esp-mbetdls as Server Questions

[yanshay]

@ivmarkov @AnthonyGrondin A couple of questions about using esp-mbedtls as server.

1. I notice there is a pretty long delay from time of request to time of response on the connect phase. It's about a second or so. Is that expected? I guess that's the handshake, but with all hw acceleration with a single request is it expected to feel that noticable?

2. Regarding usage of self signed certificates.

   • On FireFox/Safari things work as expected - they warn and let me visit the site.
   • On chrome it mostly doesn't. It takes me through the sequence of confirming it's a risky site and if I want to visit the site, but then comes an error, and in the example's log it says to enable self signed certificates, which is an extra step not many users will want to deal with. When I tried multiple times, sometimes it did work, or some requests worked and other didn't which was strange, so maybe something with the TLs implementation in this case not fully compatible with Chrome? Maybe the slow handshake is an issue?

On another device I have at home (NAS) it works in Chrome like in Firefox. Looks like the certificate there is isues by a CA (althoguh not for internal ip I use of course, and also revoked by now). Does it mean if I issue a CA signed certificate I can use it on the device and get a more reasonable experience on Chrome?
Is there a way to get a reasonable experience with https using self signed certificates somehow? Or they just block (even though initially showing as if it is in the users's control).

[AnthonyGrondin]

1. I notice there is a pretty long delay from time of request to time of response on the connect phase. It's about a second or so. Is that expected? I guess that's the handshake, but with all HW acceleration with a single request is it expected to feel that noticeable?

There is a noticeable delay during the handshake phase. I tried to get it under 1 second using hardware acceleration. It is greatly depending on your certificate size. Using certificates with 4096 bits takes way longer than using certificates with 2048 bits. I'm looking forward for further optimization as I'd also like this delay to be reduced further. Once a session is established, there shouldn't be much delay on the transport socket and it should be approximately the same (minus some encryption / decryption time) as using plain text.

As for the flow of Self-signed certificates, I know the TLS protocol specify specific flags to request client certificates, I mainly test the flow on Firefox and on a custom enterprise app. There might be existing issues with different clients with the current flow. If using self-signed certificates, you might need to import your CA into your client's chain of trusted CA to remove the self-signed error.

[yanshay]

I took the certificate from the examples here, what size are they?

Is this done in rust that can be optimized? Not in the mbedtls code?
Maybe the fact that the binary was compiled including logs now has any effect even if disabled?

Is the self signed certificates flow developed in the rust part? Not in the mbedtls part?

It also feel it isn't very reliable, many times I see read failures, then on next try it's working. Have you seen that issue as well?