February 2022 - mbed-tls - lists.trustedfirmware.org

by kirilllatyshov99＠gmail.com

Good afternoon, I'm trying to implement TLS 1.2. for MMS using the library libiec61850. When a connection is established, the interaction is interrupted at the stage "Client Key Exchange". Also, when monitoring the interaction through wireshark, I see that an error is displayed at the "Certificate Request" stage. I use default certificates, the project is built through CMake on Windows and TLS 1.1. works flawlessly. In the file tls_mbedtls.c I changed only the values of the minimum and maximum versions to TLS 1.2. Thank you in advance for your response.

2 years, 9 months

1
0
0 0

Reminder: MBed TLS Technical Forum - Asia

by don.harbin＠linaro.org

Hi All, A gentle reminder that the Asia-Europe timezone-friendly MBest TLS Tech forum is next Monday. If you have any topics, please let Dave Rodgman know. :) Best regards, Don Title: MBed TLS Technical Forum - Asia Trusted Firmware is inviting you to a scheduled Zoom meeting. Topic: MBed TLS Technical Forum - Asia Time: Nov 8, 2021 10:00 AM London Every 4 weeks on Mon, 20 occurrence(s) Nov 8, 2021 10:00 AM Dec 6, 2021 10:00 AM Jan 3, 2022 10:00 AM Jan 31, 2022 10:00 AM Feb 28, 2022 10:00 AM Mar 28, 2022 10:00 AM Apr 25, 2022 10:00 AM May 23, 2022 10:00 AM Jun 20, 2022 10:00 AM Jul 18, 2022 10:00 AM Aug 15, 2022 10:00 AM Sep 12, 2022 10:00 AM Oct 10, 2022 10:00 AM Nov 7, 2022 10:00 AM Dec 5, 2022 10:00 AM Jan 2, 2023 10:00 AM Jan 30, 2023 10:00 AM Feb 27, 2023 10:00 AM Mar 27, 2023 10:00 AM Apr 24, 2023 10:00 AM Please download and import the following iCalendar (.ics) files to your calendar system. Weekly: https://linaro-org.zoom.us/meeting/tJ0kc-GsqDktHNGa8CWl6wJ7je6CKD-5zgh8/ics… Join Zoom Meeting https://linaro-org.zoom.us/j/99948462765?pwd=SGlHYlF1Z2owUDNFWWppaGlSRDh5UT… Meeting ID: 999 4846 2765 Passcode: 196117 One tap mobile +12532158782,,99948462765# US (Tacoma) +13462487799,,99948462765# US (Houston) Dial by your location +1 253 215 8782 US (Tacoma) +1 346 248 7799 US (Houston) +1 669 900 9128 US (San Jose) +1 301 715 8592 US (Washington DC) +1 312 626 6799 US (Chicago) +1 646 558 8656 US (New York) 888 788 0099 US Toll-free 877 853 5247 US Toll-free Meeting ID: 999 4846 2765 Find your local number: https://linaro-org.zoom.us/u/anpWWkRdt When: Mon Feb 28, 2022 3am – 3:50am Mountain Standard Time - Phoenix Who: * Don Harbin - creator * psa-crypto(a)lists.trustedfirmware.org * mbed-tls(a)lists.trustedfirmware.org * nnac123(a)gmail.com * santosdanillo(a)gmail.com

