iotivity / iotivity-constrained

This mirror is deprecated. Please visit https://github.com/iotivity/iotivity-lite for forking the IoTivity-Lite project. To contribute code to the project, please visit https://www.iotivity.org/get-involved, https://www.iotivity.org/
https://iotivity.org/getting-started
Apache License 2.0

Linux SECURE mode simpleclient/simpleserver connection fail(handshake) #21

Open fengyunlai opened 6 years ago

fengyunlai commented 6 years ago

Hi everyone,

I found an issue for iotivity-constrained on ubuntu, in port/linux :

make DEBUG=1 SECURE=1

then running the ./simpleserver and ./simpleclient script which are created in port/linux.

ISSUE : Handshake fail. Simpleserver:

DEBUG: ../../security/oc_tls.c : oc_tls: Got nonce
DEBUG: ../../security/oc_tls.c : 56 4E 9D 9A 0F DC D1 FA 49 EF A2 E4 C2 C9 62 21 3B 98 91 73 54 97 49 4A 18 2D 34 AB FA 02 4A 7A BF 8A 29 8C 0F B7 B0 E5 0E 52 A8 6E 4E AE 3B F0 8B CC 6E E8 17 46 D8 32 8C FB 3F D2 5F AB 1B BA
ERROR: ../../security/oc_tls.c : oc_tls: mbedtls_error: SSL - A fatal alert message was received from our peer
DEBUG: ../../security/oc_tls.c : oc_tls: removing peer
DEBUG: ../../messaging/coap/observe.c : Unregistering observers for client at:
DEBUG: ../../messaging/coap/observe.c : [fe80:0000:0000:0000:0a00:27ff:fe59:8c23]:37360
DEBUG: ../../messaging/coap/observe.c : Removed 0 observers
mbedtls_log: ../../deps/mbedtls/library/ssl_tls.c:7634: => free
mbedtls_log: ../../deps/mbedtls/library/ssl_tls.c:7701: <= free
DEBUG: ../../api/oc_buffer.c : buffer: freed TX/RX buffer; num free: 6
DEBUG: ../../security/oc_tls.c : oc_tls: In read_application_data
DEBUG: ../../security/oc_tls.c : oc_tls: read_application_data: Peer not active

Simpleclient:

mbedtls_log: ../../deps/mbedtls/library/ssl_tls.c:2349: in_left: 25, nb_want: 25
mbedtls_log: ../../deps/mbedtls/library/ssl_tls.c:2356: <= fetch input
mbedtls_log: ../../deps/mbedtls/library/ssl_srv.c:1348: dumping 'record contents' (12 bytes)
mbedtls_log: ../../deps/mbedtls/library/ssl_srv.c:1348: 0000: 0e 00 00 00 00 03 00 00 00 00 00 00 ............
mbedtls_log: ../../deps/mbedtls/library/ssl_srv.c:1366: client hello v3, handshake type: 14
mbedtls_log: ../../deps/mbedtls/library/ssl_srv.c:1370: bad client hello message
ERROR: ../../security/oc_tls.c : oc_tls: mbedtls_error: SSL - Processing of the ClientHello handshake message failed
DEBUG: ../../security/oc_tls.c : oc_tls: removing peer
mbedtls_log: ../../deps/mbedtls/library/ssl_tls.c:7634: => free
mbedtls_log: ../../deps/mbedtls/library/ssl_tls.c:7701: <= free

The Linux security connection just fails, both for the latest version (after updating to mbedtls 2.7.0) and for the old version, which needs the mbedTLS patches applied in deps/mbedtls using:

patch -p1 < ../../patches/mbedtls_ocf_patch_1
patch -p1 < ../../patches/mbedtls_iotivity_constrained_patch_2

Is this a real issue? Does Linux simpleclient/simpleserver support SECURE=1 connection?

fengyunlai commented 6 years ago

@kmaloor Really sorry for disturbing you. May I have any advice about the procedure to run Security connection?

fengyunlai commented 6 years ago

@kmaloor Hi. Just to add some error logs:

DEBUG: ../../security/oc_tls.c : oc_tls: In PSK callback
DEBUG: ../../security/oc_tls.c : oc_tls: Found peer object
mbedtls_log: ../../deps/mbedtls/library/ssl_cli.c:2130: dumping 'Unknown PSK identity' (16 bytes)

It seems that get_psk_cb in oc_tls.c fails to find the peer credential. After tracing oc_sec_get_cred, which adds creds, I found that oc_sec_load_cred in oc_store.c:

ret = oc_storage_read(svr_tag, buf, OC_MAX_APP_DATA_SIZE);

fails to read, and then

oc_sec_decode_cred(rep, NULL, true, device);

is not called to provide the credential.

Would that error be the reason the DTLS handshake fails?

kimjj81 commented 6 years ago

I also encounter the same problem. Any progress?

micrcx commented 5 years ago

You will get the same error even if you build the project with DEBUG = 1 SECURITY = 0. Apparently the problem is the lack of a certificate. It is strange that there is no possibility of using some kind of fake certificate for developers to simply check how IoTivity Lite works:

mbedtls_log: ../../deps/mbedtls/library/ssl_tls.c:2349: in_left: 0, nb_want: 5
mbedtls_log: ../../deps/mbedtls/library/ssl_tls.c:2389: f_recv_timeout: 0 ms
mbedtls_log: ../../deps/mbedtls/library/ssl_tls.c:2397: ssl->f_recv(_timeout)() returned 15 (-0xfffffff1)
mbedtls_log: ../../deps/mbedtls/library/ssl_tls.c:2490: <= fetch input
mbedtls_log: ../../deps/mbedtls/library/ssl_srv.c:1238: dumping 'record header' (13 bytes)
mbedtls_log: ../../deps/mbedtls/library/ssl_srv.c:1238: 0000:  15 fe fd 00 00 00 00 00 00 00 03 00 02           .............
mbedtls_log: ../../deps/mbedtls/library/ssl_srv.c:1250: client hello v3, message type: 21
mbedtls_log: ../../deps/mbedtls/library/ssl_srv.c:1254: bad client hello message
ERROR: ../../security/oc_tls.c <read_application_data:938>: oc_tls: mbedtls_error: SSL - Processing of the ClientHello handshake message failed
DEBUG: ../../security/oc_tls.c <oc_tls_free_peer:115>: oc_tls: removing peer

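The two hex dumps mbedTLS prints in this thread (the 12-byte 'record contents' in the simpleclient log and the 13-byte 'record header' in micrcx's log) are a DTLS handshake header and a DTLS record header respectively, and decoding them shows what the failing side actually received. The following is an added example, not code from the original issue or from iotivity-constrained: a small parser for both headers (RFC 6347 layouts) with the logged bytes embedded as constructed input. Decoded, the 13-byte header is content type 21 (Alert), version 0xfefd (DTLS 1.2), epoch 0, sequence 3, length 2 (an alert body is exactly two bytes, level and description), and the 12-byte handshake header is message type 14 (ServerHelloDone) with message_seq 3 and zero length. In both cases mbedTLS's server-side code (ssl_srv.c) was waiting for a ClientHello, which is why it reports "bad client hello message" even though the incoming bytes are not a ClientHello at all.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DTLS record header (RFC 6347, section 4.1): 13 bytes on the wire. */
typedef struct {
    uint8_t  content_type; /* 20 ChangeCipherSpec, 21 Alert, 22 Handshake, 23 ApplicationData */
    uint16_t version;      /* 0xfefd = DTLS 1.2, 0xfeff = DTLS 1.0 */
    uint16_t epoch;
    uint64_t sequence;     /* 48-bit sequence number */
    uint16_t length;       /* length of the record body that follows */
} dtls_record_header;

/* DTLS handshake message header (RFC 6347, section 4.2.2): 12 bytes. */
typedef struct {
    uint8_t  msg_type;        /* 1 ClientHello, 2 ServerHello, 3 HelloVerifyRequest, 14 ServerHelloDone, ... */
    uint32_t length;          /* 24-bit total handshake message length */
    uint16_t message_seq;
    uint32_t fragment_offset; /* 24-bit */
    uint32_t fragment_length; /* 24-bit */
} dtls_handshake_header;

static uint32_t be16(const uint8_t *p) { return ((uint32_t)p[0] << 8) | p[1]; }
static uint32_t be24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/* Returns 0 on success, -1 if the buffer is shorter than a record header. */
int parse_dtls_record_header(const uint8_t *buf, size_t len, dtls_record_header *h)
{
    if (buf == NULL || h == NULL || len < 13)
        return -1;
    h->content_type = buf[0];
    h->version = (uint16_t)be16(buf + 1);
    h->epoch = (uint16_t)be16(buf + 3);
    h->sequence = 0;
    for (int i = 0; i < 6; i++)
        h->sequence = (h->sequence << 8) | buf[5 + i];
    h->length = (uint16_t)be16(buf + 11);
    return 0;
}

/* Returns 0 on success, -1 if the buffer is shorter than a handshake header. */
int parse_dtls_handshake_header(const uint8_t *buf, size_t len, dtls_handshake_header *h)
{
    if (buf == NULL || h == NULL || len < 12)
        return -1;
    h->msg_type = buf[0];
    h->length = be24(buf + 1);
    h->message_seq = (uint16_t)be16(buf + 4);
    h->fragment_offset = be24(buf + 6);
    h->fragment_length = be24(buf + 9);
    return 0;
}

const char *dtls_content_type_name(uint8_t t)
{
    switch (t) {
    case 20: return "ChangeCipherSpec";
    case 21: return "Alert";
    case 22: return "Handshake";
    case 23: return "ApplicationData";
    default: return "unknown";
    }
}

const char *dtls_handshake_type_name(uint8_t t)
{
    switch (t) {
    case 1:  return "ClientHello";
    case 2:  return "ServerHello";
    case 3:  return "HelloVerifyRequest";
    case 11: return "Certificate";
    case 12: return "ServerKeyExchange";
    case 14: return "ServerHelloDone";
    case 16: return "ClientKeyExchange";
    case 20: return "Finished";
    default: return "unknown";
    }
}

/* Constructed input: the bytes copied from the two mbedTLS dumps quoted in this thread. */
const uint8_t log_record_header[13] = {
    0x15, 0xfe, 0xfd, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x02
};
const uint8_t log_handshake_header[12] = {
    0x0e, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    dtls_record_header r;
    dtls_handshake_header h;
    if (parse_dtls_record_header(log_record_header, sizeof log_record_header, &r) == 0)
        printf("record: type %u (%s), version 0x%04x, epoch %u, seq %llu, length %u\n",
               r.content_type, dtls_content_type_name(r.content_type), r.version,
               r.epoch, (unsigned long long)r.sequence, r.length);
    if (parse_dtls_handshake_header(log_handshake_header, sizeof log_handshake_header, &h) == 0)
        printf("handshake: type %u (%s), length %u, message_seq %u, frag_off %u, frag_len %u\n",
               h.msg_type, dtls_handshake_type_name(h.msg_type), h.length,
               h.message_seq, h.fragment_offset, h.fragment_length);
    return 0;
}
```

Build with `cc -std=c99 -Wall dtls_hdr.c` and run; both parsers refuse short buffers instead of reading past them. This only explains what the logged bytes mean; it does not address the separate credential-lookup question (get_psk_cb / oc_sec_load_cred) raised earlier in the thread.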
jjqquu commented 4 years ago

If you build iotivity-lite with DEBUG = 1 SECURE = 0, you can run simpleserver & simpleclient happily.

make -e DEBUG = 1 -e SECURE = 0