MBEDTLS time/date support with nRF Security

Is MBEDTLS date/time not supported in nRF Security?

warning: MBEDTLS_HAVE_TIME_DATE (defined at modules/mbedtls/Kconfig.tls-generic:458,
modules/mbedtls/Kconfig.tls-generic:458) was assigned the value 'y' but got the value 'n'. Check
these unsatisfied dependencies: ((MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" &&
MBEDTLS) || (MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS && 0)) (=n).
See http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_HAVE_TIME_DATE and/or look up
MBEDTLS_HAVE_TIME_DATE in the menuconfig/guiconfig interface. The Application Development Primer,
Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual might be
helpful too.

We would like to have a certificate validity check, but are unable to enable it.

  • Hi,

    No, not yet, but I have reached out to our developers. I am aware that looking into this is taking longer than initially expected. I am sorry for any inconvenience this might cause. Although it is difficult to give any estimate on resolution at this point, I expect to get back to you again in several weeks (possibly earlier if there is any update on this). Thank you for your patience.

    Best regards,
    Dejan

  • Hi,

    We have looked further into checking certificate expiration date. Please have a look at this PR which enables usage of TLS DATE_TIME into the config system. It should work for both legacy APIs and PSA APIs. 

    To enable DATE/TIME checking, try to enable these Kconfig options

    CONFIG_DATE_TIME=y
    CONFIG_MBEDTLS_HAVE_TIME_DATE=y

    and set date/time in the code:

    #include "date_time.h"
    
    ...
    
    // Setting year to 2035, which is past certificate expiration date -> SSL alert number 45
    // 1 January 2035, 00:00:00 (tm_year counts from 1900, tm_mon from 0)
    struct tm new_date_time = { .tm_mday = 1, .tm_mon = 0, .tm_year = 135 };
    (void) date_time_set(&new_date_time);
    
    ...

    The changes were tested using crypto psa_tls sample in sdk-nrf. struct tm can be found in this reference.

    Best regards,
    Dejan
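
Added example, not code from this thread or from sdk-nrf: a stand-alone C model of the certificate validity-window check, run against three clock states to show why the time must be set before the handshake. The certificate dates, the 1970 "clock never set" reading and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <time.h>

/* Result bits; they model MBEDTLS_X509_BADCERT_EXPIRED / _FUTURE, not their real values. */
enum { CERT_OK = 0, CERT_EXPIRED = 1, CERT_FUTURE = 2 };

/* Designated initializers: struct tm field order is not guaranteed by the C standard. */
static struct tm utc(int year, int mon, int mday, int hour, int min, int sec)
{
    struct tm t = { .tm_year = year - 1900, .tm_mon = mon - 1, .tm_mday = mday,
                    .tm_hour = hour, .tm_min = min, .tm_sec = sec };
    return t;
}

/* Field-by-field comparison, most significant field first: <0, 0 or >0. */
static int tm_cmp(const struct tm *a, const struct tm *b)
{
    const int fa[] = { a->tm_year, a->tm_mon, a->tm_mday, a->tm_hour, a->tm_min, a->tm_sec };
    const int fb[] = { b->tm_year, b->tm_mon, b->tm_mday, b->tm_hour, b->tm_min, b->tm_sec };
    for (size_t i = 0; i < sizeof fa / sizeof fa[0]; i++) {
        if (fa[i] != fb[i]) {
            return fa[i] < fb[i] ? -1 : 1;
        }
    }
    return 0;
}

/* Flag the certificate if "now" lies outside [not_before, not_after] (bounds inclusive). */
int check_validity(const struct tm *now, const struct tm *not_before, const struct tm *not_after)
{
    int flags = CERT_OK;
    if (tm_cmp(now, not_before) < 0) flags |= CERT_FUTURE;
    if (tm_cmp(now, not_after) > 0)  flags |= CERT_EXPIRED;
    return flags;
}

/* Constructed window (2024-01-01 .. 2034-01-01 UTC), checked against a given clock. */
int check_sample_cert(struct tm now)
{
    struct tm nb = utc(2024, 1, 1, 0, 0, 0), na = utc(2034, 1, 1, 0, 0, 0);
    return check_validity(&now, &nb, &na);
}

int main(void)
{
    printf("clock never set (1970): %d\n", check_sample_cert(utc(1970, 1, 1, 0, 0, 0)));
    printf("clock set to 2025:      %d\n", check_sample_cert(utc(2025, 6, 1, 12, 0, 0)));
    printf("clock set to 2035:      %d\n", check_sample_cert(utc(2035, 1, 1, 0, 0, 0)));
    return 0;
}
```

A clock that still reads 1970 fails the check just as a clock set to 2035 does, only with the "not yet valid" result instead of "expired".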

  • Hello,

    Sorry to revive this post, but I am facing the same issues.

    The PR mentioned to enable the usage of TLS DATE_TIME was never merged and is now closed.


    Is there another way to have TLS date/time validation for NCS 3.0.2 without "MBEDTLS_BUILTIN"?

    Thanks

  • Hi,

    You could try to add changes from previously mentioned PR manually.

    Best regards,
    Dejan

  • Hello,

    Modifying the SDK directly is not an option for us. We use the SDK through the nRF Connect VS Code extension, so it is not in our repository. Also, our build machine has another installation that we would need to modify.
    Those two points alone make it impossible, or a very bad practice that would be impossible to maintain.

    Do you have any other suggestion?
    Is the TLS date/time verification planned for another release?

    Thanks 
