Hi,
The packet size limitations can be accommodated by using the Maximum Fragment Length extension (https://tools.ietf.org/html/rfc6066#section-4, enabled by MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
in Mbed TLS). In Mbed TLS this is only implemented for application data and DTLS handshake messages so far, and therefore you will need to use DTLS. Also the negotiation is driven by the client and it needs to be enabled both on the server and on the client.
(See the documentation of mbedtls_ssl_conf_max_frag_len() for more details.)
I hope that helps,
Janos
From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org> on behalf of "Fatima, Fariya via mbed-tls" <mbed-tls(a)lists.trustedfirmware.org>
Reply to: "Fatima, Fariya" <Fariya.Fatima(a)Carrier.com>
Date: Tuesday, 23 June 2020 at 11:47
To: "mbed-tls(a)lists.trustedfirmware.org" <mbed-tls(a)lists.trustedfirmware.org>
Subject: Re: [mbed-tls] BLE and Mbed TLS
Hi,
Can anyone help if mbedTLS TLS/DTLS code would work on top of BLE (specifically SPP). I am not sure if the packet size limitation on SPP would make TLS work.. any pointers anyone? Would be really helpful.
Regards,
Fariya
From: Fatima, Fariya
Sent: Monday, June 15, 2020 9:21 AM
To: 'mbed-tls(a)lists.trustedfirmware.org' <mbed-tls(a)lists.trustedfirmware.org>
Subject: BLE and Mbed TLS
Hi,
I wanted to use TLS over BLE application. When I googled, I figured out that MbedTLS can work on BLE. If someone can share a sample application where-in MbedTLS APIs are used as part of a BT/BLE application, it will be of great help.
Regards,
Fariya
Hi,
Can anyone help if mbedTLS TLS/DTLS code would work on top of BLE (specifically SPP). I am not sure if the packet size limitation on SPP would make TLS work.. any pointers anyone? Would be really helpful.
Regards,
Fariya
From: Fatima, Fariya
Sent: Monday, June 15, 2020 9:21 AM
To: 'mbed-tls(a)lists.trustedfirmware.org' <mbed-tls(a)lists.trustedfirmware.org>
Subject: BLE and Mbed TLS
Hi,
I wanted to use TLS over BLE application. When I googled, I figured out that MbedTLS can work on BLE. If someone can share a sample application where-in MbedTLS APIs are used as part of a BT/BLE application, it will be of great help.
Regards,
Fariya
Hi Oleksandr,
I understand you want to validate your implementation against the test vectors in the cited reference. It's obvious, but just in case my reply is read out of context some day, I want to emphasize: what I'm recommending below is for testing purposes only, importing a private key from a public reference must never be done in production.
In your situation the simplest way to proceed is probably to directly import the private and public key from the test vector to your ECDH context.
For example (assuming the data in the reference is big-endian, and omitting error checking for brevity):
static unsigned char private_a[32] = { 0x3f, 0x49, /* ... from the reference */ };
static unsigned char public_a[65] = {
0x04, /* this special value marks the start of an uncompressed public key */
0x20, 0xb0, /* ... (public A(x) from the reference) */
0xdc, 0x80, /* ... (public B(x) from the reference) */
};
static mbedtls_ecdh_context ctx_a;
mbedtls_ecdh_init(&ctx_a);
/* load the private/public key pair
* this replaces mbedtls_ecdh_gen_public() */
mbedtls_mpi_read_binary( &ctx_a->d, private_a, sizeof( private_a ) ); /* should check errors! */
mbedtls_ecp_point_read_binary( &ctx_a->Q, public_a, sizeof( public_a ) ); /* should check errors! */
Doing the same with ctx_b and then exchanging public keys and computing the shared secret as usual, you should obtain values that match the reference.
Again, this is only for validating against known test vectors. Importing a private key from a public reference must never be done in production.
Hope that helps,
Manuel.
________________________________
From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org> on behalf of Oleksandr Nychyporuk via mbed-tls <mbed-tls(a)lists.trustedfirmware.org>
Sent: 22 June 2020 15:33
To: mbed-tls(a)lists.trustedfirmware.org <mbed-tls(a)lists.trustedfirmware.org>
Subject: [mbed-tls] ECDH set custom private key
Hi,
I wanna configure the ECDH algorithm to repeat the following keys:
[image.png]
I was able to configure the algorithm, generate private and public keys on both: client and server sides. And it works as expected. The secret keys are equal on both sides.
But I did not manage to calculate the secret key that is on the picture. I do not know how to set these private keys. Could someone help me to do that?
Thanks,
I'm usiing:
#define MBEDTLS_VERSION_NUMBER 0x020D0100
#define MBEDTLS_VERSION_STRING "2.13.1"
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.13.1"
According to RFC5246:
If no suitable certificate is available,
the client MUST send a certificate message containing no
certificates. That is, the certificate_list structure has a
length of zero.
How do I do this with mbedTLS? The example code I have has certificates in it and calls mbedtls_x509_crt_parse(), which wants a list of certificates and will reject a zero-length list.