2 years, 9 months

1
0
0 0

Re: ssl_server2 failed with mbedtls_ssl_handshake returned error -30976

by Dave Rodgman

Hi Dmitrij, (Please note, I've moved this question to the main Mbed TLS list as this is the right place for this kind of question). I've tested our example ssl_client2 against test.mosquitto.org, using a client certificate & key generated via https://test.mosquitto.org/ssl/index.php, and CA file from https://test.mosquitto.org/. This connects properly using the command line: ./ssl_client2 server_addr=test.mosquitto.org server_port=8884 ca_file=mosquitto.org.crt server_name=test.mosquitto.org crt_file=client.crt key_file=client.key Similarly, OpenSSL succeeds using the same certificates: openssl s_client -connect test.mosquitto.org:8884 -CAfile mosquitto.org.crt -servername test.mosquitto.org -cert client.crt -key client.key However, if I omit the client key (i.e. remove "-key client.key"), Mbed TLS fails in the manner you describe. It looks like you are not supplying the client key? Regards Dave Rodgman On 21/02/2022, 10:55, "Dmitrij Shabroff via Mbed-tls-announce via mbed-tls" <mbed-tls(a)lists.trustedfirmware.org> wrote: Good day Please answer my questions - there is very little literature on the topic. I do not know what to do. I have dealt with the message [2:40] issue. I did not enroll the user certificate using: if((ret = mbedtls_ssl_conf_own_cert(&conf, &clicert, &pkey))!= 0) and this certificate was not transmitted. Now I have taken it a step further, the certificate is successfully transferred and the server does not break the connection. I switched to TLS 1.3. ---------------------------------------------------------------------- But in your examples, I see the use of two certificates: mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); ret = mbedtls_ssl_conf_own_cert( &conf, &clicert, &pkey ) ) And also the key: ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_cli_key, mbedtls_test_cli_key_len, NULL, 0, rng_get, &rng ); In my version, I only have a client certificate. I working with https://test.mosquitto.org/ Would you advise where to get the missing certificates and where to get the key for the mbedtls_pk_parse_key function? ---------------------------------------------------------------------- Now in both functions I use the same certificate and a PCA key from the example. I get a message: ..\Src\mbedTLS\library\ssl_msg.c:4645:got an alert message, type: [2:51] ..\Src\mbedTLS\library\ssl_msg.c:4653:is a fatal alert message (msg 51) ..\Src\mbedTLS\library\ssl_msg.c:3763:mbedtls_ssl_handle_message_type() returned -30592 (-0x7780) ..\Src\mbedTLS\library\ssl_msg.c:4771:mbedtls_ssl_read_record() returned -30592 (-0x7780) Sincerely, Shabrov Dmitry >Понедельник, 7 февраля 2022, 16:28 +03:00 от B Mahesh via Mbed-tls-announce via mbed-tls <mbed-tls(a)lists.trustedfirmware.org>: > >Hi , > > > >*Problem description :* > > > >Trying to run example >https://github.com/ARMmbed/mbedtls/blob/master/programs/ssl/ssl_server2.c . > >Updated ssl_server2 port to listen on 7777 for incoming client request >,ssl_server2 >will be waiting for remote connection continuously. > >There was no client request for connection on this port, but still server >is getting some spurious connection request and goes for handshake and >fails with below error code. > > > >Error code: mbedtls_ssl_handshake returned error -30976 > > > > >*Steps to reproduce: =============* > > 1. start ssl_server2 program > 2. Monitor for ssl_server2 connection waiting , observe ssl_server2 will > accept spurious connection request and goes for handshake and fails >with above > mentioned error code. > > > >*Expected behavior:* >ssl_server2 wait for remote connection infinitely and connect to valid >client request and perform handshake every time. > > >*Actual behavior:* >Occasionally ssl_server2 will accept spurious connection request and goes >for handshake and fails with below error code. > > > >Error code: >mbedtls_ssl_handshake returned error -30976 on ssl_server2 > > > >*Analysis:* > >As per below logs what we understand is ssl_server2 will accept spurious >connection request and goes for handshake and fails with error code >-30796 ,MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO >on ssl_server2 side . > > > >Can you please help us to understand this behavior? > >What could be the reason for ssl_server2 to connect to a spurious >connection request?, as mentioned above there was no client request for >connection on this ssl_server2 port( 7777) . > >We have tried this on other SERVER_PORT as well . > > > >*Logs Snippet:* > >*==========* > > > >. Seeding the random number generator... ok > > . Loading the CA root certificate ... ok (0 skipped) > > . Loading the server cert. and key... ok > > . Bind on tcp://*:7777/ ... ok > > . Setting up the SSL/TLS structure... ok > > . Waiting for a remote connection ...ok > > . Performing the SSL/TLS handshake... failed > > ! mbedtls_ssl_handshake returned -0x7900 > > > >Last error was: -30976 - SSL - Processing of the ClientHello handshake >message failed > > > > . Waiting for a remote connection ... ok > > . Performing the SSL/TLS handshake... failed > > ! mbedtls_ssl_handshake returned -0x7900 > > > >Last error was: -30976 - SSL - Processing of the ClientHello handshake >message failed > > > > . Waiting for a remote connection ... ok > > . Performing the SSL/TLS handshake... failed > > ! mbedtls_ssl_handshake returned -0x7900 > > > >Last error was: -30976 - SSL - Processing of the ClientHello handshake >message failed > > > >Regards >Mahesh >-- >Mbed-tls-announce mailing list -- mbed-tls-announce(a)lists.trustedfirmware.org >To unsubscribe send an email to mbed-tls-announce-leave(a)lists.trustedfirmware.org >-- >mbed-tls mailing list -- mbed-tls(a)lists.trustedfirmware.org >To unsubscribe send an email to mbed-tls-leave(a)lists.trustedfirmware.org -- Mbed-tls-announce mailing list -- mbed-tls-announce(a)lists.trustedfirmware.org To unsubscribe send an email to mbed-tls-announce-leave(a)lists.trustedfirmware.org -- mbed-tls mailing list -- mbed-tls(a)lists.trustedfirmware.org To unsubscribe send an email to mbed-tls-leave(a)lists.trustedfirmware.org

