Hello,
I'm running into an issue with using Mbed-TLS on an embedded device of ours and I'm curious if anyone would be able to point me in the right direction. If this is the wrong channel for general use questions, let me know and I'll search elsewhere. As a forewarning, I'm still getting my bearings around the nuts and bolts of Mbed-TLS and network security; apologies if I misstate something or jumble things up.
Our device uses Mbed-TLS 3.0.0; ideally I'd like to upgrade this to a newer …
[View More]version, but this version was included in a SDK package for our device and I'd like to get some basic functionality proven out first before trying to reintegrate a newer version into the rest of provided code. The current goal is to get our device to serve a web page over HTTPS with TLS.
What we currently see is that the initial hello client and server messages are exchanged without issue, but the connection is rejected after the server requests a certificate from the client. In some browsers, this opens a prompt where you can select a given certificate on the machine; in others, it skips this prompt and sends a response back with an empty certificate. In both instances, the server will return an error and deny the connection.
This seems like some sort of user configuration error, given your average web page served over HTTPS on the internet avoids making this request. The literature I've been able to find so far also seems to suggest this request is entirely optional. Is there some option I'm overlooking that makes the server skip asking the client for its certificate and lets connection continue on?
Michael Reutman
Senior Embedded Software Engineer
NovaTech Automation
261 Brodhead Rd.
Bethlehem, PA 18017
novatechautomation.com<http://www.novatechautomation.com/> | NovaTechLinkedIn<https://www.linkedin.com/company/565017>
NovaTech Automation is Net Zero committed. #KeepItCool<https://www.keepitcool.earth/>
Receipt of this email implies compliance with our terms and conditions<https://www.novatechautomation.com/email-terms-conditions>.
[View Less]
Hi,
I'm trying to parse this DER encoded certificate in hex format:
…
[View More]3082018230820128a003020102020900f3b305f55622cfdf300a06082a8648ce3d04030230003020170d3735303130313030303030305a180f34303936303130313030303030305a30003059301306072a8648ce3d020106082a8648ce3d0301070342000458f7e9581748ff9bdd933b655cc0e5552a1248f840658cc221dec2186b5a2fe4641b86ab7590a3422cdbb1000cf97662f27e5910d7569f22feed8829c8b52e0fa38188308185308182060a2b0601040183a25a01010101ff0471306f042508021221026b053094d1112bce799dc8026040ae6d4eb574157929f1598172061f753d9b1b04463044022040712707e97794c478d93989aaa28ae1f71c03af524a8a4bd2d98424948a782302207b61b7f074b696a25fb9e0059141a811cccc4cc28042d9301b9b2a4015e87470300a06082a8648ce3d04030203480030450220143ae4d86fdc8675d2480bb6912eca5e39165df7f572d836aa2f2d6acfab13f8022100831d1979a98f0c4a6fb5069ca374de92f1a1205c962a6d90ad3d7554cb7d9df4
This certificate is part of a simple test for this specification
https://github.com/libp2p/specs/blob/master/tls/tls.md
I'm using this https://github.com/status-im/nim-mbedtls Nim language
library wrapper for mbedtls. I don't know the mbedtls version exactly,
but the lib is based on this commit
https://github.com/Mbed-TLS/mbedtls/tree/09d23786f6fdcb4dfa88aad30c8767bd27….
In my code I use:
proc parseUnverified*(derInput: seq[byte]) =
var crt: mbedtls_x509_crt
mbedtls_x509_crt_init(addr crt)
var ret = mbedtls_x509_crt_parse_der(addr crt, unsafeAddr
derInput[0], derInput.len.uint)
if ret != 0:
raise newException(Exception, "Failed to parse certificate, error
code: " & $ret)
which is a straightforward version of the C code, but ti fails with:
Failed to parse certificate, error code: -9186 [Exception]
It seems the problem is because the certificate doesn't have the
Distinguished Name set. Does it make sense? If this is really the
cause of the problem, is there any workaround?
Regards.
[View Less]
Hi,
We were using old MBed TLS version 2.19.1 and existing trusted CA
certificates were working fine in that release. Recently we upgraded
to 3.6.0 and see that now certificate parsing is returning -ox262e
value from function mbedtls_x509_get_sig_alg cause of which handshake
is not even initiated.
Can you please let us know what can cause such an issue and remedy the same?
Regards,
Prakash
Hi Mbed TLS,
I am looking for some suggestions about make some (or all) Mbed TLS APIs non-secure callable APIs on armv8m.
The background is that I am going to have a secure firmware that provides encryption services by building part (or whole) of Mbed TLS into that firmware and make those original mbedtls_x APIs non-secure callable, so the existing non-secure firmware could link those non-secure callable APIs and use them.
Some of my thoughts:
(1) The easiest way to do it I can think of is …
[View More]just add the attribute "cmse_nonsecure_call" to those APIs' declaration (or use a macro to wrap the attribute for conditional build to not impact others don't want it), but I do not think this modification could be accepted by upstream 🙂.
(2) So my another thought is duplicate all header files and put them under another folder, assuming it is my-include folder, then I can do whatever I want to my-include folder, but there is also a problem I can think of: a merge/compare burden between include and my-include folder after I have updated Mbed TLS.
I really appreciate other suggestions!
Thanks,
William
[View Less]
Hi All,
A gentle reminder that the US-Europe timezone-friendly MBed TLS Tech forum
is next Monday at 4:30pm UK time. Invite details can be found on the online
calendar here <https://www.trustedfirmware.org/meetings/>.
If you have any topics, please let Janos know. :)
Don
My mbedtls client has been working for 2 years. It did what I required and
has been stable.
However, I now need to force a new server to use my preferred cipher suite.
