- mbed-tls - lists.trustedfirmware.org

by Thompson, Jeff

The TLS handshake between my device and ghs.googlehosted.com gets stalled when the server sends the device a Change Cipher Spec message-the device waits forever, wanting 5 more bytes. From what I Google'd, I need to change the cipher suite I'm using. How do I know which cipher the server doesn't like (so I can avoid that in future), and which one I should be using-there are scores of these available in the config file, though some of them clearly should not be used, as they are commented that way.. Jeff Thompson | Senior Electrical Engineer-Firmware +1 704 752 6513 x1394 www.invue.com [cid:image001.gif@01D64B9D.863E3220]

5 years, 9 months

1
1
0 0

SSL/TLS Handshake Failure

by Thompson, Jeff

Much thanks to Manuel and Gilles for helping me get this far! I'm trying to connect to endpoint hosted by Google for IoT devices. The handshake appears to progress through certificate verification and key exchange, encrypts a payload and then times out waiting for 5 expected bytes. I've attached the last part of the mbedTLS output generated with DEBUG_LEVEL 5 (the entrie thing is too big to include here). I'm sure the problem is either my code, network configuration, or somewhere else on my end. Can anyone give me a clue as to what might be wrong? The starting point for attempting the connection is https_client_tls_xchg(), found in the attached snippet from the example httpsclient.c file as I've modified it. FWIW, I'm using mbedTLS 2.13.1 running on an MIMXRT1062DVJ6A with MCUXpresso SDK 2.6.2. My HTTPS client is based on NXPs example project lwip_httpscli_mbedtls_freertos. Thanks, Jeff Thompson | Senior Electrical Engineer-Firmware +1 704 752 6513 x1394 www.invue.com [cid:image001.gif@01D64AE1.D6CB8F10]

5 years, 9 months

1
0
0 0

Re: [mbed-tls] Working with a PEM file

by Gilles Peskine

[I assume you meant to reply to the list.] If you don't have a filesystem, call mbedtls_x509_crt_parse instead of mbedtls_x509_crt_parse_file. To save static data size, you may want to store the data in binary form instead of base64. To do this: 1. Split the PEM file into individual certificates. 2. Convert each file to DER (you can use programs/util/pem2der, but you need to split the file first, because it only converts the first PEM chunk). 3. Convert each binary file to a C unsigned char array literal. 4. In your code, call mbedtls_x509_crt_parse_der in a loop over the array. Your code might look something like this: const uint8_t cert1_der[] = {0x30, …}; const uint8_t cert2_der[] = {0x30, …}; … const struct {const uint8_t *data; size_t size;} root_certs_der = { {cert1_der, sizeof(cert1_der)}, … }; … mbedtls_x509_crt roots; mbedtls_x509_crt_init(&roots); for (i = 0; i < sizeof(root_certs_der)/sizeof(root_certs_der[0]); i++) mbedtls_x509_crt_parse_der(&roots, root_certs_der[i].data, root_certs_der[i].size); Best regards, -- Gilles Peskine Mbed TLS developer On 23/06/2020 23:31, Thompson, Jeff wrote: > I did see that function, but it assumes a file system, doesn't it? I'm not using one, and that would be a really big change to make this late in the development cycle, if I can avoid it. I can program the PEM file into flash memory, where it can be addressed, for reading only, just like ROM. Is there a way to use it like that? > > Jeff Thompson | Senior Electrical Engineer-Firmware > +1 704 752 6513 x1394 > www.invue.com > -----Original Message----- > From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org> On Behalf Of Gilles Peskine via mbed-tls > Sent: Tuesday, June 23, 2020 4:38 PM > To: mbed-tls(a)lists.trustedfirmware.org > Subject: Re: [mbed-tls] Working with a PEM file > > Hi Jeff, > > Don't modify or use the certificates in certs.c. The certificates in the certs module are only intended for testing and they will be moved from the library to the test code soon. They are never used automatically and should never be used outside of tests. > > The easiest way to set these root certificates is to pass the file to mbedtls_x509_crt_parse_file(). This gives you an object that represents the certificates and you can use those as the trusted CAs for certificate verification through the X.509 or TLS API. > > Your code might look like this (error checking and rest of the code > omitted): > > mbedtls_x509_crt roots; // head of the list of trusted CAs mbedtls_x509_crt_init(&roots); mbedtls_x509_crt_parse_file(&roots, "roots.pem"); … // Verify that there is a chain of trust from a certificate to one of the trusted CAs mbedtls_x509_crt_verify(&crt_to_verify, &roots, NULL, NULL, &flags, NULL, NULL); … // Use the trusted CAs for a TLS connection mbedtls_ssl_conf_ca_chain(&ssl_config, roots, NULL); … // Once the certificates are no longer used anywhere mbedtls_x509_crt_free(&roots); > > > Best regards, > > -- > Gilles Peskine > Mbed TLS developer > > On 23/06/2020 21:38, Thompson, Jeff via mbed-tls wrote: >> I’ve downloaded https://pki.goog/roots.pem and want to use the >> certificates in it with mbedTLS. Is there some documentation that >> tells me how to do this? >> >> >> >> The certs.c file only contains only a handful of certs, while the PEM >> file has nearly 40. How do I know which one to use for what purpose? >> The certs.c file has these certificate char[]’s: >> >> >> >> mbedtls_test_ca_crt_ec >> >> mbedtls_test_srv_crt_ec >> >> mbedtls_test_cli_crt_ec >> >> mbedtls_test_ca_crt_rsa >> >> mbedtls_test_ca_crt_rsa >> >> mbedtls_test_srv_crt_rsa >> >> mbedtls_test_cli_crt_rsa >> >> >> >> I’m reasonably sure I don’t need to replace mbedtls_test_cli_crt_ec >> and mbedtls_test_cli_crt_rsa, since I am not using a client >> certificate. But I’m not at all sure about whether I need to replace >> the 3 **_ca_crt_** certs, the 2 **_srv_crt_** certs, or all 5. And, if >> so, using which certs from the PEM file to replace which certs in >> certs.c?. How do I figure out what to do here? I’ve never dealt with >> cloud communication like this before, so please pardon my ignorance; >> I’m eager to learn, but overwhelmed by so much that is new to me. >> >> >> >> Thanks, >> >> >> >> *Jeff Thompson* | Senior Electrical Engineer-Firmware >> +1 704 752 6513 x1394 >> www.invue.com >> >> >> >> > > -- > mbed-tls mailing list > mbed-tls(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls

5 years, 9 months

1
0
0 0

Re: [mbed-tls] Working with a PEM file

by Gilles Peskine

Hi Jeff, Don't modify or use the certificates in certs.c. The certificates in the certs module are only intended for testing and they will be moved from the library to the test code soon. They are never used automatically and should never be used outside of tests. The easiest way to set these root certificates is to pass the file to mbedtls_x509_crt_parse_file(). This gives you an object that represents the certificates and you can use those as the trusted CAs for certificate verification through the X.509 or TLS API. Your code might look like this (error checking and rest of the code omitted): mbedtls_x509_crt roots; // head of the list of trusted CAs mbedtls_x509_crt_init(&roots); mbedtls_x509_crt_parse_file(&roots, "roots.pem"); … // Verify that there is a chain of trust from a certificate to one of the trusted CAs mbedtls_x509_crt_verify(&crt_to_verify, &roots, NULL, NULL, &flags, NULL, NULL); … // Use the trusted CAs for a TLS connection mbedtls_ssl_conf_ca_chain(&ssl_config, roots, NULL); … // Once the certificates are no longer used anywhere mbedtls_x509_crt_free(&roots); Best regards, -- Gilles Peskine Mbed TLS developer On 23/06/2020 21:38, Thompson, Jeff via mbed-tls wrote: > > I’ve downloaded https://pki.goog/roots.pem and want to use the > certificates in it with mbedTLS. Is there some documentation that > tells me how to do this? > > > > The certs.c file only contains only a handful of certs, while the PEM > file has nearly 40. How do I know which one to use for what purpose? > The certs.c file has these certificate char[]’s: > > > > mbedtls_test_ca_crt_ec > > mbedtls_test_srv_crt_ec > > mbedtls_test_cli_crt_ec > > mbedtls_test_ca_crt_rsa > > mbedtls_test_ca_crt_rsa > > mbedtls_test_srv_crt_rsa > > mbedtls_test_cli_crt_rsa > > > > I’m reasonably sure I don’t need to replace mbedtls_test_cli_crt_ec > and mbedtls_test_cli_crt_rsa, since I am not using a client > certificate. But I’m not at all sure about whether I need to replace > the 3 **_ca_crt_** certs, the 2 **_srv_crt_** certs, or all 5. And, if > so, using which certs from the PEM file to replace which certs in > certs.c?. How do I figure out what to do here? I’ve never dealt with > cloud communication like this before, so please pardon my ignorance; > I’m eager to learn, but overwhelmed by so much that is new to me. > > > > Thanks, > > > > *Jeff Thompson* | Senior Electrical Engineer-Firmware > +1 704 752 6513 x1394 > www.invue.com > > > >