2 years, 9 months

2
1
0 0

TLS PSK display X.509 verified

by Subramanian Gopi Krishnan

Hi, I am evaluating TLS PSK capability on mbedlts-2.16.12 by running following command. I modified TLS client to have only PSK and removed all private key and certificate related code. However, the servier indicated x.509 verification ok. What is it? ./a.out ok . Performing the SSL/TLS handshake... ok [ Protocol is TLSv1.2 ] [ Ciphersuite is TLS-PSK-WITH-AES-128-GCM-SHA256 ] [ Record expansion is 29 ] . Closing the connection... done ./ssl_server2 psk="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" psk_list="Client_identity","AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256 . Seeding the random number generator... ok . Loading the CA root certificate ... ok (0 skipped) . Loading the server cert. and key... ok . Bind on tcp://*:4433/ ... ok . Setting up the SSL/TLS structure... ok . Waiting for a remote connection ... ok . Performing the SSL/TLS handshake... ok [ Protocol is TLSv1.2 ] [ Ciphersuite is TLS-PSK-WITH-AES-128-GCM-SHA256 ] [ Record expansion is 29 ] [ Maximum fragment length is 16384 ] . Verifying peer X.509 certificate... ok < Read from client: 34 bytes read GET / HTTP/1.0 Extra-header: > Write to client: 144 bytes written in 1 fragments HTTP/1.0 200 OK Content-Type: text/html <h2>mbed TLS Test Server</h2> <p>Successful connection using: TLS-PSK-WITH-AES-128-GCM-SHA256</p> . Closing the connection... done . Waiting for a remote connection ... Thanks, Gopi Krishnan

2 years, 9 months

2
1
0 0

Re: TLS PSK display X.509 verified

by Hannes Tschofenig

Hi Gopi, When you say "I modified TLS client to have only PSK and removed all private key and certificate related code." did you set the C processor directives in the include/mbedtls/mbedtls_config.h file? To me it seems that you didn't do this and hence you still use the default configuration settings, which means that all PKI-related code is compiled into your binary. Ciao Hannes From: Subramanian Gopi Krishnan via mbed-tls <mbed-tls(a)lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org>> Sent: Tuesday, February 22, 2022 12:15 PM To: mbed-tls(a)lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org> Subject: [mbed-tls] TLS PSK display X.509 verified Hi, I am evaluating TLS PSK capability on mbedlts-2.16.12 by running following command. I modified TLS client to have only PSK and removed all private key and certificate related code. However, the servier indicated x.509 verification ok. What is it? ./a.out ok . Performing the SSL/TLS handshake... ok [ Protocol is TLSv1.2 ] [ Ciphersuite is TLS-PSK-WITH-AES-128-GCM-SHA256 ] [ Record expansion is 29 ] . Closing the connection... done ./ssl_server2 psk="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" psk_list="Client_identity","AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256 . Seeding the random number generator... ok . Loading the CA root certificate ... ok (0 skipped) . Loading the server cert. and key... ok . Bind on tcp://*:4433/ ... ok . Setting up the SSL/TLS structure... ok . Waiting for a remote connection ... ok . Performing the SSL/TLS handshake... ok [ Protocol is TLSv1.2 ] [ Ciphersuite is TLS-PSK-WITH-AES-128-GCM-SHA256 ] [ Record expansion is 29 ] [ Maximum fragment length is 16384 ] . Verifying peer X.509 certificate... ok < Read from client: 34 bytes read GET / HTTP/1.0 Extra-header: > Write to client: 144 bytes written in 1 fragments HTTP/1.0 200 OK Content-Type: text/html <h2>mbed TLS Test Server</h2> <p>Successful connection using: TLS-PSK-WITH-AES-128-GCM-SHA256</p> . Closing the connection... done . Waiting for a remote connection ... Thanks, Gopi Krishnan

2 years, 9 months

1
0
0 0

[Mbed-tls-announce] ssl_server2 failed with mbedtls_ssl_handshake returned error -30976

by B Mahesh via Mbed-tls-announce

Hi , *Problem description :* Trying to run example https://github.com/ARMmbed/mbedtls/blob/master/programs/ssl/ssl_server2.c . Updated ssl_server2 port to listen on 7777 for incoming client request ,ssl_server2 will be waiting for remote connection continuously. There was no client request for connection on this port, but still server is getting some spurious connection request and goes for handshake and fails with below error code. Error code: mbedtls_ssl_handshake returned error -30976 *Steps to reproduce: =============* 1. start ssl_server2 program 2. Monitor for ssl_server2 connection waiting , observe ssl_server2 will accept spurious connection request and goes for handshake and fails with above mentioned error code. *Expected behavior:* ssl_server2 wait for remote connection infinitely and connect to valid client request and perform handshake every time. *Actual behavior:* Occasionally ssl_server2 will accept spurious connection request and goes for handshake and fails with below error code. Error code: mbedtls_ssl_handshake returned error -30976 on ssl_server2 *Analysis:* As per below logs what we understand is ssl_server2 will accept spurious connection request and goes for handshake and fails with error code -30796 ,MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO on ssl_server2 side . Can you please help us to understand this behavior? What could be the reason for ssl_server2 to connect to a spurious connection request?, as mentioned above there was no client request for connection on this ssl_server2 port( 7777) . We have tried this on other SERVER_PORT as well . *Logs Snippet:* *==========* . Seeding the random number generator... ok . Loading the CA root certificate ... ok (0 skipped) . Loading the server cert. and key... ok . Bind on tcp://*:7777/ ... ok . Setting up the SSL/TLS structure... ok . Waiting for a remote connection ...ok . Performing the SSL/TLS handshake... failed ! mbedtls_ssl_handshake returned -0x7900 Last error was: -30976 - SSL - Processing of the ClientHello handshake message failed . Waiting for a remote connection ... ok . Performing the SSL/TLS handshake... failed ! mbedtls_ssl_handshake returned -0x7900 Last error was: -30976 - SSL - Processing of the ClientHello handshake message failed . Waiting for a remote connection ... ok . Performing the SSL/TLS handshake... failed ! mbedtls_ssl_handshake returned -0x7900 Last error was: -30976 - SSL - Processing of the ClientHello handshake message failed Regards Mahesh -- Mbed-tls-announce mailing list -- mbed-tls-announce(a)lists.trustedfirmware.org To unsubscribe send an email to mbed-tls-announce-leave(a)lists.trustedfirmware.org

2 years, 9 months

2
2
0 0

MBEDTLS_ERR_CIPHER_ALLOC_FAILED on Embedded Platform

by Subramanian Gopi Krishnan

Hi, I have ported mbedtls library on am embedded platform developed to encrypt / decrypt messages using AES GCM 256 key. After several hours of running, we are experiencing error MBEDTLS_ERR_CIPHER_ALLOC_FAILED 0x6180 and malloc functions fails as the heap seems to be piled-up. How could I is using correct free function and the actual allocated memory is freed? Thanks, Gopi Krishnan

2 years, 9 months

2
1
0 0

Tentative: MBed TLS Technical Forum

by Gergely Pintér

2 years, 9 months

1
0
0 0

Future crypto library features

by Hulshof, Robert

All, Not sure if this is the right audience (If it is not let me know if there is a better place to ask the following question) We have been looking at future security requirements for CPE devices, and we think that we need the following functionality that is currently not really available in the current crypto libraries. - Support for Quantum computing secure algorithms (Post Quantum of PQ algorithms) - Support for Hybrid keys ( PQ plus Classic algorithm), preferable in any configuration. - Modularized public key crypto algorithms implementation, to simplify adding new algorithms - Updating public key architecture to simplify off-loading private key operations to a Trusted Execution environment or other security HW. We initially looked at openssl, but found the openssl difficult to work with, so we decided to look at Mbedtls, which has a more lightweight design. We modified the mbedtls 'pkey' code to make it more modularized (building on the pkwrap design), and added to support for Hybrid keys, which was relatively easy to do. Updating the TLS library to support hybrid keys has however been a big challenge. The TLS code is very interwoven with the 'pkey' code, and seems to have almost unique implementation for each type of key, making it difficult to follow and modify. Adding support for other (PQ) algorithms within that design will be challenge. Before spending too much time on this we would like to know if there is an interest in the MBEDTLS community for a redesign of the code to support hybrid keys, PQ algorithms and modularized public key architecture. Thanks, Robert E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.

2 years, 9 months

2
1
0 0

MBed TLS Technical Forum - reminder

by don.harbin＠linaro.org

Hi All, A gentle reminder that the US-Europe timezone-friendly MBest TLS Tech forum is next Monday. If you have any topics, please let Dave Rodgman know. :) Best regards, Don Title: MBed TLS Technical Forum Trusted Firmware is inviting you to a scheduled Zoom meeting. Topic: MBed TLS Technical Forum Time: Oct 25, 2021 04:30 PM London Every 4 weeks on Mon, 20 occurrence(s) Oct 25, 2021 04:30 PM Nov 22, 2021 04:30 PM Dec 20, 2021 04:30 PM Jan 17, 2022 04:30 PM Feb 14, 2022 04:30 PM Mar 14, 2022 04:30 PM Apr 11, 2022 04:30 PM May 9, 2022 04:30 PM Jun 6, 2022 04:30 PM Jul 4, 2022 04:30 PM Aug 1, 2022 04:30 PM Aug 29, 2022 04:30 PM Sep 26, 2022 04:30 PM Oct 24, 2022 04:30 PM Nov 21, 2022 04:30 PM Dec 19, 2022 04:30 PM Jan 16, 2023 04:30 PM Feb 13, 2023 04:30 PM Mar 13, 2023 04:30 PM Apr 10, 2023 04:30 PM Please download and import the following iCalendar (.ics) files to your calendar system. Weekly: https://linaro-org.zoom.us/meeting/tJEkceuurT4sGdaksikbUn6FARB9Kuk3ac2o/ics… Join Zoom Meeting https://linaro-org.zoom.us/j/95962635632?pwd=STFkQVltejAzRDJ6NmoxZjhmZC9RUT… Meeting ID: 959 6263 5632 Passcode: 018366 One tap mobile +13462487799,,95962635632# US (Houston) +16699009128,,95962635632# US (San Jose) Dial by your location +1 346 248 7799 US (Houston) +1 669 900 9128 US (San Jose) +1 253 215 8782 US (Tacoma) +1 312 626 6799 US (Chicago) +1 646 558 8656 US (New York) +1 301 715 8592 US (Washington DC) 877 853 5247 US Toll-free 888 788 0099 US Toll-free Meeting ID: 959 6263 5632 Find your local number: https://linaro-org.zoom.us/u/aewUpnQu5y When: Mon Feb 14, 2022 9:30am – 10:30am Mountain Standard Time - Phoenix Who: * Don Harbin - creator * psa-crypto(a)lists.trustedfirmware.org * mbed-tls(a)lists.trustedfirmware.org * nnac123(a)gmail.com

2 years, 9 months

1
0
0 0

2024

2023

2022

2021

2020

mbed-tls February 2022