External Commissioner/Secure CoAP and DTLS

ryanbryngelson
Contributor I

Hello,


I'm trying to implement an External Commissioner and can't seem to perform the initial DTLS handshaking correctly with the Border Router. Here's my setup...

  • I have a FRDM-KW24D running the thread_host_controlled_device_imx6ulevk firmware.
  • I have Thread_KW2xD_Tun running that allows me to access the Thread network from Linux.
  • I can ping the Border Router using the IPv6 address 'fd01::1' as well as ping end devices on the Thread network.
  • I found that mbedtls implements the EC-JPAKE cipher and even has a Thread configuration file (configs/config-thread.h).
  • I've built the mbedtls code and modified the dtls_client.c program (programs/ssl/dtls_client.c) to make a connection to IP fd01::1 on port 19779.

I do not get a response from the Border Router when I run the thread_client.c (my modified version of dtls_client.c) program. Here's the output of the thread_client program...

  . Seeding the random number generator... ok
  . Connecting to udp/localhost/19779... ok
  . Setting up the DTLS structure...ssl_tls.c:0083: set_timer to 0 ms
ok
  . Performing the SSL/TLS handshake...ssl_tls.c:6302: => handshake
ssl_cli.c:3264: client state: 0
ssl_tls.c:2429: => flush output
ssl_tls.c:2441: <= flush output
ssl_cli.c:3264: client state: 1
ssl_tls.c:2429: => flush output
ssl_tls.c:2441: <= flush output
ssl_cli.c:0712: => write client hello
ssl_cli.c:0750: client hello, max version: [254:253]
ssl_cli.c:0759: dumping 'client hello, random bytes' (32 bytes)
ssl_cli.c:0759: 0000:  86 e2 2c bc aa 0d e4 cf 26 1b 25 66 96 03 c9 0b  ..,.....&.%f....
ssl_cli.c:0759: 0010:  52 d9 65 66 3c c7 21 ba fa df 47 af a6 64 8b 12  R.ef<.!...G..d..
ssl_cli.c:0812: client hello, session id len.: 0
ssl_cli.c:0813: dumping 'client hello, session id' (0 bytes)
ssl_cli.c:0823: no verify cookie to send
ssl_cli.c:0913: client hello, got 1 ciphersuites
ssl_cli.c:0944: client hello, compress len.: 1
ssl_cli.c:0946: client hello, compress alg.: 0
ssl_cli.c:0263: client hello, adding supported_elliptic_curves extension
ssl_cli.c:0321: client hello, adding supported_point_formats extension
ssl_cli.c:1018: client hello, total extension length: 14
ssl_tls.c:0136: update timeout value to 1000 millisecs
ssl_tls.c:0083: set_timer to 1000 ms
ssl_tls.c:2714: => write record
ssl_tls.c:2849: output record: msgtype = 22, version = [254:255], msglen = 70
ssl_tls.c:2852: dumping 'output record sent to network' (83 bytes)
ssl_tls.c:2852: 0000:  16 fe ff 00 00 00 00 00 00 00 00 00 46 01 00 00  ............F...
ssl_tls.c:2852: 0010:  3a 00 00 00 00 00 00 00 3a fe fd 86 e2 2c bc aa  :.......:....,..
ssl_tls.c:2852: 0020:  0d e4 cf 26 1b 25 66 96 03 c9 0b 52 d9 65 66 3c  ...&.%f....R.ef<
ssl_tls.c:2852: 0030:  c7 21 ba fa df 47 af a6 64 8b 12 00 00 00 02 00  .!...G..d.......
ssl_tls.c:2852: 0040:  ff 01 00 00 0e 00 0a 00 04 00 02 00 17 00 0b 00  ................
ssl_tls.c:2852: 0050:  02 01 00                                         ...
ssl_tls.c:2429: => flush output
ssl_tls.c:2448: message length: 83, out_left: 83
ssl_tls.c:2454: ssl->f_send() returned 83 (-0xffffffad)
ssl_tls.c:2473: <= flush output
ssl_tls.c:2861: <= write record
ssl_cli.c:1044: <= write client hello
ssl_cli.c:3264: client state: 2
ssl_tls.c:2429: => flush output
ssl_tls.c:2441: <= flush output
ssl_cli.c:1396: => parse server hello
ssl_tls.c:3739: => read record
ssl_tls.c:2221: => fetch input
ssl_tls.c:2282: in_left: 0, nb_want: 13
ssl_tls.c:2320: f_recv_timeout: 1000 ms
ssl_tls.c:2328: ssl->f_recv(_timeout)() returned -26624 (-0x6800)
ssl_tls.c:2336: timeout

I've attached the thread_client.c. My questions are...

  • Is there a trick to getting the Border Router to respond on port 19779 as shown on page 20 of Kinetis Thread Stack Host API User's Guide.pdf?
  • Are there any examples that demonstrate how to establish a DTLS connection?
    • I have the Thread 1.0 specification (Affiliate Member of Thread Group) and that has helped me to understand how it's supposed to work, but the Border Router not responding when spoken to on port 19779 leads me to believe something is wrong with my setup.

I would also like to try and send a secure CoAP packet (on port 5684 in the demo firmware).


Any help with DTLS would be appreciated.


Thank you,

Ryan
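The ClientHello that the debug log dumps can be decoded field by field, which is a useful first check before reaching for Wireshark. The following Python is an added example, not code from the original post or from mbedtls; it embeds the 83-byte 'output record sent to network' dump from above as a constructed byte string and walks the DTLS record header, the handshake header and the ClientHello body (RFC 6347 layout). Decoding it shows the record layer at version 0xfeff with 0xfefd (DTLS 1.2) proposed inside, no cookie yet, secp256r1 as the only curve, and a cipher-suite list containing only 0x00FF, which is the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signalling value rather than a usable suite; the EC-JPAKE suite 0xC0FF (TLS_ECJPAKE_WITH_AES_128_CCM_8) does not appear. The `analyse()` checks at the end are the ones I would compare against the intended config-thread.h setup whenever a server stays silent; the function and constant names are my own.

```python
"""Decode a DTLS 1.2 ClientHello record as dumped by the mbedtls debug log."""
import struct

# Constructed from the 'output record sent to network' hex dump in the post (83 bytes).
CLIENT_HELLO_RECORD = bytes.fromhex(
    "16feff00000000000000000046010000"
    "3a000000000000003afefd86e22cbcaa"
    "0de4cf261b25669603c90b52d965663c"
    "c721bafadf47afa6648b120000000200"
    "ff0100000e000a000400020017000b00"
    "020100"
)

CONTENT_HANDSHAKE = 22
HS_CLIENT_HELLO = 1
DTLS_1_2 = (254, 253)           # 0xfefd; the record layer may still carry 0xfeff on the first flight
SCSV_RENEGOTIATION = 0x00FF     # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746): a signal, not a suite
ECJPAKE_AES_128_CCM_8 = 0xC0FF  # TLS_ECJPAKE_WITH_AES_128_CCM_8, the suite Thread commissioning uses
EXT_SUPPORTED_CURVES = 0x000A
SECP256R1 = 0x0017


def parse_record(buf):
    """Split off the 13-byte DTLS record header; return (header dict, fragment bytes)."""
    if len(buf) < 13:
        raise ValueError("truncated DTLS record header")
    ctype, vmaj, vmin, epoch, seq_hi, seq_lo, length = struct.unpack("!BBBHHIH", buf[:13])
    if len(buf) < 13 + length:
        raise ValueError("record length %d exceeds buffer" % length)
    header = {"type": ctype, "version": (vmaj, vmin), "epoch": epoch,
              "seq": (seq_hi << 32) | seq_lo, "length": length}
    return header, buf[13:13 + length]


def parse_handshake(frag):
    """Split off the 12-byte DTLS handshake header; return (header dict, message body)."""
    if len(frag) < 12:
        raise ValueError("truncated handshake header")
    length = int.from_bytes(frag[1:4], "big")
    frag_off = int.from_bytes(frag[6:9], "big")
    frag_len = int.from_bytes(frag[9:12], "big")
    if frag_off != 0 or frag_len != length:
        raise ValueError("fragmented handshake message; reassembly not handled here")
    if len(frag) < 12 + length:
        raise ValueError("truncated handshake body")
    header = {"type": frag[0], "length": length, "msg_seq": int.from_bytes(frag[4:6], "big")}
    return header, frag[12:12 + length]


def parse_client_hello(body):
    """Decode a ClientHello body; DTLS inserts the cookie field after session_id."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    version = tuple(take(2))
    client_random = take(32)
    session_id = take(take(1)[0])
    cookie = take(take(1)[0])
    cs_len = int.from_bytes(take(2), "big")
    suites = [int.from_bytes(take(2), "big") for _ in range(cs_len // 2)]
    compression = list(take(take(1)[0]))
    ext_end = int.from_bytes(take(2), "big") + pos
    extensions = {}
    while pos < ext_end:
        etype = int.from_bytes(take(2), "big")
        extensions[etype] = take(int.from_bytes(take(2), "big"))
    if pos != len(body):
        raise ValueError("trailing bytes after extensions")
    return {"version": version, "random": client_random, "session_id": session_id,
            "cookie": cookie, "cipher_suites": suites, "compression": compression,
            "extensions": extensions}


def real_cipher_suites(hello):
    """Cipher suites actually offered, with the SCSV signalling value filtered out."""
    return [cs for cs in hello["cipher_suites"] if cs != SCSV_RENEGOTIATION]


def analyse(buf):
    """Return the findings a commissioner developer would check on a silent-server handshake."""
    rec, frag = parse_record(buf)
    if rec["type"] != CONTENT_HANDSHAKE:
        return ["record is not a handshake record"]
    hs, body = parse_handshake(frag)
    if hs["type"] != HS_CLIENT_HELLO:
        return ["handshake message is not a ClientHello"]
    hello = parse_client_hello(body)
    findings = []
    if hello["version"] != DTLS_1_2:
        findings.append("client does not propose DTLS 1.2")
    if not hello["cookie"]:
        findings.append("no HelloVerifyRequest cookie yet (normal for the first flight)")
    offered = real_cipher_suites(hello)
    if not offered:
        findings.append("no cipher suite offered besides the renegotiation SCSV")
    elif ECJPAKE_AES_128_CCM_8 not in offered:
        findings.append("TLS_ECJPAKE_WITH_AES_128_CCM_8 not offered")
    curves = hello["extensions"].get(EXT_SUPPORTED_CURVES, b"")
    curve_ids = [int.from_bytes(curves[i:i + 2], "big") for i in range(2, len(curves), 2)]
    if SECP256R1 not in curve_ids:
        findings.append("secp256r1 not in supported_elliptic_curves")
    return findings


if __name__ == "__main__":
    for finding in analyse(CLIENT_HELLO_RECORD):
        print("-", finding)
```

Running it on a capture of your own flight, or on bytes lifted from the mbedtls hex dump as above, tells you what the peer actually saw on the wire; a server that receives no acceptable cipher suite is not obliged to answer at all, so the absence of a ServerHello by itself does not distinguish a routing problem from a handshake-offer problem.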

ovidiu_usturoi
NXP Employee

Hi Ryan,

I started to look at your issue. Could you please share some Wireshark logs (Thread network, external network) to see the packet flow?

Also, did you try to run a similar setup (external commissioner) using the Thread Commissioning application (Thread 1.1 Commissioning App - Android Apps on Google Play)?

Regards,

Ovidiu
