samples: http_server: https variant not working on stm32h7s78dk

[bklaric1]

Problem

I tested the http_server sample on stm32h7s78dk (after enabling Ethernet like here #99296) without any issues.
I then wanted to test the same sample with overlay-tls.conf (https variant). But I can't get it to work.
The sample builds with addition of overlay-tls.conf and I can flash it to the board without issues.
After flashing, I can ping the board and open the http website in browser (http://<ip_address>). That part works without any problems.
Trying to open https://<ip_address> doesn't work. The website doesn't load and/or says that the website can't be trusted.
The https website is also not reachable via openssl s_client. Relevant command logs are listed below:

openssl s_client output with -state

PS <path>> openssl s_client -connect 10.21.20.147:443 -CAfile src/certs/ca_cert.pem -servername zephyr -tls1_2 -state
Connecting to 10.21.20.147
CONNECTED(0000018C)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
depth=1 O=Zephyrproject, CN=Zephyrproject Sample Development CA
verify return:1
depth=0 O=Zephyrproject, CN=zephyr
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
SSL3 alert write:fatal:decode error
SSL_connect:error in error
0C220000:error:0A000126:SSL routines::unexpected eof while reading:..\ssl\record\rec_layer_s3.c:701:
---
Certificate chain
 0 s:O=Zephyrproject, CN=zephyr
   i:O=Zephyrproject, CN=Zephyrproject Sample Development CA
   a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA256
   v:NotBefore: Nov 20 10:20:02 2025 GMT; NotAfter: Nov 21 10:20:02 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICBzCCAa2gAwIBAgIUCrvxXbarzzCQJtttPQF9gwQgn6IwCgYIKoZIzj0EAwIw
RjEWMBQGA1UECgwNWmVwaHlycHJvamVjdDEsMCoGA1UEAwwjWmVwaHlycHJvamVj
dCBTYW1wbGUgRGV2ZWxvcG1lbnQgQ0EwHhcNMjUxMTIwMTAyMDAyWhcNMjUxMTIx
MTAyMDAyWjApMRYwFAYDVQQKDA1aZXBoeXJwcm9qZWN0MQ8wDQYDVQQDDAZ6ZXBo
eXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATsMlFk5HFvOXWw6OV0zDDwpZQo
sVMVMUfDqGRbP/pKsoL5+6ykVqKr3IlpiN+r4kpVzM5cPm9YJJQlkD1q4BCPo4GV
MIGSMB0GA1UdDgQWBBStKGKmNPjzMD5BcFUSIP5mDRFMDzAfBgNVHSMEGDAWgBQZ
jaTXYJOv/W9cym4wdACXJmDoojAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIH
gDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHREEFjAUggx6ZXBoeXIubG9jYWyH
BAoVFJMwCgYIKoZIzj0EAwIDSAAwRQIhAI91g8u5DpddcGmgpQfcUHDq5HqU/T9W
PwAErkGl2kiZAiBWjGC/8nT5b6a1W/8h+R45jfDd5ZFQwMC94GKuHyuW2Q==
-----END CERTIFICATE-----
subject=O=Zephyrproject, CN=zephyr
issuer=O=Zephyrproject, CN=Zephyrproject Sample Development CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
Peer Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 792 bytes and written 361 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Protocol: TLSv1.2
Server public key is 256 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: 263CA42BADB73FF45E4B5E4C444D6DF25EF29A0523B9C213E662FF85B2281871
    Session-ID-ctx:
    Master-Key: 37EBF4B973F877726002F38F4149DC1E636CA7B0CB6B754D38292CF1B8ED1DCBBDE4916139343B63F8394FB563AB2CA7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1763634457
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
0C220000:error:0A000197:SSL routines:SSL_shutdown:shutdown while in init:..\ssl\ssl_lib.c:2834:
 (.venv) PS C:\Users\111987\git\Zephyr_STM32H7S78-DK> 

openssl s_client output with -ignore_unexpected_eof and -state

PS <path>> openssl s_client -ignore_unexpected_eof -connect 10.21.20.147:443 -CAfile src/certs/ca_cert.pem -servername zephyr -tls1_2 -state
Connecting to 10.21.20.147
CONNECTED(0000019C)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
depth=1 O=Zephyrproject, CN=Zephyrproject Sample Development CA
verify return:1
depth=0 O=Zephyrproject, CN=zephyr
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
SSL_connect:error in SSLv3/TLS write finished
closed
---
Certificate chain
 0 s:O=Zephyrproject, CN=zephyr
   i:O=Zephyrproject, CN=Zephyrproject Sample Development CA
   a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA256
   v:NotBefore: Nov 20 10:20:02 2025 GMT; NotAfter: Nov 21 10:20:02 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICBzCCAa2gAwIBAgIUCrvxXbarzzCQJtttPQF9gwQgn6IwCgYIKoZIzj0EAwIw
RjEWMBQGA1UECgwNWmVwaHlycHJvamVjdDEsMCoGA1UEAwwjWmVwaHlycHJvamVj
dCBTYW1wbGUgRGV2ZWxvcG1lbnQgQ0EwHhcNMjUxMTIwMTAyMDAyWhcNMjUxMTIx
MTAyMDAyWjApMRYwFAYDVQQKDA1aZXBoeXJwcm9qZWN0MQ8wDQYDVQQDDAZ6ZXBo
eXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATsMlFk5HFvOXWw6OV0zDDwpZQo
sVMVMUfDqGRbP/pKsoL5+6ykVqKr3IlpiN+r4kpVzM5cPm9YJJQlkD1q4BCPo4GV
MIGSMB0GA1UdDgQWBBStKGKmNPjzMD5BcFUSIP5mDRFMDzAfBgNVHSMEGDAWgBQZ
jaTXYJOv/W9cym4wdACXJmDoojAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIH
gDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHREEFjAUggx6ZXBoeXIubG9jYWyH
BAoVFJMwCgYIKoZIzj0EAwIDSAAwRQIhAI91g8u5DpddcGmgpQfcUHDq5HqU/T9W
PwAErkGl2kiZAiBWjGC/8nT5b6a1W/8h+R45jfDd5ZFQwMC94GKuHyuW2Q==
-----END CERTIFICATE-----
subject=O=Zephyrproject, CN=zephyr
issuer=O=Zephyrproject, CN=Zephyrproject Sample Development CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
Peer Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 793 bytes and written 330 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Protocol: TLSv1.2
Server public key is 256 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: DA83909154B9F8581EF73496887BC51498D7E033A9B350F882737663D74AAD4C
    Session-ID-ctx:
    Master-Key: AEA12B8C0C60233B36E13E43041FD9126EE1E0B756EBDE0420A8480842CE983CA886ECF05C4204A9BB668CDE3ABD69D0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1763634607
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
PS <path>> 

