Unusual socket errno 122 when using NRF91 TLS-PSK

RE: Unusual socket errno 122 when using NRF91 TLS-PSK

Didrik Rokhaug — Wed, 15 Nov 2023 15:17:47 GMT

[quote userid="122854" url="~/f/nordic-q-a/91700/unusual-socket-errno-122-when-using-nrf91-tls-psk/454586"]there is no messages in the column length more then 760 bites. [/quote]

Those are the TCP packets. A TLS fragment can consist of more than one TCP packet.

In the attached screenshot, you can see that one of the TLS fragments have a length of 3216.

RE: Unusual socket errno 122 when using NRF91 TLS-PSK

Roman Veselskyi — Wed, 08 Nov 2023 07:57:03 GMT

Hi Didrik Rokhaug ,

May you please explain how to see in the Wireshark that server send a TLS fragment which is larger then 2 kb?
I looked into this file 5700.trace-2022-09-06T17-19-37.981Z.bin but there is no messages in the column length more then 760 bites.

RE: Unusual socket errno 122 when using NRF91 TLS-PSK

Achim Kraus — Mon, 26 Sep 2022 07:42:17 GMT

Just to mention:

In the meantime there is a alternative extension for the record size defined in RFC 8449.

> At least last time we looked into it,

Not sure, when that was, but I'm pretty sure, mbedTLS supports that feature (see MBEDTLS_SSL_MAX_FRAG_LEN_1024). Maybe someone opens an issue at Mbed-TLS Issues to ask for help.

RE: Unusual socket errno 122 when using NRF91 TLS-PSK

Didrik Rokhaug — Fri, 09 Sep 2022 13:42:31 GMT

[quote user="matharman"]

I do have one followup question / remark: One of my colleagues pointed out that RFC 6066 includes an extension to negotiate a "maximum_fragment_length" in the Client Hello.

Has the modem firmware team considered implementing this extension? 2kb is a tight constraint, and it would be useful to advertise that to servers support the extension.

[/quote]

At least last time we looked into it, it was not yet implemented in mbedTLS, which is the TLS stack used by the modem.

It is in our backlog though.

RE: Unusual socket errno 122 when using NRF91 TLS-PSK

matharman — Thu, 08 Sep 2022 20:57:51 GMT

Hi Didrik,

Thanks for your time analyzing the modem trace. Based on your advice, we were able to decrease the maximum TLS record size on the server to work around this constraint.

I do have one followup question / remark: One of my colleagues pointed out that RFC 6066 includes an extension to negotiate a "maximum_fragment_length" in the Client Hello.

Has the modem firmware team considered implementing this extension? 2kb is a tight constraint, and it would be useful to advertise that to servers support the extension.

RE: Unusual socket errno 122 when using NRF91 TLS-PSK

Didrik Rokhaug — Wed, 07 Sep 2022 09:15:26 GMT

Hi,

The modem trace shows that the server sends a TLS fragment that is larger than what the modem is able to store in its internal buffers (and thereby decode).

This is what causes the connection to be closed, and EMSGSIZE to be returned.

For TLS, the fragments can be max 2kB, while for DTLS the limit is 1kB.

Best regards,

Didrik