DTLS with PSK #1792
Comments
|
Start reading our issue template? Answer the questions there, best you can. Provide logs and captures, as told in that issue template, maybe using our wiki page.
Therefore the issue template, to guide you, what we need to help you.
PSK is mainly used for authentication (ensure exchanging messages with right peer), the encryption is then done by negotiated keys. You don't need to care about the details, that is done by (proper) implementations. |
|
Thanks for your reply I am using the development kit nrf9160 of nordic semiconductor. The server hostname in my code is "californium.eclipseprojects.io" und peer "5683". With the PUT method of CoAP, i want to be able to send encrypted data to the peer. here is a screenhot of what i get:
|
|
And you sure, your read issue template? Anyway, RFC7252 defines two default ports: The first thing to change would be either the scheme to coaps and/or the port. |
|
By the way: please ensure first without encryption, that the coap-request are responded as intended by you. That's easier without encryption. |
Yeah i read it this time sorry, truely i also having difficulties running californium on Eclipse IDE, that's why i can present some captures from my running Californium. What i got from wireshark: |
Again read the issue template! There is a lot you easily can provide ahead! About the capture: The ClientHello contains: Cipher Suites (8 suites) With that, PSK is not proposed by the client. You must consider the documentation of the client's dtls library, who to setup the that library to use PSK. |
|
Just to mention: I run Californium from the Eclipse IDE without trouble. |
Yeah i will be able to run it for sure
here is what i got: |
|
That contains now the DNS request and response, and stops after that ... |
|
Yeah and here is what i get from my code: 2021-10-22T12_31_06.274Z-log.zip any idea of what, i can do to reach the server? |
Maybe mbedtls TLS_PEER_VERIFY helps. |
|
And you still use x509 rather then PSK. |
|
thanks very much for your support. Now i am trying to open californium with Intellij IDEA, here is what i got. any idea on how i can handle this error? |
|
Sorry, I don't use Intellij IDEA, so I can't be of too much help. It looks like, Intellij uses "mvn" to start the executable, but that starts on it's own without maven. Otherwise, you may consult the doc of the exec-maven-plugin on yourself. |
|
I tried again. Is it how it suppose to respond when Plugtestserver is started? |
|
Yes, as far as a picture can show ... |
|
Here is what i get this time from wireshark: And this one from my code: 2021-10-25T10_59_41.978Z-log.zip Meaning the network is unreachable |
Maybe. But that is hardly related to Californium. That may be an issue of:
On all that, I'm not able to help you. Once you have a IP capture from the same host, you run the Californium server, which then show the dtls messages and the Californium's logs, and you still have an issue, then I may be able to help you. |
Is PlugtestServer Californium server? |
|
yes. |
Here is all what i get when i run the californium server |
|
As I already wrote, there is a lot of "home keeping" for you, where I can't help. |
|
Thanks very much for your advices |
|
Your welcome. Just to mention it again: |
Good Morning @boaks i know i ask too much questions. But the only way for to learn is by asking questions since i am a newbee in this area and i also want to thank you for your patience, comprehension and advices. for me to run a host on californium server, does it means i have to add an Endpoint like this: server.addEndpoint(new CoapEndpoint(new InetSocketAddress("10.200.1.2", 5684))); Or should i create a new server and then add it to the list List servers = new CopyOnWriteArrayList<>();? |
Not generally, just too much for a "day before 3.0.0-RC2" :-). Your questions helps to find, what is required to be documented. But it makes me also feel, that to document things, but there are not read, doesn't help either. That may be also a sign, that the gap in experience and knowledge is larger as assumed. The host you run Californium is for me mainly defined by it's "embedding" in your network setup. That means:
And if you want to reach it from the "public internet", it even means, is your host reachable by such a public ip-address (which is different to the usage of a local one). For the first:
For many company networks, UDP is unfortunately disable and so that could not work at all. For many home PCs, their network is very often build by a dsl-router. That comes with a "local-network". Your PC reaches the public internet mostly via a NAT (integrated in the router). That enables the PC to initiate a transfer (acting as client) but not to wait/accept an incoming transfer. That would require to configure a port-forwarding on your dsl-router. If it's a cloud-machine, then it requires a lot from that hoster and the selected product. Some require to configure and enable the udp traffic explicitly, on others that's the default. On which network interface it's best to start your plugtest-server depends now mainly on your setup. Does one of the above match yours? |
My host gets an IP address automatically assigned by Dynamic Host Configuration Protocol (DHCP). So i think my host gets an IP address in random meaning it is not stable. waht do you think?