openssl s_client output with -ignore_unexpected_eof and -msg

PS <path>> openssl s_client -connect 10.21.20.147:443 -CAfile src/certs/ca_cert.pem -servername zephyr -tls1_2 -msg  
Connecting to 10.21.20.147
CONNECTED(00000194)
>>> TLS 1.0, RecordHeader [length 0005]
    16 03 01 00 c7
>>> TLS 1.2, Handshake [length 00c7], ClientHello
    01 00 00 c3 03 03 ea 73 9c fb 83 a6 71 14 34 fd
    d1 d7 ef ff 61 60 50 51 52 cd d6 da 2b 0b f4 b2
    dc 9d ef 03 69 07 00 00 36 c0 2c c0 30 00 9f cc
    a9 cc a8 cc aa c0 2b c0 2f 00 9e c0 24 c0 28 00
    6b c0 23 c0 27 00 67 c0 0a c0 14 00 39 c0 09 c0
    13 00 33 00 9d 00 9c 00 3d 00 3c 00 35 00 2f 01
    00 00 64 ff 01 00 01 00 00 00 00 0b 00 09 00 00
    06 7a 65 70 68 79 72 00 0b 00 02 01 00 00 0a 00
    0c 00 0a 00 1d 00 17 00 1e 00 18 00 19 00 23 00
    00 00 16 00 00 00 17 00 00 00 0d 00 2a 00 28 04
    03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08
    04 08 05 08 06 04 01 05 01 06 01 03 03 03 01 03
    02 04 02 05 02 06 02
<<< TLS 1.2, RecordHeader [length 0005]
    16 03 03 00 57
<<< TLS 1.2, Handshake [length 0057], ServerHello
    02 00 00 53 03 03 00 00 00 83 78 40 2b cc 5d 3d
    34 7a aa a5 c4 86 2c 4a a9 d3 54 6a 32 fb d4 0c
    46 9c 32 16 b0 3f 20 f0 d4 21 b0 4e dc d5 25 94
    1c 50 3d ac 08 92 9e 55 02 12 09 f6 f5 29 e3 dc
    cd cd 11 16 58 31 c6 c0 2c 00 00 0b ff 01 00 01
    00 00 0b 00 02 01 00
<<< TLS 1.2, RecordHeader [length 0005]
    16 03 03 02 15
<<< TLS 1.2, Handshake [length 0215], Certificate
    0b 00 02 11 00 02 0e 00 02 0b 30 82 02 07 30 82
    01 ad a0 03 02 01 02 02 14 0a bb f1 5d b6 ab cf
    30 90 26 db 6d 3d 01 7d 83 04 20 9f a2 30 0a 06
    08 2a 86 48 ce 3d 04 03 02 30 46 31 16 30 14 06
    03 55 04 0a 0c 0d 5a 65 70 68 79 72 70 72 6f 6a
    65 63 74 31 2c 30 2a 06 03 55 04 03 0c 23 5a 65
    70 68 79 72 70 72 6f 6a 65 63 74 20 53 61 6d 70
    6c 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 20 43
    41 30 1e 17 0d 32 35 31 31 32 30 31 30 32 30 30
    32 5a 17 0d 32 35 31 31 32 31 31 30 32 30 30 32
    5a 30 29 31 16 30 14 06 03 55 04 0a 0c 0d 5a 65
    70 68 79 72 70 72 6f 6a 65 63 74 31 0f 30 0d 06
    03 55 04 03 0c 06 7a 65 70 68 79 72 30 59 30 13
    06 07 2a 86 48 ce 3d 02 01 06 08 2a 86 48 ce 3d
    03 01 07 03 42 00 04 ec 32 51 64 e4 71 6f 39 75
    b0 e8 e5 74 cc 30 f0 a5 94 28 b1 53 15 31 47 c3
    a8 64 5b 3f fa 4a b2 82 f9 fb ac a4 56 a2 ab dc
    89 69 88 df ab e2 4a 55 cc ce 5c 3e 6f 58 24 94
    25 90 3d 6a e0 10 8f a3 81 95 30 81 92 30 1d 06
    03 55 1d 0e 04 16 04 14 ad 28 62 a6 34 f8 f3 30
    3e 41 70 55 12 20 fe 66 0d 11 4c 0f 30 1f 06 03
    55 1d 23 04 18 30 16 80 14 19 8d a4 d7 60 93 af
    fd 6f 5c ca 6e 30 74 00 97 26 60 e8 a2 30 0c 06
    03 55 1d 13 01 01 ff 04 02 30 00 30 0e 06 03 55
    1d 0f 01 01 ff 04 04 03 02 07 80 30 13 06 03 55
    1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 01
    30 1d 06 03 55 1d 11 04 16 30 14 82 0c 7a 65 70
    68 79 72 2e 6c 6f 63 61 6c 87 04 0a 15 14 93 30
    0a 06 08 2a 86 48 ce 3d 04 03 02 03 48 00 30 45
    02 21 00 8f 75 83 cb b9 0e 97 5d 70 69 a0 a5 07
    dc 50 70 ea e4 7a 94 fd 3f 56 3f 00 04 ae 41 a5
    da 48 99 02 20 56 8c 60 bf f2 74 f9 6f a6 b5 5b
    ff 21 f9 1e 39 8d f0 dd e5 91 50 c0 c0 bd e0 62
    ae 1f 2b 96 d9
depth=1 O=Zephyrproject, CN=Zephyrproject Sample Development CA
verify return:1
depth=0 O=Zephyrproject, CN=zephyr
verify return:1
<<< TLS 1.2, RecordHeader [length 0005]
    16 03 03 00 95
<<< TLS 1.2, Handshake [length 0095], ServerKeyExchange
    0c 00 00 91 03 00 17 41 04 fc b7 59 f6 c5 a5 ad
    8f 4b 8e 0d 40 38 6d 3e 74 b5 f7 e0 72 fe ba d7
    d4 52 09 e2 3e 6f 2f b5 b8 fd f8 0a 9a 0e dd 1a
    05 d0 0f d4 fc ef 45 01 d8 05 ef e5 4a c9 8c 28
    39 9c 90 69 78 1e a5 a1 fc 04 03 00 48 30 46 02
    21 00 a4 b6 39 9e 23 22 a5 48 c5 a9 f4 58 e0 06
    01 58 25 ca 9f 35 af 62 7b 30 6f 44 07 68 3b 7f
    3c 02 02 21 00 d2 3f 87 66 0e 69 68 ef 58 ec ac
    11 e2 62 83 ac eb 1b 44 5d 91 a4 d6 f9 ce 28 a7
    73 82 3a 9c c1
<<< TLS 1.2, RecordHeader [length 0005]
    16 03 03 00 04
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
    0e 00 00 00
>>> TLS 1.2, RecordHeader [length 0005]
    16 03 03 00 46
>>> TLS 1.2, Handshake [length 0046], ClientKeyExchange
    10 00 00 42 41 04 0b be 36 56 c8 d6 84 21 20 7b
    c7 67 5c ff 4f 27 77 56 4a df cd 73 c9 6f 3d 37
    56 78 68 62 11 0b 19 37 5a 9d 8a e6 33 49 d3 21
    af 03 5e d8 c8 26 d2 b7 44 6f 61 f1 af 8b 67 62
    70 eb d7 82 f7 ae
>>> TLS 1.2, RecordHeader [length 0005]
    14 03 03 00 01
>>> TLS 1.2, ChangeCipherSpec [length 0001]
    01
>>> TLS 1.2, RecordHeader [length 0005]
    16 03 03 00 28
>>> TLS 1.2, Handshake [length 0010], Finished
    14 00 00 0c ee 45 cd 5d 9c 06 f2 0b 32 dd 95 c6
closed
---
Certificate chain
 0 s:O=Zephyrproject, CN=zephyr
   i:O=Zephyrproject, CN=Zephyrproject Sample Development CA
   a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA256
   v:NotBefore: Nov 20 10:20:02 2025 GMT; NotAfter: Nov 21 10:20:02 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICBzCCAa2gAwIBAgIUCrvxXbarzzCQJtttPQF9gwQgn6IwCgYIKoZIzj0EAwIw
RjEWMBQGA1UECgwNWmVwaHlycHJvamVjdDEsMCoGA1UEAwwjWmVwaHlycHJvamVj
dCBTYW1wbGUgRGV2ZWxvcG1lbnQgQ0EwHhcNMjUxMTIwMTAyMDAyWhcNMjUxMTIx
MTAyMDAyWjApMRYwFAYDVQQKDA1aZXBoeXJwcm9qZWN0MQ8wDQYDVQQDDAZ6ZXBo
eXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATsMlFk5HFvOXWw6OV0zDDwpZQo
sVMVMUfDqGRbP/pKsoL5+6ykVqKr3IlpiN+r4kpVzM5cPm9YJJQlkD1q4BCPo4GV
MIGSMB0GA1UdDgQWBBStKGKmNPjzMD5BcFUSIP5mDRFMDzAfBgNVHSMEGDAWgBQZ
jaTXYJOv/W9cym4wdACXJmDoojAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIH
gDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHREEFjAUggx6ZXBoeXIubG9jYWyH
BAoVFJMwCgYIKoZIzj0EAwIDSAAwRQIhAI91g8u5DpddcGmgpQfcUHDq5HqU/T9W
PwAErkGl2kiZAiBWjGC/8nT5b6a1W/8h+R45jfDd5ZFQwMC94GKuHyuW2Q==
-----END CERTIFICATE-----
subject=O=Zephyrproject, CN=zephyr
issuer=O=Zephyrproject, CN=Zephyrproject Sample Development CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
Peer Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 793 bytes and written 330 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Protocol: TLSv1.2
Server public key is 256 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: F0D421B04EDCD525941C503DAC08929E55021209F6F529E3DCCDCD11165831C6
    Session-ID-ctx:
    Master-Key: 478CCE6657BB90E34B440D436729F1ADBD7447A989B67A3B94CEA880769098F89441C568DA2045B62B43291780ABC98E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1763634630
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
PS <path>> 

