ERR_SSL_PROTOCOL_ERROR using nginx with SE05x

Solved

CristianeBP
Contributor II

Good night,

we are facing the following problem:

when the secure element is accessed using the terminal, the web communication no longer works. The same problem can be verified by performing multiple web accesses.

In the log I can see these messages:

2023-10-31 14:19:14 nginx: 2023/10/31 14:19:14 [crit] 525#525: *41 SSL_do_handshake() failed (SSL: error:14209044:SSL routines:tls_early_post_process_client_hello:internal error) while SSL handshaking, client: 192.168.1.5, server: 0.0.0.0:443

and in the browser I can see the message: "ERR_SSL_PROTOCOL_ERROR" (image.png in attached).

When I restart nginx, everything works again.

How to reproduce the problem:

1 - start nginx;

2 - open the browser and check that the communication works;

3 - in the terminal execute an openssl command or application that accesses the SE;

4 - refresh the browser (with clean cookies);

(at this point the communication with the browser does not work anymore)

5 - restart nginx;

6 - refresh the browser (with clean cookies);

(at this point the communication starts working again).

Attached are our Yocto recipe used to build the SE, the openssl and nginx configuration (renamed to .txt, because the real extensions are not supported by the forum).

[root@ABB-da-51-60-aa-06-e3 bin]# nginx -version
nginx version: nginx/1.22.0

[root@ABB-da-51-60-aa-06-e3 bin]# openssl version
OpenSSL 1.1.1l 24 Aug 2021

Thanks in advance,

Cristiane Bellenzier Piaia

 

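The handshake failure quoted in the post is a useful detection signal on its own: once the SE channel is in the bad state, nginx keeps logging the same `[crit]` line for every new TLS connection until it is restarted, so an operator can catch the lock-up from the error log instead of waiting for users to report ERR_SSL_PROTOCOL_ERROR. The following script is an added example, not code from the thread or from NXP's middleware. It parses nginx error-log lines of the format shown above, keeps only `SSL_do_handshake()` failures whose reason is `internal error` (a server-side failure, as opposed to reasons that name a client fault such as an unsupported protocol version), and reports when several of them occur inside a short window. The sample log lines are constructed to mirror the quoted one, and the threshold and window values are assumptions to be tuned per deployment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the nginx error quoted in the original post.
# Only the first [crit] line copies the post's format; the other lines are invented
# to show what the detector skips (an info line) and what it groups (a second client).
SAMPLE_LOG = """\
2023-10-31 14:19:14 nginx: 2023/10/31 14:19:14 [crit] 525#525: *41 SSL_do_handshake() failed (SSL: error:14209044:SSL routines:tls_early_post_process_client_hello:internal error) while SSL handshaking, client: 192.168.1.5, server: 0.0.0.0:443
2023-10-31 14:19:15 nginx: 2023/10/31 14:19:15 [info] 525#525: *42 client 192.168.1.5 closed keepalive connection
2023-10-31 14:19:16 nginx: 2023/10/31 14:19:16 [crit] 525#525: *43 SSL_do_handshake() failed (SSL: error:14209044:SSL routines:tls_early_post_process_client_hello:internal error) while SSL handshaking, client: 192.168.1.5, server: 0.0.0.0:443
2023-10-31 14:19:17 nginx: 2023/10/31 14:19:17 [crit] 525#525: *44 SSL_do_handshake() failed (SSL: error:14209044:SSL routines:tls_early_post_process_client_hello:internal error) while SSL handshaking, client: 192.168.1.7, server: 0.0.0.0:443
"""

# Matches the syslog-prefixed nginx error line shape used in the post:
# "<date> <time> nginx: <nginx date> [<level>] <pid>#<tid>: *<conn> SSL_do_handshake() failed (SSL: error:<code>:SSL routines:<func>:<reason>) ... client: <ip>"
HANDSHAKE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) nginx: .*?\[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#\d+: \*\d+ SSL_do_handshake\(\) failed "
    r"\(SSL: error:(?P<code>[0-9a-fA-F]+):SSL routines:(?P<func>[^:]+):(?P<reason>[^)]+)\)"
    r".*?client: (?P<client>[0-9a-fA-F.:]+)"
)


def parse_handshake_failures(log_text):
    """Return one dict per SSL_do_handshake() failure found in nginx error-log text."""
    events = []
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.match(line)
        if not m:
            continue  # info lines and unrelated errors are ignored
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "level": m["level"],
            "pid": int(m["pid"]),
            "code": m["code"],
            "func": m["func"],
            "reason": m["reason"],
            "client": m["client"],
        })
    return events


def detect_handshake_lockup(events, threshold=3, window_s=60):
    """Report the first burst of server-side handshake failures.

    Only failures whose OpenSSL reason is 'internal error' are counted: those point
    at the server failing during client-hello processing rather than at a client
    offering something nginx rejects. threshold and window_s are assumed tuning
    values, not figures from the thread. Returns a summary dict or None.
    """
    internal = sorted(
        (e for e in events if e["reason"] == "internal error"),
        key=lambda e: e["ts"],
    )
    span = timedelta(seconds=window_s)
    for i, first in enumerate(internal):
        # Every internal-error failure within window_s of this one.
        window = [e for e in internal[i:] if e["ts"] - first["ts"] <= span]
        if len(window) >= threshold:
            return {
                "first": window[0]["ts"],
                "last": window[-1]["ts"],
                "count": len(window),
                "clients": {e["client"] for e in window},
                "pid": window[0]["pid"],
            }
    return None


if __name__ == "__main__":
    hit = detect_handshake_lockup(parse_handshake_failures(SAMPLE_LOG))
    if hit:
        print(f"nginx worker {hit['pid']}: {hit['count']} internal handshake failures "
              f"between {hit['first']:%H:%M:%S} and {hit['last']:%H:%M:%S} "
              f"from {len(hit['clients'])} client(s); SE channel likely needs attention")
    else:
        print("no handshake lock-up detected")
```

In a real deployment the same two functions would be fed `tail -F` output or journald lines and the alert would trigger whatever recovery the operator chooses; the thread's own recovery was restarting nginx, while the accepted answer's fix is to route all SE05x users through the Access Manager so the condition does not arise.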
Solution
rodolfoveltrigo
NXP Employee

@CristianeBP 

Reply from NXP CAS2:

Please check whether ABB is using the Access Manager.

Only the Access Manager supports concurrent access from multiple linux processes to an SE05x IoT applet.

Please see MW docu 5.4.3. Access Manager: Manage access from multiple (Linux) processes to an SE05x IoT Applet (see attachment).

 Another question:

Is nginx using the SE05x via OpenSSL?

Cheers

Rodolfo

4 Replies
CristianeBP
Contributor II

Good morning Rodolfo,

thank you very much, you are right, this is the problem, sorry for that; with the access manager, everything works fine.

But without the SCP/auth enabled.

I did 3 tests:

1 - access manager and applications with SCP/auth: NOK.

But if I understood correctly, this is not needed because the access manager will handle the authentication/SCP.

(screenshots attached)

2 - access manager with SCP/auth and applications auth=none: NOK.

(screenshots attached)

3 - access manager with SCP/auth, but started without scp enabled and applications auth=none: OK.

(screenshot attached)

How can I enable the SCP/Auth properly?

Another problem is that the getInfo application does not work properly (even when accessManager is built without auth/SCP).

(screenshot attached)

Thanks!

rodolfoveltrigo
NXP Employee

@CristianeBP 

Hi Cristiane,

attached are a plain and an SCP03 communication screenshot, as well as text files containing the I2C bytes in text form (captured with the help of a logic analyzer). It shows that the communication between the SE and the host is encrypted in case of using Platform SCP for the access manager.

In case ABB would also like to protect the communication to the access manager, they would need to use an authenticated session.

In this case only two sessions are supported by the Secure Element! This may not be sufficient for ABB's use case.

Cheers

Rodolfo on behalf of CAS2 team in Austria

rodolfoveltrigo
NXP Employee

Hi @CristianeBP 

your issue has been reported to our NXP Internal Blob.

I will let you know when it will be processed.

Cheers

Rodolfo
