MBEDTLS taking too long

RE: MBEDTLS taking too long

scath — Tue, 04 Jul 2023 21:19:52 GMT

Solved. You were absolutely correct, though getting your solution working was frustrating for me and my staff.

The guiconfig and documentation do terrible jobs of describing what prereqs need to be selected, and where.

Specifically:

1) The Custom mbed TLS configuration file "config-tls-generic.h" does not need further configuration from the engineer. This is not immediately apparent at first blush. This feature could be far better documented, and the file renamed to something akin to "config-tls-defaults.h".

2) When selecting ECDHE, it is necessary to choose which elliptic curves will be included in the build. This is not apparent from the documentation at all. Worse, no curves are selected by default, and no warning is given that no curves are selected.

This causes a handshaking error for no apparent reason and where none should be occurring, prima facia.

That said, it is still completely inappropriate for the build process to overwrite a configuration silently. This behavior isn't documented anywhere I've seen, and has caused numerous headaches for my staff.

While I understand this point is outside the scope of this ticket, we would all benefit from someone bringing this to the correct party's attention at Nordic.

With thanks for your kindness and patience.

RE: MBEDTLS taking too long

scath — Tue, 04 Jul 2023 19:57:05 GMT

Attempting to do this, but my choices inside the guiconfig (provided by the nRF Connect VSCode Plugin) are continually and consistently overwritten at some other part of the build process, silently reverting to defaults that do not work.

When I keep the guiconfig tool open and attempt to build or flash I get the following:

ninja: error: opening build log: Permission denied
FATAL ERROR: command exited with status 1: 'c:\nordic\toolchains\31f4403e35\opt\bin\cmake.EXE' --build 'd:\zephyr\samples\net\sockets\test_app\build'

If I then close and reopen guiconfig, I find that all of my configuration choices have reverted to said defaults - without warning!

This is ridiculous, to put it mildly.

None of this is your fault, but I can't even begin to use your proposed solution as it stands.

Can you point me to some guidance on

a) How to prevent the .config file generated by the guiconfig tool inside nRF Connect from being overwritten.

b) Configuring MBEDTLS options inside prj.conf, as opposed to using the guiconfig tool.

Many thanks.

RE: MBEDTLS taking too long

Emil Lenngren — Thu, 29 Jun 2023 20:06:29 GMT

This is just an educated guess but I assume the long computation time is due to the DHE cipher suite being used. I see that you have `CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED=y` so try disable that, and in general make sure all DH_* and DHE_* cipher suites are disabled.

Diffie-Hellman ephemeral is "deprecated" nowadays; you should use the much faster ECDHE instead. DHE is very slow and especially on low-end hardware such as nRF52 and particularly if it is a non-optimized software implementation written in C.

RE: MBEDTLS taking too long

scath — Thu, 29 Jun 2023 15:19:09 GMT

Hi there,

We aren't using the Nordic Security Module. Can enable it if you think this will help.

proj.conf

CONFIG_MAIN_STACK_SIZE=65536
CONFIG_HEAP_MEM_POOL_SIZE=16384
CONFIG_NEWLIB_LIBC=y
CONFIG_NEWLIB_LIBC_FLOAT_PRINTF=y

# JSON
CONFIG_JSON_LIBRARY=y
CONFIG_CJSON_LIB=y

# Watchdog
CONFIG_WATCHDOG=y
CONFIG_WDT_LOG_LEVEL_DBG=y
CONFIG_WDT_DISABLE_AT_BOOT=n

# Networking config
CONFIG_NETWORKING=y
CONFIG_NET_IPV4=y
CONFIG_NET_IPV6=n
CONFIG_NET_TCP=y
CONFIG_NET_UDP=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y
CONFIG_NET_LOG=y

# Sockets
CONFIG_NET_SOCKETS_POLL_MAX=4

# Modem
CONFIG_MODEM=y
CONFIG_MODEM_HL7800=y
CONFIG_MODEM_HL7800_BOOT_DELAY=y
CONFIG_MODEM_LOG_LEVEL_INF=n
CONFIG_MODEM_LOG_LEVEL_DBG=n
CONFIG_MODEM_LOG_LEVEL_WRN=n
CONFIG_MODEM_LOG_LEVEL_ERR=y


# Sockets
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_NET_MGMT=y
CONFIG_NET_MGMT_EVENT=y


# HTTP
CONFIG_HTTP_CLIENT=y
CONFIG_DNS_RESOLVER=y

# Network debug config
CONFIG_LOG=y
CONFIG_LOG_MODE_IMMEDIATE=y
CONFIG_NET_LOG=y
CONFIG_NET_SOCKETS_LOG_LEVEL_DBG=n
CONFIG_NET_HTTP_LOG_LEVEL_DBG=n
CONFIG_NET_HTTP_LOG_LEVEL_INF=n

CONFIG_HWINFO=y

# BLE
CONFIG_BT=y
CONFIG_BT_DEBUG_LOG=y
CONFIG_BT_CENTRAL=y
CONFIG_BT_SMP=y
CONFIG_BT_GATT_CLIENT=y

CONFIG_BT_SCAN=y
CONFIG_BT_SCAN_FILTER_ENABLE=y
CONFIG_BT_SCAN_UUID_CNT=0
CONFIG_BT_SCAN_NAME_CNT=1
CONFIG_BT_GATT_DM=y

# TLS
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_BUILTIN=y

CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_APP_LINK_WITH_MBEDTLS=y
CONFIG_MBEDTLS_HEAP_SIZE=30000
CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=4096

CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=6

# ciphers - this is necessary because some part of NCS/Zephyr has a tendancy to overwrite 
#           our configs silently, causing builds to break for no apparent reason.
#           Very strange.
CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED=y
CONFIG_MBEDTLS_CIPHER_AES_ENABLED=y
CONFIG_MBEDTLS_AES_ROM_TABLES=y
CONFIG_MBEDTLS_CIPHER_GCM_ENABLED=y
CONFIG_MBEDTLS_CIPHER_MODE_CBC_ENABLED=y

# SHA hash
CONFIG_MBEDTLS_HASH_SHA256_ENABLED=y
CONFIG_MBEDTLS_HASH_SHA384_ENABLED=y
CONFIG_MBEDTLS_HASH_SHA512_ENABLED=y

# MD5 & MAC
CONFIG_MBEDTLS_MAC_MD5_ENABLED=y
CONFIG_MBEDTLS_MAC_SHA1_ENABLED=y
CONFIG_MBEDTLS_MAC_SHA256_ENABLED=y
CONFIG_MBEDTLS_SHA256_SMALLER=y
CONFIG_MBEDTLS_MAC_SHA384_ENABLED=y
CONFIG_MBEDTLS_MAC_SHA512_ENABLED=y

# Random number generators
CONFIG_MBEDTLS_CTR_DRBG_ENABLED=y


# Other TLS
CONFIG_MBEDTLS_CIPHER=y
CONFIG_MBEDTLS_MD=y

#TLS DEBUG
CONFIG_MBEDTLS_DEBUG=y
CONFIG_MBEDTLS_DEBUG_LEVEL=3
CONFIG_MBEDTLS_LOG_LEVEL_INF=n
CONFIG_MBEDTLS_LOG_LEVEL_WRN=n
CONFIG_MBEDTLS_LOG_LEVEL_ERR=y
CONFIG_MBEDTLS_LOG_LEVEL_DBG=n

Socket Creation/Config

int create_socket(struct addrinfo *res){
	int sock = -1;
	
	while ( sock < 0 ){
		if (IS_ENABLED(CONFIG_NET_SOCKETS_SOCKOPT_TLS)) {
			LOG_WRN("** CREATING SECURE SOCKET **");
			sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TLS_1_2);
		}
		else
			sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    ...
    
    int result = tls_setup_http(sock);
	LOG_INF("tls_setup_http returned %d", result);
	if (result < 0 ){
		LOG_ERR("ERROR creating Secure Socket: %d", errno);
	}
}


int tls_setup_http(int sock)
{

    int err = 0;
    int verify = TLS_PEER_VERIFY_REQUIRED;
    
	LOG_INF("Setting Secure Socket Options");

    const sec_tag_t tls_sec_tag[] = {
        CA_CERTIFICATE_TAG,
    };

	tls_credential_add(CA_CERTIFICATE_TAG, TLS_CREDENTIAL_CA_CERTIFICATE,
			   ca_certificate, sizeof(ca_certificate));

  
    err = setsockopt(sock, SOL_TLS, TLS_PEER_VERIFY, &verify, sizeof(verify));
    if (err)
    {
        LOG_ERR("Failed to setup peer verification, err %d\n", errno);
        return err;
    }

    err = setsockopt(sock, SOL_TLS, TLS_SEC_TAG_LIST, tls_sec_tag,
             sizeof(tls_sec_tag));
    if (err)
    {
        LOG_ERR("Failed to setup TLS sec tag, err %d\n", errno);
        return err;
    }
	
	LOG_INF("Setting HOST NAME and PORT for TLS");
    err = setsockopt(sock, SOL_TLS, TLS_HOSTNAME, HTTP_HOST, sizeof(HTTP_HOST));
    if (err)
    {
        LOG_ERR("Failed to setup TLS_HOSTNAME, err %d\n", errno);
        return err;
    }
	

	LOG_INF("Socket=%d with Security Tag Id %d is ready\n",  sock, CA_CERTIFICATE_TAG);    

    return 0;
}

Cheers,

S.

RE: MBEDTLS taking too long

Øyvind — Thu, 29 Jun 2023 07:54:19 GMT

Hi, thanks for clarifying how the product works.

Could you provide the prj.conf of your project and where you configure the TLS? Are you using the Nordic Security module, which can be enabled with either PSA driver support or with Legacy crypto support?

Thanks
Kind regards,
Øyvind

RE: MBEDTLS taking too long

scath — Wed, 28 Jun 2023 16:30:46 GMT

Thanks for getting back, Oyvind.

The MG100 is shipped with an hl7800 onboard - they have a socket specifically made for it on their PCB.

To make calls, we set up socket for an IPv4 connection using TLS 1.2 as follows:

a. We use a signed certificate and require peer verification ( TLS_PEER_VERIFY = TLS_PEER_VERIFY_REQUIRED).

b. We associate the socket the the security tag placed into an array of valid CA Certs (TLS_SEC_TAG_LIST = sec_tag_t array that we create and populate).

Let me know what other information I can provide.

Best,

S.

RE: MBEDTLS taking too long

Øyvind — Tue, 27 Jun 2023 07:29:26 GMT

Hello,

Sorry for the late reply. Are you able to provide more information on how you have implemented this feature in your application? How is the modem and M100 connected?

Thanks.

Kind regards,
Øyvind