After enabling CONFIG_MBEDTLS_LOG_LEVEL_DBG=y and CONFIG_MBEDTLS_DEBUG=y, I get this output everytime I try to connect to the https server (same output for connect via browser, openssl and curl):

console log

...
uart:~*** Booting Zephyr OS build v4.3.0-748-gf1c2ce4f4026 ***
I: Initializing network
I: Waiting interface 1 (0x24002d10) to be up...
$ I: PHY (0) Link speed 100 Mb, full duplex
I: Interface 1 (0x24002d10) coming up
I: IPv4 address: 10.21.20.147
D: (http_server_tid): socket: ctx=0x24008d84, fd=4
D: Initialized HTTP Service <any>:80
D: (http_server_tid): Allocated TLS context, 0x240037a0
D: (http_server_tid): socket: ctx=0x24008e34, fd=6
D: Initialized HTTP Service <any>:443
D: Starting HTTP server
D: (rx_q[0]): parent=0x24008e34, ctx=0x24008ee4, st=0
D: (http_server_tid): accept: ctx=0x24008ee4, fd=8
D: (http_server_tid): Allocated TLS context, 0x24003c88
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:1332: The SSL configuration is tls12 only.
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:4667: => handshake
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2354: => flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2363: <= flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:4304: server state: 0
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_misc.h:1353: handshake state: 0 (MBEDTLS_SSL_HELLO_REQUEST) -> 1 (MBEDTLS_SSL_CLIENT_HELLO)
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2354: => flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2363: <= flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:4304: server state: 1
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0913: => parse client hello
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2156: => fetch input
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2296: in_left: 0, nb_want: 5
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2316: in_left: 0, nb_want: 5
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:4678: <= handshake
D: (rx_q[0]): ctx=0x24008ee4, pkt=0x2403ac20, st=0, user_data=0
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:4667: => handshake
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2354: => flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2363: <= flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:4304: server state: 1
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0913: => parse client hello
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2156: => fetch input
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2296: in_left: 0, nb_want: 5
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2316: in_left: 0, nb_want: 5
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2319: ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2341: <= fetch input
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0942: dumping 'record header' (5 bytes)
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0942: 0000:  16 03 01 00 c7                                   .....
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0953: client hello, message type: 22
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0961: client hello, message len.: 199
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0964: client hello, protocol version: [3:1]
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2156: => fetch input
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2296: in_left: 5, nb_want: 204
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2316: in_left: 5, nb_want: 204
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2319: ssl->f_recv(_timeout)() returned 199 (-0xffffff39)
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2341: <= fetch input
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1033: dumping 'record contents' (199 bytes)
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1033: 0000:  01 00 00 c3 03 03 7a a7 e8 5b b0 7c ca 4d 94 31  ......z..[.|.M.1
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1033: 0010:  ef 2e 1e e8 7c da 94 86 f8 9a ee d7 39 b8 f0 33  ....|.......9..3
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1033: 0020:  d6 6e f0 94 3a ac 00 00 36 c0 2c c0 30 00 9f cc  .n..:...6.,.0...
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1033: 0030:  a9 cc a8 cc aa c0 2b c0 2f 00 9e c0 24 c0 28 00  ......+./...$.(.
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1033: 0040:  6b c0 23 c0 27 00 67 c0 0a c0 14 00 39 c0 09 c0  k.#.'.g.....9...
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1033: 0050:  13 00 33 00 9d 00 9c 00 3d 00 3c 00 35 00 2f 01  ..3.....=.<.5./.
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1033: 0060:  00 00 64 ff 01 00 01 00 00 00 00 0b 00 09 00 00  ..d.............
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1033: 0070:  06 7a 65 70 68 79 72 00 0b 00 02 01 00 00 0a 00  .zephyr.........
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1033: 0080:  0c 00 0a 00 1d 00 17 00 1e 00 18 00 19 00 23 00  ..............#.
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1033: 0090:  00 00 16 00 00 00 17 00 00 00 0d 00 2a 00 28 04  ............*.(.
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1033: 00a0:  03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08  ................
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1033: 00b0:  04 08 05 08 06 04 01 05 01 06 01 03 03 03 01 03  ................
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1033: 00c0:  02 04 02 05 02 06 02                             .......
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1054: client hello v3, handshake type: 1
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1139: dumping 'client hello, version' (2 bytes)
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1139: 0000:  03 03                                            ..
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1156: dumping 'client hello, random bytes' (32 bytes)
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1156: 0000:  7a a7 e8 5b b0 7c ca 4d 94 31 ef 2e 1e e8 7c da  z..[.|.M.1....|.
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1156: 0010:  94 86 f8 9a ee d7 39 b8 f0 33 d6 6e f0 94 3a ac  ......9..3.n..:.
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1173: dumping 'client hello, session id' (0 bytes)
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1246: dumping 'client hello, ciphersuitelist' (54 bytes)
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1246: 0000:  c0 2c c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f  .,.0.........+./
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1246: 0010:  00 9e c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a  ...$.(.k.#.'.g..
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1246: 0020:  c0 14 00 39 c0 09 c0 13 00 33 00 9d 00 9c 00 3d  ...9.....3.....=
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1246: 0030:  00 3c 00 35 00 2f                                .<.5./
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1268: dumping 'client hello, compression' (1 bytes)
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1268: 0000:  00                                               .
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1296: dumping 'client hello extensions' (100 bytes)
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1296: 0000:  ff 01 00 01 00 00 00 00 0b 00 09 00 00 06 7a 65  ..............ze
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1296: 0010:  70 68 79 72 00 0b 00 02 01 00 00 0a 00 0c 00 0a  phyr............
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1296: 0020:  00 1d 00 17 00 1e 00 18 00 19 00 23 00 00 00 16  ...........#....
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1296: 0030:  00 00 00 17 00 00 00 0d 00 2a 00 28 04 03 05 03  .........*.(....
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1296: 0040:  06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05  ................
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1296: 0050:  08 06 04 01 05 01 06 01 03 03 03 01 03 02 04 02  ................
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1296: 0060:  05 02 06 02                                      ....
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1329: found renegotiation extension
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1468: unknown extension found: 0 (ignoring)
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1366: found supported point formats extension
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0274: point format selected: 0
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1357: found supported elliptic curves extension
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1468: unknown extension found: 35 (ignoring)
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1413: found encrypt then mac extension
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1468: unknown extension found: 23 (ignoring)
