I'm afraid this goes beyond my knowledge of TCP/IP and LWIP. I see a lot of options in lwipopts.h, is there some kind of reference configuration that works (but perhaps uses too much memory for your application)? If you've modified some of the options, have you double-checked their consistency?

Have you tried a TCP application that sends packets of several hundred bytes? The stack might treat ICMP packets and TCP packets differently, so testing with ICMP isn't conclusive.

Unrelated to your problem: in the Mbed TLS configuration, you can probably reduce MBEDTLS_SSL_OUT_CONTENT_LEN and MBEDTLS_SSL_IN_CONTENT_LEN to save RAM. MBEDTLS_SSL_OUT_CONTENT_LEN usually needs to be only the size of the largest handshake message. MBEDTLS_SSL_IN_CONTENT_LEN needs to be as large as the messages your device receives: 16kB is necessary to be fully standard-compliant, but most devices don't send such large messages.

Best regards,

--
Gilles Peskine
Mbed TLS developer

On 01/10/2021 12:08, Duygu D. wrote:
Hello,
Thank you for your reply.
I am using stm32+lwip-altcp-mbedtls in my application.
lwip takes care of the IP part: if I send another IP-based packet (like ICMP) with different sizes, I don't get the IPv4 packet length error.
I only have this error when I use mbedtls.
I did not fully understand the MSS configuration part. I don't know much about this; how should the configurations be?

I've attached my configuration files, lwipopts.h and the config_user file.



On Fri, 1 Oct 2021 at 12:58, Gilles Peskine via mbed-tls <mbed-tls@lists.trustedfirmware.org> wrote:
Hi Duygu,

As far as I understand, "IPv4 total length exceeds packet length"
indicates a bug or misconfiguration in the IP stack: it's sending an
invalid packet. I don't think Mbed TLS can solve or work around this
problem: TCP is a stream protocol, the higher level doesn't have any
control over how the stream is broken into packets.

If your TCP/IP stack lets you configure the MSS, a lower MSS may work.
It's still a workaround: as far as I know, the MSS is only supposed to
be a matter of performance, the IP layer under the hood should fragment
and reassemble packets as needed.

Best regards,

--
Gilles Peskine
Mbed TLS developer

On 01/10/2021 10:13, Duygu D. via mbed-tls wrote:
> Hello,
>
> I am using this example as the source for my main purpose:
> https://github.com/straight-coding/LPC407x-NoOS-LWIP-MBEDTLS-HTTPD-KEIL/blob/f3943f7487a296a16ddff51885c9c8d0ca07562a/LambdaIOT/httpd/http_core.c
>
> This example uses HTTPS, but I'm trying to use it for a Modbus
> server.
>
> This is init function for the server tcp connections:
>
> BOOL
> xMBTCPPortInit( USHORT usTCPPort )
> {
>     struct altcp_pcb *pxPCBListenNew, *pxPCBListenOld;
>     BOOL            bOkay = (BOOL)FALSE;
>     USHORT          usPort;
>     extern struct altcp_tls_config* getTlsConfig(void);
>
>     /* Build the TLS configuration once and keep it in the global tls_config.
>      * Passing it to mbedtls_ssl_conf_dbg() relies on mbedtls_ssl_config being
>      * the first member of struct altcp_tls_config in altcp_tls_mbedtls.c. */
>     tls_config = getTlsConfig();
>     mbedtls_ssl_conf_dbg(tls_config, my_debug, NULL);
>     mbedtls_debug_set_threshold(5);
>
>     if( usTCPPort == 0 )
>     {
>         usPort = MB_TCP_DEFAULT_PORT;
>     }
>     else
>     {
>         usPort = ( USHORT ) usTCPPort;
>     }
>
>     if( ( pxPCBListenNew = pxPCBListenOld = altcp_tls_new( tls_config, IPADDR_TYPE_ANY ) ) == NULL )
>     {
>         /* Can't create the TLS-wrapped TCP PCB. */
>         bOkay = (BOOL)FALSE;
>     }
>     else if( altcp_bind( pxPCBListenNew, IP_ANY_TYPE, ( u16_t ) usPort ) != ERR_OK )
>     {
>         /* Bind failed - maybe illegal port value or port already in use. */
>         ( void )altcp_close( pxPCBListenOld );
>         bOkay = (BOOL)FALSE;
>     }
>     else if( ( pxPCBListenNew = altcp_listen( pxPCBListenNew ) ) == NULL )
>     {
>         /* altcp_listen() only replaces the PCB on success, so close the
>          * original one here on failure. */
>         ( void )altcp_close( pxPCBListenOld );
>         bOkay = (BOOL)FALSE;
>     }
>     else
>     {
>         /* Register callback function for new clients. */
>         altcp_accept( pxPCBListenNew, prvxMBTCPPortAccept );
>
>         /* Everything okay. Set global variable. */
>         pxPCBListen = pxPCBListenNew;
>
> #ifdef MB_TCP_DEBUG
>         vMBPortLog( MB_LOG_DEBUG, "MBTCP-ACCEPT", "Protocol stack ready.\r\n" );
> #endif
>         SerialPrint("MBTCP-ACCEPT");
>
>         /* Report success only on this path; the earlier version set
>          * bOkay = TRUE unconditionally after the if/else chain, so
>          * callers never saw a bind or listen failure. */
>         bOkay = (BOOL)TRUE;
>     }
>
>     return bOkay;
> }
>
> struct altcp_tls_config* getTlsConfig(void)
> {
>     struct altcp_tls_config* conf;
>     /* privkey, privkey_pass and cert are global NUL-terminated PEM strings.
>      * lwIP's altcp_tls parses PEM with Mbed TLS, which expects the length
>      * to include the terminating NUL, hence the + 1. */
>     size_t privkey_len      = strlen(privkey) + 1;
>     size_t privkey_pass_len = strlen(privkey_pass) + 1;
>     size_t cert_len         = strlen(cert) + 1;
>
>     conf = altcp_tls_create_config_server_privkey_cert((u8_t*)privkey, privkey_len,
>                                                        (u8_t*)privkey_pass, privkey_pass_len,
>                                                        (u8_t*)cert, cert_len);
>
>     return conf;
> }
>
> And I am using a basic Python TLS client example to show a successful
> mbedtls handshake.
> This is my client.py code:
>
> from socket import create_connection
> from ssl import SSLContext, PROTOCOL_TLS_CLIENT
> import ssl
>
> hostname = 'example.org'   # must match the CN/SAN of the server certificate
> ip = '192.168.1.2'
> port = 502
> context = SSLContext(PROTOCOL_TLS_CLIENT)
> context.options |= ssl.OP_NO_SSLv3
> context.options |= ssl.OP_NO_TLSv1
> context.options |= ssl.OP_NO_TLSv1_1
> context.load_verify_locations('cert.pem')   # trust anchor for the device's certificate
>
> with create_connection((ip, port)) as client:
>     with context.wrap_socket(client, server_hostname=hostname) as tls:
>         print(f'Using {tls.version()}\n')
>         tls.sendall(b'Hello world')
>
>         data = tls.recv(1024)
>         print(f'Server says: {data}')
>
> When I try to start communication I get the outputs below in Wireshark:
> [attachment: image.png, Wireshark capture]
>
> When the server sends the hello message I get this error on the line:
> [attachment: image.png, error output]
>
> When I checked the low_level_output functions I see the data being sent
> is 150 bytes but the IPv4 length shows 576 bytes. opt.h is set to the
> defaults, but if I change TCP_MSS to 250 bytes I can send 136 bytes and
> the IPv4 packet length shows me 136. But it does not make sense. I
> couldn't do a successful handshake.
>
> My mbedtls debug outputs are at this link:
> https://paste.ofcode.org/PP3zFmrLcKqPdRMT3LzETz
> How can I solve this problem? What is the reason for the length problem?
> Best Regards.
>
>
>
> --
> Embedded System Engineer
>
>

--
mbed-tls mailing list
mbed-tls@lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls


--
Embedded System Engineer
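The thread above turns on the 576-byte IPv4 length, lwIP's TCP_MSS and whether the lwipopts.h values are consistent. The following is an added example, not code from the thread or from lwIP, that reproduces the header arithmetic (536 is lwIP's default TCP_MSS) and applies consistency rules of the kind lwIP's init.c enforces at compile time to a set of assumed sample option values.

```c
#include <stdio.h>

/* Assumed sample values standing in for entries in lwipopts.h
 * (not the poster's attached file). 536 is lwIP's default TCP_MSS. */
#define LINK_MTU            1500
#define IP_HLEN             20
#define TCP_HLEN            20
#define PBUF_LINK_HLEN      14
#define TCP_MSS             536
#define TCP_SND_BUF         (4 * TCP_MSS)
#define TCP_SND_QUEUELEN    ((4 * TCP_SND_BUF + TCP_MSS - 1) / TCP_MSS)
#define PBUF_POOL_BUFSIZE   (TCP_MSS + IP_HLEN + TCP_HLEN + PBUF_LINK_HLEN)

/* IPv4 total length of a full-MSS TCP segment without IP/TCP options. */
int full_segment_ip_len(int mss) { return mss + IP_HLEN + TCP_HLEN; }

/* Returns 1 when the TCP options are mutually consistent, 0 otherwise.
 * The rules mirror lwIP's compile-time checks plus the MTU check that
 * keeps TCP output from ever needing IP fragmentation. */
int lwip_tcp_config_consistent(int mss, int snd_buf, int queuelen,
                               int pool_bufsize, int mtu)
{
    if (full_segment_ip_len(mss) > mtu)
        return 0;   /* full segment does not fit the link MTU */
    if (snd_buf < 2 * mss)
        return 0;   /* TCP_SND_BUF must be at least 2*TCP_MSS */
    if (queuelen < (2 * snd_buf) / mss)
        return 0;   /* TCP_SND_QUEUELEN must be at least 2*TCP_SND_BUF/TCP_MSS */
    if (pool_bufsize < mss + IP_HLEN + TCP_HLEN + PBUF_LINK_HLEN)
        return 0;   /* a full segment must fit in a single PBUF_POOL pbuf */
    return 1;
}

int main(void)
{
    printf("full-MSS IPv4 datagram: %d bytes\n", full_segment_ip_len(TCP_MSS));
    printf("config consistent: %s\n",
           lwip_tcp_config_consistent(TCP_MSS, TCP_SND_BUF, TCP_SND_QUEUELEN,
                                      PBUF_POOL_BUFSIZE, LINK_MTU) ? "yes" : "no");
    /* Raising TCP_MSS to a typical Ethernet value while leaving the pbuf
     * pool sized for 536 is one of the inconsistencies the check catches. */
    printf("MSS 1460 with 590-byte pbufs consistent: %s\n",
           lwip_tcp_config_consistent(1460, 5840, 16, 590, LINK_MTU) ? "yes" : "no");
    return 0;
}
```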