MbedTLS handshake fails

We are trying to integrate Mbed TLS in our embedded platform (running on an imx rt 1024 CPU from NXP). Our platform uses FreeRTOS and LWIP, and now we integrated Mbed TLS 3.6.2 with the LWIP port to Mbed TLS.

We are able to create a TLS configuration which does a lot of checking on the supplied root certificate, which looks promising. But when we try to connect to a https server the TLS handshake fails.

We tried different certificates for different endpoints (google's certificate to access https://google.com, the root certificate of mosquitto to connect to some public test MQTT server, and our own certificate, to connect to our own endpoint.

They all fail on the obscure "Alert" generated by the server, which doesn't tell us much.

The only place where we can get wireshark to listen in on the TCP traffic is with our own server. It also doesn't reveal a great deal, but maybe somebody can help us track down anything and give a hint where we should be looking...

The client hello message from our embedded device to the server:

The client hello message is acked by the server, but immediately after the server response raises the generic alert:

Our Mbed TLS configuration for what it's worth

/** * \file config-suite-b.h * * \brief Minimal configuration for TLS NSA Suite B Profile (RFC 6460) *//* *  Copyright The Mbed TLS Contributors *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later *//* * Minimal configuration for TLS NSA Suite B Profile (RFC 6460) * * Distinguishing features: * - no RSA or classic DH, fully based on ECC * - optimized for low RAM usage * * Possible improvements: * - if 128-bit security is enough, disable secp384r1 and SHA-512 * - use embedded certs in DER format and disable PEM_PARSE_C and BASE64_C * * See README.txt for usage instructions. *//* System support */#define MBEDTLS_HAVE_ASM#define MBEDTLS_NO_PLATFORM_ENTROPY#define MBEDTLS_ENTROPY_HARDWARE_ALT /* Using imx rt 1024 TRNG unit in hardware */#define MBEDTLS_PLATFORM_C#define MBEDTLS_PLATFORM_MEMORY#define MBEDTLS_DEBUG_C /* Enabled logging for failing handshake *//* Mbed TLS feature support */#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED#define MBEDTLS_CIPHER_AES_128_GCM_C#define MBEDTLS_ECP_DP_SECP256R1_ENABLED#define MBEDTLS_SSL_PROTO_TLS1_2/* Mbed TLS modules */#define MBEDTLS_AES_C#define MBEDTLS_RSA_C       /* required for google's root CA */#define MBEDTLS_PKCS1_V21   /* required for RSA */#define MBEDTLS_MD5_C#define MBEDTLS_ASN1_PARSE_C#define MBEDTLS_ASN1_WRITE_C#define MBEDTLS_BIGNUM_C#define MBEDTLS_CIPHER_C#define MBEDTLS_CCM_C#define MBEDTLS_CTR_DRBG_C#define MBEDTLS_ECDH_C#define MBEDTLS_ECDSA_C#define MBEDTLS_ECP_C#define MBEDTLS_ENTROPY_C#define MBEDTLS_HMAC_DRBG_C#define MBEDTLS_GCM_C#define MBEDTLS_MD_C#define MBEDTLS_OID_C#define MBEDTLS_PK_C#define MBEDTLS_PK_PARSE_C#define MBEDTLS_SHA256_C// #define MBEDTLS_SHA256_ALT   /* todo: nicer to have sha256 in hardware */#define MBEDTLS_SSL_CLI_C#define MBEDTLS_SSL_SRV_C#define MBEDTLS_SSL_TLS_C#define MBEDTLS_X509_CRT_PARSE_C#define MBEDTLS_X509_USE_C/* For test certificates */#define MBEDTLS_BASE64_C#define MBEDTLS_PEM_PARSE_C/* Save RAM at the expense of ROM */#define MBEDTLS_AES_ROM_TABLES/* Save RAM by adjusting to our exact needs */// #define MBEDTLS_MPI_MAX_SIZE    48 // 384-bit EC curve = 48 bytes// #define MBEDTLS_MPI_MAX_SIZE    256 /* required by google's root CA*/#define MBEDTLS_MPI_MAX_SIZE    512 /* required by lets encrypt root CA*//* Save RAM at the expense of speed, see ecp.h */#define MBEDTLS_ECP_WINDOW_SIZE        2#define MBEDTLS_ECP_FIXED_POINT_OPTIM  0/* Significant speed benefit at the expense of some ROM */#define MBEDTLS_ECP_NIST_OPTIM/* * You should adjust this to the exact number of sources you're using: default * is the "mbedtls_platform_entropy_poll" source, but you may want to add other ones. * Minimum is 2 for the entropy test suite. */#define MBEDTLS_ENTROPY_MAX_SOURCES 2/* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */#define MBEDTLS_SSL_CIPHERSUITES                        \    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,    \    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256/* * Save RAM at the expense of interoperability: do this only if you control * both ends of the connection!  (See comments in "mbedtls/ssl.h".) * The minimum size here depends on the certificate chain used as well as the * typical size of records. */#define MBEDTLS_SSL_IN_CONTENT_LEN             1024#define MBEDTLS_SSL_OUT_CONTENT_LEN             1024/* These defines are present so that the config modifying scripts can enable * them during tests/scripts/test-ref-configs.pl *///#define MBEDTLS_USE_PSA_CRYPTO//#define MBEDTLS_PSA_CRYPTO_C

Our embedded device also prints the logging produced by Mbed TLS to serial, but it doesn't give any information of why the server rejected the handshake (which makes sense, since wireshark also doesn't capture any additional information so I understand Mbed TLS simply doesn't get the underlying reason).