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1342: found signature_algorithms extension
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6658: received signature algorithm: 0x403 ecdsa_secp256r1_sha256
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6669: valid signature algorithm: ecdsa_secp256r1_sha256
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6658: received signature algorithm: 0x503 ecdsa_secp384r1_sha384
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6669: valid signature algorithm: ecdsa_secp384r1_sha384
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6658: received signature algorithm: 0x603 ecdsa_secp521r1_sha512
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6669: valid signature algorithm: ecdsa_secp521r1_sha512
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6658: received signature algorithm: 0x807 ed25519
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6658: received signature algorithm: 0x808 ed448
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6658: received signature algorithm: 0x809 rsa_pss_pss_sha256
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6658: received signature algorithm: 0x80a rsa_pss_pss_sha384
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6658: received signature algorithm: 0x80b rsa_pss_pss_sha512
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6658: received signature algorithm: 0x804 rsa_pss_rsae_sha256
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6658: received signature algorithm: 0x805 rsa_pss_rsae_sha384
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6658: received signature algorithm: 0x806 rsa_pss_rsae_sha512
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6658: received signature algorithm: 0x401 rsa_pkcs1_sha256
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6669: valid signature algorithm: rsa_pkcs1_sha256
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6658: received signature algorithm: 0x501 rsa_pkcs1_sha384
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6669: valid signature algorithm: rsa_pkcs1_sha384
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6658: received signature algorithm: 0x601 rsa_pkcs1_sha512
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6669: valid signature algorithm: rsa_pkcs1_sha512
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6658: received signature algorithm: 0x303 UNKNOWN
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6658: received signature algorithm: 0x301 UNKNOWN
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6658: received signature algorithm: 0x302 UNKNOWN
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6658: received signature algorithm: 0x402 UNKNOWN
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6658: received signature algorithm: 0x502 UNKNOWN
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:6658: received signature algorithm: 0x602 UNKNOWN
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0812: trying ciphersuite: 0xc02c (TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384)
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0719: ciphersuite requires certificate
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728: candidate certificate chain, certificate #1:
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728: cert. version     : 3
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728: serial number     : 0A:BB:F1:5D:B6:AB:CF:30:90:26:DB:6D:3D:01:7D:83:04:20:9F:A2
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728: issuer name       : O=Zephyrproject, CN=Zephyrproject Sample Development CA
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728: subject name      : O=Zephyrproject, CN=zephyr
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728: issued  on        : 2025-11-20 10:20:02
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728: expires on        : 2025-11-21 10:20:02
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728: signed using      : ECDSA with SHA256
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728: EC key size       : 256 bits
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728: basic constraints : CA=false
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728: subject alt name  :
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728:     dNSName : zephyr.local
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728:     iPAddress : 10.21.20.147
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728: key usage         : Digital Signature
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728: ext key usage     : TLS Web Server Authentication
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728: value of 'crt->eckey.Q(X)' (256 bits) is:
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728:  ec 32 51 64 e4 71 6f 39 75 b0 e8 e5 74 cc 30 f0
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728:  a5 94 28 b1 53 15 31 47 c3 a8 64 5b 3f fa 4a b2
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728: value of 'crt->eckey.Q(Y)' (256 bits) is:
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728:  82 f9 fb ac a4 56 a2 ab dc 89 69 88 df ab e2 4a
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0728:  55 cc ce 5c 3e 6f 58 24 94 25 90 3d 6a e0 10 8f
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783: selected certificate chain, certificate #1:
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783: cert. version     : 3
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783: serial number     : 0A:BB:F1:5D:B6:AB:CF:30:90:26:DB:6D:3D:01:7D:83:04:20:9F:A2
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783: issuer name       : O=Zephyrproject, CN=Zephyrproject Sample Development CA
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783: subject name      : O=Zephyrproject, CN=zephyr
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783: issued  on        : 2025-11-20 10:20:02
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783: expires on        : 2025-11-21 10:20:02
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783: signed using      : ECDSA with SHA256
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783: EC key size       : 256 bits
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783: basic constraints : CA=false
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783: subject alt name  :
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783:     dNSName : zephyr.local
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783:     iPAddress : 10.21.20.147
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783: key usage         : Digital Signature
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783: ext key usage     : TLS Web Server Authentication
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783: value of 'crt->eckey.Q(X)' (256 bits) is:
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783:  ec 32 51 64 e4 71 6f 39 75 b0 e8 e5 74 cc 30 f0
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783:  a5 94 28 b1 53 15 31 47 c3 a8 64 5b 3f fa 4a b2
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783: value of 'crt->eckey.Q(Y)' (256 bits) is:
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783:  82 f9 fb ac a4 56 a2 ab dc 89 69 88 df ab e2 4a
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:0783:  55 cc ce 5c 3e 6f 58 24 94 25 90 3d 6a e0 10 8f
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1634: selected ciphersuite: TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_misc.h:1353: handshake state: 1 (MBEDTLS_SSL_CLIENT_HELLO) -> 2 (MBEDTLS_SSL_SERVER_HELLO)
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1654: client hello v3, signature_algorithm ext: 4
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1662: <= parse client hello
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2354: => flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2363: <= flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:4304: server state: 2
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:2149: => write server hello
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:2174: server hello, chosen version: [3:3]
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:2182: server hello, current time: 76
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:2226: dumping 'server hello, random bytes' (32 bytes)
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:2226: 0000:  00 00 00 4c 69 dd 67 39 92 93 bd 38 37 47 5c b3  ...Li.g9...87G\.
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:2226: 0010:  db df d5 68 39 6f c6 1c ec c6 61 05 85 50 9a fd  ...h9o....a..P..
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_misc.h:1353: handshake state: 2 (MBEDTLS_SSL_SERVER_HELLO) -> 3 (MBEDTLS_SSL_SERVER_CERTIFICATE)
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:2279: server hello, session id len.: 32
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:2280: dumping 'server hello, session id' (32 bytes)
