Hello,
I am using this example as the source for my main purpose: https://github.com/straight-coding/LPC407x-NoOS-LWIP-MBEDTLS-HTTPD-KEIL/blob...
This example uses HTTPS, but I'm trying to use it for a Modbus server.
This is the init function for the server TCP connections:
#include <string.h>
#include "port.h"            /* FreeModbus port types: BOOL, USHORT, TRUE, FALSE */
#include "mbport.h"
#include "lwip/altcp.h"
#include "lwip/altcp_tls.h"
#include "mbedtls/ssl.h"
#include "mbedtls/debug.h"

/* Provided elsewhere in the project: PEM strings, the mbedtls debug callback,
   the altcp accept callback and the board's serial logger. */
extern const char privkey[], privkey_pass[], cert[];
extern void my_debug( void *ctx, int level, const char *file, int line, const char *str );
extern err_t prvxMBTCPPortAccept( void *pvArg, struct altcp_pcb *pxPCB, err_t xErr );
extern void SerialPrint( const char *pcMsg );

static struct altcp_pcb *pxPCBListen;
static struct altcp_tls_config *tls_config;

struct altcp_tls_config* getTlsConfig(void);

BOOL
xMBTCPPortInit( USHORT usTCPPort )
{
    struct altcp_pcb *pxPCBListenNew, *pxPCBListenOld;
    BOOL bOkay = (BOOL)FALSE;
    USHORT usPort;

    tls_config = getTlsConfig();
    /* lwIP's struct altcp_tls_config (altcp_tls_mbedtls) begins with its
       mbedtls_ssl_config member; the cast relies on that layout. */
    mbedtls_ssl_conf_dbg( (mbedtls_ssl_config *)tls_config, my_debug, NULL );
    mbedtls_debug_set_threshold( 5 );

    if( usTCPPort == 0 )
    {
        usPort = MB_TCP_DEFAULT_PORT;
    }
    else
    {
        usPort = ( USHORT ) usTCPPort;
    }

    if( ( pxPCBListenNew = pxPCBListenOld = altcp_tls_new( tls_config, IPADDR_TYPE_ANY ) ) == NULL )
    {
        /* Can't create TCP socket. */
        bOkay = (BOOL)FALSE;
    }
    else if( altcp_bind( pxPCBListenNew, IP_ANY_TYPE, ( u16_t ) usPort ) != ERR_OK )
    {
        /* Bind failed - Maybe illegal port value or in use. */
        ( void )altcp_close( pxPCBListenOld );
        bOkay = (BOOL)FALSE;
    }
    else if( ( pxPCBListenNew = altcp_listen( pxPCBListenNew ) ) == NULL )
    {
        ( void )altcp_close( pxPCBListenOld );
        bOkay = (BOOL)FALSE;
    }
    else
    {
        /* Register callback function for new clients. */
        altcp_accept( pxPCBListenNew, prvxMBTCPPortAccept );

        /* Everything okay. Set global variable. */
        pxPCBListen = pxPCBListenNew;
#ifdef MB_TCP_DEBUG
        vMBPortLog( MB_LOG_DEBUG, "MBTCP-ACCEPT", "Protocol stack ready.\r\n" );
#endif
        SerialPrint( "MBTCP-ACCEPT" );
        /* Report success only on this path: setting TRUE after the whole
           if/else chain would mask the failures handled above. */
        bOkay = (BOOL)TRUE;
    }
    return bOkay;
}

struct altcp_tls_config* getTlsConfig(void)
{
    struct altcp_tls_config* conf;
    /* Lengths include the NUL terminator, as the PEM parser expects. */
    size_t privkey_len = strlen(privkey) + 1;
    size_t privkey_pass_len = strlen(privkey_pass) + 1;
    size_t cert_len = strlen(cert) + 1;

    conf = altcp_tls_create_config_server_privkey_cert((u8_t*)privkey, privkey_len,
                                                       (u8_t*)privkey_pass, privkey_pass_len,
                                                       (u8_t*)cert, cert_len);
    return conf;
}
And I am using a basic Python TLS client example to show a successful mbedtls handshake. This is my client.py code:
from socket import create_connection
from ssl import SSLContext, PROTOCOL_TLS_CLIENT
import ssl

# server_hostname must match a name in cert.pem for verification to succeed
hostname = 'example.org'
ip = '192.168.1.2'
port = 502
context = SSLContext(PROTOCOL_TLS_CLIENT)
context.options |= ssl.OP_NO_SSLv3
context.options |= ssl.OP_NO_TLSv1
context.options |= ssl.OP_NO_TLSv1_1
context.load_verify_locations('cert.pem')

with create_connection((ip, port)) as client:
    with context.wrap_socket(client, server_hostname=hostname) as tls:
        print(f'Using {tls.version()}\n')
        tls.sendall(b'Hello world')
        data = tls.recv(1024)
        print(f'Server says: {data}')
When I try to start communication I get the outputs below in Wireshark: [image: image.png]
When the server sends the hello message I get this error on the line: [image: image.png]
When I checked the low_level_output function, I see it sending 150 bytes of data, but the IPv4 length shows 576 bytes. The opt.h file is set to defaults, but if I change TCP_MSS to 250 bytes, I can send 136 bytes and the IPv4 packet length shows 136. But that does not make sense. I couldn't do a successful handshake.
My mbedtls debug outputs are at this link: https://paste.ofcode.org/PP3zFmrLcKqPdRMT3LzETz How can I solve this problem? What is the reason for the length problem? Best Regards.
Hi Duygu,
As far as I understand, "IPv4 total length exceeds packet length" indicates a bug or misconfiguration in the IP stack: it's sending an invalid packet. I don't think Mbed TLS can solve or work around this problem: TCP is a stream protocol, the higher level doesn't have any control over how the stream is broken into packets.
If your TCP/IP stack lets you configure the MSS, a lower MSS may work. It's still a workaround: as far as I know, the MSS is only supposed to be a matter of performance, the IP layer under the hood should fragment and reassemble packets as needed.
Best regards,
--
Gilles Peskine
Mbed TLS developer
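As an added example (not from the thread), the check below reproduces what Wireshark complains about: an IPv4 total-length field larger than the bytes actually handed to the driver. It assumes the driver can run it on the flattened Ethernet frame in low_level_output() before transmission; the frame-builder helper and the 150-byte/576-byte sample values are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETH_HDR_LEN    14
#define IPV4_MIN_HDR   20
#define ETHERTYPE_IPV4 0x0800

enum ipv4_len_check {
    IPV4_LEN_OK = 0,
    IPV4_LEN_NOT_IPV4,       /* not an IPv4 frame: nothing to check */
    IPV4_LEN_TRUNCATED,      /* frame too short to hold an IPv4 header */
    IPV4_LEN_BAD_HEADER,     /* version or IHL field is invalid */
    IPV4_LEN_EXCEEDS_FRAME   /* total length claims bytes the frame lacks */
};

/* Check one Ethernet frame that is about to be transmitted. *claimed receives
 * the IPv4 total-length field whenever the header could be read. */
enum ipv4_len_check check_ipv4_total_length(const uint8_t *frame, size_t frame_len, uint16_t *claimed)
{
    if (frame_len < ETH_HDR_LEN)
        return IPV4_LEN_TRUNCATED;
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != ETHERTYPE_IPV4)
        return IPV4_LEN_NOT_IPV4;
    if (frame_len < ETH_HDR_LEN + IPV4_MIN_HDR)
        return IPV4_LEN_TRUNCATED;
    const uint8_t *ip = frame + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4 || (ip[0] & 0x0f) < 5)
        return IPV4_LEN_BAD_HEADER;
    uint16_t total = (uint16_t)((ip[2] << 8) | ip[3]);
    if (claimed)
        *claimed = total;
    /* Short frames are padded on the wire, so only "too large" is an error. */
    if (total > frame_len - ETH_HDR_LEN)
        return IPV4_LEN_EXCEEDS_FRAME;
    return IPV4_LEN_OK;
}

/* Constructed sample: a frame of frame_len bytes whose IPv4 header claims
 * total_len bytes. Only the fields the check reads are filled in. */
void build_sample_frame(uint8_t *buf, size_t frame_len, uint16_t total_len)
{
    memset(buf, 0, frame_len);
    buf[12] = 0x08; buf[13] = 0x00;                /* EtherType IPv4 */
    buf[ETH_HDR_LEN] = 0x45;                        /* version 4, IHL 5 */
    buf[ETH_HDR_LEN + 2] = (uint8_t)(total_len >> 8);
    buf[ETH_HDR_LEN + 3] = (uint8_t)(total_len & 0xff);
}
```

A hit from this check on the transmit side confirms the inconsistency originates in the stack or its configuration rather than on the wire, which is the distinction the reply above draws.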
Hello, Thank you for your reply. I am using stm32+lwip-altcp-mbedtls in my application. lwIP takes care of the IP part: if I send another IP-based packet (like ICMP) with different sizes, I don't get the IPv4 packet length error. I only have this error when I use mbedtls. I did not fully understand the MSS configuration part. I don't know much about this; how should the configuration be?
I've added my configuration files, lwipopt.h and config_user, as attachments.
On Fri, 1 Oct 2021 at 12:58, Gilles Peskine via mbed-tls <mbed-tls@lists.trustedfirmware.org> wrote:
On 01/10/2021 10:13, Duygu D. via mbed-tls wrote:
-- Embedded System Engineer
-- mbed-tls mailing list mbed-tls@lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
I'm afraid this goes beyond my knowledge of TCP/IP and LWIP. I see a lot of options in lwipopts.h, is there some kind of reference configuration that works (but perhaps uses too much memory for your application)? If you've modified some of the options, have you double-checked their consistency?
Have you tried a TCP application that sends packets of several hundred bytes? The stack might treat ICMP packets and TCP packets differently, so testing with ICMP isn't conclusive.
Unrelated to your problem: in the Mbed TLS configuration, you can probably reduce MBEDTLS_SSL_OUT_CONTENT_LEN and MBEDTLS_SSL_IN_CONTENT_LEN to save RAM. MBEDTLS_SSL_OUT_CONTENT_LEN usually needs to be only the size of the largest handshake message. MBEDTLS_SSL_IN_CONTENT_LEN needs to be as large as the messages your device receives: 16kB is necessary to be fully standard-compliant, but most devices don't send such large messages.
Best regards,
--
Gilles Peskine
Mbed TLS developer
If your received message is greater than your allocated receive buffer, setting:
#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
will allow reception of truncated messages.
Dave
On 10/1/21, Gilles Peskine via mbed-tls mbed-tls@lists.trustedfirmware.org wrote:
On 01/10/2021 12:08, Duygu D. wrote: