CoAP Secure CLI Example

RE: CoAP Secure CLI Example

hugzy123 — Thu, 27 Apr 2023 14:34:26 GMT

Hi Sigurd,

Thanks for the update. We're using authentication with PSK instead for now, we'll migrate to using certificates when there's a full solution available in the future.

Regards,

RE: CoAP Secure CLI Example

Sigurd Hellesvik — Fri, 21 Apr 2023 13:51:52 GMT

Here is a workaround for now:

The original error is a tls handshake failure caused by selection of incorrect ciphersuite by the server (MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 instead of MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8).

It's possible to make x509 usable by disabling ECJPAKE ciphersuite (CONFIG_MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED=n) and raising mbedtls heap size (CONFIG_MBEDTLS_HEAP_SIZE=15200) - disabling ECJPAKE will result in openthread compilation error, as some files stop being included, which results in undeclared symbols. This can be solved by #ifdef guarding erroneous lines.

This, however, is a workaround - openthread relies on ECJPAKE for some functionalities (like commissioning). Those functionalities will fail after disabling the ciphersuite.

Regards,
Sigurd Hellesvik

RE: CoAP Secure CLI Example

Sigurd Hellesvik — Tue, 04 Apr 2023 08:22:26 GMT

Here is an update:

The issue is not solved yet, but we're getting closer.

One thing that should be done is setting hostname of the server device. Cli sample's default certificate has Common Name set as "PXC3.E75-100A", which is the expected hostname of a device using it.

Another discovered issue is that the ciphersuite used by the cli app by default is untested and not recommended. Disabling MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED config and setting MBEDTLS_SSL_CIPHERSUITES to ECDHE_ECDSA_WITH_AES_128_CCM8 fixes one of the issues.

Regards,
Sigurd Hellesvik

RE: CoAP Secure CLI Example

Sigurd Hellesvik — Tue, 07 Mar 2023 08:26:24 GMT

I polled our developers on this, and they said:

This is under investigation by one of the engineers. He was able to confirm the issue but hasn't found the root cause yet.

Regards,
Sigurd Hellesvik

RE: CoAP Secure CLI Example

hugzy123 — Thu, 02 Mar 2023 11:45:20 GMT

OK thanks for looking into it

RE: CoAP Secure CLI Example

Sigurd Hellesvik — Tue, 28 Feb 2023 14:14:21 GMT

We have had the same issue reported by another cusomer as well.

Our developers have started to look into this, but I have not gotten any answers yet.

I will keep you updated.

Regards,
Sigurd Hellesvik

RE: CoAP Secure CLI Example

Sigurd Hellesvik — Wed, 22 Feb 2023 14:20:18 GMT

Due to nRF Connect SDK v2.3.0 being released soon, it will take longer than usual to get back to this answer.

I hope that we will get an answer by Monday.

Regards,
Sigurd Hellesvik

RE: CoAP Secure CLI Example

hugzy123 — Tue, 21 Feb 2023 14:10:54 GMT

OK thanks.

Regards,

RE: CoAP Secure CLI Example

Sigurd Hellesvik — Tue, 21 Feb 2023 13:51:32 GMT

Today I gave it another try but could not find the correct configuration for x509.
From RFC7252: X.509 Certificates, I think it should be CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED.
But no luck.

So I have asked our Thread developers for assistance with this.
I will let you know as soon as I hear back from them.

Regards,
Sigurd Hellesvik

RE: CoAP Secure CLI Example

Sigurd Hellesvik — Fri, 17 Feb 2023 14:31:22 GMT

I have unfortunately not been able to figure this out today.

But I will continue to look into it on Monday.

Regards,
Sigurd Hellesvik

RE: CoAP Secure CLI Example

hugzy123 — Thu, 16 Feb 2023 16:36:44 GMT

Hi,

Thanks for the quick reply.

I tried your suggestion but no luck unfortunately, it still won't connect. One interesting thing I noticed was the coaps connect command with certificate authentication type only triggers on the v2.1.0 sdk. On the v2.2.0 sdk the command fails with error "InvalidArgs" every time, even with CONFIG_MBEDTLS_KEY_EXCHANGE_ALL_ENABLED. I'm guessing there must some differences in the kconfig of the CLI example between v2.1.0 and v2.2.0.

Is there any other suggestions you recommend?

RE: CoAP Secure CLI Example

Sigurd Hellesvik — Wed, 15 Feb 2023 07:33:24 GMT

Hi,

[quote user="hugzy123"]I've managed to get the psk authentication type working by setting CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED in the kconfig.[/quote]

Good job!

[quote user="hugzy123"]However, i'm still having issues with the x509 certificate based authentication. Is there an equivalent I should set in the kconfig to get the x509 type working?[/quote]

I do not know for sure which configuration it would be now.
But to test, I searched for the following:

To check if it is any key exchange configuration, try with CONFIG_MBEDTLS_KEY_EXCHANGE_ALL_ENABLED.
Does x509 work with this?

Regards,
Sigurd Hellesvik

RE: CoAP Secure CLI Example

hugzy123 — Tue, 14 Feb 2023 17:38:33 GMT

Thanks for looking into this.

I've managed to get the psk authentication type working by setting CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED in the kconfig. However, i'm still having issues with the x509 certificate based authentication. Is there an equivalent I should set in the kconfig to get the x509 type working?

RE: CoAP Secure CLI Example

Sigurd Hellesvik — Tue, 14 Feb 2023 15:55:30 GMT

Hi,

I will look into this and return with more information tomorrow.

Regards,
Sigurd Hellesvik