Hi Nordic team,
Our requirement is creating two TLS server with same IP and different port no, but when I try to bind two servers only one server is getting bind to the network but other server is not binding
getting error no as 116 in bind API, here I am using two threads one for each server.
If I try with normal TCP multiple server it is working fine I am able to setup both the servers, why it is failing with the TLS server, please guide us on this.
Best Regards
Anitha S
Hello,
The DevZone support team is currently lower staffed due to Christmas holiday. Please expect longer response time.
Can you please provide what version of nRF Connect SDK you are using?
Our requirement is creating two TLS server with same IP and different port no
Are you doing this in the Serial LTE Modem? The documentation states: The TLS server role is currently not supported.
Kind regards,
Øyvind
Hi,
We are using nrf connect sdk 1.7.0, and I am not using Serial LTE Modem example.
Are you able to provide more information i.e. are you basing this on a special sample, are you using native TLS? What modem FW are you using on the device? This is relevant for me to reproduce the issue.
Kind regards,
Øyvind
I am not using any sample this is my own project, yes we are using native TLS and modem version is mfw_nrf9160_1.3.1.
below is my prj.conf
CONFIG_NETWORKING=y
CONFIG_NET_NATIVE=n
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_OFFLOAD=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y
# Modem library
CONFIG_NRF_MODEM_LIB=y
# AT host library
CONFIG_AT_HOST_LIBRARY=y
CONFIG_UART_INTERRUPT_DRIVEN=y
# Stacks and heaps
CONFIG_MAIN_STACK_SIZE=3072
CONFIG_HEAP_MEM_POOL_SIZE=16384
#LTE
CONFIG_MODEM_KEY_MGMT=y
CONFIG_LTE_LINK_CONTROL=y
CONFIG_LTE_AUTO_INIT_AND_CONNECT=n
CONFIG_NEWLIB_LIBC=y
#CONFIG_POSIX_MAX_FDS = 8
#CONFIG_ASSERT=y
#mbedtls and security
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_NET_SOCKETS_OFFLOAD_TLS=n
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=4096
CONFIG_MBEDTLS_HEAP_SIZE=32768
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_X509_LIBRARY=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_MBEDTLS_PKCS1_V15=y
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_LIBRARY_NRF_SECURITY=y
CONFIG_MBEDTLS_SHA1_C=y
CONFIG_NRF_SECURITY_ADVANCED=y
CONFIG_NORDIC_SECURITY_BACKEND=y
Please tell us what is issue with multiple TLS server.
Thank you
Anitha S
Hi,
We are a bit short on capacity this week due to Christmas vacations, but I'll try to help you as best as I can.
Could you share some snippets of your code showing how you create the sockets, and how you use them?
Best regards,
Didrik
Yes I will share snippets of my code
int socketCreate(uint8_t ip_version,int *sock_fd)
{
uint8_t err;
if(ip_version == 4)
{
/*Creating the IPV4 socket NRF_SPROTO_TLS1v2 */
*sock_fd = nrf_socket(NRF_AF_INET,NRF_SOCK_STREAM, NRF_SPROTO_TLS1v2);
if (*sock_fd < 0)
{
printk("error in creating the socket\n");
return errno;
}
}}
int certProvision(void)
{
int err;
bool exists;
uint8_t unused;
if ((err = modem_key_mgmt_exists(TLS_SEC_TAG,MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN,&exists, &unused)) < 0)
{
printk("Failed to check for certificates err %d\n", err);
return err;
}
if (exists)
{
/* For the sake of simplicity we delete what is provisioned
* with our security tag and reprovision our certificate.
*/
if ((err = modem_key_mgmt_delete(TLS_SEC_TAG,MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN)) < 0)
{
printk("Failed to delete existing certificate, err %d\n",
err);
return err;
}
}
printk("Provisioning certificate\n");
/* Provision certificate to the modem */
if ((err = modem_key_mgmt_write(TLS_SEC_TAG,MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN,CA_cert, sizeof(CA_cert) - 1))<0) //Provisioning CA certificate
{
printk("Failed to provision certificate, err %d\n", err);
return err;
}
if ((err = modem_key_mgmt_write(TLS_SEC_TAG,MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT,S_cert, sizeof(S_cert) - 1)) < 0) //Provisioning server certificate
{
printk("Failed to provision server cert, err %d\n", err);
return err;
}
if ((err = modem_key_mgmt_write(TLS_SEC_TAG,MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT,pr_key, sizeof(pr_key) - 1)) < 0) //Provisioning server private key
{
printk("Failed to provision server private key, err %d\n", err);
return err;
}
return TLS_SUCCESS;
}
int tlsCredentialAdd()
{
int err;
// Security tag that we have provisioned the certificate with
if((err = tls_credential_add(tls_sec_tag[0],TLS_CREDENTIAL_CA_CERTIFICATE,CA_cert,sizeof(CA_cert))) < 0) //adding CA certificate credentials
{
printk("erro in tls_add()\n");
return err;
}
if((err = tls_credential_add(tls_sec_tag[0],TLS_CREDENTIAL_SERVER_CERTIFICATE,S_cert,sizeof(S_cert))) < 0) //adding server certificate credentials
{
printk("erro in tls_add()\n");
return err;
}
if((err = tls_credential_add(tls_sec_tag[0],TLS_CREDENTIAL_PRIVATE_KEY,pr_key,sizeof(pr_key))) < 0) //adding server private key credentials
{
printk("erro in tls_add()\n");
return err;
}
return 0;
}
int tlsSetup(int fd)
{
int err;
int verify;
/* Security tag that we have provisioned the certificate with */
int opt = 1;
/* setting TLS role as server */
if ((err = nrf_setsockopt(fd, NRF_SOL_SECURE, NRF_SO_SEC_ROLE,&opt,sizeof(opt)))<0)
{
printk("T1 Failed to setup role, err %d\n", errno);
return err;
}
// verify = REQUIRED;
/* setting Peer verification */
verify = NONE;
if ((err = nrf_setsockopt(fd, NRF_SOL_SECURE,NRF_SO_SEC_PEER_VERIFY, &verify, sizeof(verify))) < 0)
{
printk("T1 Failed to setup peer verification, err %d\n", errno);
return err;
}
/* Associate the socket with the security tag
* we have provisioned the certificate with.
