net: lwm2m: Add support for X509 certificates #59019
Conversation
SeppoTakalo
force-pushed
the
lwm2m_dtls_x509
branch
from
162c576
to
12796b5
Compare
|
|
||
| switch (lwm2m_security_mode(ctx)) { | ||
| case LWM2M_SECURITY_PSK: | ||
| ret = zsock_setsockopt(ctx->sock_fd, SOL_TLS, TLS_CIPHERSUITE_LIST, |
There was a problem hiding this comment.
Why do we need to narrow the list of cipher suites to use, instead of letting mbedTLS to choose?
There was a problem hiding this comment.
Because when all PSK and certificate compatible cipher suites were enabled, MbedTLS tried to offer all to Client HELLO causing the handshake to always start with certificate mode.
I had to limit that in runtime to force it to PSK mode.
There was a problem hiding this comment.
Interesting, I thought mbed TLS would be smart enough not to offer certificate-based suites if there's no cerfiticate registered for the context. Ok then.
There was a problem hiding this comment.
I can see that there is difference on how MbedTLS works on Zephyr, and how nRF9160 modem works.
Looks like TLS storage content is not checked before the negotiation starts, or at least that is what I assume.
But on Nordic modem, what ciphers are offered, seem to depend on the content of the security tag.
Therefore only portable choice seem to be to select the offered cipher-suites by hand.
| @@ -0,0 +1,42 @@ | |||
| CONFIG_LWM2M_DTLS_SUPPORT=y | |||
There was a problem hiding this comment.
Shouldn't this overlay also enforce bootstrap? We're not feeding any certificates from the application.
There was a problem hiding this comment.
Not necessary.. I was testing this manually by feeding the certificates from command line.
lwm2m write 0/0/3 -s "-----BEGIN CERTIFICATE-----\x0aMIIBazCCAR...
lwm2m write 0/0/5 -s "-----BEGIN EC PRIVATE KEY-----\x0aMHcCAQE...
lwm2m write 0/0/4 -s "-----BEGIN CERTIFICATE-----\x0aMIICBzCCAa...
lwm2m write 0/0/2 -u8 2
lwm2m start secure_client
I prefer to write separate documentation as there are now 3 different security modes supported. But I would like to do that on another commit.
There was a problem hiding this comment.
Yes, an update in the documentation would be much appreciated. I'm ok with doing this separately.
SeppoTakalo
force-pushed
the
lwm2m_dtls_x509
branch
2 times, most recently
from
0e6f469
to
aa4cfdb
Compare
Add support for using X509 certificates. Default settings use ECDSA certificates with SHA256 hash. When different settings are required clients should overwrite struct lwm2m_ctx->load_credentials() and struct lwm2m_ctx->set_socketoptions() Signed-off-by: Seppo Takalo <seppo.takalo@nordicsemi.no>
SeppoTakalo
force-pushed
the
lwm2m_dtls_x509
branch
from
aa4cfdb
to
60ccb9b
Compare
|
Added a section into documentation regarding various LwM2M security modes. |
Add documentation regarding various LwM2M security modes. Signed-off-by: Seppo Takalo <seppo.takalo@nordicsemi.no>
SeppoTakalo
force-pushed
the
lwm2m_dtls_x509
branch
from
4ef96dc
to
4ad9f3c
Compare
|
Applied Pekka's documentation suggestions. |
Add support for using X509 certificates. Default settings use ECDSA certificates with SHA256 hash. When different settings are required clients should overwrite struct lwm2m_ctx->load_credentials() and struct lwm2m_ctx->set_socketoptions() Original PR zephyrproject-rtos/zephyr#59019 Signed-off-by: Seppo Takalo <seppo.takalo@nordicsemi.no> (cherry picked from commit 60ccb9b9e80cc898beeadb50d39d20459fd564c9)
|
Merging this introduced a CI failure with a test that has been introduced later. |
Add support for using X509 certificates.
Default settings use ECDSA certificates with SHA256 hash.
When different settings are required clients should overwrite struct lwm2m_ctx->load_credentials() and
struct lwm2m_ctx->set_socketoptions()