net: lwm2m: Add support for X509 certificates #59019
switch (lwm2m_security_mode(ctx)) { | ||
case LWM2M_SECURITY_PSK: | ||
ret = zsock_setsockopt(ctx->sock_fd, SOL_TLS, TLS_CIPHERSUITE_LIST, |
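Review bot: the PSK branch narrows the offered suites with TLS_CIPHERSUITE_LIST at runtime, but the hunk carries no comment saying why; add a short comment above the switch stating that without the narrowing the handshake starts in certificate mode when both PSK and certificate suites are compiled in (the reason given in the discussion below), so a later cleanup does not drop the call as redundant. Also make sure the `ret` assigned from zsock_setsockopt is checked and logged before the handshake proceeds, since a silently ignored failure would leave the socket offering the wrong suites.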
Why do we need to narrow the list of cipher suites to use, instead of letting mbedTLS to choose?
Because when all PSK and certificate compatible cipher suites were enabled, MbedTLS tried to offer them all in the Client Hello, causing the handshake to always start with certificate mode.
I had to limit that at runtime to force it to PSK mode.
Interesting, I thought mbed TLS would be smart enough not to offer certificate-based suites if there's no certificate registered for the context. Ok then.
I can see that there is a difference in how MbedTLS works on Zephyr and how the nRF9160 modem works.
Looks like the TLS storage content is not checked before the negotiation starts, or at least that is what I assume.
But on the Nordic modem, which ciphers are offered seems to depend on the content of the security tag.
Therefore the only portable choice seems to be to select the offered cipher suites by hand.
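The runtime narrowing discussed above, as an added example that is not code from this PR or from Zephyr: the list of DTLS cipher suites to offer is derived from the LwM2M security mode (resource 0/0/2) and validated before it is handed to the socket, so a PSK session can never offer certificate suites and vice versa. Assumptions: the `sec_mode` enum mirrors the LwM2M Security Mode values (0 PSK, 1 RPK, 2 certificate, 3 NoSec) rather than Zephyr's own enum; the suite numbers are the IANA TLS cipher-suite identifiers, which is what TLS_CIPHERSUITE_LIST takes; only PSK and certificate modes are mapped. On a Zephyr build the real `zsock_setsockopt` call is made; elsewhere `apply_ciphersuites` only validates and returns 0 so the logic can be exercised on a host.

```c
/*
 * Added example (not from the PR): pick DTLS cipher suites from the LwM2M
 * security mode instead of letting the TLS stack offer everything compiled in.
 */
#include <stddef.h>
#include <stdio.h>

#ifdef __ZEPHYR__
#include <zephyr/net/socket.h>
#endif

/* LwM2M Security Mode values as written to resource 0/0/2 (assumption: local
 * mirror of the spec values, not Zephyr's enum). */
enum sec_mode {
	SEC_MODE_PSK = 0,
	SEC_MODE_RAW_PK = 1,
	SEC_MODE_CERT = 2,
	SEC_MODE_NOSEC = 3,
};

/* IANA cipher-suite identifiers, the format TLS_CIPHERSUITE_LIST expects. */
#define CS_PSK_WITH_AES_128_CCM_8               0xC0A8
#define CS_PSK_WITH_AES_128_CBC_SHA256          0x00AE
#define CS_ECDHE_ECDSA_WITH_AES_128_CCM_8       0xC0AE
#define CS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  0xC02B

static const int psk_suites[] = {
	CS_PSK_WITH_AES_128_CCM_8, CS_PSK_WITH_AES_128_CBC_SHA256,
};
static const int ecdsa_suites[] = {
	CS_ECDHE_ECDSA_WITH_AES_128_CCM_8, CS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
};

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Look up the suites that belong to a mode; returns 0 for unmapped modes. */
static int suites_for_mode(enum sec_mode mode, const int **list, size_t *n)
{
	switch (mode) {
	case SEC_MODE_PSK:
		*list = psk_suites; *n = ARRAY_LEN(psk_suites); return 1;
	case SEC_MODE_CERT:
		*list = ecdsa_suites; *n = ARRAY_LEN(ecdsa_suites); return 1;
	default:
		return 0; /* NoSec has no TLS socket; RPK not covered here. */
	}
}

/* Copy the suites for `mode` into `out` (room for `max`); return the count,
 * or -1 if the mode is unmapped or the buffer is too small. */
int select_ciphersuites(enum sec_mode mode, int *out, size_t max)
{
	const int *src;
	size_t n;

	if (!suites_for_mode(mode, &src, &n) || n > max) {
		return -1;
	}
	for (size_t i = 0; i < n; i++) {
		out[i] = src[i];
	}
	return (int)n;
}

/* Defensive check before touching the socket: every suite in `list` must be
 * one that the mode is allowed to offer, and the list must not be empty. */
int list_matches_mode(enum sec_mode mode, const int *list, size_t n)
{
	const int *allowed;
	size_t na;

	if (n == 0 || !suites_for_mode(mode, &allowed, &na)) {
		return 0;
	}
	for (size_t i = 0; i < n; i++) {
		int found = 0;

		for (size_t j = 0; j < na; j++) {
			if (list[i] == allowed[j]) {
				found = 1;
			}
		}
		if (!found) {
			return 0;
		}
	}
	return 1;
}

/* Build, validate and (on Zephyr) apply the list with TLS_CIPHERSUITE_LIST. */
int apply_ciphersuites(int sock, enum sec_mode mode)
{
	int list[4];
	int n = select_ciphersuites(mode, list, ARRAY_LEN(list));

	if (n < 0 || !list_matches_mode(mode, list, (size_t)n)) {
		return -1;
	}
#ifdef __ZEPHYR__
	return zsock_setsockopt(sock, SOL_TLS, TLS_CIPHERSUITE_LIST, list,
				(socklen_t)(n * sizeof(int)));
#else
	(void)sock; /* host build: validation only */
	return 0;
#endif
}
```

Note that the mode-to-suite mapping lives in one place (`suites_for_mode`), so extending it for RPK or a different hash/curve means adding one case rather than editing two switch statements that could drift apart.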
@@ -0,0 +1,42 @@ | |||
CONFIG_LWM2M_DTLS_SUPPORT=y |
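Review bot: the new 42-line overlay only shows CONFIG_LWM2M_DTLS_SUPPORT=y here, and nothing in it says how the certificate, private key and server certificate are meant to reach the device; add a header comment to the overlay naming the security mode it targets and pointing at the provisioning path the author used (writing resources 0/0/3, 0/0/4 and 0/0/5 from the shell, per the discussion below), so the sample is usable without reading this thread.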
Shouldn't this overlay also enforce bootstrap? We're not feeding any certificates from the application.
Not necessary. I was testing this manually by feeding the certificates from the command line.
lwm2m write 0/0/3 -s "-----BEGIN CERTIFICATE-----\x0aMIIBazCCAR...
lwm2m write 0/0/5 -s "-----BEGIN EC PRIVATE KEY-----\x0aMHcCAQE...
lwm2m write 0/0/4 -s "-----BEGIN CERTIFICATE-----\x0aMIICBzCCAa...
lwm2m write 0/0/2 -u8 2
lwm2m start secure_client
I prefer to write separate documentation as there are now 3 different security modes supported. But I would like to do that on another commit.
Yes, an update in the documentation would be much appreciated. I'm ok with doing this separately.
Add support for using X509 certificates.
Default settings use ECDSA certificates with SHA256 hash.
When different settings are required clients should overwrite struct lwm2m_ctx->load_credentials() and struct lwm2m_ctx->set_socketoptions()
Signed-off-by: Seppo Takalo <seppo.takalo@nordicsemi.no>
Added a section into documentation regarding various LwM2M security modes.
Add documentation regarding various LwM2M security modes.
Signed-off-by: Seppo Takalo <seppo.takalo@nordicsemi.no>
Applied Pekka's documentation suggestions.
Add support for using X509 certificates.
Default settings use ECDSA certificates with SHA256 hash.
When different settings are required clients should overwrite struct lwm2m_ctx->load_credentials() and struct lwm2m_ctx->set_socketoptions()
Original PR zephyrproject-rtos/zephyr#59019
Signed-off-by: Seppo Takalo <seppo.takalo@nordicsemi.no>
(cherry picked from commit 60ccb9b9e80cc898beeadb50d39d20459fd564c9)
Merging this introduced a CI failure with a test that has been introduced later.