eclipse-californium / californium

CoAP/DTLS Java Implementation
https://www.eclipse.org/californium/

cf-server certificate doesn't match #2254

Closed sakphea closed 2 months ago

sakphea commented 3 months ago

Hi, I am implementing CoAP over DTLS based on Californium release 3.11.0. Everything is working fine based on the secured client/server example. The challenge is that when I let the client connect to a specific IP address of the server rather than the loopback address "127.0.0.1", the handshake process fails at the certificate verification stage with this error message: [ClientHandshaker]: Start certificate verification. Error occurred while sending request: java.io.IOException: org.eclipse.californium.scandium.dtls.HandshakeException: Certificate cf-server: Literal IP x.x.x.x doesn't match!]

Can you please advise me on this issue?

boaks commented 3 months ago

I guess you use an x509 certificate on the server side. If so, a client verifies the "subject" of the x509 certificate to match the hostname. If you use the Demo Certificates, the subjects are provided in the create-keystores.sh script, and that obviously doesn't contain your hostname nor ip-address.

There are two ways to go:

"fast and dirty":

Ignore that for first tests: disable that verification on the client-side. Edit the "Californium3.properties" and change:

# DTLS verifies the server certificate's subjects.
# Default: true
DTLS.VERIFY_SERVER_CERTIFICATES_SUBJECT=true

to false.

Server Certificate with hostname and/or ip-address as subjects

An x509 tutorial is out of the scope of this project.

You may start with generating your own root, CA, and/or server certificate. See the create-keystores.sh as a point to start with. If you use your own root or CA, please add that also to the clients' trust-store.
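One way to carry out the second option with openssl alone, as an added example that is not the project's create-keystores.sh: it issues a private CA and a server certificate whose subjectAltName names the real hostname and IP literal (the field the client's subject check matches), then packs key and chain into a PKCS#12 keystore. The hostname, IP, file names and password are constructed samples, and it assumes the Californium demos load PKCS#12 stores; the CA certificate still has to be added to the client's trust-store.

```shell
#!/bin/sh
# Added example, not Californium code. Requires only openssl (1.1.1 or newer).
set -e

# make_server_cert OUTDIR HOSTNAME IPV4
#   -> OUTDIR/ca.crt, server.key, server.crt, keyStore.p12 (key + chain)
make_server_cert() {
  dir="$1"; host="$2"; ip="$3"
  mkdir -p "$dir"
  # 1. Private root CA (ECDSA P-256, a curve Californium's DTLS supports).
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 365 \
    -subj "/CN=Example Root CA" 2>/dev/null
  # 2. Server key and CSR. The CN alone is not matched; the SAN is.
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=cf-server" 2>/dev/null
  # 3. Extensions: SAN with DNS name and IP literal, serverAuth EKU.
  printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
    "$host" "$ip" > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
    -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
  # 4. PKCS#12 keystore with the server key and its chain
  #    (password "serverPass" is a constructed sample).
  openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
    -certfile "$dir/ca.crt" -name server -passout pass:serverPass \
    -out "$dir/keyStore.p12"
}

# cert_has_ip CERT IPV4 -> exit 0 if the SAN carries exactly that IP literal
cert_has_ip() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | grep -qE "IP Address:$2(,|\$)"
}

# chain_ok CA CERT -> exit 0 if CERT chains to CA (what the client checks first)
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
```

Run `cert_has_ip server.crt <ip>` before touching the client: if it fails, the "Literal IP doesn't match" error will come back regardless of the trust-store.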

sakphea commented 3 months ago

Thanks for your swift response. I managed to get the first option working right now. I will look at the second option in due course. Thank you very much.

boaks commented 3 months ago

You're welcome.

Setting up an x509 infrastructure requires some knowledge. And once you have the certificates, you need to provide them. Only a few demos support that per CLI. For most, you need to adapt the example code. If you manage to create your x509 certificate, let me know which examples you use.

sakphea commented 3 months ago

I am now using SecureServer and SecureClient under the cf-secure module inside demo-apps. I will let you know once I can generate the x509 certificate later on.

For the time being, can you please give me a bit of guidance on how to start implementing OSCORE? I find it a bit tricky to start with, unlike CoAP over DTLS, which gives me a good example to start with.

Thank you in advance.

boaks commented 3 months ago

Unfortunately, I'm not familiar with OSCORE.

There are some samples in the cf-oscore / tests, and the plugtest-server and -client also contain some samples.

sakphea commented 3 months ago

Hi, I managed to get the x509 certificate on the server side working now. The samples in cf-oscore/test pointed out by you are a good point to start for OSCORE. Thank you so much.

boaks commented 3 months ago

You're welcome.