leshan bootstrap demo server could not verify the client x509 ceritification

[schSpring]

I used leshan demo bootstrap server and leshan demo client to do the test using cert mode(x509), the bootstrap server could not verify the client certification.

The detailed process is

• Start leshan demo bootstrap server:

  java -jar ./leshan-server-demo.jar -lh 192.168.1.114 -slh 192.168.1.114 -wh 192.168.1.414

• Generate client keys and certificate (self signed/CA signed all tested) following the guide https://github.com/eclipse/leshan/wiki/Credential-files-format

• Add client bootstrap configuration (x509 cert mode)

• Start leshan demo client with bootstrap certificate and client private key and certificate java -jar ./leshan-client-demo.jar -n testca -b -u 192.168.1.133 -lh 192.168.1.123 -ccert ../ca_signed/ccert.der -scert ../bsServerCertificate.der -cprik ../ca_signed/cprik.der

The verification will fail, the log is _2021-01-20 17:00:35,601 INFO LeshanClient - Starting Leshan client ... 2021-01-20 17:00:35,623 INFO LeshanClient - Leshan client[endpoint:testca] started. 2021-01-20 17:00:35,626 INFO DefaultRegistrationEngine - Trying to start bootstrap session to coaps://192.168.1.133:5684 ... 2021-01-20 17:00:36,082 INFO CaliforniumEndpointsManager - New endpoint created for server coaps://192.168.1.133:5684 at coaps://192.168.1.123:46042 2021-01-20 17:00:36,280 INFO LeshanClientDemo - DTLS Full Handshake initiated by client : STARTED ... 2021-01-20 17:00:36,783 INFO LeshanClientDemo - DTLS Full Handshake initiated by client : FAILED (Received 'fatal alert/BAD_CERTIFICATE') 2021-01-20 17:00:36,783 INFO DefaultRegistrationEngine - Unable to send Bootstrap request : Received 'fatal alert/BADCERTIFICATE' 2021-01-20 17:00:36,790 INFO DefaultRegistrationEngine - Try to initiated bootstarp in 600s...

We check with the wireshark data, the failure is happening in the DTLS hand-shake fifth step. In this step, client sends certificates to server for verify, and server returns an error: Bad Certificate.

Could you help on this problem? Thank you!

[sbernard31]

Which version of Leshan are you using ?

[schSpring]

We use the version 1.0.2

[sbernard31]

Ok I will try to reproduce this.

[sbernard31]

Regarding your order steps :

• Start leshan demo bootstrap server
• Add client bootstrap configuration (x509 cert mode)
• Generate client keys and certificate (self signed/CA signed all tested) following the guide https://github.com/eclipse/leshan/wiki/Credential-files-format
• Start leshan demo client with bootstrap certificate and client private key and certificate

I have some concern about "adding client bootstrap config" before "generating client key and certificate". How to you fit fields below if you didn't generate credentials before ?

[schSpring]

Sorry, the sequence need to change to be : generate first and add configuration after.

[schSpring]

The configuration is configured after the certificate and private key is generated. And using xxd -p -c 512 ccert.der and xxd -p -c 512 cprik.der to change to hex format to fill in the leshan bootstrap server configuration.

[sbernard31]

Ok just tested with v1.0.2 following your steps and using self-signed certificate at client side and I succeed:

2021-01-21 15:08:12,781 INFO LeshanClient - Starting Leshan client ...
2021-01-21 15:08:12,790 INFO LeshanClient - Leshan client[endpoint:issue_960] started.
2021-01-21 15:08:12,791 INFO DefaultRegistrationEngine - Trying to start bootstrap session to coaps://localhost:5684 ...
2021-01-21 15:08:12,905 INFO CaliforniumEndpointsManager - New endpoint created for server coaps://localhost:5684 at coaps://0.0.0.0:36820
2021-01-21 15:08:12,946 INFO LeshanClientDemo - DTLS Full Handshake initiated by client : STARTED ...
2021-01-21 15:08:13,033 INFO LeshanClientDemo - DTLS Full Handshake initiated by client : SUCCEED
2021-01-21 15:08:13,043 INFO DefaultRegistrationEngine - Bootstrap started

In bootstrap config you correctly copy past value from leshan-client-demo command line ?

java -jar leshan-client-demo-1.0.2-jar-with-dependencies.jar -scert bsServerCertificate.der -ccert self_signed_cert.der -cprik cprik.der -n issue_960 -b                                    ⏎
2021-01-21 15:08:12,780 INFO LeshanClientDemo - Client uses X509 : 
 X509 Certificate (Hex): 308202093 ... ... ... .... .... .... 537dc20b 
 Private Key (Hex): 308187020100 ... ... ... 29d82e2aceb7284f83f4e3ff8

[sbernard31]

Using xxd -p -c 512 cert.der should work too. :thinking:

[schSpring]

Could you specify some details on the configuration of leshan bootstrap server? If not use xxd -p -c 512 cert.der to get hex format, how could you fit the field on the web to configure? Maybe the problem is the configuration on our side.

[sbernard31]

If not use xxd -p -c 512 cert.der to get hex format, how could you fit the field on the web to configure?

This is what I explained above, the leshan-demo-client log output give you the Hex value you can just copy/paste it.

[sbernard31]

Generate client keys and certificate (self signed/CA signed all tested)

Could you first try to make it work with self-signed certificate at client side. CA signed could be complicated. By the way if you plan to use CA signed certificate you should have a look at this https://github.com/OpenMobileAlliance/OMA_LwM2M_for_Developers/issues/502 which is a kind of limitation of the LWM2M specification.

[sbernard31]

I rethinking more about this but by default leshan-bsserver-demo should trust all certificate. (This is OK only for demo purpose) So I'm not sure how a BAD_REQUEST could be generated ? :thinking: Unless you are using the -truststore option ?

[sbernard31]

Maybe we can get more information if you activate some logs :https://github.com/eclipse/leshan/wiki/F.A.Q.#how-to-activate-more-log-

I guess org.eclipse.californium.scandium.DTLSConnector (or more radical org.eclipse.californium.scandium.dtls) in DEBUG or TRACE could help to understand the issue.

[schSpring]

Thank you for all your information, I have just tested the self-signed certificate, and the bootstrap verification passed.

[schSpring]

We will finally switch to CA signed certification, I will try to open logs to get more information on the CA certificate verification error.

[sbernard31]

For CA signed certificate, I understand the only compatible way with LWM2M is with chain like this : "Root CA" -> "client Certificate" (Because of https://github.com/OpenMobileAlliance/OMA_LwM2M_for_Developers/issues/502 at least this is my understanding)

[sbernard31]

Should we close this issue ?

[schSpring]

OK. You could close this issue.