Closed coisme closed 6 years ago
ARM Internal Ref: MBOTRIAGE-1479
This is a bug, and we need to fix it before the next release.
Ok, thank you for your confirmation!
Hi @coisme,
Thank you for reporting this issue. I will try to answer each of your questions as best I can.
Since this change, issued date and expiration date of certificates are checked by default. ... Is this change intentional?
The change was introduced to take advantage of the RTC present in the targets that have it. This is why MBEDTLS_HAVE_TIME_DATE is only defined when DEVICE_RTC is defined in the patch you linked.
Programs that don't synchronize the RTC will fail certificate verification, including the mbed-os-example-tls/tls-client example.
This is correct. In fact, this was reported in the original PR (https://github.com/ARMmbed/mbed-os/pull/4846) that introduced the change, under "Migrations":
This patch modifies the behaviour of the X509 module in mbed TLS because now the certificate verification process will check that the certificates date/time validity is correct when it previously did not. For this to work correctly, the application needs to correctly set up the RTC with a call to set_time(). For example, this change causes the mbed TLS example application tls-client to fail.
However, I would like to point out that the failures can be avoided without the need to configure the clock. I submitted a PR (https://github.com/ARMmbed/mbed-os-example-tls/pull/109) to mbed-os-example-tls that illustrates how to do this. The idea was to have that merged shortly after the RTC patch was merged. There is also a GitHub issue reporting the problem (https://github.com/ARMmbed/mbed-os-example-tls/issues/192).
I hope this information helps, but please let me know if there are further questions.
(cc @sbutcher-arm)
Thank you for the clarification. I understand very well!
Description
Since this change, the issued date and expiration date of certificates are checked by default. Programs that don't synchronize the RTC will fail certificate verification, including the mbed-os-example-tls/tls-client example. Is this change intentional?
What target does this relate to? Targets that have an RTC are affected. In my case, FRDM-K64F.
What toolchain (name + version) are you using? GCC_ARM, gcc-arm-none-eabi-6-2017-q2-update
What tools (name + version - is it mbed-cli, online compiler or IDE) are you using? mbed-cli
What is the SHA of Mbed OS (git log -n1 --oneline)?
63f62165d (HEAD -> master, origin/master, origin/HEAD) Merge pull request #7565 from OpenNuvoton/nuc472_emac_rst
Steps to Reproduce
Use an official example program for example.
With mbed-cli, follow these steps:
$ mbed import https://github.com/ARMmbed/mbed-os-example-tls.git
$ cd mbed-os-example-tls/tls-client/
$ mbed compile -t GCC_ARM -m K64F
Run the application; the TLS connection is established successfully.
Next, let's reproduce the error. Update mbed-os and recompile.
$ cd mbed-os
$ mbed update master
$ cd ..
$ mbed compile -t GCC_ARM -m K64F
When running the application, it fails.
Cause
The cause of this issue comes from this change: https://github.com/ARMmbed/mbed-os/blob/5ced8e4fdfa8fd781c0a39b29597762cedcedec6/features/mbedtls/platform/inc/platform_mbed.h#L24-L26
If MBEDTLS_HAVE_TIME_DATE is defined, the issued date and expiration date are checked by these functions: https://github.com/ARMmbed/mbed-os/blob/63f62165d89f5562c529cd3ecb94823ce1dc7f13/features/mbedtls/src/x509.c#L999-L1017
However, the clock on the board has to be synchronized for these functions to work correctly.
Before this change, MBEDTLS_HAVE_TIME_DATE was not defined, and these functions always returned 0. The issued date and expiration date were not checked: https://github.com/ARMmbed/mbed-os/blob/63f62165d89f5562c529cd3ecb94823ce1dc7f13/features/mbedtls/src/x509.c#L1021-L1031
Is this change, which forces RTC synchronization, intentional?
Solution
Add time synchronization to the program. For example, I added NTPClient to mbed-os-example-tls/tls-client and the error was resolved: https://github.com/coisme/Hello-TLSSocket/blob/3347d1dacc1eb468608942b5e4fdf76047853165/main.cpp#L25-L28
Issue request type
[X] Question
[ ] Enhancement
[ ] Bug
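The following is an added illustration, not code from mbed OS, mbed TLS or the issue author. It models the date-validity check that MBEDTLS_HAVE_TIME_DATE turns on (mbed TLS compares the certificate's notBefore/notAfter against the platform clock and sets the BADCERT_FUTURE or BADCERT_EXPIRED verification flag) and shows why an unsynchronized RTC makes a perfectly good certificate fail: a clock that still reads the Unix epoch is earlier than every certificate's notBefore. It also shows one defensive variant that treats an obviously-unset clock as its own failure condition, so "forgot set_time()/NTP" is diagnosable rather than looking like a bad certificate. The certificate window, the build timestamp, and the names check_cert_dates, check_cert_dates_clock_aware, CERT_CLOCK_UNSET and BUILD_TIME_UTC are all constructed for this example; real mbed TLS works on mbedtls_x509_time structures via mbedtls_platform_gmtime_r rather than on raw epoch seconds.

```c
#include <stdio.h>
#include <time.h>

/* Constructed stand-in for a certificate's notBefore / notAfter fields,
 * expressed as seconds since the Unix epoch (UTC). */
typedef struct {
    const char *subject;
    time_t not_before;
    time_t not_after;
} cert_validity_t;

/* Local result flags. They mirror the role of the mbed TLS verification
 * flags MBEDTLS_X509_BADCERT_FUTURE / MBEDTLS_X509_BADCERT_EXPIRED but the
 * values are specific to this example. CERT_CLOCK_UNSET is an extra,
 * example-only flag for "the device clock was never synchronized". */
#define CERT_OK              0u
#define CERT_BADCERT_FUTURE  (1u << 0)
#define CERT_BADCERT_EXPIRED (1u << 1)
#define CERT_CLOCK_UNSET     (1u << 2)

/* Earliest plausible "now". A clock reading before the firmware was built
 * cannot have been synchronized. Constructed placeholder for a build
 * timestamp: 2018-08-01T00:00:00Z. */
static const time_t BUILD_TIME_UTC = 1533081600;

/* Date check as performed once MBEDTLS_HAVE_TIME_DATE is enabled:
 * reject if 'now' lies outside [not_before, not_after]. */
unsigned check_cert_dates(const cert_validity_t *cert, time_t now)
{
    unsigned flags = CERT_OK;
    if (now < cert->not_before) flags |= CERT_BADCERT_FUTURE;
    if (now > cert->not_after)  flags |= CERT_BADCERT_EXPIRED;
    return flags;
}

/* Same check, but fails closed with a distinct flag when the clock is
 * obviously unset (e.g. an RTC still reading the epoch), instead of
 * reporting the certificate as "not yet valid". */
unsigned check_cert_dates_clock_aware(const cert_validity_t *cert, time_t now)
{
    if (now < BUILD_TIME_UTC) return CERT_CLOCK_UNSET;
    return check_cert_dates(cert, now);
}

/* Human-readable label for a flag set, for the diagnostics below. */
const char *describe_flags(unsigned flags)
{
    if (flags == CERT_OK)              return "valid";
    if (flags & CERT_CLOCK_UNSET)      return "clock not synchronized";
    if (flags & CERT_BADCERT_FUTURE)   return "certificate not yet valid (BADCERT_FUTURE)";
    if (flags & CERT_BADCERT_EXPIRED)  return "certificate expired (BADCERT_EXPIRED)";
    return "unknown";
}

/* Constructed certificate valid 2018-07-01T00:00:00Z .. 2019-07-01T00:00:00Z. */
static const cert_validity_t EXAMPLE_CERT = {
    "CN=example.test (constructed)",
    1530403200,
    1561939200
};

int main(void)
{
    /* Constructed clock readings: an RTC that was never set (epoch 0),
     * an NTP-synchronized clock inside the window, and a clock after expiry. */
    const time_t unset_rtc   = 0;
    const time_t synced_2018 = 1533427200;  /* 2018-08-05T00:00:00Z */
    const time_t year_2020   = 1577836800;  /* 2020-01-01T00:00:00Z */

    printf("unset RTC, plain check : %s\n",
           describe_flags(check_cert_dates(&EXAMPLE_CERT, unset_rtc)));
    printf("unset RTC, clock-aware : %s\n",
           describe_flags(check_cert_dates_clock_aware(&EXAMPLE_CERT, unset_rtc)));
    printf("synced 2018            : %s\n",
           describe_flags(check_cert_dates(&EXAMPLE_CERT, synced_2018)));
    printf("year 2020              : %s\n",
           describe_flags(check_cert_dates(&EXAMPLE_CERT, year_2020)));
    return 0;
}
```

The first two lines of output are the point of the issue: with the plain check, an unset RTC turns into BADCERT_FUTURE and the handshake fails exactly as tls-client does after the update; with the clock-aware variant the same input is reported as a clock problem, which is what an application should log before falling back to synchronizing time (set_time() with an NTP result, as in the author's fix).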