yeah, it's the company network and here are the characteristics of the ethernet: Verbindungslokale IPv6-Adresse: fe80::843c:6be9:66ce:ebfe%7 Here is a sample of the traffic in our company network: |
That's mostly a local address. You can't reach it from a public internet. If there is no tunnel, then you must ask your network admin as well. Coap usually uses port 5683/udp and 5684/udp(dtls) and your network admin must then provide you a public address and must configure a forwarding. Usually, that's not possible because of general security compliance rules. So, if the host you're using, is not reachable (by tunnel or public address), a different approach uses a "machine" in the cloud. But also that depends on your companies compliance rules. if you do it privately, many cloud providers have offers, which includes a free starter. Even with that approach, you need to check, if your companies network will allow outgoing ssh to that cloud-server (or you need to do it at the weekend from home :-) ). |
My setup is a nRF9160 DK from Nordic Semiconductor with which i am tying to connect to the californium server with an eSim card from iBasis and my laptop from my company running the californium server. if i understand for me to be able to interact (request/response) with californium server, i need a public address instead of a local address. And what is when i use a Wi-Fi with these characteristics: SSID: FRITZ!Box 7530 Loft 2.4 GHz |
|
If that would work, then everyone in your company may be able to start and operate a server. I guess this is not intended. And you don't need to ask me, it's your network administrator who knows the answer. |
|
Hello @boaks , i tried again and i traced the iteractions, here is what i got. What do you think? trace-2021-10-28T12-32-41.786Z.zip From my code i get the error 116 meaning connection timeout. Any idea on how i can handle this error: 2021-10-28T12_52_45.746Z-log.zip Thanks in advance |
|
About the trace (wireshark capture). That is "Client_identit" in UTF-8. I'm not sure, where you have your PSK credentials in order to be used with the Californium's sandbox, but one of the "interoperability test identities" is: so, maybe, if you add the missing "y" at the end, you may have a chance. |
|
Just for my information: |
Good morning @boaks Sorry for the late response I editted it myself. Here is what i get this time: trace-2021-10-28T13-58-22.731Z.zip Actually my goal is to be able to send periodic payloads to the server, when the connection and DTLS Handshake have been made. And that in PSM, the connection between client and server should still exist. |
|
Congratulations! The DTLS handshake is now successful. The CoAP request: looks for the sandbox also well, you can't PUT a new resource "secure" on the californium's sandbox.
I know your ticket at Nordic, I'm the Achim kraus, which recommend to be patient and wait, until device support DTLS Connection ID. So for now |
Without you, i won't have made it and for that i want to thank you.
Just out of curiosity, do you any programm you use to decrypted the responses from server?
ok i see thanks.
Waouh great. I read my ticket again, but to sure i understood. DTLS libraries from zephyr already supports that and i just have to wait that californium server that? In the meantime i will have to do a DTLS session resumption (make a new connection to server) and since I need my clients to be always reachable by the server at all times, I'll need to keep sending packets to prevent the NAT timeout unfortunately. Meaning my device will never sleep? |
You can do that in wireshark, if you know the "secret". I will update the "IP capture wiki" for that :-).