I found the helper function to force the cipher suite here:
https://github.com/Mbed-TLS/mbedtls/blob/de4d5b78558666d2e258d95e6c5875f9c7…
I added mbedtls_ssl_conf_preference_order(conf,
MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) to the end of the function to
force the server to choose my ciphersuite.
Prior to this change I …
[View More]called the mbedtls functions in this chronological
order:
mbedtls_ssl_init(&_ssl);
mbedtls_ssl_config_init(&_conf);
mbedtls_ctr_drbg_init(&_ctr_drbg);
mbedtls_entropy_init(&_entropy);
mbedtls_x509_crt_init(&_cacert);
mbedtls_pk_init(&_pkey);
mbedtls_ctr_drbg_seed
mbedtls_ssl_config_defaults
mbedtls_ssl_conf_rng
mbedtls_ssl_conf_authmode
mbedtls_x509_crt_parse_file
mbedtls_ssl_conf_ca_chain
mbedtls_ssl_setup
mbedtls_ssl_set_hostname
and then proceed to call:
mbedtls_ssl_set_bio
mbedtls_ssl_handshake
Now:
If I call mbedtls_ssl_conf_ciphersuites BEFORE mbedtls_ssl_config_defaults,
the ciphersuite list is ignored/seems to get overriden.
If I call mbedtls_ssl_conf_ciphersuites AFTER mbedtls_ssl_config_defaults,
my ciphersuite list changes are accepted and transmitted (I can see in
Wireshark). The server then responds agreeing to use my chosen cipher suite.
However, mbedtls_ssl_handshake returns with value -26112, which I have
looked up to be MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER.
Unfortunately I have no clue what is causing this.
Could somebody please advise how this should be done? I can see Client2
example but there are functions I have which are not in there. Client1
seems too simple for me but Client2 seems beyond what I require.
[View Less]
I am using MbedTLS client code based on this:
https://github.com/machinezone/IXWebSocket/blob/master/ixwebsocket/IXSocket…
I am connecting to a server via it's URL. However, I would like to connect directly using an IP address returned from running the traceroute command on the URL.
So I replaced the URL with the IP address. However, MBedTLS fails on the handshake:
https://github.com/machinezone/IXWebSocket/blob/master/ixwebsocket/IXSocket…
I get the error:
"error in handshake : X509 - …
[View More]Certificate verification failed, e.g. CRL, CA or signature check failed"
If I revert back to URL, it works. The IP address does exist.
How can I connect using the IP address, instead of the URL?
[View Less]
Micron Confidential
Hi,
I find that mbed-tls already support LMS, could you please Point to some reference and starting from which version mbedTLS lib version supports LMS?
Best Regards,
Raunak
Get Outlook for iOS<https://aka.ms/o0ukef>
Micron Confidential
Micron Confidential
Dear MbedTLS,
Can you please help to provide some references for LMS stateful signatures schemes support in MbedTLS,
May be something like documentation and github repo link?
Unfortunately I am not able to find it online?
Thanks,
Raunak
Get Outlook for iOS<https://aka.ms/o0ukef>
Micron Confidential
________________________________
From: Shebu Varghese Kuriakose <Shebu.VargheseKuriakose(a)arm.com>
Sent: Tuesday, September 3, 2024 8:48 PM
To: Raunak Gupta &…
[View More]lt;raunakgupta(a)micron.com>; enquiries(a)trustedfirmware.org <enquiries(a)trustedfirmware.org>
Cc: nd <nd(a)arm.com>
Subject: [EXT] RE: Inquiry About PQC Cryptos in embedTLS Library
Micron Confidential
CAUTION: EXTERNAL EMAIL. Do not click links or open attachments unless you recognize the sender and were expecting this message.
Hi Raunak,
Mbed TLS today supports LMS stateful hash-based signature scheme. While supporting other PQC algorithms is in the Mbed TLS project roadmap, the team isn’t actively working on it. The focus for the team now is preparing for Mbed TLS 4.0.
Feel free to ask any further technical questions in the Mbed TLS public mailing list - mbed-tls(a)lists.trustedfirmware.org<mailto:mbed-tls@lists.trustedfirmware.org> (https://lists.trustedfirmware.org/mailman3/lists/mbed-tls.lists.trustedfirm…)
Regards,
Shebu
Micron Confidential
From: 'Raunak Gupta' via TFenquiries <enquiries(a)trustedfirmware.org>
Sent: Tuesday, September 3, 2024 2:34 AM
To: enquiries(a)trustedfirmware.org
Subject: Inquiry About PQC Cryptos in embedTLS Library
Micron Confidential
Dear Trusted Firmware Team,
I hope this message finds you well. My name is Raunak, and I am a Security Engineer at Micron Technology.
I would like to inquire whether the embedTLS library has been updated to include Post-Quantum Cryptography (PQC) algorithms such as LMS, HSS, and XMSS.
Additionally, is the embedTLS team actively working on integrating these PQC algorithms?
Thank you for your assistance.
Best regards,
Raunak
Micron Confidential
To unsubscribe from this group and stop receiving emails from it, send an email to enquiries+unsubscribe(a)trustedfirmware.org<mailto:enquiries+unsubscribe@trustedfirmware.org>.
[View Less]
Dear Mbed TLS users,
We have released Mbed TLS versions 3.6.1 and 2.28.9. These releases provide bugfixes, security fixes and minor improvements.
The 3.6.1 release includes fixes for issues caused by enabling TLS 1.3 for TLS connections in the default configuration.
Full details are available in the release notes:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.9https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.1
We recommend all users to consider whether they are …
[View More]impacted, and to upgrade appropriately.
Many thanks,
David Horstmann
Mbed TLS developer
[View Less]