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:2280: 0000:  5d d5 22 01 90 40 9a 64 fe ba 48 ce 3e 8e e8 73  ]."..@.d..H.>..s
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:2280: 0010:  91 27 a1 40 5f b7 18 5a b0 3b 0d 24 68 3e b3 4f  .'.@_..Z.;.$h>.O
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:2281: no session has been resumed
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:2288: server hello, chosen ciphersuite: TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:2290: server hello, compress alg.: 0x00
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1817: server hello, secure renegotiation extension
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:1885: server hello, supported_point_formats extension
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:2355: server hello, total extension length: 11
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2784: => write handshake message
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2944: => write record
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3028: output record: msgtype = 22, version = [3:3], msglen = 87
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: dumping 'output record sent to network' (92 bytes)
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0000:  16 03 03 00 57 02 00 00 53 03 03 00 00 00 4c 69  ....W...S.....Li
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0010:  dd 67 39 92 93 bd 38 37 47 5c b3 db df d5 68 39  .g9...87G\....h9
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0020:  6f c6 1c ec c6 61 05 85 50 9a fd 20 5d d5 22 01  o....a..P.. ].".
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0030:  90 40 9a 64 fe ba 48 ce 3e 8e e8 73 91 27 a1 40  .@.d..H.>..s.'.@
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0040:  5f b7 18 5a b0 3b 0d 24 68 3e b3 4f c0 2c 00 00  _..Z.;.$h>.O.,..
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0050:  0b ff 01 00 01 00 00 0b 00 02 01 00              ............
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2354: => flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2368: message length: 92, out_left: 92
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2375: ssl->f_send() returned 92 (-0xffffffa4)
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2402: <= flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3081: <= write record
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2905: <= write handshake message
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:2369: <= write server hello
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2354: => flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2363: <= flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:4304: server state: 3
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7616: => write certificate
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643: own certificate #1:
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643: cert. version     : 3
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643: serial number     : 0A:BB:F1:5D:B6:AB:CF:30:90:26:DB:6D:3D:01:7D:83:04:20:9F:A2
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643: issuer name       : O=Zephyrproject, CN=Zephyrproject Sample Development CA
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643: subject name      : O=Zephyrproject, CN=zephyr
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643: issued  on        : 2025-11-20 10:20:02
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643: expires on        : 2025-11-21 10:20:02
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643: signed using      : ECDSA with SHA256
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643: EC key size       : 256 bits
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643: basic constraints : CA=false
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643: subject alt name  :
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643:     dNSName : zephyr.local
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643:     iPAddress : 10.21.20.147
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643: key usage         : Digital Signature
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643: ext key usage     : TLS Web Server Authentication
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643: value of 'crt->eckey.Q(X)' (256 bits) is:
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643:  ec 32 51 64 e4 71 6f 39 75 b0 e8 e5 74 cc 30 f0
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643:  a5 94 28 b1 53 15 31 47 c3 a8 64 5b 3f fa 4a b2
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643: value of 'crt->eckey.Q(Y)' (256 bits) is:
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643:  82 f9 fb ac a4 56 a2 ab dc 89 69 88 df ab e2 4a
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7643:  55 cc ce 5c 3e 6f 58 24 94 25 90 3d 6a e0 10 8f
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_misc.h:1353: handshake state: 3 (MBEDTLS_SSL_SERVER_CERTIFICATE) -> 4 (MBEDTLS_SSL_SERVER_KEY_EXCHANGE)
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2784: => write handshake message
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2944: => write record
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3028: output record: msgtype = 22, version = [3:3], msglen = 533
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: dumping 'output record sent to network' (538 bytes)
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0000:  16 03 03 02 15 0b 00 02 11 00 02 0e 00 02 0b 30  ...............0
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0010:  82 02 07 30 82 01 ad a0 03 02 01 02 02 14 0a bb  ...0............
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0020:  f1 5d b6 ab cf 30 90 26 db 6d 3d 01 7d 83 04 20  .]...0.&.m=.}..
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0030:  9f a2 30 0a 06 08 2a 86 48 ce 3d 04 03 02 30 46  ..0...*.H.=...0F
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0040:  31 16 30 14 06 03 55 04 0a 0c 0d 5a 65 70 68 79  1.0...U....Zephy
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0050:  72 70 72 6f 6a 65 63 74 31 2c 30 2a 06 03 55 04  rproject1,0*..U.
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0060:  03 0c 23 5a 65 70 68 79 72 70 72 6f 6a 65 63 74  ..#Zephyrproject
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0070:  20 53 61 6d 70 6c 65 20 44 65 76 65 6c 6f 70 6d   Sample Developm
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0080:  65 6e 74 20 43 41 30 1e 17 0d 32 35 31 31 32 30  ent CA0...251120
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0090:  31 30 32 30 30 32 5a 17 0d 32 35 31 31 32 31 31  102002Z..2511211
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 00a0:  30 32 30 30 32 5a 30 29 31 16 30 14 06 03 55 04  02002Z0)1.0...U.
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 00b0:  0a 0c 0d 5a 65 70 68 79 72 70 72 6f 6a 65 63 74  ...Zephyrproject
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 00c0:  31 0f 30 0d 06 03 55 04 03 0c 06 7a 65 70 68 79  1.0...U....zephy
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 00d0:  72 30 59 30 13 06 07 2a 86 48 ce 3d 02 01 06 08  r0Y0...*.H.=....
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 00e0:  2a 86 48 ce 3d 03 01 07 03 42 00 04 ec 32 51 64  *.H.=....B...2Qd
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 00f0:  e4 71 6f 39 75 b0 e8 e5 74 cc 30 f0 a5 94 28 b1  .qo9u...t.0...(.
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0100:  53 15 31 47 c3 a8 64 5b 3f fa 4a b2 82 f9 fb ac  S.1G..d[?.J.....
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0110:  a4 56 a2 ab dc 89 69 88 df ab e2 4a 55 cc ce 5c  .V....i....JU..\
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0120:  3e 6f 58 24 94 25 90 3d 6a e0 10 8f a3 81 95 30  >oX$.%.=j......0
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0130:  81 92 30 1d 06 03 55 1d 0e 04 16 04 14 ad 28 62  ..0...U.......(b
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0140:  a6 34 f8 f3 30 3e 41 70 55 12 20 fe 66 0d 11 4c  .4..0>ApU. .f..L
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0150:  0f 30 1f 06 03 55 1d 23 04 18 30 16 80 14 19 8d  .0...U.#..0.....
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0160:  a4 d7 60 93 af fd 6f 5c ca 6e 30 74 00 97 26 60  ..`...o\.n0t..&`
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0170:  e8 a2 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00  ..0...U.......0.
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0180:  30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 07 80  0...U...........
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0190:  30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01  0...U.%..0...+..
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 01a0:  05 05 07 03 01 30 1d 06 03 55 1d 11 04 16 30 14  .....0...U....0.