Vice versa :-). Californium is ready and compliant to the upcoming RFC9146. The client's libraries are require to be updated. See/watch zephyr - cid and mbedtls. What's required as next steps:
|
Even with DTLS CID, if your device must stay reachable by the server, it will never sleep! DTLS CID only helps to make the device sleeping, if always the device initiates the communication after such a sleep. That's not bound to DTLS (nor CoAP), that's about IP and what your mobile provider is offering you. To save energy, the most is saved with PSM. And with that, always the clients starts to send data. With eDRX, you may save also energy, not that much compared to PSM, but your device is "somehow" reachable. But eDRX may be not overall available. Similar as with your "companies network issue", where only your network administrator knows, what to do, for "mobile NB-IoT" only your (SIM) provider knows what to do. So you must try to get that information from there. |
|
Hello @boaks i am using the resource "create" from Plugtestserver to send a JSON payload "{"command":"periodic","type":"8","number":"33"}" using the PUT-method from CoAP, but the server response is "Bad request": trace-2021-10-29T11-50-24.530Z.zip Despite the fact that Json is one of the context format from CoAP. Can you please tell me, what i am doing wrong? May be is my annotation wrong or can i send a JSON Payload in the first place? Thanks in advance |
So, time to start to read :-). |
|
Before you start to wonder, the sandbox's ban file contains: Though it's coaps, it may be your device. If you send malicious messages, Californium will ban your device's ip-address for a while. That's also a good reason to run a coap-server on your own. CoAP options are "well defined", I'm not sure, what your client library offers as API. Some API cares for you to comply to RFC7252 5.10, others offering a raw access and your code must obey the definitions. For content-format, its: |
|
Hello @boaks , Thank you very much for the informations. I sent a Json Payload without having to do a DTLS handshake, meaning i used normal UDP. Here is what i got: For me i think the server responded properly. What do you think please? In the meantime i have the following issues:
Thanks in advance |
The payload you send is "{\n\t" 3 (bytes), I guess that's wrong
I guess, the device tries out a couple of bands, may be even not only CAT-NB also CAT-M1. The solution should come from the modem manufacturer. (I use also the nrf9160 and with my sim-card and selecting CAT_NB and the proper band of my provider, it takes about 2-3s, in some cases up to 60s.)
I don't know, what you exactly mean. Usually UDP doesn't "connect", it just send udp-messages. With dtls, these messages must be encrypted/decrypted using session/association's keys. Though this is normally referred by the ip-address/port, it only works, if your device keeps them. But AFAIK, with iBasis, that is not supported. So, back to my answer in the nordic forum: you have to wait for DTLS CID. With that, the dtls keys are referred by that cid and so static ip-address is not longer required. |
am creating my JSON Payload with the following function: cJSON * createJsonFromParams(void) return root; } The main function : Do you think it is the appropriate way of forming my JSON Payload?or will this be suitable for the server? And i really want to thank you again for helping me and for you precious time . |
|
I'm not cJSON specialist, but I guess But, when you set it as payload, the length is accidentally truncated to 3. |
Though, it's unclear, what you want to send as JSON, I can't say to much. In the last trace the content-format option seems to be well, but the payload only contains 3 bytes and was no valid JSON. Though Californium doesn't care on it's own, if the payload is valid JSON, it respond with created. |
|
Hello @boaks, it's me again. Sorry for disturbing. I can't reach the californium server over NB-IoT. Here is what i got: ERROR: getaddrinfo fehlgeschlagen -11: which stands for No more processes. what does that means for me? any idea? NB: with LTE-M everything works perfectly |
|
That's more a question for the modem's manufacturer. |
|
The only, not that brilliant work-around may be, not to use "californium.eclipseprojects.io" and instead the literal-ip-address "35.185.40.182". Or to wait a little, and retry the getaddrinfo say 5s later. |
Ok thanks for your suggestion. It worked |
|
Hi @boaks, i want to thank you once again for all your help. Because of you i really made progress and i am very grateful for that. I was able to send a same payload every 30s and the Server responded appropriately. But all of a sudden when i send the server didn't respond. Is there any reason for that or is normal? Here a a wireshark trace: Thanks in advance. |
|
I can't see any reason in the capture.
I would recommend, you start with using CON and see, if that works. |
|
Could this issue be closed? If you have further questions, please open a new issue. |
|
for sure, sorry for the late response |
Hi,
Actually i am having problems with DTLS connection and my aim is to be able to encrypt all data with a Pre Shared Key (PSK) before sending it to the californium server.
Any idea on how i may do that. I am very new in this area.
Best regards,
Cedric
The text was updated successfully, but these errors were encountered: