openthread / ot-commissioner

OpenThread Commissioner, a Thread commissioner for joining new Thread devices and managing Thread networks.
https://openthread.io/
BSD 3-Clause "New" or "Revised" License

SSL: Fatal error during petitioning #221

Closed OlivierGre closed 2 years ago

OlivierGre commented 2 years ago

I have an OTBR running Thread 1.1. I'm doing the commissioning from Android OpenThread Commissioner and I'm getting this error during the petitioning phase:

[kSecurity] : SSL - A fatal alert message was received from our peer

Would you have some hints to help me to investigate this error?

Thank you

wgtdkp commented 2 years ago

Are you following https://openthread.io/guides/commissioner/build#non-ccm_configuration to set the PSKc?

You can get the PSKc from the BR with the command sudo ot-ctl pskc.

OlivierGre commented 2 years ago

@wgtdkp Thank you. Is this also needed when using Android commissioner? I don't see how "non-ccm-config.json" is used by Android openthread_commissioner.

Thanks

wgtdkp commented 2 years ago

You can follow https://openthread.io/guides/border-router/external-commissioning/android and you will see.

OlivierGre commented 2 years ago

Sure. I can explain why I asked this question:

I started working on Thread in July. I built the openthread commissioner application on an Ubuntu machine (a desktop machine) and used a border router provided by a colleague. It worked fine.

Due to COVID, I'm not always at the office, so I needed to be able to build the Android openthread commissioner app from my Windows laptop. I copied the full ot-commissioner directory (where the build had been done on Linux) to my Windows machine. I was then able to build the Android commissioner app on Windows.

Some time ago, I was playing with the OTBR CLI and I overwrote the dataset. From that point I started getting SSL errors. I learned from your message that I should set the PSKc on the Commissioner.

I'm not in the office right now (I will go on Wednesday) so I don't have access to my Linux machine. I was wondering if I could find where the PSKc information has been stored and update it manually (on my Windows machine). That's the reason for my question :o)

wgtdkp commented 2 years ago

@OlivierGre Try clearing the app data of the Android commissioner app if you run into SSL errors (https://openthread.io/guides/border-router/external-commissioning/android#thread_commissioning_app_troubleshooting).

OlivierGre commented 2 years ago

Thanks. I have tried but it didn't fix the error.

OlivierGre commented 2 years ago

@wgtdkp One question: If you take 2 OTBRs, I expect that they will have different PSKc. If this PSKc has to be known by the Android commissioner, then it can only work with the OTBR corresponding to this PSKc. Did I misunderstand something? I have used the OT commissioner with 2 different OpenThread Border Routers and it worked (NB: I don't remember if the 2 Raspberry Pis were running the same image).

jwhui commented 2 years ago

> @wgtdkp One question: If you take 2 OTBRs, I expect that they will have different PSKc. If this PSKc has to be known by the Android commissioner, then it can only work with the OTBR corresponding to this PSKc. Did I misunderstand something? I have used the OT commissioner with 2 different OpenThread Border Routers and it worked (NB: I don't remember if the 2 Raspberry Pis were running the same image).

All border routers in a typical Thread network should share the same PSKc. The PSKc is a part of the Active Operational Dataset, which is synchronized across the Thread network.

OlivierGre commented 2 years ago

@jwhui If I type the following commands, a new PSKc will be saved:

dataset init new
dataset
dataset commit active

How should I proceed if I want to have the same PSKc in every OTBR? (ideally the "default" one present in https://github.com/openthread/ot-commissioner/blob/main/src/app/etc/commissioner/non-ccm-config.json, which is "3aa55f91ca47d1e4e71a08cb35e91591")

Shall I call "pskc 3aa55f91ca47d1e4e71a08cb35e91591" before calling "dataset commit active"?

Thank you

jwhui commented 2 years ago

All Thread devices in the same Thread network should have the exact same Active Operational Dataset.

One way to achieve that is by following the Quick Start section in src/cli/README_DATASET.md

You can also use the dataset active -x and dataset set commands to copy the entire Active Operational Dataset from one device to another.

OlivierGre commented 2 years ago

@jwhui Thank you, what you indicated helped me to fix my SSL issue: I have copied the working dataset from another Raspberry Pi and copied it to my current Raspberry Pi. Now the commissioning is working fine from end to end.
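
Added example (not part of the thread and not ot-commissioner code): a small checker that parses the hex output of dataset active -x, pulls out the PSKc, and compares it with the PSKc configured on the commissioner, which is the mismatch this thread turned out to be about. It assumes the dataset is a sequence of MeshCoP TLVs with the PSKc carried as TLV type 4; the function names and the sample dataset are constructed for illustration.

```python
import hmac

# MeshCoP TLV type numbers (assumed from the Thread MeshCoP TLV encoding).
TLV_CHANNEL, TLV_PAN_ID, TLV_EXT_PAN_ID = 0, 1, 2
TLV_NETWORK_NAME, TLV_PSKC, TLV_ACTIVE_TIMESTAMP = 3, 4, 14

# Constructed sample, shaped like the output of `dataset active -x`.
SAMPLE_DATASET_HEX = (
    "0e080000000000010000"                  # Active Timestamp
    "000300000f"                            # Channel (page 0, channel 15)
    "02081111111122222222"                  # Extended PAN ID
    "030864656d6f2d6e6574"                  # Network Name "demo-net"
    "04103aa55f91ca47d1e4e71a08cb35e91591"  # PSKc
    "01021234"                              # PAN ID
)


def parse_dataset(hex_str):
    """Return {tlv_type: value_bytes} for a hex-encoded operational dataset."""
    data = bytes.fromhex(hex_str.strip())
    tlvs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError(f"truncated TLV header at offset {i}")
        tlv_type, length = data[i], data[i + 1]
        i += 2
        if length == 0xFF:  # extended TLV: 2-byte big-endian length follows
            if i + 2 > len(data):
                raise ValueError(f"truncated extended length at offset {i}")
            length = int.from_bytes(data[i:i + 2], "big")
            i += 2
        if i + length > len(data):
            raise ValueError(f"TLV {tlv_type} overruns the dataset")
        tlvs[tlv_type] = data[i:i + length]
        i += length
    return tlvs


def pskc_matches(dataset_hex, commissioner_pskc_hex):
    """True if the dataset's PSKc equals the PSKc the commissioner will use."""
    pskc = parse_dataset(dataset_hex).get(TLV_PSKC)
    if pskc is None or len(pskc) != 16:
        raise ValueError("dataset has no 16-byte PSKc TLV")
    # Constant-time comparison, since both values are key material.
    return hmac.compare_digest(pskc, bytes.fromhex(commissioner_pskc_hex))


if __name__ == "__main__":
    print(pskc_matches(SAMPLE_DATASET_HEX, "3aa55f91ca47d1e4e71a08cb35e91591"))
```

The hex dataset also carries the network key, so treat a real dump as a secret and keep it out of issue trackers and logs.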