CoAP with DTLS on download sample

hello,

I use the download sample on the nRF9160 DK with NCS 2.0. I changed SAMPLE_FILE_URL to my server URL and also modified the certificate; my configuration is as follows.

CONFIG_NRF_MODEM_LIB=y

CONFIG_NETWORKING=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_NATIVE=n

CONFIG_HEAP_MEM_POOL_SIZE=1024
CONFIG_MAIN_STACK_SIZE=2048

CONFIG_MODEM_KEY_MGMT=y
CONFIG_LTE_LINK_CONTROL=y
CONFIG_LTE_AUTO_INIT_AND_CONNECT=n

CONFIG_DOWNLOAD_CLIENT=y

CONFIG_NEWLIB_LIBC=y

CONFIG_LTE_NETWORK_MODE_NBIOT=y
CONFIG_COAP=y
CONFIG_SAMPLE_SECURE_SOCKET=y
CONFIG_LOG_PRINTK=y
CONFIG_LOG=y

However, the connection to the server was rejected.

I know that this sample supports CoAP and DTLS; this is explained in the documentation:

https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/nrf9160/download/README.html#downloading-from-a-coap-server

But I have never been able to get it working.

Thanks!

  • Hello, 

    The DevZone team is currently entering summer vacation period, some delays in answers must be expected.


    Are you able to share full log output from the application? What certificates are you using? What modem FW are you running on your device? 

    Errno ECONNREFUSED 111 /* Connection refused */

    Please be aware of the following limitations in the modem:

    - TLS/DTLS
        - One TLS handshake at a time is supported.
        - Up to three simultaneous TLS/DTLS connections are possible.
        - Maximum server certificate chain size has a limit of 4kB.
        - Server certificate expiry time is not verified.
        - pkcs#8 is not supported.
        - Absolute maximum number of supported credentials is 32. The actual amount depends on size of
          credentials as memory area reserved for credentials may be a limiting factor as well.
        - DTLS supports PSK authentication only.
        - 2kB secure socket buffer size.
    

    We might need a modem trace to see what is failing.

    Kind regards,
    Øyvind

  • hi,

    DTLS supports PSK authentication only

    I use CA certificates, so based on this information, the certificate type is incorrect?
  • Yes, it seems likely that this is the root cause. 

    -Øyvind

  • hi Øyvind,

    I use a PSK in my sample; my configuration is as follows. I'm not sure it is the right setup.

    # General config
    CONFIG_HEAP_MEM_POOL_SIZE=4096
    CONFIG_NEWLIB_LIBC=y
    
    # Networking
    CONFIG_NETWORKING=y
    CONFIG_NET_NATIVE=n
    CONFIG_NET_SOCKETS_OFFLOAD=y
    CONFIG_NET_SOCKETS=y
    CONFIG_NET_SOCKETS_POSIX_NAMES=y
    
    # LTE link control
    CONFIG_LTE_LINK_CONTROL=y
    CONFIG_LTE_AUTO_INIT_AND_CONNECT=n
    
    # Modem library
    CONFIG_NRF_MODEM_LIB=y
    CONFIG_NRF_MODEM_LIB_TRACE_ENABLED=y
    CONFIG_MODEM_KEY_MGMT=y
    
    # AT Host
    CONFIG_UART_INTERRUPT_DRIVEN=y
    CONFIG_AT_HOST_LIBRARY=y
    
    # CoAP
    CONFIG_COAP=y
    
    # Main thread
    CONFIG_MAIN_STACK_SIZE=4096
    
    CONFIG_LTE_NETWORK_MODE_NBIOT=y
    
    CONFIG_TLS_CREDENTIALS=y
    CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
    CONFIG_NET_SOCKETS_ENABLE_DTLS=y

    /* Security tag under which the PSK and its identity are stored in the modem. */
    #define SEC_TAG 2
    
    /* PSK identity presented in the DTLS handshake; written to the modem
     * without its NUL terminator (see the sizeof(psk_id) - 1 below). */
    static const char psk_id[] = "Client_identity";
    
    /*
     * Pre-shared key bytes. Decoded as ASCII this reads "secre|PSL": if the
     * server's key is the string "secretPSK", 0x7c and 0x4c look like typos
     * for 0x74 ('t') and 0x4b ('K') -- verify the bytes against the server's
     * configured key before anything else. Sample-only: a real build would
     * take the key from provisioning rather than from source.
     * NOTE(review): the modem expects PSK credentials as a hexadecimal string
     * (%CMNG type 3); confirm the raw bytes are hex-encoded before they are
     * written.
     */
    static uint8_t key[] = {
        0x73, 0x65, 0x63, 0x72, 0x65, 0x7c, 0x50, 0x53, 0x4c
    };
    
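    /*
     * Helper for cert_provision(): make sure the credential of type
     * @cred_type stored under SEC_TAG equals @buf (@len bytes). A stored
     * credential that already matches is left alone; a missing or differing
     * one is (re)written. @name is only used in log output.
     *
     * Returns 0 on success, otherwise the modem_key_mgmt error code.
     */
    static int sec_tag_cred_provision(int cred_type, const char *name,
    				  const void *buf, size_t len)
    {
    	int err;
    	bool exists;
    
    	err = modem_key_mgmt_exists(SEC_TAG, cred_type, &exists);
    	if (err) {
    		printk("Failed to check for %s, err %d\n", name, err);
    		return err;
    	}
    
    	if (exists) {
    		/* Compare the stored credential with the one we intend to use. */
    		err = modem_key_mgmt_cmp(SEC_TAG, cred_type, buf, len);
    		printk("%s %s\n", name, err ? "mismatch" : "match");
    		if (!err) {
    			return 0;
    		}
    	} else {
    		printk("%s is nonexistent\n", name);
    	}
    
    	printk("Provisioning %s\n", name);
    	err = modem_key_mgmt_write(SEC_TAG, cred_type, buf, len);
    	if (err) {
    		printk("Failed to provision %s, err %d\n", name, err);
    	}
    
    	return err;
    }
    
    /*
     * Provision the DTLS pre-shared key and its identity to the modem under
     * SEC_TAG.
     *
     * The modem stores a PSK credential (%CMNG type 3 in the nRF91 AT command
     * reference) as an ASCII hexadecimal string, so the raw bytes of `key` are
     * hex-encoded before they are compared with, or written to, the modem.
     * The identity is written as plain ASCII without its NUL terminator.
     * Both credentials are checked independently, so an identity that is
     * missing next to an already-matching PSK still gets written.
     *
     * Returns 0 on success, otherwise the modem_key_mgmt error code.
     */
    static int cert_provision(void)
    {
    	static const char hex_digits[] = "0123456789abcdef";
    	/* Two hex digits per key byte; no terminator is sent to the modem. */
    	char key_hex[sizeof(key) * 2];
    	int err;
    
    	for (size_t i = 0; i < sizeof(key); i++) {
    		key_hex[2 * i] = hex_digits[key[i] >> 4];
    		key_hex[2 * i + 1] = hex_digits[key[i] & 0x0f];
    	}
    
    	/*----------- PSK -----------------*/
    	err = sec_tag_cred_provision(MODEM_KEY_MGMT_CRED_TYPE_PSK, "PSK",
    				     key_hex, sizeof(key_hex));
    	if (err) {
    		return err;
    	}
    
    	/*----------- PSK identity --------*/
    	return sec_tag_cred_provision(MODEM_KEY_MGMT_CRED_TYPE_IDENTITY,
    				      "PSK identity", psk_id,
    				      sizeof(psk_id) - 1);
    }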
    
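    /*
     * Attach the DTLS credentials to socket @fd: require peer verification,
     * select the modem credentials stored under @sec_tag and restrict the
     * cipher suite list to the PSK suite.
     *
     * Returns 0 on success or -errno of the failing setsockopt() call. errno
     * is captured before logging so the returned value is the one the socket
     * layer set.
     */
    static int socket_sectag_set(int fd, int sec_tag)
    {
    	int err;
    	int verify;
    	sec_tag_t sec_tag_list[] = { sec_tag };
    
    	enum {
    		NONE = 0,
    		OPTIONAL = 1,
    		REQUIRED = 2,
    	};
    
    	verify = REQUIRED;
    
    	err = setsockopt(fd, SOL_TLS, TLS_PEER_VERIFY, &verify, sizeof(verify));
    	if (err) {
    		err = -errno;
    		printk("Failed to setup peer verification, errno %d\n", -err);
    		return err;
    	}
    
    	printk("Setting up TLS credentials, tag %d\n", sec_tag);
    	err = setsockopt(fd, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_list,
    			 sizeof(sec_tag_list));
    	if (err) {
    		err = -errno;
    		printk("Failed to setup socket security tag, errno %d\n", -err);
    		return err;
    	}
    
    	/* IANA 0xC0A8 is TLS_PSK_WITH_AES_128_CCM_8 (RFC 6655), a PSK-only
    	 * suite; the server must offer the same suite or the handshake stops
    	 * at the hello exchange. */
    	nrf_sec_cipher_t cipher_list[] = { 0xC0A8 };
    
    	err = setsockopt(fd, SOL_TLS, TLS_CIPHERSUITE_LIST, cipher_list,
    			 sizeof(cipher_list));
    	if (err) {
    		err = -errno;
    		printk("Failed to setup cipher suite list, errno %d\n", -err);
    		return err;
    	}
    
    	return 0;
    }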
    
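    /*
     * Set the TLS/DTLS server hostname on socket @fd from
     * CONFIG_COAP_SERVER_HOSTNAME (the length excludes the NUL terminator).
     *
     * Returns 0 on success or -errno of the failing setsockopt() call; errno is
     * captured before logging so it cannot be clobbered by printk().
     */
    static int socket_tls_hostname_set(int fd)
    {
    	int err;
    
    	err = setsockopt(fd, SOL_TLS, TLS_HOSTNAME, CONFIG_COAP_SERVER_HOSTNAME,
    			 strlen(CONFIG_COAP_SERVER_HOSTNAME));
    	if (err) {
    		err = -errno;
    		printk("Failed to setup TLS hostname (%s), errno %d\n",
    		       CONFIG_COAP_SERVER_HOSTNAME, -err);
    		return err;
    	}
    
    	return 0;
    }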

    And with this configuration I still can't connect. There is no CLIENT_KEY_EXCHANGE after SERVER_HELLO_DONE. My modem trace log is as follows.
