CoAP Secure CLI Example

Hi,

I'm running into some issues testing the CoAP Secure (CoAPS) functionality on the nRF "Thread: CLI" example".  I have attempted to use both pre-shared key (pskc) and the default x509 certificate as authentication types, but both are producing errors, albeit slightly different ones. The "pskc" authentication fails when executing the "ot coaps connect" command and returns Error 7 "Invalid Args". On the other hand, the x509 authentication processes the "connect" command, but disconnects instantly.

I've been following the "OpenThread- CoAPS Example" documentation. I can run the standard "OpenThread CoAP" example without authentication ok.

Example Set up

HW : 2x nrf52840 DK 
nrf connect SDK : Tried v2.2.0 and v2.1.0

Instructions thread set up

  1. Flash both Dev kits with Thread: CLI" example
  2. Connect both dev kits to the same thread network, using commands ot channel, ot panid, ot networkkey, ot ifconfig up, ot thread start
  3. run ot ipaddr on the Server node to get Server the ip address
  4. ping Server ip address from the Client node to confirm connection over Thread

Authentication type pskc

  1. Set server and client node authentication  psk* using command 
    ot coaps set psk 123 pskid
  2. run CoAP server on Node 1
    ot coaps start
    ot coaps resource test-resource
  3. run CoAP client on Node 2

    ot coaps start
    ot coaps connect <peer-ip6-address>

After running the connect command I get the InvalidArgs error. 

Authentication type x509

  1. Tell Server and client to use the default certificate for authentication
    ot coaps x509
  2. run CoAp server on Node 1
    ot coaps resource test-resource
  3. run CoAP client on Node 2 
    ot coaps start
    ot coaps connect <peer-ip6-address>
  4. CoAP client fails to connect and returns;
    coaps disconnected

Is there anything I am doing wrong here?

Thank you,

Parents Reply
  • Here is a workaround for now:

    "

    The original error is a tls handshake failure caused by selection of incorrect ciphersuite by the server (MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 instead of MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8).

    It's possible to make x509 usable by disabling ECJPAKE ciphersuite (CONFIG_MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED=n) and raising mbedtls heap size (CONFIG_MBEDTLS_HEAP_SIZE=15200) - disabling ECJPAKE will result in openthread compilation error, as some files stop being included, which results in undeclared symbols. This can be solved by #ifdef guarding erroneous lines.

    This, however, is a workaround - openthread relies on ECJPAKE for some functionalities (like commissioning). Those functionalities will fail after disabling the ciphersuite.

    "

    Regards,
    Sigurd Hellesvik

Children
Related