Still for completeness, the serial log

[2024-12-12 15:00:01] 2024-12-10 13:03:53.174 [Info ] [Http] GET from projects-admin.ddns.net:443 - /home[2024-12-12 15:00:01] 2024-12-10 13:03:53.176 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(1327): The SSL configuration is tls12 only.[2024-12-12 15:00:01] 2024-12-10 13:03:53.358 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(4606): => handshake[2024-12-12 15:00:01] 2024-12-10 13:03:53.360 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2353): => flush output[2024-12-12 15:00:01] 2024-12-10 13:03:53.360 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2362): <= flush output[2024-12-12 15:00:01] 2024-12-10 13:03:53.362 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(4525): client state: MBEDTLS_SSL_HELLO_REQUEST[2024-12-12 15:00:01] 2024-12-10 13:03:53.362 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2353): => flush output[2024-12-12 15:00:01] 2024-12-10 13:03:53.364 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2362): <= flush output[2024-12-12 15:00:01] 2024-12-10 13:03:53.364 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(4525): client state: MBEDTLS_SSL_CLIENT_HELLO[2024-12-12 15:00:01] 2024-12-10 13:03:53.396 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(919): => write client hello[2024-12-12 15:00:01] 2024-12-10 13:03:53.424 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(486): dumping 'client hello, random bytes' (32 bytes)[2024-12-12 15:00:01] 2024-12-10 13:03:53.452 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(486): 0000:  a4 8b 90 c0 3e 15 05 f1 83 68 b4 36 51 03 85 9d  ....>....h.6Q...[2024-12-12 15:00:01] 2024-12-10 13:03:53.482 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(486): 0010:  75 6a 95 74 34 67 5e a9 58 51 33 ce 61 69 2b 2f  uj.t4g^.XQ3.ai+/[2024-12-12 15:00:01] 2024-12-10 13:03:53.510 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(511): dumping 'session id' (0 bytes)[2024-12-12 15:00:01] 2024-12-10 13:03:53.536 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(369): client hello, add ciphersuite: c02b, TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256[2024-12-12 15:00:01] 2024-12-10 13:03:53.566 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(387): adding EMPTY_RENEGOTIATION_INFO_SCSV[2024-12-12 15:00:01] 2024-12-10 13:03:53.594 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(396): client hello, got 2 cipher suites[2024-12-12 15:00:01] 2024-12-10 13:03:53.628 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(230): client hello, adding supported_groups extension[2024-12-12 15:00:01] 2024-12-10 13:03:53.664 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(249): got supported group(0017)[2024-12-12 15:00:01] 2024-12-10 13:03:53.702 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(281): NamedGroup: secp256r1 ( 17 )[2024-12-12 15:00:01] 2024-12-10 13:03:53.732 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(301): dumping 'Supported groups extension' (4 bytes)[2024-12-12 15:00:01] 2024-12-10 13:03:53.770 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(301): 0000:  00 02 00 17                                      ....[2024-12-12 15:00:01] 2024-12-10 13:03:53.800 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(9593): adding signature_algorithms extension[2024-12-12 15:00:01] 2024-12-10 13:03:53.830 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(9613): got signature scheme [403] ecdsa_secp256r1_sha256[2024-12-12 15:00:01] 2024-12-10 13:03:53.862 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(9622): sent signature scheme [403] ecdsa_secp256r1_sha256[2024-12-12 15:00:01] 2024-12-10 13:03:53.892 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(9613): got signature scheme [401] rsa_pkcs1_sha256[2024-12-12 15:00:01] 2024-12-10 13:03:53.920 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(9622): sent signature scheme [401] rsa_pkcs1_sha256[2024-12-12 15:00:01] 2024-12-10 13:03:53.954 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls12_client.c(105): client hello, adding supported_point_formats extension[2024-12-12 15:00:01] 2024-12-10 13:03:53.990 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(688): client hello, total extension length: 24[2024-12-12 15:00:01] 2024-12-10 13:03:53.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(690): dumping 'client hello extensions' (24 bytes)[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(690): 0000:  00 18 00 0a 00 04 00 02 00 17 00 0d 00 06 00 04  ................[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(690): 0010:  04 03 04 01 00 0b 00 02                          ........[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2783): => write handshake message[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2943): => write record[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3027): output record: msgtype = 22, version = [3:3], msglen = 73[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3032): dumping 'output record sent to network' (78 bytes)[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3032): 0000:  16 03 03 00 49 01 00 00 45 03 03 a4 8b 90 c0 3e  ....I...E......>[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3032): 0010:  15 05 f1 83 68 b4 36 51 03 85 9d 75 6a 95 74 34  ....h.6Q...uj.t4[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3032): 0020:  67 5e a9 58 51 33 ce 61 69 2b 2f 00 00 04 c0 2b  g^.XQ3.ai+/....+[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3032): 0030:  00 ff 01 00 00 18 00 0a 00 04 00 02 00 17 00 0d  ................