RE: CoAP with DTLS on download sample

Harvey Zheng — Mon, 04 Jul 2022 10:41:03 GMT

hi Øyvind,

I use PSK in my sample, my configuration is as follow, I'm not sure that's the right setup

# General config
CONFIG_HEAP_MEM_POOL_SIZE=4096
CONFIG_NEWLIB_LIBC=y

# Networking
CONFIG_NETWORKING=y
CONFIG_NET_NATIVE=n
CONFIG_NET_SOCKETS_OFFLOAD=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y

# LTE link control
CONFIG_LTE_LINK_CONTROL=y
CONFIG_LTE_AUTO_INIT_AND_CONNECT=n

# Modem library
CONFIG_NRF_MODEM_LIB=y
CONFIG_NRF_MODEM_LIB_TRACE_ENABLED=y
CONFIG_MODEM_KEY_MGMT=y

# AT Host
CONFIG_UART_INTERRUPT_DRIVEN=y
CONFIG_AT_HOST_LIBRARY=y

# CoAP
CONFIG_COAP=y

# Main thread
CONFIG_MAIN_STACK_SIZE=4096

CONFIG_LTE_NETWORK_MODE_NBIOT=y

CONFIG_TLS_CREDENTIALS=y
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_NET_SOCKETS_ENABLE_DTLS=y

#define SEC_TAG 2

static const char psk_id[] = "Client_identity";

static uint8_t key[] = {
    0x73, 0x65, 0x63, 0x72, 0x65, 0x7c, 0x50, 0x53, 0x4c
};

/* Provision certificate to modem */
static int cert_provision(void)
{
	int err;
	bool exists;

    /*----------- PSK -----------------*/
    err = modem_key_mgmt_exists(SEC_TAG,
				    MODEM_KEY_MGMT_CRED_TYPE_PSK,
				    &exists);
	if (err) {
		printk("Failed to check for certificates err %d\n", err);
		return err;
	}

	if (exists) {
		printk("PSK ");
		/* Let's compare the existing credential */
		err = modem_key_mgmt_cmp(SEC_TAG,
					 MODEM_KEY_MGMT_CRED_TYPE_PSK,
					 key, sizeof(key));
		printk("%s\n", err ? "mismatch" : "match");
		if (!err) {
			return 0;
		}
	} else {
        printk("PSK is nonexistent\n");
    }

    printk("Provisioning PSK\n");
	/*  Provision PSK to the modem */
	err = modem_key_mgmt_write(SEC_TAG,
				   MODEM_KEY_MGMT_CRED_TYPE_PSK,
				   key, sizeof(key));
	if (err) {
		printk("Failed to provision certificate, err %d\n", err);
		return err;
	}

    err = modem_key_mgmt_write(SEC_TAG,
				   MODEM_KEY_MGMT_CRED_TYPE_IDENTITY,
				   psk_id, sizeof(psk_id) -1);
	if (err) {
		printk("Failed to provision certificate, err %d\n", err);
		return err;
	}

	return 0;
}

static int socket_sectag_set(int fd, int sec_tag)
{
	int err;
	int verify;
	sec_tag_t sec_tag_list[] = { sec_tag };

	enum {
		NONE = 0,
		OPTIONAL = 1,
		REQUIRED = 2,
	};

	verify = REQUIRED;

	err = setsockopt(fd, SOL_TLS, TLS_PEER_VERIFY, &verify, sizeof(verify));
	if (err) {
		printk("Failed to setup peer verification, errno %d", errno);
		return -errno;
	}

	printk("Setting up TLS credentials, tag %d\n", sec_tag);
	err = setsockopt(fd, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_list,
			 sizeof(sec_tag_list));
	if (err) {
		printk("Failed to setup socket security tag, errno %d", errno);
		return -errno;
	}

    nrf_sec_cipher_t cipher_list[] = { 0xC0A8 };

    err = setsockopt(fd, SOL_TLS, TLS_CIPHERSUITE_LIST, cipher_list, sizeof(cipher_list));
    if (err) {
       /* Failed to set up cipher suite list. */
       return -errno;
    }

	return 0;
}

static int socket_tls_hostname_set(int fd)
{
	int err;

	err = setsockopt(fd, SOL_TLS, TLS_HOSTNAME, CONFIG_COAP_SERVER_HOSTNAME,
			 strlen(CONFIG_COAP_SERVER_HOSTNAME));
	if (err) {
		printk("Failed to setup TLS hostname (%s), errno %d",
			CONFIG_COAP_SERVER_HOSTNAME, errno);
		return -errno;
	}

	return 0;
}

And, based on this configuration, I still can't connect. There's no CLIENT_KEY_EXCHANGE after

SERVER_HELLO_DONE. My modem trace log is as follow.

devzone.nordicsemi.com/.../trace_2D00_2022_2D00_07_2D00_04T10_2D00_29_2D00_08.340Z.rar

RE: CoAP with DTLS on download sample

Øyvind — Thu, 30 Jun 2022 12:42:23 GMT

Yes, it seems likely that this is the root cause.

-Øyvind

RE: CoAP with DTLS on download sample

Harvey Zheng — Thu, 30 Jun 2022 12:15:37 GMT

hi,

DTLS supports PSK authentication only

I use CA certificates, so based on this information, the certificate type is incorrect?

RE: CoAP with DTLS on download sample

Øyvind — Thu, 30 Jun 2022 12:10:06 GMT

Hello,

The DevZone team is currently entering summer vacation period, some delays in answers must be expected.

Are you able to share full log output from the application? What certificates are you using? What modem FW are you running on your device?

Errno ECONNREFUSED 111 /* Connection refused */

Please be aware of the following limitations in the modem:

- TLS/DTLS
    - One TLS handshake at a time is supported.
    - Up to three simultaneous TLS/DTLS connections are possible.
    - Maximum server certificate chain size has a limit of 4kB.
    - Server certificate expiry time is not verified.
    - pkcs#8 is not supported.
    - Absolute maximum number of supported credentials is 32. The actual amount depends on size of
      credentials as memory area reserved for credentials may be a limiting factor as well.
    - DTLS supports PSK authentication only.
    - 2kB secure socket buffer size.

We might need a modem trace to see what is failing.

Kind regards,
Øyvind