tls – why is the certificate in mbedtls unknown

I’m working on a client application that will connect to an FTPS server (vsftpd) to download files.
Now, I have ca-cert, cert and key files all setup to work with curl like:

curl -3 -k -v --ftp-ssl --tlsv1.2 --ftp-ssl-reqd --ftp-pasv --verbose 
   --ssl 
   --cert ./en-cert.pem                     
   --cert-type PEM                                    
   --key ./en-cert.key                    
   --key-type PEM                                     
   --cacert ./ca-cert                    
   ftp://user:pass@10.10.100.1/test.txt -O

I use the same cert, key & ca-cert with mbedtls but am unable to handshake, mbedtls_ssl_handshake() keeps returning an error (-78), this is what is done in order:

  • init cert, ca-cert, key, entropy, drbg, ssl, config

  • parse ca-cert, cert & key

  • seed RNG – mbedtls_ctr_drbg_seed with mbedtls_hardware_poll

  • set config defaults MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT

  • mbedtls_ssl_conf_ca_chain

  • mbedtls_ssl_conf_rng with mbedtls_ctr_drbg_random

  • mbedtls_ssl_conf_dbg

  • mbedtls_ssl_conf_own_cert

  • mbedtls_ssl_setup

  • mbedtls_ssl_set_bio

  • mbedtls_ssl_handshake
    which up to the handshake all seems to go through without any issues.
    When I look at it with wireshark, I see something like:

    Response: 234 Proceed with negotiation.
    Request:looks like the certificate jumbled up
    Response 500 OOPS:
    Response :SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown

Any hints on how I best go about troubleshooting this? I have confirmed that ca-cert, cert & key are identical to the ones that are used for the above curl command.