5 years, 9 months

1
0
0 0

Working with a PEM file

by Thompson, Jeff

I've downloaded https://pki.goog/roots.pem and want to use the certificates in it with mbedTLS. Is there some documentation that tells me how to do this? The certs.c file only contains only a handful of certs, while the PEM file has nearly 40. How do I know which one to use for what purpose? The certs.c file has these certificate char[]'s: mbedtls_test_ca_crt_ec mbedtls_test_srv_crt_ec mbedtls_test_cli_crt_ec mbedtls_test_ca_crt_rsa mbedtls_test_ca_crt_rsa mbedtls_test_srv_crt_rsa mbedtls_test_cli_crt_rsa I'm reasonably sure I don't need to replace mbedtls_test_cli_crt_ec and mbedtls_test_cli_crt_rsa, since I am not using a client certificate. But I'm not at all sure about whether I need to replace the 3 *_ca_crt_* certs, the 2 *_srv_crt_* certs, or all 5. And, if so, using which certs from the PEM file to replace which certs in certs.c?. How do I figure out what to do here? I've never dealt with cloud communication like this before, so please pardon my ignorance; I'm eager to learn, but overwhelmed by so much that is new to me. Thanks, Jeff Thompson | Senior Electrical Engineer-Firmware +1 704 752 6513 x1394 www.invue.com [cid:image001.gif@01D64974.02162CD0]

5 years, 9 months

1
0
0 0

Re: [mbed-tls] Using mbed without a client certificate

by Manuel Pegourie-Gonnard

Hi Jeff, if you don't want to provision a client certificate in your TLS client, all you have to do is to not call `mbedtls_ssl_conf_own_cert()` in your client code. Then the library will send an empty certificate list as required by the standard. Actually in the example code you have, if you look at the second and third argument in the call to `mbedtls_ssl_conf_own_cert()`, you should be able to remove all references to those arguments, and end up with a functional example without client certificates. Also, you might want to have a look at this example from our source, which is a simple client without client-side certificates: https://github.com/ARMmbed/mbedtls/blob/development/programs/ssl/ssl_client… Hope that helps, Manuel. ________________________________ From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org> on behalf of Thompson, Jeff via mbed-tls <mbed-tls(a)lists.trustedfirmware.org> Sent: 22 June 2020 16:03 To: 'mbed-tls(a)lists.trustedfirmware.org' <mbed-tls(a)lists.trustedfirmware.org> Subject: [mbed-tls] Using mbed without a client certificate I'm usiing: #define MBEDTLS_VERSION_NUMBER 0x020D0100 #define MBEDTLS_VERSION_STRING "2.13.1" #define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.13.1" According to RFC5246: If no suitable certificate is available, the client MUST send a certificate message containing no certificates. That is, the certificate_list structure has a length of zero. How do I do this with mbedTLS? The example code I have has certificates in it and calls mbedtls_x509_crt_parse(), which wants a list of certificates and will reject a zero-length list. Jeff Thompson | Senior Electrical Engineer-Firmware +1 704 752 6513 x1394 www.invue.com [cid:image001.gif@01D64864.692FAD30]

5 years, 9 months

2
1
0 0

Re: [mbed-tls] BLE and Mbed TLS

by Janos Follath

Hi, The packet size limitations can be accommodated by using the Maximum Fragment Length extension (https://tools.ietf.org/html/rfc6066#section-4, enabled by MBEDTLS_SSL_MAX_FRAGMENT_LENGTH in Mbed TLS). In Mbed TLS this is only implemented for application data and DTLS handshake messages so far, and therefore you will need to use DTLS. Also the negotiation is driven by the client and it needs to be enabled both on the server and on the client. (See the documentation of mbedtls_ssl_conf_max_frag_len() for more details.) I hope that helps, Janos From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org> on behalf of "Fatima, Fariya via mbed-tls" <mbed-tls(a)lists.trustedfirmware.org> Reply to: "Fatima, Fariya" <Fariya.Fatima(a)Carrier.com> Date: Tuesday, 23 June 2020 at 11:47 To: "mbed-tls(a)lists.trustedfirmware.org" <mbed-tls(a)lists.trustedfirmware.org> Subject: Re: [mbed-tls] BLE and Mbed TLS Hi, Can anyone help if mbedTLS TLS/DTLS code would work on top of BLE (specifically SPP). I am not sure if the packet size limitation on SPP would make TLS work.. any pointers anyone? Would be really helpful. Regards, Fariya From: Fatima, Fariya Sent: Monday, June 15, 2020 9:21 AM To: 'mbed-tls(a)lists.trustedfirmware.org' <mbed-tls(a)lists.trustedfirmware.org> Subject: BLE and Mbed TLS Hi, I wanted to use TLS over BLE application. When I googled, I figured out that MbedTLS can work on BLE. If someone can share a sample application where-in MbedTLS APIs are used as part of a BT/BLE application, it will be of great help. Regards, Fariya