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 01b0:  82 0c 7a 65 70 68 79 72 2e 6c 6f 63 61 6c 87 04  ..zephyr.local..
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 01c0:  0a 15 14 93 30 0a 06 08 2a 86 48 ce 3d 04 03 02  ....0...*.H.=...
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 01d0:  03 48 00 30 45 02 21 00 8f 75 83 cb b9 0e 97 5d  .H.0E.!..u.....]
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 01e0:  70 69 a0 a5 07 dc 50 70 ea e4 7a 94 fd 3f 56 3f  pi....Pp..z..?V?
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 01f0:  00 04 ae 41 a5 da 48 99 02 20 56 8c 60 bf f2 74  ...A..H.. V.`..t
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0200:  f9 6f a6 b5 5b ff 21 f9 1e 39 8d f0 dd e5 91 50  .o..[.!..9.....P
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0210:  c0 c0 bd e0 62 ae 1f 2b 96 d9                    ....b..+..
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2354: => flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2368: message length: 538, out_left: 538
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2375: ssl->f_send() returned 538 (-0xfffffde6)
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2402: <= flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3081: <= write record
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2905: <= write handshake message
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:7689: <= write certificate
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2354: => flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2363: <= flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:4304: server state: 4
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:3234: => write server key exchange
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:2971: ECDHE curve: secp256r1
E: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:2985: Perform PSA-based ECDH computation.
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:3130: pick hash algorithm 9 for signing
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:9174: Perform PSA-based computation of digest of ServerKeyExchange
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:3148: dumping 'parameters hash' (32 bytes)
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:3148: 0000:  d8 fd 86 4c 63 5a 73 37 4a 97 fa c3 59 65 d5 ec  ...LcZs7J...Ye..
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:3148: 0010:  e0 72 c0 ea cf e7 a3 48 4e ad 18 c3 24 98 c7 56  .r.....HN...$..V
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:3296: dumping 'my signature' (71 bytes)
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:3296: 0000:  30 45 02 21 00 f9 b4 0e 71 8c 42 95 fe 66 06 fe  0E.!....q.B..f..
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:3296: 0010:  f2 88 32 3f e7 7c ce b4 44 0c 03 d7 36 31 93 f5  ..2?.|..D...61..
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:3296: 0020:  af f3 b6 d3 c8 02 20 1e cd 7e a7 3d e2 b9 26 db  ...... ..~.=..&.
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:3296: 0030:  84 20 6e 8c 1e 0c dc 92 ba c5 02 59 8f 9b 7d ad  . n........Y..}.
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:3296: 0040:  51 01 d3 85 88 dd e3                             Q......
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_misc.h:1353: handshake state: 4 (MBEDTLS_SSL_SERVER_KEY_EXCHANGE) -> 5 (MBEDTLS_SSL_CERTIFICATE_REQUEST)
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2784: => write handshake message
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2944: => write record
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3028: output record: msgtype = 22, version = [3:3], msglen = 148
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: dumping 'output record sent to network' (153 bytes)
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0000:  16 03 03 00 94 0c 00 00 90 03 00 17 41 04 c6 f6  ............A...
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0010:  17 99 cb 33 0e 13 ba 8e 0c 57 a5 74 be 8b 6f 25  ...3.....W.t..o%
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0020:  07 ea 44 10 17 cb f5 a1 9d b3 49 0c 62 03 78 01  ..D.......I.b.x.
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0030:  36 e9 d5 64 a8 4f 82 d4 74 8d 1b ef 55 0a b5 d5  6..d.O..t...U...
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0040:  6a f9 6b e9 17 2e 7b b2 2d b7 04 5d a1 47 04 03  j.k...{.-..].G..
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0050:  00 47 30 45 02 21 00 f9 b4 0e 71 8c 42 95 fe 66  .G0E.!....q.B..f
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0060:  06 fe f2 88 32 3f e7 7c ce b4 44 0c 03 d7 36 31  ....2?.|..D...61
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0070:  93 f5 af f3 b6 d3 c8 02 20 1e cd 7e a7 3d e2 b9  ........ ..~.=..
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0080:  26 db 84 20 6e 8c 1e 0c dc 92 ba c5 02 59 8f 9b  &.. n........Y..
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0090:  7d ad 51 01 d3 85 88 dd e3                       }.Q......
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2354: => flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2368: message length: 153, out_left: 153
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2375: ssl->f_send() returned 153 (-0xffffff67)
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2402: <= flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3081: <= write record
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2905: <= write handshake message
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:3316: <= write server key exchange
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2354: => flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2363: <= flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:4304: server state: 5
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:2406: => write certificate request
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_misc.h:1353: handshake state: 5 (MBEDTLS_SSL_CERTIFICATE_REQUEST) -> 6 (MBEDTLS_SSL_SERVER_HELLO_DONE)
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:2419: <= skip write certificate request
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2354: => flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2363: <= flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:4304: server state: 6
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:3325: => write server hello done
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_misc.h:1353: handshake state: 6 (MBEDTLS_SSL_SERVER_HELLO_DONE) -> 7 (MBEDTLS_SSL_CLIENT_CERTIFICATE)
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2784: => write handshake message
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2944: => write record
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3028: output record: msgtype = 22, version = [3:3], msglen = 4
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: dumping 'output record sent to network' (9 bytes)
D: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3033: 0000:  16 03 03 00 04 0e 00 00 00                       .........
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2354: => flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2368: message length: 9, out_left: 9
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2375: ssl->f_send() returned 9 (-0xfffffff7)
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2402: <= flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:3081: <= write record
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2905: <= write handshake message
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:3352: <= write server hello done
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2354: => flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2363: <= flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:4304: server state: 7
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:8021: => parse certificate
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:8025: <= skip parse certificate
I: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_misc.h:1353: handshake state: 7 (MBEDTLS_SSL_CLIENT_CERTIFICATE) -> 8 (MBEDTLS_SSL_CLIENT_KEY_EXCHANGE)
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2354: => flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2363: <= flush output
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:4304: server state: 8
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls12_server.c:3650: => parse client key exchange
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:4299: => read record
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2156: => fetch input
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2296: in_left: 0, nb_want: 5
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_msg.c:2316: in_left: 0, nb_want: 5
W: WEST_TOPDIR/modules/crypto/mbedtls/library/ssl_tls.c:4678: <= handshake
D: (http_server_tid): close: ctx=0x24008ee4, fd=8
D: [5] accept failed (-11)
D: accept: -11

