Cannot connect to LwM2M server with X509 DTLS. Wireshark shows empty client certificate.

Hi,

I am developing a product based on the nRF9160 using the LwM2M client. I successfully have this working using PSK, but want to use X509.

I am calling lwm2m_security_set_certificate() where I previously called lwm2m_security_set_psk() and have client certificate, client key, and server root CA certificate in PEM form created by following the guidance from dejans and SeppoTakalo in this other post: LWM2M Client With X.509 Certificate

The LwM2M library reports the following

[00:01:19.463,531] <err> net_lwm2m_engine: Cannot connect UDP (-111)
[00:01:19.474,121] <err> net_lwm2m_engine: lwm2m_engine_start lwm2m_socket_start() returned -111

...which is 'connection refused'

I have taken a modem lib trace of an attempt to connect to the leshan public server, and looking at this in Wireshark, the client DTLS handshake response to the server's 'Certificate Request' contains a zero length certificate, followed by the server returning a 'Bad Certificate' fatal error (which I'm assuming results in the -111 in the modem DTLS handling).

I have attached the device certificate that I'm using, and the modem lib trace.

I have confirmed with AT%CMNG=1 that the sha256 checksum of the stored credentials matches the sha256 sum of this certificate (the file I've attached).

I'd be grateful for someone to confirm my analysis of what's going on, and suggest why the modem is not including the content of the client certificate in the DTLS handshake.

Thanks

Ian

trace-2024-10-24T13-59-55.879Z.mtrace

  • Hi,

    I would like to comment here that the problems described here are not caused by the LwM2M engine itself, nor do they mean that X509 would not work.

    What happens is as follows:

    • The nRF91 modem stores security credentials in placeholders called "security tags". You can store PSK credentials, private keys or X509 client or CA certificates on security tags. See the AT command manual for the CMNG command for details. These credentials are stored before the connection starts.
    • When a given security tag contains both client certificate and PSK credentials, the TLS stack inside the modem tries to use PSK.
    • If you set a ciphersuite for TLS using `zsock_setsockopt(fd, SOL_TLS, TLS_CIPHERSUITE_LIST, ...)`, this information is fed into the TLS handshake, but it does not affect the selection of PSK/X509 from the given security tag. This ciphersuite socket option is used inside the LwM2M engine to switch between X509 or PSK mode when connecting.
    • When the LwM2M engine tries to connect in X509 mode, but the sectag has both, the modem runs into a conflict as the selected ciphersuites don't allow PSK, so it sends an empty certificate.

    To fix the issue:

    • Remove all credentials from the security tag before you write new ones, if the new ones are of a different type.
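An added helper (not from this thread, nor part of Nordic's SDK) that applies the fix above: it parses the AT%CMNG=1 listing the OP used to verify the stored credentials, reports which credential types in a security tag conflict with the intended mode (PSK types 3/4 next to X.509 types 0/1/2), and emits the AT%CMNG=3 delete commands to run before writing the new credentials. The type numbers follow the nRF91 AT command reference; the response line format `%CMNG: <sec_tag>,<type>,"<sha256>"` is assumed, and sec tag 42, the listing and the PEM bytes are constructed sample data.

```python
import hashlib
import re
from typing import Dict, List

# Credential types in the AT%CMNG <type> field:
# 0 root CA, 1 client certificate, 2 client private key, 3 PSK, 4 PSK identity.
X509_TYPES = {0, 1, 2}
PSK_TYPES = {3, 4}

# One listing line, assumed format: %CMNG: <sec_tag>,<type>,"<sha256 hex>"
_CMNG_LINE = re.compile(r'^%CMNG:\s*(\d+),(\d+),"([0-9A-Fa-f]{64})"')


def parse_cmng_list(response: str) -> Dict[int, Dict[int, str]]:
    """Map sec_tag -> {type: SHA-256 hex} from the text returned by AT%CMNG=1."""
    creds: Dict[int, Dict[int, str]] = {}
    for line in response.splitlines():
        m = _CMNG_LINE.match(line.strip())
        if m:
            creds.setdefault(int(m[1]), {})[int(m[2])] = m[3].upper()
    return creds


def conflicting_types(creds, sec_tag: int, use_x509: bool = True) -> List[int]:
    """Types stored in sec_tag that belong to the mode we are NOT going to use."""
    unwanted = PSK_TYPES if use_x509 else X509_TYPES
    return sorted(t for t in creds.get(sec_tag, {}) if t in unwanted)


def cleanup_commands(creds, sec_tag: int, use_x509: bool = True) -> List[str]:
    """AT%CMNG=3 (delete) commands to issue before writing the new credentials."""
    return [f"AT%CMNG=3,{sec_tag},{t}" for t in conflicting_types(creds, sec_tag, use_x509)]


def stored_cert_matches(creds, sec_tag: int, pem: bytes) -> bool:
    """Compare the listed client-certificate (type 1) hash with a local PEM file.
    Assumes the modem hashes exactly the bytes that were written."""
    return creds.get(sec_tag, {}).get(1) == hashlib.sha256(pem).hexdigest().upper()


# Constructed sample: sec tag 42 still holds PSK (3, 4) next to the X.509 set (0, 1, 2).
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nconstructed, not a real certificate\n-----END CERTIFICATE-----\n"
_FAKE_SHA = {0: "A" * 64, 2: "B" * 64, 3: "C" * 64, 4: "D" * 64}
SAMPLE_RESPONSE = "".join(
    f'%CMNG: 42,{t},"{_FAKE_SHA.get(t, hashlib.sha256(SAMPLE_PEM).hexdigest().upper())}"\n'
    for t in range(5)
) + "OK\n"

if __name__ == "__main__":
    creds = parse_cmng_list(SAMPLE_RESPONSE)
    print("delete before X.509 provisioning:", cleanup_commands(creds, 42))
    print("stored client cert matches file:", stored_cert_matches(creds, 42, SAMPLE_PEM))
```

Run the printed commands against the modem (for example from the AT client sample), then write the X.509 credentials with AT%CMNG=0 and re-list with AT%CMNG=1 to confirm only types 0, 1 and 2 remain in the tag.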
  • That's a really nasty pitfall.

    Is there some documentation about that preference for PSK credentials even when other cipher suites are negotiated?

    I would like to link my own source snippet removing the PSK credentials in that case to such a source.

    Otherwise I would refer to this ticket.
