| Re: [leshan-dev] Need information to test X509 certificate authentication client and server |
Hi,
I see at least 1 issue : you are using port 5683 : -u localhost:5683, correct port for DTLS is 5684 but if you are using standard port, you can omit the port leshan-client-demo will take the right one for you.
I just test it on my own and it works for me.
When you create the certificate for client, last step :
openssl req -x509 -new -key keys.pem -sha256 -days 36500 -outform DER -out self_signed_cert.derYou should have this kind of question :
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:urn:gsma:imei:459241719596716 Email Address []:
-ccert <arg> The path to your client certificate file. The certificate Common Name (CN) should generaly be equal to the client endpoint name (see -n option).By the way to not forget to do reply-all to send you answer to the mailing list.
HTH
SimonLe 11/09/2020 à 12:15, Rahul Miryala a écrit :
Hi Simon,3. Ran the client like this java -jar leshan-client-demo.jar -cprik cprik.der -scert serverCertificate.der -ccert self_signed_cert.der -u localhost:5683 -n urn:gsma:imei:459241719596716I have tried as per your suggestion but the client is not getting connected to the server as COAP Version assertion failure.
Steps I have followed
1.downloaded latest jar files client and server
2. created the client certificate with following steps(-ccert -scert and -cprik)using (https://github.com/eclipse/leshan/wiki/Credential-files-format#x509---scroll)
openssl ecparam -out keys.pem -name prime256v1 -genkey openssl pkcs8 -topk8 -inform PEM -outform DER -in keys.pem -out cprik.der -nocrypt openssl req -x509 -new -key keys.pem -sha256 -days 36500 -outform DER -out self_signed_cert.der After running above commands I could see three files (cprik.der,self_signed_cert.der,keys.pem) As I understand -ccert is self_signed_cert.der and -cprik is cprik.der and -scert downloaded from http://localhost:8080/#/security and named it as serverCertificateFinally15:26:51.288 [UDP-Receiver-0.0.0.0/0.0.0.0:5683[0]] DEBUG org.eclipse.californium.elements.UDPConnector - UDPConnector (0.0.0.0:5683) received 105 bytes from /127.0.0.1:62506
I see this in server log
15:26:38.264 [CoapServer(main)#4] DEBUG org.eclipse.californium.core.network.CoapEndpoint - [LWM2M Server-coap://] discarding malformed message from [UDP(127.0.0.1:62506)]: Message has invalid version: 0
15:26:51.290 [CoapServer(main)#2] DEBUG org.eclipse.californium.core.network.CoapEndpoint - [LWM2M Server-coap://] discarding malformed message from [UDP(127.0.0.1:62506)]: Messa
in Client log
2020-09-11 15:43:28,602 INFO LeshanClientDemo - DTLS Full Handshake initiated by client : FAILED (Handshake flight 1 failed! Stopped by timeout after 4 retransmissions!)
2020-09-11 15:43:28,604 INFO DefaultRegistrationEngine - Registration failed: Timeout.
Can you please confirm whether I am doing it correctly or not and help me in doing it correctly
ThanksRahul
On Tue, Sep 8, 2020 at 8:45 PM Simon Bernard <contact@xxxxxxxxxxxxxxx> wrote:
Hi,
AFIAK, there is not a list like this.
But If you want to write code, you could have a look to all integrations tests about x509 [1]. or look at demos sources code.
If you just want to make demos works, you should start from leshan-client-demo option :
================================[X509]==================================| By default Leshan demo use non secure connection. || To use X509, -ccert -cprik -scert options should be used together. || To get helps about files format and how to generate it, see : || See https://github.com/eclipse/leshan/wiki/Credential-files-format |-------------------------------------------------------------------------ccert <arg> The path to your client certificate file.The certificate Common Name (CN) should generaly be equal to the clientendpoint name (see -n option).The certificate should be in X509v3 format (DER encoding).-scert <arg> The path to your server certificate file.The certificate should be in X509v3 format (DER encoding).
So look at the recommanded page to create your certificate with a private key and you will have what you need for -cprik -ccert option. (warning : by default the certificate Common Name (CN) should be equal to the client)
For -scert you need to download it on security tab of server-demo. (see https://leshan.eclipseprojects.io/#/security)
Then you should configure the server to make it understand that your device will connect using x509. (By adding a new client security configuration with x509 certificate security mode)
By default DEMO server trust any certificate but in real world you need to sign device certificate with a certificate you will put in the server truststore.
HTH
Simon
[1] https://github.com/eclipse/leshan/blob/leshan-1.1.0/leshan-integration-tests/src/test/java/org/eclipse/leshan/integration/tests/SecurityTest.java#L566
Le 08/09/2020 à 16:20, Rahul Miryala a écrit :
Hi All,
I am trying to test X509 certificate based authentication using leshan client and server but I am really confused with steps to be followed to test it.
Can someone help in this? Is there any list of steps to be followed to test it correctly.
ThanksRahul
_______________________________________________ leshan-dev mailing list leshan-dev@xxxxxxxxxxx To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/leshan-dev