Linux SECURE mode simpleclient/simpleserver connection fail(handshake)

[fengyunlai]

Hi everyone,

I found an issue for iotivity-constrained on ubuntu, in port/linux :

make DEBUG=1 SECURE=1

then running the ./simpleserver and ./simpleclient script which are created in port/linux.

ISSUE :
Handshake fail.
Simpleserver:

DEBUG: ../../security/oc_tls.c <read_application_data:876>: oc_tls: Got nonce
DEBUG: ../../security/oc_tls.c <read_application_data:877>: 56 4E 9D 9A 0F DC D1 FA 49 EF A2 E4 C2 C9 62 21 3B 98 91 73 54 97 49 4A 18 2D 34 AB FA 02 4A 7A BF 8A 29 8C 0F B7 B0 E5 0E 52 A8 6E 4E AE 3B F0 8B CC 6E E8 17 46 D8 32 8C FB 3F D2 5F AB 1B BA
ERROR: ../../security/oc_tls.c <read_application_data:894>: oc_tls: mbedtls_error: SSL - A fatal alert message was received from our peer
DEBUG: ../../security/oc_tls.c <oc_tls_free_peer:115>:
oc_tls: removing peer
DEBUG: ../../messaging/coap/observe.c <coap_remove_observer_by_client:179>: Unregistering observers for client at:
DEBUG: ../../messaging/coap/observe.c <coap_remove_observer_by_client:180>: [fe80:0000:0000:0000:0a00:27ff:fe59:8c23]:37360
DEBUG: ../../messaging/coap/observe.c <coap_remove_observer_by_client:191>: Removed 0 observers
mbedtls_log: ../../deps/mbedtls/library/ssl_tls.c:7634: => free
mbedtls_log: ../../deps/mbedtls/library/ssl_tls.c:7701: <= free
DEBUG: ../../api/oc_buffer.c <oc_message_unref:87>: buffer: freed TX/RX buffer; num free: 6
DEBUG: ../../security/oc_tls.c <read_application_data:855>: oc_tls: In read_application_data
DEBUG: ../../security/oc_tls.c <read_application_data:857>: oc_tls: read_application_data: Peer not active

Simpleclient:

mbedtls_log: ../../deps/mbedtls/library/ssl_tls.c:2349: in_left: 25, nb_want: 25
mbedtls_log: ../../deps/mbedtls/library/ssl_tls.c:2356: <= fetch input
mbedtls_log: ../../deps/mbedtls/library/ssl_srv.c:1348: dumping 'record contents' (12 bytes)
mbedtls_log: ../../deps/mbedtls/library/ssl_srv.c:1348: 0000: 0e 00 00 00 00 03 00 00 00 00 00 00 ............
mbedtls_log: ../../deps/mbedtls/library/ssl_srv.c:1366: client hello v3, handshake type: 14
mbedtls_log: ../../deps/mbedtls/library/ssl_srv.c:1370: bad client hello message
ERROR: ../../security/oc_tls.c <read_application_data:894>: oc_tls: mbedtls_error: SSL - Processing of the ClientHello handshake message failed
DEBUG: ../../security/oc_tls.c <oc_tls_free_peer:115>:
oc_tls: removing peer
mbedtls_log: ../../deps/mbedtls/library/ssl_tls.c:7634: => free
mbedtls_log: ../../deps/mbedtls/library/ssl_tls.c:7701: <= free

The Linux security connection just fail, either for the latest version that after updating to mbedtls 2.7.0, or the old version which needs to apply mbedTLS patches into deps/mbedtls using:
patch -p1 < ../../patches/mbedtls_ocf_patch_1
patch -p1 < ../../patches/mbedtls_iotivity_constrained_patch_2

Is this a real issue？ Does Linux simpleclient/simpleserver support SECURE=1 connection?

[fengyunlai]

@kmaloor Really sorry for disturbing you. May I have any advice about the procedure to run Security connection?

[fengyunlai]

@kmaloor Hi. Just to add some error logs:

DEBUG: ../../security/oc_tls.c <get_psk_cb:307>: oc_tls: In PSK callback
DEBUG: ../../security/oc_tls.c <get_psk_cb:316>: oc_tls: Found peer object
mbedtls_log: ../../deps/mbedtls/library/ssl_cli.c:2130: dumping 'Unknown PSK identity' (16 bytes)

It seems that get_psk_cb in oc_tls.c failed to find peer credential.
After tracing oc_sec_get_cred, which adds creds, I found that oc_sec_load_cred in oc_store.c ：

ret = oc_storage_read(svr_tag, buf, OC_MAX_APP_DATA_SIZE);

failed to read and then

oc_sec_decode_cred(rep, NULL, true, device);

not called to give credential.

Would that error the reason dtls handshake fail?

[kimjj81]

I also encounter same problem.
Any progress?

[micrcx]

You will get the same error even if you build a project with DEBUG = 1 SECURITY = 0. Apparently the problem is the lack of certificate. It is strange that there is no possibility of using some kind of fake certificate for developers to simply check how IoTivity Lite works:

mbedtls_log: ../../deps/mbedtls/library/ssl_tls.c:2349: in_left: 0, nb_want: 5
mbedtls_log: ../../deps/mbedtls/library/ssl_tls.c:2389: f_recv_timeout: 0 ms
mbedtls_log: ../../deps/mbedtls/library/ssl_tls.c:2397: ssl->f_recv(_timeout)() returned 15 (-0xfffffff1)
mbedtls_log: ../../deps/mbedtls/library/ssl_tls.c:2490: <= fetch input
mbedtls_log: ../../deps/mbedtls/library/ssl_srv.c:1238: dumping 'record header' (13 bytes)
mbedtls_log: ../../deps/mbedtls/library/ssl_srv.c:1238: 0000:  15 fe fd 00 00 00 00 00 00 00 03 00 02           .............
mbedtls_log: ../../deps/mbedtls/library/ssl_srv.c:1250: client hello v3, message type: 21
mbedtls_log: ../../deps/mbedtls/library/ssl_srv.c:1254: bad client hello message
ERROR: ../../security/oc_tls.c <read_application_data:938>: oc_tls: mbedtls_error: SSL - Processing of the ClientHello handshake message failed
DEBUG: ../../security/oc_tls.c <oc_tls_free_peer:115>: 
oc_tls: removing peer

[jjqquu]

if you build iotivity-lite with DEBUG = 1 SECURE = 0, you can run simpleserver & simpleclient happily.

make -e DEBUG = 1 -e SECURE = 0