ERR_SSL_PROTOCOL_ERROR using nginx with SE05x

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

ERR_SSL_PROTOCOL_ERROR using nginx with SE05x

Jump to solution
1,497 Views
CristianeBP
Contributor II

Good night,

we are facing the following problem:

when the secure element is accessed using the terminal, the web communication no longer works. The same problem can see verified performing multiple web accesses.

In the log I can see this messages:

2023-10-31 14:19:14 nginx: 2023/10/31 14:19:14 [crit] 525#525: *41 SSL_do_handshake() failed (SSL: error:14209044:SSL routines:tls_early_post_process_client_hello:internal error) while SSL handshaking, client: 192.168.1.5, server: 0.0.0.0:443

and in the browser I can see the message: "ERR_SSL_PROTOCOL_ERROR" (image.png in attached).

When I restart nginx, everything works again.

How to reproduce the problem:

1 - start nginx;

2 - open the browser and check that the communication works;

3 - in the terminal execute an openssl command or application that accesses the SE;

4 - refresh the browser (with clean cookies);

(in this point the comunication with the browser do not work anymore)

5 - restart nginx;

6 - refresh the browser (with clean cookies);

(in this point the communication restart to work).

In attached our yocto recipe used to build SE, openssl and nginx configuration (renamed to .txt, becouse the real extention are not supported by the forum).

[root@ABB-da-51-60-aa-06-e3 bin]# nginx -version
nginx version: nginx/1.22.0

[root@ABB-da-51-60-aa-06-e3 bin]# openssl version
OpenSSL 1.1.1l 24 Aug 2021

Thanks in advance,

Cristiane Bellenzier Piaia

 

Labels (1)
Tags (3)
0 Kudos
1 Solution
1,443 Views
rodolfoveltrigo
NXP Employee
NXP Employee

@CristianeBP 

Reply from NXP CAS2:

Please check whether ABB is using the Access Manager.

Only the Access Manager supports concurrent access from multiple linux processes to an SE05x IoT applet.

Please see MW docu 5.4.3. Access Manager: Manage access from multiple (Linux) processes to an SE05x IoT Applet (see attachment).

 Another question:

Is nginx using the SE05x via OpenSSL?

Cheers

Rodolfo

View solution in original post

0 Kudos
4 Replies
1,380 Views
CristianeBP
Contributor II

Good morning Rodolfo,

thank you very much, you are right, this is the problem, sorry for that, with the access manager, everything works fine.

But without the SCP/auth enabled.

I did 3 tests:

1 - access manager and applications with SCP/auth: NOK.

But if I understood correctly, this is not needed because the access manager will be handle with the authentication/SCP.

458af8ab-cfe5-45dd-8e8c-dd4b9845800c.png

 

image.png

7aa06177-5cee-43f1-a7a1-b66d38d9e379.png

image.png

2 - access manager with SCP/auth and applications auth=none: NOK.

image.png

image.png

3 - access manager with SCP/auth, but started without scp enabled and applications auth=none: OK.

image.png

How can I enabled the SCP/Auth properly?

Another problem is that the getInfo application does not work properly (even if it build accessManager whithout auth/SCP).

image.png

Thanks!

0 Kudos
1,222 Views
rodolfoveltrigo
NXP Employee
NXP Employee

 

@CristianeBP 

Hi Cristiane,

attached a plain and SCP03 communication screen shot as well text files containing the I2C bytes in text from (captured with the help of a logic analyzer). It shows that the communication between the SE and the host is encrypted in case of using Platform SCP for the access manager.

In case ABB would like also to protect the communication to the access manger they would need to use an authenticated session.

In this case only two sessions are supported by the Secure Element! This may not be sufficient for ABB's use case.

 cheers

Rodolfo on behalf of CAS2 team in Austria

0 Kudos
1,475 Views
rodolfoveltrigo
NXP Employee
NXP Employee

Hi @CristianeBP 

your issue has been reported to our NXP Internal Blob. 

I will let you know when it will be processed.

Cheers

Rodolfo

0 Kudos
1,444 Views
rodolfoveltrigo
NXP Employee
NXP Employee

@CristianeBP 

Reply from NXP CAS2:

Please check whether ABB is using the Access Manager.

Only the Access Manager supports concurrent access from multiple linux processes to an SE05x IoT applet.

Please see MW docu 5.4.3. Access Manager: Manage access from multiple (Linux) processes to an SE05x IoT Applet (see attachment).

 Another question:

Is nginx using the SE05x via OpenSSL?

Cheers

Rodolfo

0 Kudos