As far as I can tell, the handshake completes and the connections breaks directly after the handshake. But I can't figure out why that happens.

Setup

• src: I used the sample's code, without changing anything, except the two .sh scripts used to generate the certificates.

• certs: since I am developing on Windows, I rewrote the gen_ca_cert.sh and gen_server_cert.sh to a Powershell script:

  Powershell script

  # Cleanup
  Remove-Item src\certs\* -Exclude *.gitignore*
  
  # Generate a root CA private key
  & openssl ecparam -name prime256v1 -genkey -out src\certs\ca_privkey.pem
  
  # Generate a root CA certificate using private key
  & openssl req -new -x509 -days 1 -key src\certs\ca_privkey.pem -out src\certs\ca_cert.pem -subj "/O=Zephyrproject/CN=Zephyrproject Sample Development CA" -config "<path_to>\openssl-3.6.0\ssl\openssl.cnf"
  
  # Create DER encoded version of CA certificate
  & openssl x509 -outform der -in src\certs\ca_cert.pem -out src\certs\ca_cert.der
  
  # Generate a server private key
  & openssl ecparam -name prime256v1 -genkey -out src\certs\server_privkey.pem
  
  # Generate a certificate signing request using server key
  & openssl req -new -sha256 -key src\certs\server_privkey.pem -out src\certs\server_csr.pem -subj "/O=Zephyrproject/CN=zephyr" -config "C:\Users\111987\openssl-3.6.0\ssl\openssl.cnf"
  
  # Create a file containing server CSR extensions in UTF-8 encoding
  & Add-Content -Path src\certs\server_csr.ext -Value "subjectKeyIdentifier = hash" -Encoding Default
  & Add-Content -Path src\certs\server_csr.ext -Value "authorityKeyIdentifier = keyid,issuer" -Encoding Default
  & Add-Content -Path src\certs\server_csr.ext -Value "basicConstraints = critical,CA:FALSE" -Encoding Default
  & Add-Content -Path src\certs\server_csr.ext -Value "keyUsage = critical,digitalSignature" -Encoding Default
  & Add-Content -Path src\certs\server_csr.ext -Value "extendedKeyUsage = serverAuth" -Encoding Default
  & Add-Content -Path src\certs\server_csr.ext -Value "subjectAltName = DNS:zephyr.local,IP:10.21.20.147" -Encoding Default
  
  # Create a server certificate by signing the server CSR using the CA cert/key
  & openssl x509 -req -sha256 -CA src\certs\ca_cert.pem -CAkey src\certs\ca_privkey.pem -days 1 -CAcreateserial -CAserial src\certs\ca.srl -in src\certs\server_csr.pem -out src\certs\server_cert.pem -extfile src\certs\server_csr.ext
  
  # Create DER encoded versions of server certificate and private key
  & openssl ec -outform der -in src\certs\server_privkey.pem -out src\certs\server_privkey.der
  
  & openssl x509 -outform der -in src\certs\server_cert.pem -out src\certs\server_cert.der
  
  Write-Output "Finished generating certificates and keys"
  

  Note that I tried getting this to work using the certificates and keys already provided in the sample, but got the same result.

• config: I used the sample's config with the addition of overlay-tls.conf

Everything else stayed exactly the same.

What I already tried

• Increasing the stack and heap size
• Changing the used SHA algorithm: I tried switching to SHA384 (note that I changed this in my Powershell script and in overlay-tls.conf: CONFIG_PSA_WANT_ALG_SHA_384=y)
• Increasing inactivity timeout via CONFIG_HTTP_SERVER_CLIENT_INACTIVITY_TIMEOUT=60
• Increasing network buffers count in overlay-tls.conf
• Installing certificates in Windows, so that they are trusted
• Building with -DCONFIG_NET_SAMPLE_HTTPS_USE_ALPN
• Connecting via curl using --insecure:

  PS <path>> curl.exe -v --compressed https://10.21.20.147 --insecure
  * Trying 10.21.20.147:443...
  * schannel: disabled automatic use of client certificate
  * schannel: using IP address, SNI is not supported by OS.
  * ALPN: curl offers http/1.1
  * schannel: failed to receive handshake, SSL/TLS connection failed
  * closing connection #0
  curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed
  PS <path>>
  

Am I missing something obvious here? I have been at this for 2 days now and can't get it to work no matter what I try.
Also, this might not be a bug but rather a problem in my implementation. Since I don't know definitively, I will mark it as a bug.

Regression

• This is a regression.

Steps to reproduce

Steps to reproduce:

1. Use an STM32H7S78-DK board
2. Enable Ethernet like in boards: st: stm32h7s78_dk: add Ethernet support #99296
3. Build and flash the http_server sample with overlay-tls.conf.
   (Optional: generate certificates and keys using the provided scripts or the PowerShell script shared above.)
4. Try to connect to the board via HTTPS (e.g., using a browser, openssl s_client, or curl).

Relevant log output

Listed above in collapsible sections

Impact

Functional Limitation – Some features not working as expected, but system usable.

Environment

• OS: Windows 10
• Latest commit: f1c2ce4
• OpenSSL version: 3.6.0

[rlubos]

D: accept: -11

That's EAGAIN, and it seems that TLS accept() can reutrn EAGAIN on handshake timeout, not very intuitive, need to change that. Try increasing CONFIG_NET_SOCKETS_CONNECT_TIMEOUT.

