Zephyr echo_client sample and openssl server- certification failure.

gronoarona — Wed, 03 Aug 2022 08:22:52 GMT

Hello

I need to setup TLS communication using UDP, betwen:

- mimxrt1060-ekvb as client

- ubuntu pc, openssl server as server (ofc)

I modify prj.conf of sample disabling all TCP and IPv6:

# Generic networking options CONFIG_NETWORKING=y CONFIG_NET_UDP=y CONFIG_NET_TCP=n CONFIG_NET_IPV6=n CONFIG_NET_IPV4=y CONFIG_NET_SOCKETS=y CONFIG_NET_SOCKETS_POSIX_NAMES=y CONFIG_NET_SOCKETS_POLL_MAX=4 CONFIG_NET_CONNECTION_MANAGER=y # Kernel options CONFIG_MAIN_STACK_SIZE=2048 CONFIG_ENTROPY_GENERATOR=y CONFIG_TEST_RANDOM_GENERATOR=y CONFIG_INIT_STACKS=y CONFIG_DEBUG=y # Logging CONFIG_NET_LOG=y CONFIG_LOG=y CONFIG_NET_STATISTICS=y CONFIG_PRINTK=y # Network buffers CONFIG_NET_PKT_RX_COUNT=16 CONFIG_NET_PKT_TX_COUNT=16 CONFIG_NET_BUF_RX_COUNT=80 CONFIG_NET_BUF_TX_COUNT=80 CONFIG_NET_CONTEXT_NET_PKT_POOL=y # IP address options # CONFIG_NET_IF_UNICAST_IPV6_ADDR_COUNT=3 # CONFIG_NET_IF_MCAST_IPV6_ADDR_COUNT=4 CONFIG_NET_MAX_CONTEXTS=10 # Network shell CONFIG_NET_SHELL=y # The addresses are selected so that qemu<->qemu connectivity works ok. # For linux<->qemu connectivity, create a new conf file and swap the # addresses (so that peer address is ending to 2). CONFIG_NET_CONFIG_SETTINGS=y # CONFIG_NET_CONFIG_NEED_IPV6=y # CONFIG_NET_CONFIG_MY_IPV6_ADDR="2001:db8::2" # CONFIG_NET_CONFIG_PEER_IPV6_ADDR="2001:db8::1" CONFIG_NET_CONFIG_NEED_IPV4=y CONFIG_NET_CONFIG_MY_IPV4_ADDR="192.168.1.225" CONFIG_NET_CONFIG_PEER_IPV4_ADDR="192.168.1.240" CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=2048

To build i using command:

west build -p always -b mimxrt1060_evkb -s samples/net/sockets/echo_client -- -DCONF_FILE="prj.conf overlay-tls.conf"

On server site, running openssl server by:

openssl s_server -key ssl_keys/echo-apps-key.der -cert ssl_keys/echo-apps-cert.der -dtls1_2 -accept 4242 -certform DER

Where is the problem:

Zephyr application running on uP tries to connect to ssl server but it fails, returning error log:

<err> net_sock_tls: TLS handshake error: -2700

On server side i got log:

Using default temp DH parameters ACCEPT ERROR 80CB36578F7F0000:error:0A000412:SSL routines:dtls1_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_d1.c:613:SSL alert number 42 shutting down SSL CONNECTION CLOSED

On wireshark there is also the same information

26255 343.215228125 192.168.1.225 192.168.1.240 DTLSv1.2 62 Alert (Level: Fatal, Description: Bad Certificate)

I think the problem in configuration, but i can't find where.

Cert and key files i took from echo_server sample, but if i regenerate them by my self, the result is the same.

Re: Zephyr echo_client sample and openssl server- certification failure.

dereksnell — Wed, 03 Aug 2022 18:07:05 GMT

Hi @gronoarona ,

We recommend posting Zephyr questions like this in Zephyr's GitHub, see Zephyr NXP Support for more details. Looking through this, the issue does not seem specific to NXP hardware, but is a general Zephyr Networking question. So if you post in Zephyrs GitHub Discussions, others in the Zephyr Community who know the Networking stack can provide some support.

BTW, I found you also posted this issue on Nordic's forums?

i.MX Processors中的主题 Re: Zephyr echo_client sample and openssl server- certification failure.

Zephyr echo_client sample and openssl server- certification failure.

Re: Zephyr echo_client sample and openssl server- certification failure.