*/
if ((err = nrf_setsockopt(fd, NRF_SOL_SECURE, NRF_SO_SEC_TAG_LIST, tls_sec_tag,sizeof(tls_sec_tag))) < 0) {
printk("T1 Failed to setup TLS sec tag, err %d\n", errno);
return err;
}
return TLS_SUCCESS;
}
Please suggest some solution for my actual question.
best regards
Yes I will share snippets of my code
int socketCreate(uint8_t ip_version,int *sock_fd)
{
uint8_t err;
if(ip_version == 4)
{
/*Creating the IPV4 socket NRF_SPROTO_TLS1v2 */
*sock_fd = nrf_socket(NRF_AF_INET,NRF_SOCK_STREAM, NRF_SPROTO_TLS1v2);
if (*sock_fd < 0)
{
printk("error in creating the socket\n");
return errno;
}
}}
int certProvision(void)
{
int err;
bool exists;
uint8_t unused;
if ((err = modem_key_mgmt_exists(TLS_SEC_TAG,MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN,&exists, &unused)) < 0)
{
printk("Failed to check for certificates err %d\n", err);
return err;
}
if (exists)
{
/* For the sake of simplicity we delete what is provisioned
* with our security tag and reprovision our certificate.
*/
if ((err = modem_key_mgmt_delete(TLS_SEC_TAG,MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN)) < 0)
{
printk("Failed to delete existing certificate, err %d\n",
err);
return err;
}
}
printk("Provisioning certificate\n");
/* Provision certificate to the modem */
if ((err = modem_key_mgmt_write(TLS_SEC_TAG,MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN,CA_cert, sizeof(CA_cert) - 1))<0) //Provisioning CA certificate
{
printk("Failed to provision certificate, err %d\n", err);
return err;
}
if ((err = modem_key_mgmt_write(TLS_SEC_TAG,MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT,S_cert, sizeof(S_cert) - 1)) < 0) //Provisioning server certificate
{
printk("Failed to provision server cert, err %d\n", err);
return err;
}
if ((err = modem_key_mgmt_write(TLS_SEC_TAG,MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT,pr_key, sizeof(pr_key) - 1)) < 0) //Provisioning server private key
{
printk("Failed to provision server private key, err %d\n", err);
return err;
}
return TLS_SUCCESS;
}
int tlsCredentialAdd()
{
int err;
// Security tag that we have provisioned the certificate with
if((err = tls_credential_add(tls_sec_tag[0],TLS_CREDENTIAL_CA_CERTIFICATE,CA_cert,sizeof(CA_cert))) < 0) //adding CA certificate credentials
{
printk("erro in tls_add()\n");
return err;
}
if((err = tls_credential_add(tls_sec_tag[0],TLS_CREDENTIAL_SERVER_CERTIFICATE,S_cert,sizeof(S_cert))) < 0) //adding server certificate credentials
{
printk("erro in tls_add()\n");
return err;
}
if((err = tls_credential_add(tls_sec_tag[0],TLS_CREDENTIAL_PRIVATE_KEY,pr_key,sizeof(pr_key))) < 0) //adding server private key credentials
{
printk("erro in tls_add()\n");
return err;
}
return 0;
}
int tlsSetup(int fd)
{
int err;
int verify;
/* Security tag that we have provisioned the certificate with */
int opt = 1;
/* setting TLS role as server */
if ((err = nrf_setsockopt(fd, NRF_SOL_SECURE, NRF_SO_SEC_ROLE,&opt,sizeof(opt)))<0)
{
printk("T1 Failed to setup role, err %d\n", errno);
return err;
}
// verify = REQUIRED;
/* setting Peer verification */
verify = NONE;
if ((err = nrf_setsockopt(fd, NRF_SOL_SECURE,NRF_SO_SEC_PEER_VERIFY, &verify, sizeof(verify))) < 0)
{
printk("T1 Failed to setup peer verification, err %d\n", errno);
return err;
}
/* Associate the socket with the security tag
* we have provisioned the certificate with.
*/
if ((err = nrf_setsockopt(fd, NRF_SOL_SECURE, NRF_SO_SEC_TAG_LIST, tls_sec_tag,sizeof(tls_sec_tag))) < 0) {
printk("T1 Failed to setup TLS sec tag, err %d\n", errno);
return err;
}
return TLS_SUCCESS;
}
Please suggest some solution for my actual question.
best regards
Thanks for the code.
Note that when you are using native TLS (which you must to have a TLS server), you must use Zephyr's sockets, not nrf_sockets.
I've attached a project that opens and binds and listens to two TLS sockets.
Note that I am not able to test if it actually can connect to clients, because of limitations with my SIM card.
Thank you Didrik I am able to bind both server.
best regards
Hi Didrik,
we are able to bind two TLS server, but not able to accept clients on the two server at the same time, we are able to accept only one client ,for other server we are getting error while accepting (error no:12).
we are using threads to implement two servers. Please guide us on this.
best regards
Because of limitation s with my SIM cards, I am not really able to reproduce this.
So, could you take a modem trace, so I can see if the error comes from the modem or the application?
