topic Re: ERR_SSL_PROTOCOL_ERROR using nginx with SE05x in Secure Authentication

ERR_SSL_PROTOCOL_ERROR using nginx with SE05x

CristianeBP — Tue, 31 Oct 2023 15:08:05 GMT

Good night,

we are facing the following problem:

when the secure element is accessed using the terminal, the web communication no longer works. The same problem can see verified performing multiple web accesses.

In the log I can see this messages:

2023-10-31 14:19:14 nginx: 2023/10/31 14:19:14 [crit] 525#525: *41 SSL_do_handshake() failed (SSL: error:14209044:SSL routines:tls_early_post_process_client_hello:internal error) while SSL handshaking, client: 192.168.1.5, server: 0.0.0.0:443

and in the browser I can see the message: "ERR_SSL_PROTOCOL_ERROR" (image.png in attached).

When I restart nginx, everything works again.

How to reproduce the problem:

1 - start nginx;

2 - open the browser and check that the communication works;

3 - in the terminal execute an openssl command or application that accesses the SE;

4 - refresh the browser (with clean cookies);

(in this point the comunication with the browser do not work anymore)

5 - restart nginx;

6 - refresh the browser (with clean cookies);

(in this point the communication restart to work).

In attached our yocto recipe used to build SE, openssl and nginx configuration (renamed to .txt, becouse the real extention are not supported by the forum).

[root@ABB-da-51-60-aa-06-e3 bin]# nginx -version
nginx version: nginx/1.22.0

[root@ABB-da-51-60-aa-06-e3 bin]# openssl version
OpenSSL 1.1.1l 24 Aug 2021

Thanks in advance,

Cristiane Bellenzier Piaia

Re: ERR_SSL_PROTOCOL_ERROR using nginx with SE05x

rodolfoveltrigo — Tue, 31 Oct 2023 15:35:37 GMT

Hi @CristianeBP

your issue has been reported to our NXP Internal Blob.

I will let you know when it will be processed.

Cheers

Rodolfo

Re: ERR_SSL_PROTOCOL_ERROR using nginx with SE05x

rodolfoveltrigo — Fri, 03 Nov 2023 08:18:37 GMT

@CristianeBP

Reply from NXP CAS2:

Please check whether ABB is using the Access Manager.

Only the Access Manager supports concurrent access from multiple linux processes to an SE05x IoT applet.

Please see MW docu 5.4.3. Access Manager: Manage access from multiple (Linux) processes to an SE05x IoT Applet (see attachment).

Another question:

Is nginx using the SE05x via OpenSSL?

Cheers

Rodolfo

Re: ERR_SSL_PROTOCOL_ERROR using nginx with SE05x

CristianeBP — Mon, 06 Nov 2023 12:01:40 GMT

Good morning Rodolfo,

thank you very much, you are right, this is the problem, sorry for that, with the access manager, everything works fine.

But without the SCP/auth enabled.

I did 3 tests:

1 - access manager and applications with SCP/auth: NOK.

But if I understood correctly, this is not needed because the access manager will be handle with the authentication/SCP.

2 - access manager with SCP/auth and applications auth=none: NOK.

3 - access manager with SCP/auth, but started without scp enabled and applications auth=none: OK.

How can I enabled the SCP/Auth properly?

Another problem is that the getInfo application does not work properly (even if it build accessManager whithout auth/SCP).

Thanks!

Re: ERR_SSL_PROTOCOL_ERROR using nginx with SE05x

rodolfoveltrigo — Fri, 10 Nov 2023 14:54:09 GMT

@CristianeBP

Hi Cristiane,

attached a plain and SCP03 communication screen shot as well text files containing the I2C bytes in text from (captured with the help of a logic analyzer). It shows that the communication between the SE and the host is encrypted in case of using Platform SCP for the access manager.

In case ABB would like also to protect the communication to the access manger they would need to use an authenticated session.

In this case only two sessions are supported by the Secure Element! This may not be sufficient for ABB's use case.

cheers

Rodolfo on behalf of CAS2 team in Austria