[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3032): 0040:  00 06 00 04 04 03 04 01 00 0b 00 02 01 00        ..............[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3080): <= write record[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2904): <= write handshake message[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_client.c(1012): <= write client hello[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2353): => flush output[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2367): message length: 78, out_left: 78[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2374): ssl->f_send() returned 78 (-0xffffffb2)[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2401): <= flush output[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(4525): client state: MBEDTLS_SSL_SERVER_HELLO[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls12_client.c(1193): => parse server hello[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(4189): => read record[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2155): => fetch input[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2295): in_left: 0, nb_want: 5[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2315): in_left: 0, nb_want: 5[2024-12-12 15:00:02] 2024-12-10 13:03:53.999 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(4617): <= handshake[2024-12-12 15:00:02] 2024-12-10 13:03:54.040 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2353): => flush output[2024-12-12 15:00:02] 2024-12-10 13:03:54.042 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2362): <= flush output[2024-12-12 15:00:02] 2024-12-10 13:03:54.044 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(4606): => handshake[2024-12-12 15:00:02] 2024-12-10 13:03:54.044 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2353): => flush output[2024-12-12 15:00:02] 2024-12-10 13:03:54.046 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2362): <= flush output[2024-12-12 15:00:02] 2024-12-10 13:03:54.046 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(4525): client state: MBEDTLS_SSL_SERVER_HELLO[2024-12-12 15:00:02] 2024-12-10 13:03:54.048 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls12_client.c(1193): => parse server hello[2024-12-12 15:00:02] 2024-12-10 13:03:54.074 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(4189): => read record[2024-12-12 15:00:02] 2024-12-10 13:03:54.100 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2155): => fetch input[2024-12-12 15:00:02] 2024-12-10 13:03:54.126 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2295): in_left: 0, nb_want: 5[2024-12-12 15:00:02] 2024-12-10 13:03:54.154 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2315): in_left: 0, nb_want: 5[2024-12-12 15:00:02] 2024-12-10 13:03:54.180 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2318): ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)[2024-12-12 15:00:02] 2024-12-10 13:03:54.210 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2340): <= fetch input[2024-12-12 15:00:02] 2024-12-10 13:03:54.240 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3855): dumping 'input record header' (5 bytes)[2024-12-12 15:00:02] 2024-12-10 13:03:54.266 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3855): 0000:  15 03 03 00 02                                   .....[2024-12-12 15:00:02] 2024-12-10 13:03:54.294 [Debug] [Http] 3 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3857): input record: msgtype = 21, version = [0x303], msglen = 2[2024-12-12 15:00:02] 2024-12-10 13:03:54.320 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2155): => fetch input[2024-12-12 15:00:02] 2024-12-10 13:03:54.350 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2295): in_left: 5, nb_want: 7[2024-12-12 15:00:02] 2024-12-10 13:03:54.382 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2315): in_left: 5, nb_want: 7[2024-12-12 15:00:02] 2024-12-10 13:03:54.408 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2318): ssl->f_recv(_timeout)() returned 2 (-0xfffffffe)[2024-12-12 15:00:02] 2024-12-10 13:03:54.444 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(2340): <= fetch input[2024-12-12 15:00:02] 2024-12-10 13:03:54.480 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3964): dumping 'input record from network' (7 bytes)[2024-12-12 15:00:02] 2024-12-10 13:03:54.514 [Debug] [Http] 4 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(3964): 0000:  15 03 03 00 02 02 28                             ......([2024-12-12 15:00:07] 2024-12-10 13:03:54.540 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(5092): got an alert message, type: [2:40][2024-12-12 15:00:07] 2024-12-10 13:03:54.568 [Debug] [Http] 1 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(5099): is a fatal alert message (msg 40)[2024-12-12 15:00:07] 2024-12-10 13:03:54.596 [Debug] [Http] 1 - /home/dev/app/thirdparty/mbedtls/library/ssl_msg.c(4244): mbedtls_ssl_handle_message_type() returned -30592 (-0x7780)[2024-12-12 15:00:07] 2024-12-10 13:03:54.628 [Debug] [Http] 1 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls12_client.c(1197): mbedtls_ssl_read_record() returned -30592 (-0x7780)[2024-12-12 15:00:07] 2024-12-10 13:03:54.656 [Debug] [Http] 2 - /home/dev/app/thirdparty/mbedtls/library/ssl_tls.c(4617): <= handshake[2024-12-12 15:00:07] 2024-12-10 13:03:54.688 [Debug] [External] mbedtls_ssl_handshake failed: -30592[2024-12-12 15:00:07] 2024-12-10 13:03:59.002 [Debug] [Http] Download failed: httpc_result 4, srv_resp 0, err -15

Can anybody find any hint of why the client hello is rejected on the server?

Are there tools that help me dig deeper on why the server rejects the client hello?