-
Notifications
You must be signed in to change notification settings - Fork 406
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Client rejects server request when using "CA constraint" and "trust anchor" assertion certificate usage #992
Comments
What happens ?The identity class aims to abstract identity of a foreign peer. This identity is created from different way. Client checks current identity with expected one to answer to a server : see For expected X509 Identity, we create from CN value of So how to solve this : 1) Remove the identity check by an IP address checkThis is probably the simple way to fix the issue at first sight but with more consequence when look at it deeper. 2) Find a better way than using
|
About 1) I believe you cannot just check peer address -- you also need to check port. So connection mapping is combination of peer address:port <-> local address:port. I believe this is needed for supporting devices behind NAT that are in different ports (in NAT gw). |
When DTLS is active on connection it remembers its communication partner -- if there is a breakup in communication then we do not get CoAP messages at all in upper protocol layers -- thus we do not get called at all. If this is combined with port mapping shouldn't it solve the problem? |
From client point of view the picture is a bit cleaner as it has very few communication partners for CoAP seession. Often just one (or two when bootstrapping). So as long as we are sure that we can safely communicate we should be fine? |
About 2)
Also remember that Subject Alternative Names should be used in normal configurations and in theory one could have either IPv4 or IPv6 addresses also defined. I would recommend to try to avoid parsing Please note that we do have DNS and IP Address information available in |
We agree. That was I have in mind.
As long as we support only 1 server at the time it's OK. (BS server and DM server is never active at same time)
So if PSK is compromised (or just if owner wih PSK server is malicious), it can used its credentials and spoof the X509 ipaddress-port to send request like if it was the X509 server. The other issue with solution 1) is that even if this fix this bug the current Identity for X509 still does not make sense and so we stay with a bad design ... 🤔 |
About 2) the more I thought about it the less I can imagine it could work. |
I need to think more about it ...
|
#995 aims to fix the issue. |
Some more explanation about #995. To solve this problem, there was 4 different ideas : My understanding : So #995 is based on [3] which is maybe not so clean in term of separation of concern/layer abstraction but it should work because :
(I'm curious to see how we will deal with |
If fact this affects all certificate usage case where
Server Public Key
(0/?/4) resource does not contain the end entity certificate.Meaning it works only for Domain issued certificate(3) and Service certificate constraint (1) certificate usage.
For CA constraint (0) and trust anchor assertion (2) usage, servers will receive :
error 500 INTERNAL_SERVER_ERROR unknown server
for any request sent.(Issue discovered at #983 (comment))
The text was updated successfully, but these errors were encountered: