eclipse-leshan / leshan

Java Library for LWM2M
https://www.eclipse.org/leshan/
BSD 3-Clause "New" or "Revised" License

x509 certificates Registration failed: FORBIDDEN. #813

Closed strautins closed 4 years ago

strautins commented 4 years ago

Trying to use x509 certificates following https://github.com/eclipse/leshan/wiki/Credential-files-format

In the client I am getting this result:

Trying to register to coaps://...:5684 ... 2020-02-20 14:13:02,585 ERROR DefaultRegistrationEngine - Registration failed: FORBIDDEN .

Wireshark image: two data packets and then silence.

In server logs no errors.

Is there something I am missing?

Thanks.

strautins commented 4 years ago
DEBUG Handshaker - handshake completed dtls-con: CID=94343F556D, /10.55.4.102:49510, session established F7DC383EC395, is alive
Feb 20 14:50:21 iot bash[2820]: 2020-02-20 14:50:21,427 DEBUG InMemoryConnectionStore - connection: CID=94343F556D updated usage!
Feb 20 14:50:21 iot bash[2820]: 2020-02-20 14:50:21,428 DEBUG DTLSConnector - Received APPLICATION_DATA for DTLS(10.55.4.102:49510,ID:F7DC383EC3)
Feb 20 14:50:21 iot bash[2820]: 2020-02-20 14:50:21,430 DEBUG ReliabilityLayer - Exchange[R4] send response null-4.03   MID=   -1, Token=null, OptionSet={"Content-Format":"text/plain"}, no payload, failed transmissions: 0
Feb 20 14:50:21 iot bash[2820]: 2020-02-20 14:50:21,430 DEBUG Exchange - Exchange[R4, complete]!
Feb 20 14:50:21 iot bash[2820]: 2020-02-20 14:50:21,430 DEBUG Exchange - Remote Exchange[R4, complete] completed ACK-4.03   MID=63263, Token=2878653BAEDF3457, OptionSet={"Content-Format":"text/plain"}, no payload!
Feb 20 14:50:21 iot bash[2820]: 2020-02-20 14:50:21,431 DEBUG DTLSConnector - Sending application layer message to [DTLS(10.55.4.102:49510,ID:F7DC383EC3)]

sbernard31 commented 4 years ago

If you get a "Registration Failed : FORBIDDEN" that means the handshake succeeded but the server rejected you at the application layer. The LWM2M server must check whether the DTLS security identity matches the LWM2M endpoint name and whether the device connects with the expected mode.

To which server are you trying to connect?

If this is leshan-server-demo, in the security tab you need to create a new entry to declare that your device will connect using X509.

For X509, the common name (CN) from the client certificate should be equal to the client endpoint name. (This is how this is implemented in Leshan, even if it's not clear to me whether this should be more flexible, see: https://github.com/OpenMobileAlliance/OMA_LwM2M_for_Developers/issues/257#issuecomment-589015186)

This information is visible in the leshan-client-demo help:

                ================================[X509]==================================
                | By default Leshan demo use non secure connection.                    |
                | To use X509, -ccert -cprik -scert options should be used together.   |
                | To get helps about files format and how to generate it, see :        |
                | See https://github.com/eclipse/leshan/wiki/Credential-files-format   |
                ------------------------------------------------------------------------
 -ccert <arg>   The path to your client certificate file.
                The certificate Common Name (CN) should generaly be equal to the client
                endpoint name (see -n option).
                The certificate should be in X509v3 format (DER encoding).
 -scert <arg>   The path to your server certificate file.
                The certificate should be in X509v3 format (DER encoding).

But maybe we should repeat it in the wiki page :thinking:?

I hope this is clearer, tell me if it works for you now.
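
A small stand-alone pre-flight check for the rule described above (certificate CN must equal the endpoint name), added here as an example; it is not Leshan code, and it assumes the exact-equality rule stated in this thread rather than reproducing Leshan's internal implementation. The certificate path and endpoint name are taken from the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Checks whether a client certificate's CN equals the LWM2M endpoint name
 * before the device tries to register. Example helper, not part of Leshan;
 * the exact-match rule is the one described in this issue.
 */
public class CnEndpointCheck {

    /** Load an X.509 certificate from the file passed as -ccert (DER or PEM). */
    static X509Certificate load(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Return the CN attribute of the subject DN, or null if absent. */
    static String commonName(X509Certificate cert) throws Exception {
        // getName() yields an RFC 2253 string, which LdapName can parse.
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    /** True only when a CN is present and is exactly the endpoint name. */
    static boolean matchesEndpoint(X509Certificate cert, String endpoint) throws Exception {
        String cn = commonName(cert);
        return cn != null && cn.equals(endpoint);
    }

    public static void main(String[] args) throws Exception {
        // Usage: java CnEndpointCheck <client-cert-file> <endpoint-name>
        X509Certificate cert = load(args[0]);
        String cn = commonName(cert);
        System.out.println(matchesEndpoint(cert, args[1])
            ? "OK: CN '" + cn + "' matches endpoint '" + args[1] + "'"
            : "MISMATCH: CN '" + cn + "' vs endpoint '" + args[1]
              + "' -> expect Registration failed: FORBIDDEN");
    }
}
```

A MISMATCH here is the same condition the server log above reports as a 4.03 response after a completed DTLS handshake.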

strautins commented 4 years ago

Yes, thank you! I did not read all the info :/ The Common Name (CN) was not set correctly.

sbernard31 commented 4 years ago

No problem, glad to see it works for you now.