Other than that, I've been testing the http_server sample with TLS in an out with nucleo_h723zg, both default and regenerated certificates (building on Linux though but I doubt that matters), connecting from both Linux and Windows worked fine. I've been using Firefox and Curl.

Trying to open https://<ip_address> doesn't work. The website doesn't load and/or says that the website can't be trusted.

At least on Firefox I had to import the root CA in the browser itself so that it stopped complaining about lack of trust. And still, it only worked if the certificate was regenerated for the board's target IP (maybe we should consider enabling mDNS in the sample, but from experience mDNS resolution doesn't always work on the browser side).

[bklaric1]

Thank you for the comment.

That's EAGAIN, and it seems that TLS accept() can reutrn EAGAIN on handshake timeout, not very intuitive, need to change that. Try increasing CONFIG_NET_SOCKETS_CONNECT_TIMEOUT.

I can try this on monday and let you know if this solved the problem.

At least on Firefox I had to import the root CA in the browser itself so that it stopped complaining about lack of trust. And still, it only worked if the certificate was regenerated for the board's target IP (maybe we should consider enabling mDNS in the sample, but from experience mDNS resolution doesn't always work on the browser side).

I will also try with Firefox and importing the root CA in the browser. Forgot to mention that I used Microsoft Edge and Google Chrome as browser when testing.

[bklaric1]

@rlubos Sorry for the delay. I wanted to test this thoroughly before commenting.

Increasing the CONFIG_NET_SOCKETS_CONNECT_TIMEOUT to at least 8000 (8 seconds) solves this problem when connecting via OpenSSL and browser. When connecting via Curl, an increase to at least 10000 (10 seconds) is needed, otherwise the handshake fails.
I don't know why Curl needs a bit more time, but the fact stays the same: increasing the CONFIG_NET_SOCKETS_CONNECT_TIMEOUT is needed for HTTPS variant to work on stm32h7s78_dk board.

However, I don't know why such an increase is needed. Compared to default, which is 3000 (3 seconds), this seems like a huge increase.
Out of curiosity, what could be the cause of this?

Also importing the certificate directly in browser fixes the lack of trust problem, as you said (missed that in the sample's readme).

Important note: when connecting via browser (after increasing the CONFIG_NET_SOCKETS_CONNECT_TIMEOUT), the website seems a bit, for a lack of better word, buggy.
Take a look at the following console log:

...
I: PHY (0) Link speed 100 Mb, full duplex ------------------------------------- 1.
I: Interface 1 (0x24002cb0) coming up ----------------------------------------- 1.
I: IPv4 address: 10.21.20.147 ------------------------------------------------- 1.
D: Uptime handler status 1 ---------------------------------------------------- 2.
I: Accepted websocket connection for net stats -------------------------------- 2.
E: [0x2402c5e0] new bytes 459 during TIME-WAIT state sending reset ------------ 3.
D: Uptime handler status 1 ---------------------------------------------------- 4.
E: HTTP request handling error (-77) ------------------------------------------ 4.
...

1. These lines are printed intially, as the app boots.
2. This is printed after the webiste loads, after some delay. When these two lines are printed, the first values are loaded on the website (uptime, packets, etc.). BUT the values don't update with the CONFIG_NET_SAMPLE_WEBSOCKET_STATS_INTERVAL=200 interval. They stay the same for about 10-15 seconds. That is when the next lines are printed.
3. This indicates that new values are sent (and received) but the server is not in state to display them. At least that is what I understood from this print.
4. When these two lines are printed, new values appear. But afterwards there is a delay of the same 10-15 seconds. After that delay, the two same lines are printed and new values are displayed. This keeps repeating and as far as I can tell, it doesn't suddenly stabilize (I waited for around 5-6 minutes).

If I increase this timeout from the default 10 seconds to 20 seconds:

CONFIG_HTTP_SERVER_CLIENT_INACTIVITY_TIMEOUT=20

the website loads and after a delay (about >15 seconds), the new data is displayed without any issues and the website doesn't behave buggy.
From what I can tell, the connection is dropped since the inactivity timeout of 10 seconds is reached, resulting in new connection (and disconnect) every time the data is sent, causing the website to behave buggy.

Note that I got this behavior with default prj.conf and overlay-tls.conf configs, CONFIG_NET_SAMPLE_HTTPS_USE_ALPN=y and CONFIG_NET_SOCKETS_CONNECT_TIMEOUT increase. I also updated the project to a newer commit: c9b01e8. Everything else stayed the same.

This might be related to something else, so if wanted, I can close this issue and open a new one, specific to this problem related to dropping the connection due to CONFIG_HTTP_SERVER_CLIENT_INACTIVITY_TIMEOUT being set too low for this board.

Also thanks for your help. The core problem was solved with your specified config.

[rlubos]

However, I don't know why such an increase is needed. Compared to default, which is 3000 (3 seconds), this seems like a huge increase.

I'm thinking about increasing the default, I didn't personally have a problem with 3 second timeout for handshakes, but apparently others do seem to report this occasionally.

Out of curiosity, what could be the cause of this?

Hard to tell out of the blue, if HTTP server over TCP works and the issue appears only with TLS I'd suspect the crypto part to be the bottleneck here. But on the other hand the board you use does not seem to be that slow from what I read. Maybe worth asking in the STM channel on Discord (https://discord.com/channels/720317445772017664/883445358821249084).

If I increase this timeout from the default 10 seconds to 20 seconds:
CONFIG_HTTP_SERVER_CLIENT_INACTIVITY_TIMEOUT=20
the website loads and after a delay (about >15 seconds), the new data is displayed without any issues and the website doesn't behave buggy.

Websocket will establish another TLS session to my understanding, so if the crypto is the bottleneck here, the timeout would be explainable. The TLS hanshake is done synchronously, so it would block the HTTP server thread.

[bklaric1]

I'm thinking about increasing the default, I didn't personally have a problem with 3 second timeout for handshakes, but apparently others do seem to report this occasionally.

Should I leave the issue open until you make a PR that increases the default?

Also thanks for the Discord channel link. I will try my luck there. But from what I suspect, the crypto part might not be fully supported or similar, since the board isn't as slow as the HTTPS sample shows it to be.

Websocket will establish another TLS session to my understanding, so if the crypto is the bottleneck here, the timeout would be explainable. The TLS hanshake is done synchronously, so it would block the HTTP server thread.

Ahh, okay. Didn't know this. So the crypto remains the main suspect.

Thanks for the quick reply.

[rlubos]

Should I leave the issue open until you make a PR that increases the default?

Just opened the PR: #99972 and linked it with this issue. GH will close it automatically when merged.

[bklaric1]

Alright. Thank you for all the help.