Jeff Thompson | Senior Electrical Engineer-Firmware
+1 704 752 6513 x1394
www.invue.com
[cid:image001.gif@01D64864.692FAD30]
Attaching the keys from the picture:
*7.1.2.1 P-256 Data Set 1*
*Private A*: 3f49f6d4 a3c55f38 74c9b3e3 d2103f50 4aff607b eb40b799 5899b8a6
cd3c1abd
*Private B*: 55188b3d 32f6bb9a 900afcfb eed4e72a 59cb9ac2 f19d7cfb 6b4fdd49
f47fc5fd
*Public A(x):* 20b003d2 f297be2c 5e2c83a7 e9f9a5b9 eff49111 acf4fddb
cc030148 0e359de6
*Public A(y)*: dc809c49 652aeb6d 63329abf 5a52155c 766345c2 8fed3024
741c8ed0 1589d28b
*Public B(x)*: 1ea1f0f0 1faf1d96 09592284 f19e4c00 47b58afd 8615a69f
559077b2 2faaa190
*Public B(y)*: 4c55f33e 429dad37 7356703a 9ab85160 472d1130 e28e3676
5f89aff9 15b1214a
*DHKey*: ec0234a3 57c8ad05 341010a6 0a397d9b 99796b13 b4f866f1 868d34f3
73bfa698
пн, 22 черв. 2020 о 16:33 <mbed-tls-request(a)lists.trustedfirmware.org> пише:
> Send mbed-tls mailing list submissions to
> mbed-tls(a)lists.trustedfirmware.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
> or, via email, send a message with subject or body 'help' to
> mbed-tls-request(a)lists.trustedfirmware.org
>
> You can reach the person managing the list at
> mbed-tls-owner(a)lists.trustedfirmware.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of mbed-tls digest..."
>
>
> Today's Topics:
>
> 1. ECDH set custom private key (Oleksandr Nychyporuk)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 22 Jun 2020 16:33:15 +0300
> From: Oleksandr Nychyporuk <olexandr.nychyporuk(a)gmail.com>
> To: mbed-tls(a)lists.trustedfirmware.org
> Subject: [mbed-tls] ECDH set custom private key
> Message-ID:
> <CAAjyQQ4kQ8J-iVSV_yputKD83G9Aj65fYEWJ=
> ObPTeptXogghw(a)mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> I wanna configure the ECDH algorithm to repeat the following keys:
> [image: image.png]
>
> I was able to configure the algorithm, generate private and public keys on
> both: client and server sides. And it works as expected. The secret keys
> are equal on both sides.
> But I did not manage to calculate the secret key that is on the picture. I
> do not know how to set these private keys. Could someone help me to do
> that?
>
> Thanks,
>
Hi,
I wanna configure the ECDH algorithm to repeat the following keys:
[image: image.png]
I was able to configure the algorithm, generate private and public keys on
both: client and server sides. And it works as expected. The secret keys
are equal on both sides.
But I did not manage to calculate the secret key that is on the picture. I
do not know how to set these private keys. Could someone help me to do that?
Thanks,
Hello,
I am trying to incorporate Mutual Authentication TLS in my hardware. For testing the mutual authentication in TLS, I setup a demo service which would request a client certificate in the TLS handshake. I used MS Edge, Google Chrome to test whether the service requests a client certificate during the TLS 1.2 handshake. When I ping the website, I do receive a request for a client certificate as shown in the image below. On selecting a certificate, I am able to access the website.
Link to the demo service: https://serviceforsomsecurity.azurewebsites.net/
[A screenshot of a cell phone Description automatically generated]
The above validates that the service requires the client to provide the client certificate during the TLS handshake.
Now, when I test this with the sample mbedTLS ssl_client2.c program: https://github.com/ARMmbed/mbedtls/blob/development/programs/ssl/ssl_client…, the client does not send a certificate at all.
The following are the steps that I carry out to test the TLS connection with my service with the sample mbedTLS ssl_client2.exe :
1. Open the mbedTLS.sln and build the ssl_client2 project. This creates a ssl_client2.exe under the Debug folder.
2. ssl_client2.exe server_name=serviceforsomsecurity.azurewebsites.net server_port=443 debug_level=3 auth_mode=required reconnect=1 crt_file=cert.pem key_file=key.pem ca_file=Digicert.cer force_version=tls1_2
The above command to test whether the client sends the client certificate during handshake. Here's the log:
[A screenshot of a computer Description automatically generated]
As you can see, in 3025 client receives: got no certificate request and then followed by server hello done at 3157. And then at 2080 & 2094, client skips writing certificate; during this handshake.
3. Then I tried including renegotiation flag:
ssl_client2.exe server_name=serviceforsomsecurity.azurewebsites.net server_port=443 debug_level=3 auth_mode=required reconnect=1 crt_file=cert.pem key_file=key.pem ca_file=Digicert.cer force_version=tls1_2 renegotiate=1
Even in this case, the client does not get the certificate and abruptly ends during renegotiation due to timeout.
I have included both the log files below for complete handshake review. [ssl_client_without_renegotiation.txt and ssl_client_with_renegotiation.txt]
Can you please let me know how to debug this client certificate problem? It will be really a great help!
Million thanks in advance.
Regards,
Abhilash
Hello Sir/Madam,
I work in Espressif Systems. I am currently working on providing an alternate hardware RSA sign implementation for mbedtls software sign for Espressif's new chip ESP32S2. I have gone through mbedTLS API in detail but I dont see any option where I can only replace mbedTLS software sign function with our hardware sign function .
I have gone through the issue https://tls.mbed.org/discussions/generic/using-an-external-rsa-private-key I have seen that there is a function named `mbedtls_pk_setup_rsa_alt` where we only register private key related function to the ALT_CTX which mbedtls uses to perform RSA sign. but this is not supported for TLS connections.
I have seen that there is MBEDTLS_RSA_ALT option in mbedTLS where we can provide alternate function to many of mbedTLS API, but we do not want to change any of the other functions, just provide alternate implementation of hardware sign. If we go with this way, there will be lot of duplicate code which will be needed to be maintained.
can mbedTLS provide option to use mbedtls_rsa_alt context in its file `pkparse.c` so as to allow rsa sign using an extrnal private key.
Thanks and Regards,
Aditya
P.S. - I raised the same issue yesterday, my issue was rejected stating I have not subscribed to the mailing-list. But I had already done that. I tried to subscribe again and it also said you are already subscribed.
