedndle_error(
23:15:42.715 > ): [data_to_read():361]: (-29184) SSL - An invalid SSL record was received
23:15:52.527 > [_SOCKET] Cannot read from socket!
23:15:52.530 > [THINGER] Auth Failed! Check username, device id, or device credentials.
23:15:52.545 > [_SOCKET] Is now closed!
23:15:57.548 > [_SOCKET] Connecting to XXXXXX.aws.thinger.io:25202...

George_Santiago · March 12, 2025, 5:26pm

Hi @alvarolb

Some of our ESP32 devices (duo core + FreeRTOS) are not able to reconnect to the Server. Any prospect of fixing this bug?

We have never encountered these issues before. Everything indicates that it occurred after the update to version 6.4 of the Thinger Server.

We need a solution urgently!

alvarolb · March 12, 2025, 8:45pm

Hi @George_Santiago,
The latest release did not change anything regarding TLS connectivity. I will try to connect the ESP32 with RTOS.

alvarolb · March 13, 2025, 10:16am

Hi @George_Santiago,

We have tested an ESP32 with FreeRTOS and did not observe anything unusual:

[NETWORK] Starting connection...
[NETWORK] Connecting to network XXXXXXX
[NETWORK] Connected to WiFi!
[NETWORK] Getting IP Address...
[NETWORK] Got IP Address: 192.168.1.144
[NETWORK] Connected!
[_SOCKET] Connecting to xxxx.aws.thinger.io:25202...
[_SOCKET] Using secure TLS/SSL connection: yes
[_SOCKET] Connected!
[THINGER] Authenticating. User: alvarolb Device: esp32rtos
[THINGER] Writing bytes: 39 [OK]
[THINGER] Authenticated

Can you try to check the WiFi Signal of such devices?

void loop() {
  // use loop as in normal Arduino Sketch
  // use thing.lock() thing.unlock() if using variables exposed on thinger resources

  Serial.printf("WiFi Signal: %d dB\n", WiFi.RSSI());
  delay(1000);
}

George_Santiago · March 13, 2025, 10:56am

Hi @alvarolb
We will redo the tests now and post the details of the results.
We will do the tests with Arduino IDE (with board versions esp 3.1.1 and esp 2.0.17). We will bring the results later today.

George_Santiago · March 15, 2025, 8:41pm

Hello, @alvarolb
Apparently, we discovered the origin of the BUG.

Everything indicates that using FreeRTOS + Thinger ( thing.start(); in core 0) and calling thing.is_connected() in core 1 (very frequently) causes some access conflict, which generates the SSL error.

This leaves a question: do we need to do some blocking when we call the thing object in the loop of core 1? We will discuss this in a specific topic.

Thank you very much for your feedback.