
LAUNCHCC3235MOD: TLS 1.2 connection failure

Part Number: LAUNCHCC3235MOD
Other Parts Discussed in Thread: CC3235SF

While exploring a previous issue, I tried to enable TLS 1.2 mode. To achieve this, I disabled TLS 1.3 support in my prototype, which is based on the mqtt_client_over_tls_1_3_CC3235SF_LAUNCHXL_tirtos7_ticlang example, by switching the following macro:

-#define SUPPORT_TLS1_3              (1)
+#define SUPPORT_TLS1_3              (0)
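Review bot: flipping SUPPORT_TLS1_3 to 0 only changes which protocol version the mbedTLS handshake negotiates; the -0x7500 error reported with it ("our own certificate(s) is/are too large to send in an SSL message") is a size check on the outgoing Certificate message, which this macro does not touch. Before attributing the failure to TLS 1.2 itself, check the MBEDTLS_SSL_OUT_CONTENT_LEN / MBEDTLS_SSL_MAX_CONTENT_LEN setting in the same mbedTLS config, since that output-buffer length is what the client certificate is compared against when the error is raised.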

After trying to connect to the https://test.mosquitto.org/ public broker on port 8883 (MQTT, encrypted, unauthenticated), the following failure happens:

[SL-MBEDTLS::INFO]  Performing the mbedTLS SSL/TLS handshake...
[SL-MBEDTLS::ERROR]    Failed ! mbedtls_ssl_handshake returned -0x7500

The error means "0x7500 SSL - Our own certificate(s) is/are too large to send in an SSL message". When attempting to connect to port 8884 (MQTT, encrypted, client certificate required), I got the same failure.

I used the same certificates as in the TLS 1.3 issue. I suppose the certificates are valid, because an authenticated connection with third-party desktop software was successful.

What do I need to do to achieve a connection with TLS 1.2 with authentication?

Thanks, 

Aliaksandr. 

  • Are you setting a client certificate in this case?

    Did mbedtls_ssl_conf_own_cert return a success code, and does the failure only happen during connect?

    How long is the client certificate chain? (How many certificates are in the chain, and what are their lengths?)

  • Thanks for response. 

    Yep, I'm setting a client certificate. Also, mbedtls_ssl_conf_own_cert returns 0, which means everything should be OK:

    [SL-MBEDTLS::INFO]  [SlNetIfWifi_sockstartSec] mbedtls_ssl_conf_own_cert returned 0

    The certificate lengths are as follows:

    adub@LiL-Tommy:~/mosquitto-certs$ ls -l
    total 12
    -rwxr-xr-x 1 adub adub 1342 Jun 22 20:02 client.crt
    -rw------- 1 adub adub 1704 Jun 22 20:02 client.key
    -rwxr-xr-x 1 adub adub 1452 Jun 22 20:03 mosquitto.org.crt

    Also, I suppose my chain contains only one certificate.

    The CA certificate is issued by https://test.mosquitto.org/. It can be downloaded right here.

    Then, on the page https://test.mosquitto.org/ssl/, the client certificate was generated according to the instructions.

    Thanks,

    Aliaksander
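As an added example, not part of the thread or of TI's SDK: the question above about the chain is really about DER sizes, not the PEM file sizes that `ls -l` prints, and the -0x7500 error is raised by mbedTLS while it serialises the TLS 1.2 Certificate message into its output buffer. The desktop-side script below counts the CERTIFICATE blocks in a PEM file, decodes each one to get its DER length, and replays the same bookkeeping mbedTLS uses for that message (4-byte handshake header, 3-byte certificate_list length, 3-byte length prefix per certificate, per RFC 5246 7.4.2) against a chosen MBEDTLS_SSL_OUT_CONTENT_LEN. The 16384 default and the per-certificate bound are taken from mbedTLS; the sample "certificates" are constructed opaque payloads, not real X.509 data, so the script runs offline.

```python
import base64
import re
from typing import List, Optional, Tuple

# mbedTLS default for MBEDTLS_SSL_OUT_CONTENT_LEN. An SDK's config.h may shrink
# it; pass the value from your build instead (assumption made for this example).
DEFAULT_OUT_CONTENT_LEN = 16384

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_lengths(pem_text: str) -> List[int]:
    """DER length of every CERTIFICATE block in a PEM file.

    The PEM size shown by `ls -l` includes base64 expansion, headers and
    newlines; the handshake carries the decoded DER bytes, which is what the
    output-buffer limit applies to.
    """
    return [len(base64.b64decode("".join(m.group(1).split())))
            for m in _PEM_CERT.finditer(pem_text)]


def tls12_certificate_message_len(lengths: List[int]) -> int:
    """Total size of the TLS 1.2 Certificate handshake message (RFC 5246 7.4.2):
    4-byte handshake header, 3-byte certificate_list length, then each
    certificate prefixed by its own 3-byte length."""
    return 4 + 3 + sum(3 + n for n in lengths)


def check_fits(lengths: List[int],
               out_content_len: int = DEFAULT_OUT_CONTENT_LEN
               ) -> Tuple[bool, Optional[int], int]:
    """Replay mbedTLS's per-certificate bound.

    Writing stops with MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE (-0x7500) at the
    first certificate whose DER length plus its 3-byte prefix no longer fits in
    the output buffer once the bytes already written are counted.
    Returns (fits, index_of_offending_cert_or_None, bytes_needed_so_far).
    """
    written = 7  # handshake header + certificate_list length already emitted
    for idx, n in enumerate(lengths):
        if n > out_content_len - 3 - written:
            return (False, idx, written + 3 + n)
        written += 3 + n
    return (True, None, written)


def report(pem_text: str, out_content_len: int = DEFAULT_OUT_CONTENT_LEN) -> dict:
    """Summarise a PEM chain the way the forum question asks for it."""
    lengths = der_lengths(pem_text)
    fits, bad, needed = check_fits(lengths, out_content_len)
    return {"count": len(lengths), "der_lengths": lengths,
            "message_len": tls12_certificate_message_len(lengths),
            "fits": fits, "first_too_large": bad, "bytes_needed": needed}


def make_pem(der: bytes) -> str:
    """Wrap opaque bytes as a PEM CERTIFICATE block (64-column base64)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


# Constructed samples (not real certificates): a single ~1 KB DER payload in
# the size range of the client.crt from the thread, and a three-certificate
# chain that is too long for a 4096-byte output buffer.
SAMPLE_SINGLE = make_pem(bytes(range(256)) * 4)                 # 1024-byte DER
SAMPLE_CHAIN = "".join(make_pem(bytes([i]) * 1500) for i in range(3))

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CHAIN
    limit = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_OUT_CONTENT_LEN
    print(report(text, limit))
```

Run it as `python3 chaincheck.py client.crt 16384` (or whatever MBEDTLS_SSL_OUT_CONTENT_LEN your config sets) to see how many certificates the file actually carries and whether the Certificate message fits; if a single ~1 KB certificate reports `fits: True` at the configured limit, the -0x7500 is coming from somewhere other than the chain length, which points back at the mbedTLS configuration rather than the certificate files.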

  • If I understand correctly, this works with TLS 1.3.

    If you want to use TLS 1.2, you can use the standard TLS stack in the NWP (simply exclude "slnetifwifi.c" from the build and the default NWP implementation will be used).

    We will check this (it seems like an mbedTLS configuration issue) before the next SDK release, but this is not the preferred method when using TLS 1.2, so the priority of the issue is limited.

  • Hi, Kobi. 

    Yes, after the stack was fixed, TLS 1.3 provided by mbedTLS began to work properly. But for the case of switching between TLS 1.2 and TLS 1.3 at runtime, it looks like a potential issue.

    Thanks, 

    Aliaksandr 

  • We will check this (if you can send me more details in the private channel, it will help us recreate and solve it faster).