DTLS with certificate handshake debugging

RE: DTLS with certificate handshake debugging

Christian77 — Fri, 05 Sep 2025 18:11:27 GMT

It's working now. There where two problems I've got:

Misconfigured server with an expired certificate.
If I specify a ciphersuit list (with setsockopt()) it's not working. If I do not set such a list (all available ciphers are presented to the server) it is working.

Thanks for your help.

BR
Christian

RE: DTLS with certificate handshake debugging

Achim Kraus — Wed, 03 Sep 2025 04:56:22 GMT

There is a modem trace, which contains some more information than the IP capture, but the additional information is AFAIK only readable by Nordic.

In the past there was some documentation about the limits in TLS and DTLS and in some topics, there was a difference between TLS and DTLS. Currently I didn't find that again in the new documentation pages.

In general. using RSA for embedded is frequently a decision, which comes with pain. ECDSA certificates are smaller and work usually with less pain.

RE: DTLS with certificate handshake debugging

Christian77 — Tue, 02 Sep 2025 18:22:15 GMT

Hello.

Modem firmware version is 2.0.2
Is there a way to activate more debugging output of the modem to see what is happening?
With CONFIG_LOG_DEFAULT_LEVEL=4 there are still no modem debug infos.

Thanks
BR
Christian

RE: DTLS with certificate handshake debugging

Achim Kraus — Mon, 01 Sep 2025 19:08:36 GMT

From the capture:

The "Client Hello" doesn't contain any cipher suite (except the TLS_EMPTY_RENEGOTIATION_INFO_SCSV). Therefore the handshake is denied by the server with a "Handshake Failure".

Not sure, why the modem don't send a cipher suite. Maybe the DTLS implementation of the modem is compiled without support for MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (please provide the modem firmware version to check). Or the CA_CHAIN doesn't contain a RSA certificate, or that could not be used by the modem for some reasons.

RE: DTLS with certificate handshake debugging

Christian77 — Mon, 01 Sep 2025 18:26:25 GMT

Hi.

I followed the example from nrf IoT fundamental course: https://academy.nordicsemi.com/courses/cellular-iot-fundamentals/lessons/lesson-5-cellular-fundamentals/topic/lesson-5-exercise-2/
Except that I do not use PSK but certificate. Is there an example for CoAP over DTLS with certificate which I can follow?

I'm attaching a wireshark log: devzone.nordicsemi.com/.../coap_5F00_dtls_5F00_handshake_5F00_error.pcapng

And the log with CONFIG_LOG_DEFAULT_LEVEL=4: devzone.nordicsemi.com/.../devttyACM0.log

Thanks
BR
Christian

RE: DTLS with certificate handshake debugging

Benjamin — Mon, 01 Sep 2025 13:05:28 GMT

Hi,
Please provide a Wireshark capture and the logs. To enable debug-level logging, set CONFIG_LOG_DEFAULT_LEVEL=4.

Best regards,
Benjamin

RE: DTLS with certificate handshake debugging

Achim Kraus — Mon, 01 Sep 2025 10:35:30 GMT

If you followed an example, maybe a "short-cut" would be, if you provide a link to that.

And if you have a wireshark capture, that may also help, if you provide it.

In general it may require to check, if all components (e.g. modem and server) really supports MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for DTLS, including the size of the used certificates. And also checks, if that provided CA_CHAIN certificate also fits for that cipher suite.