5 years, 9 months

2
2
0 0

Re: [mbed-tls] BLE and Mbed TLS

by Fatima, Fariya

Hi, Can anyone help if mbedTLS TLS/DTLS code would work on top of BLE (specifically SPP). I am not sure if the packet size limitation on SPP would make TLS work.. any pointers anyone? Would be really helpful. Regards, Fariya From: Fatima, Fariya Sent: Monday, June 15, 2020 9:21 AM To: 'mbed-tls(a)lists.trustedfirmware.org' <mbed-tls(a)lists.trustedfirmware.org> Subject: BLE and Mbed TLS Hi, I wanted to use TLS over BLE application. When I googled, I figured out that MbedTLS can work on BLE. If someone can share a sample application where-in MbedTLS APIs are used as part of a BT/BLE application, it will be of great help. Regards, Fariya

5 years, 9 months

1
0
0 0

Re: [mbed-tls] ECDH set custom private key

by Manuel Pegourie-Gonnard

Hi Oleksandr, I understand you want to validate your implementation against the test vectors in the cited reference. It's obvious, but just in case my reply is read out of context some day, I want to emphasize: what I'm recommending below is for testing purposes only, importing a private key from a public reference must never be done in production. In your situation the simplest way to proceed is probably to directly import the private and public key from the test vector to your ECDH context. For example (assuming the data in the reference is big-endian, and omitting error checking for brevity): static unsigned char private_a[32] = { 0x3f, 0x49, /* ... from the reference */ }; static unsigned char public_a[65] = { 0x04, /* this special value marks the start of an uncompressed public key */ 0x20, 0xb0, /* ... (public A(x) from the reference) */ 0xdc, 0x80, /* ... (public B(x) from the reference) */ }; static mbedtls_ecdh_context ctx_a; mbedtls_ecdh_init(&ctx_a); /* load the private/public key pair * this replaces mbedtls_ecdh_gen_public() */ mbedtls_mpi_read_binary( &ctx_a->d, private_a, sizeof( private_a ) ); /* should check errors! */ mbedtls_ecp_point_read_binary( &ctx_a->Q, public_a, sizeof( public_a ) ); /* should check errors! */ Doing the same with ctx_b and then exchanging public keys and computing the shared secret as usual, you should obtain values that match the reference. Again, this is only for validating against known test vectors. Importing a private key from a public reference must never be done in production. Hope that helps, Manuel. ________________________________ From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org> on behalf of Oleksandr Nychyporuk via mbed-tls <mbed-tls(a)lists.trustedfirmware.org> Sent: 22 June 2020 15:33 To: mbed-tls(a)lists.trustedfirmware.org <mbed-tls(a)lists.trustedfirmware.org> Subject: [mbed-tls] ECDH set custom private key Hi, I wanna configure the ECDH algorithm to repeat the following keys: [image.png] I was able to configure the algorithm, generate private and public keys on both: client and server sides. And it works as expected. The secret keys are equal on both sides. But I did not manage to calculate the secret key that is on the picture. I do not know how to set these private keys. Could someone help me to do that? Thanks,

5 years, 9 months

1
0
0 0

Using mbed without a client certificate

by Thompson, Jeff

I'm usiing: #define MBEDTLS_VERSION_NUMBER 0x020D0100 #define MBEDTLS_VERSION_STRING "2.13.1" #define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.13.1" According to RFC5246: If no suitable certificate is available, the client MUST send a certificate message containing no certificates. That is, the certificate_list structure has a length of zero. How do I do this with mbedTLS? The example code I have has certificates in it and calls mbedtls_x509_crt_parse(), which wants a list of certificates and will reject a zero-length list. Jeff Thompson | Senior Electrical Engineer-Firmware +1 704 752 6513 x1394 www.invue.com [cid:image001.gif@01D64864.692FAD30]

5 years, 9 months

1
0
0 0

2026

2025

2024

2023

2022

2021

2020

mbed-tls