eclipse-threadx / netxduo

Eclipse ThreadX - NetXDuo is an advanced, industrial-grade TCP/IP network stack designed specifically for deeply embedded real-time and IoT applications
https://github.com/eclipse-threadx/rtos-docs/blob/main/rtos-docs/netx-duo/index.md
MIT License

Adding root certificates to trusted certificates does not work #112

Closed rk3399 closed 2 years ago

rk3399 commented 2 years ago

For example, with "github.com": if you only add the certificate of "DigiCert Global Root CA" as a trusted certificate, NetX Duo will report a certificate error when connecting to github.com; you must add the complete certificate of github.com to connect successfully.

TiejunMS commented 2 years ago

Hi @rk3399 , did you use nx_secure_tls_remote_certificate_allocate twice to allocate buffer for two server certificates or use nx_secure_tls_session_packet_buffer_set to set a large enough buffer to hold incoming TLS record plus certificate buffer?

rk3399 commented 2 years ago


Thanks, I am using nx_secure_tls_session_packet_buffer_set to allocate 40000 bytes of memory.

TiejunMS commented 2 years ago

Do you set packet buffer to 40000 bytes or 4000 bytes? I have created a sample project here and NetX Duo is able to connect to github.com with root ca.

rk3399 commented 2 years ago


It is 40000 bytes. Thanks for the sample code, but I'm sorry that I encountered some errors that prevented it from executing. When tracing the source code, I found that the function "_nx_secure_x509_store_certificate_find" returns "NOT_FOUND". The nx_secure_x509_trusted_certificates member of the store parameter points to the single trusted root certificate, and the name parameter points to the issuer of the server certificate. If the certificate of the server certificate's issuer is added as trusted, the connection to the server succeeds. (Translated from the original Chinese.)
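The lookup behaviour described in the two comments above (the client must hold both server certificates, and the issuer lookup otherwise returns NOT_FOUND), modelled as an added example in C. This is not NetX Duo's code: the slot-count mechanism, the store layout and the "Example Intermediate CA" name are constructed stand-ins for the real X.509 parsing and buffers.

```c
#include <string.h>
/* Constructed model of the trusted/remote certificate store lookup a TLS client does
 * when validating a server chain; illustration for this thread, not NetX Duo's code. */
#define MAX_CERTS 4
#define FOUND     0
#define NOT_FOUND 1
typedef struct { const char *subject; const char *issuer; } cert_t;
typedef struct {
    cert_t trusted[MAX_CERTS]; int n_trusted;  /* certificates the client pinned */
    cert_t remote[MAX_CERTS];  int n_remote;   /* certificates received in the handshake */
    int remote_slots;                           /* allocated remote certificate slots */
} store_t;
/* Receive the server's chain: certificates beyond the allocated slots are lost,
 * as when the remote certificate/packet buffer is too small for the full chain. */
static void receive_chain(store_t *s, const cert_t *chain, int n) {
    s->n_remote = 0;
    for (int i = 0; i < n && i < s->remote_slots; i++) s->remote[s->n_remote++] = chain[i];
}
/* Look a subject name up: trusted store first, then the received certificates. */
static int store_find(const store_t *s, const char *name, const cert_t **out, int *trusted) {
    for (int i = 0; i < s->n_trusted; i++)
        if (!strcmp(s->trusted[i].subject, name)) { *out = &s->trusted[i]; *trusted = 1; return FOUND; }
    for (int i = 0; i < s->n_remote; i++)
        if (!strcmp(s->remote[i].subject, name)) { *out = &s->remote[i]; *trusted = 0; return FOUND; }
    return NOT_FOUND;
}

/* Walk issuer links from the leaf until a trusted anchor is reached. */
static int verify_chain(const store_t *s) {
    const cert_t *cur = s->n_remote ? &s->remote[0] : NULL;
    for (int hop = 0; cur && hop < MAX_CERTS; hop++) {
        const cert_t *issuer = NULL; int trusted = 0;
        if (store_find(s, cur->issuer, &issuer, &trusted) != FOUND) return NOT_FOUND;
        if (trusted) return FOUND;
        cur = issuer;
    }
    return NOT_FOUND;
}

/* Trust only the root (optionally also the intermediate), then receive the
 * server's two-certificate chain with the given number of remote slots. */
int try_handshake(int remote_slots, int trust_intermediate) {
    static const cert_t root = { "DigiCert Global Root CA", "DigiCert Global Root CA" };
    static const cert_t chain[2] = { { "github.com", "Example Intermediate CA" },
                                     { "Example Intermediate CA", "DigiCert Global Root CA" } };
    store_t s = { .remote_slots = remote_slots };
    s.trusted[s.n_trusted++] = root;
    if (trust_intermediate) s.trusted[s.n_trusted++] = chain[1];
    receive_chain(&s, chain, 2);
    return verify_chain(&s);
}
```

With one remote slot only the leaf survives and its issuer is not found anywhere, which is the NOT_FOUND path from the thread; two slots, or the workaround of trusting the intermediate, let the walk reach the root.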

TiejunMS commented 2 years ago

I suggest comparing the TLS initialization code in this source file with your local code to see what differs. The project mentioned above is best opened and run directly in GitHub Codespaces. If you need to run it locally, you can build the docker image yourself and run it in docker.

From your debug information, the TLS server certificates are not being stored correctly in the TLS session. First, please make sure you are running the latest version of NetX Duo, 6.1.11. If the problem persists, set a breakpoint here and step through to see why packet_buffer cannot be used to store the server's two certificates.

rk3399 commented 2 years ago



Yes, the problem was solved after upgrading netxduo. Thank you.