
Re: [leshan-dev] Need information to test X509 certificate authentication client and server

"What is sent" should be the server certificate chain stored in the keystore, see https://github.com/eclipse/leshan/blob/leshan-1.1.0/leshan-server-demo/src/main/java/org/eclipse/leshan/server/demo/LeshanServerDemo.java#L403

"What is used to verify" is a custom CertificateVerifier which supports only "domain-issued certificate" usage: see https://github.com/eclipse/leshan/blob/leshan-1.1.0/leshan-client-cf/src/main/java/org/eclipse/leshan/client/californium/CaliforniumEndpointsManager.java#L130
(Looking at this code, I will change the error message to distinguish both error cases.)
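
To see offline whether "what is sent" and "what is used to verify" agree before running the handshake, here is an added Java check (example code written for this thread, not Leshan's own CertificateVerifier). It assumes the chain the demo server sends is the key entry stored under some alias in the JKS keystore given to the server, and that the client was started with -scert serverCertificate.der; the class name, its arguments and the comparison it performs (the presented end-entity certificate must be byte-equal to the trusted one, which is what "domain-issued certificate" usage, RFC 6698 usage 3 as adopted by LwM2M, requires) are the example's own.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/**
 * Hypothetical preflight (not part of Leshan): compare the chain the server will send,
 * read from its JKS keystore, with the certificate the client trusts via -scert.
 */
public class ServerCertPreflight {

    /** Load a single DER-encoded X.509 certificate, e.g. serverCertificate.der. */
    static X509Certificate loadDer(String path) throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Load the chain stored under a key-entry alias in a JKS keystore (assumed: what the server sends). */
    static X509Certificate[] loadChainFromKeystore(String ksPath, char[] ksPassword, String alias)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(ksPath))) {
            ks.load(in, ksPassword);
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null) {
            throw new IllegalArgumentException("no key entry with a certificate chain under alias " + alias);
        }
        X509Certificate[] x509 = new X509Certificate[chain.length];
        for (int i = 0; i < chain.length; i++) {
            x509[i] = (X509Certificate) chain[i];
        }
        return x509;
    }

    /**
     * "Domain-issued certificate" usage: the end-entity certificate the server presents must be
     * exactly the certificate the client was given; no chain building against a CA takes place,
     * so a CA-issued chain whose leaf differs from -scert does not match even if it is valid.
     */
    static boolean matchesDomainIssued(X509Certificate[] presented, X509Certificate trusted)
            throws GeneralSecurityException {
        return presented.length > 0
                && Arrays.equals(presented[0].getEncoded(), trusted.getEncoded());
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: ServerCertPreflight <keystore.jks> <password> <alias> <serverCertificate.der>");
            System.exit(2);
        }
        X509Certificate[] sent = loadChainFromKeystore(args[0], args[1].toCharArray(), args[2]);
        X509Certificate expected = loadDer(args[3]);

        System.out.println("server keystore chain (" + sent.length + " certificate(s)):");
        for (X509Certificate c : sent) {
            System.out.println("  " + c.getSubjectX500Principal() + "  issued by  " + c.getIssuerX500Principal());
        }
        System.out.println("client -scert subject: " + expected.getSubjectX500Principal());

        if (matchesDomainIssued(sent, expected)) {
            System.out.println("OK: the end-entity certificate the server sends is the -scert certificate");
        } else {
            System.out.println("MISMATCH: the client would be verifying against a certificate the server never presents");
            System.exit(1);
        }
    }
}
```

Run it as `javac ServerCertPreflight.java && java ServerCertPreflight keystore.jks <password> <alias> serverCertificate.der`, with the keystore, password and alias you passed to the demo server. A MISMATCH here is the kind of disagreement that only shows up on the client as "Certificate chain could not be validated", and the subject/issuer listing tells you which certificate would have to be handed to -scert instead.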

On 15/09/2020 at 15:17, Kraus Achim (IOC/PAP-HU) wrote:
Hi,

I'm not sure what exactly is sent and what is used to verify the server certificate.
Is it possible that you open a GitHub issue and attach a Wireshark log of that failing handshake?
And also the "serverCertificate.der" (maybe it's better you create new certificates for that test and the attachments).

(You may follow the "capture wiki page" of californium
github.com/eclipse/californium/wiki => IP-Capturing-How-To-Provide-The-Right-Information)

Kind regards / Best regards

Achim Kraus 

Bosch IoT Hub - Product Area IoT Platform (IOC/PAP-HU)
Bosch.IO GmbH | Stuttgarter Straße 130 | 71332 Waiblingen | GERMANY | www.bosch.io

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Dr. Aleksandar Mitrovic, Yvonne Reckling

From: leshan-dev-bounces@xxxxxxxxxxx <leshan-dev-bounces@xxxxxxxxxxx> On behalf of Rahul Miryala
Sent: Tuesday, 15 September 2020 11:01
To: Simon Bernard <contact@xxxxxxxxxxxxxxx>
Cc: leshan developer discussions <leshan-dev@xxxxxxxxxxx>
Subject: Re: [leshan-dev] Need information to test X509 certificate authentication client and server

Hi Simon,

I am trying to validate X.509 authentication using a Leshan client and the demo server with a Java keystore (I know it's about to be deprecated), but I am trying to understand how it works.

Steps I have followed:
• The demo server accepts a JKS file (for generating this I have used generateKeystore.sh, which is present in the integration tests) and I started the server with ksp kst ksa ksap
• The client doesn't have an option for accepting a key store, so I have used the credentials.sh wiki page, as I had generated previously
• I have started the client using the command:
java -jar leshan-client-demo-with-dependencies.jar -cprik cprik.der -ccert self_signed_cert.der -scert serverCertificate.der -u localhost:5684 -n urn:gsma:imei:459241719596716

But the handshake is failing.
Client log:
2020-09-15 14:07:46,323 WARN RegistrationEngine - Unable to send register request : Certificate chain could not be validated
2020-09-15 14:07:46,325 INFO RegistrationEngine - Try to register to coaps://localhost:5684 again in 600s...
2020-09-15 14:17:46,327 INFO RegistrationEngine - Trying to register to coaps://localhost:5684 ...
2020-09-15 14:18:46,097 WARN RegistrationEngine - Unable to send register request : handshake flight 3 failed!
2020-09-15 14:18:46,099 INFO RegistrationEngine - Try to register to coaps://localhost:5684 again in 600s...

Server log:
4:02:36.654 [DTLS-Connection-Handler-20] DEBUG org.eclipse.californium.scandium.dtls.DTLSSession - Updated receive window with sequence number [1]: new upper boundary [1], new bit vector [10]
14:02:36.655 [DTLS-Connection-Handler-20] DEBUG org.eclipse.californium.scandium.DTLSConnector - Processing CLIENT_HELLO from peer [/https://eur03.safelinks.protection.outlook.com/?url="">]
14:02:36.655 [DTLS-Connection-Handler-20] DEBUG org.eclipse.californium.scandium.DTLSConnector - Discarding duplicate CLIENT_HELLO message [epoch=0] from peer [/https://eur03.safelinks.protection.outlook.com/?url="">]!
14:02:36.656 [DTLS-Connection-Handler-20] DEBUG org.eclipse.californium.scandium.DTLSConnector - Processing CLIENT_HELLO from peer [/https://eur03.safelinks.protection.outlook.com/?url="">]
14:02:36.656 [DTLS-Connection-Handler-20] DEBUG org.eclipse.californium.scandium.DTLSConnector - Discarding duplicate CLIENT_HELLO message [epoch=0] from peer [/https://eur03.safelinks.protection.outlook.com/?url="">]!
14:02:36.656 [DTLS-Connection-Handler-20] DEBUG org.eclipse.californium.scandium.DTLSConnector - Processing CLIENT_HELLO from peer [/https://eur03.safelinks.protection.outlook.com/?url="">]
14:02:36.656 [DTLS-Connection-Handler-20] DEBUG org.eclipse.californium.scandium.DTLSConnector - Discarding duplicate CLIENT_HELLO message [epoch=0] from peer [/https://eur03.safelinks.protection.outlook.com/?url="">]!
14:02:36.657 [DTLS-Connection-Handler-20] DEBUG org.eclipse.californium.scandium.DTLSConnector - Processing CLIENT_HELLO from peer [/https://eur03.safelinks.protection.outlook.com/?url="">]
14:02:36.657 [DTLS-Connection-Handler-20] DEBUG org.eclipse.californium.scandium.DTLSConnector - Discarding duplicate CLIENT_HELLO message [epoch=0] from peer [/https://eur03.safelinks.protection.outlook.com/?url="">]!
14:02:36.660 [DTLS-Receiver-0-0.0.0.0/https://eur03.safelinks.protection.outlook.com/?url="">] DEBUG org.eclipse.californium.scandium.DTLSConnector - Received 1 DTLS records from /https://eur03.safelinks.protection.outlook.com/?url=""> using a 16490 byte datagram buffer
14:02:36.733 [DTLS-Connection-Handler-5] DEBUG org.eclipse.californium.scandium.dtls.InMemoryConnectionStore - connection: remove dtls-con: CID=D90D63, /https://eur03.safelinks.protection.outlook.com/?url="">, ongoing handshake BC9FB047D661 (size 0)
14:02:36.733 [DTLS-Connection-Handler-5] DEBUG org.eclipse.californium.scandium.dtls.ServerHandshaker - handshake failed dtls-con: CID=D90D63
org.eclipse.californium.scandium.dtls.HandshakeException: Received 'fatal alert'
at org.eclipse.californium.scandium.DTLSConnector.processAlertRecord(DTLSConnector.java:1436)
at org.eclipse.californium.scandium.DTLSConnector.processRecord(DTLSConnector.java:1223)
at org.eclipse.californium.scandium.DTLSConnector$11.run(DTLSConnector.java:1126)
at org.eclipse.californium.elements.util.SerialExecutor$1.run(SerialExecutor.java:276)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)


I could not understand what went wrong here. Can you help me in validating this properly using the JKS?

Thanks
Rahul


On Mon, Sep 14, 2020 at 10:35 AM Rahul Miryala <miryala.rahul@xxxxxxxxx> wrote:
Hi Simon,

It worked like a champ. Thanks so much for your help!!

Thanks
Rahul

On Fri, Sep 11, 2020 at 9:17 PM Simon Bernard <contact@xxxxxxxxxxxxxxx> wrote:
Hi,
  This is because on the server side you should explain that the device urn:gsma:imei:459241719596716 will connect to the server using x509.
  In the security tab, add a new client security configuration with x509 certificate security mode (as I explained in my first mail).

And another problem I am facing is with the leshan-1.0.0-M13 version. When I run the demo client I don't see any DTLS handshake messages. Please have a look at the following logs.
Those logs were added later. Why do you want to use an old version of Leshan? I really don't advise you to do that.

Simon
On 11/09/2020 at 16:30, Rahul Miryala wrote:
Hi Simon, 

Thank you so much for your timely reply. I was already using the endpoint name as CN. However, you have correctly pointed out the port 5684, and thanks for it.
But now when I try to run the client I see the DTLS handshake is successful but the registration is shown as FORBIDDEN. Please help.

2020-09-11 19:47:38,471 INFO LeshanClient - Leshan client[endpoint:urn:gsma:imei:459241719596716] started.
2020-09-11 19:47:38,472 INFO DefaultRegistrationEngine - Trying to register to coaps://localhost:5684 ...
2020-09-11 19:47:38,568 INFO LeshanClientDemo - DTLS Full Handshake initiated by client : STARTED ...
2020-09-11 19:47:38,784 INFO LeshanClientDemo - DTLS Full Handshake initiated by client : SUCCEED
2020-09-11 19:47:38,839 INFO DefaultRegistrationEngine - Registration failed: FORBIDDEN .
2020-09-11 19:47:38,842 INFO DefaultRegistrationEngine - Try to register to coaps://localhost:5684 again in 600s...
2020-09-11 19:47:52,596 INFO LeshanClient - Destroying Leshan client ...
2020-09-11 19:47:52,604 INFO LeshanClient - Leshan client destroyed.

And another problem I am facing is with the leshan-1.0.0-M13 version. When I run the demo client I don't see any DTLS handshake messages. Please have a look at the following logs.
java -jar leshan-client-demo-1.0.0-M13-jar-with-dependencies.jar -cprik cprik.der -ccert self_signed_cert.der -scert serverCertificate.der -u localhost:5684 -n urn:gsma:imei:459241719596716
.......
.......
2020-09-11 19:55:29,970 INFO LeshanClientDemo - Press 'w','a','s','d' to change reported Location (-19.0,-27.0).
2020-09-11 19:55:29,970 INFO LeshanClient - Starting Leshan client ...
2020-09-11 19:55:33,905 INFO CaliforniumEndpointsManager - New endpoint created for server coaps://localhost:5684 at coaps://https://eur03.safelinks.protection.outlook.com/?url="">
2020-09-11 19:55:33,907 INFO LeshanClient - Leshan client[endpoint:urn:gsma:imei:459241719596716] started.
2020-09-11 19:55:33,908 INFO RegistrationEngine - Trying to register to coaps://localhost:5684 ...
2020-09-11 19:55:34,208 ERROR RegistrationEngine - Registration failed: FORBIDDEN .
2020-09-11 19:55:34,210 INFO RegistrationEngine - Try to register to coaps://localhost:5684 again in

Can you please help me in resolving this?

Thanks
Rahul

On Fri, Sep 11, 2020 at 6:25 PM Simon Bernard <contact@xxxxxxxxxxxxxxx> wrote:
Hi,
   I see at least one issue: you are using port 5683 (-u localhost:5683). The correct port for DTLS is 5684, but if you are using the standard port you can omit it; leshan-client-demo will take the right one for you.
   I just tested it on my own and it works for me.

   When you create the certificate for the client, last step:
openssl req -x509 -new -key keys.pem -sha256 -days 36500 -outform DER -out self_signed_cert.der
   You should get this kind of question:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: urn:gsma:imei:459241719596716
Email Address []:
For the common name, did you set your device endpoint name? As said in:


 -ccert <arg>   The path to your client certificate file.
                The certificate Common Name (CN) should generaly be equal to the client
                endpoint name (see -n option).
By the way, do not forget to do reply-all to send your answer to the mailing list.

HTH

Simon
On 11/09/2020 at 12:15, Rahul Miryala wrote:
Hi Simon, 
I have tried as per your suggestion, but the client is not getting connected to the server because of a CoAP version assertion failure.

Steps I have followed:
1. Downloaded the latest jar files for client and server
2. Created the client certificate with the following steps (-ccert, -scert and -cprik) using (https://eur03.safelinks.protection.outlook.com/?url="">)

openssl ecparam -out keys.pem -name prime256v1 -genkey 
openssl pkcs8 -topk8 -inform PEM -outform DER -in keys.pem -out cprik.der -nocrypt
openssl req -x509 -new -key keys.pem -sha256 -days 36500 -outform DER -out self_signed_cert.der
After running the above commands I could see three files (cprik.der, self_signed_cert.der, keys.pem).
As I understand, -ccert is self_signed_cert.der and -cprik is cprik.der,

and -scert was downloaded from https://eur03.safelinks.protection.outlook.com/?url=""> and named serverCertificate.
3. Ran the client like this: java -jar leshan-client-demo.jar -cprik cprik.der -scert serverCertificate.der -ccert self_signed_cert.der -u localhost:5683 -n urn:gsma:imei:459241719596716
Finally,
I see this in the server log:
15:26:38.264 [CoapServer(main)#4] DEBUG org.eclipse.californium.core.network.CoapEndpoint - [LWM2M Server-coap://] discarding malformed message from [UDP(127.0.0.1:62506)]: Message has invalid version: 0
15:26:51.288 [UDP-Receiver-0.0.0.0/0.0.0.0:5683[0]] DEBUG org.eclipse.californium.elements.UDPConnector - UDPConnector (https://eur03.safelinks.protection.outlook.com/?url="">) received 105 bytes from /https://eur03.safelinks.protection.outlook.com/?url="">
15:26:51.290 [CoapServer(main)#2] DEBUG org.eclipse.californium.core.network.CoapEndpoint - [LWM2M Server-coap://] discarding malformed message from [UDP(127.0.0.1:62506)]: Messa

In the client log:
2020-09-11 15:43:28,602 INFO LeshanClientDemo - DTLS Full Handshake initiated by client : FAILED (Handshake flight 1 failed! Stopped by timeout after 4 retransmissions!)
2020-09-11 15:43:28,604 INFO DefaultRegistrationEngine - Registration failed: Timeout.

Can you please confirm whether I am doing it correctly or not, and help me in doing it correctly?


Thanks
Rahul

On Tue, Sep 8, 2020 at 8:45 PM Simon Bernard <contact@xxxxxxxxxxxxxxx> wrote:
Hi,

   AFAIK, there is no list like this.
   But if you want to write code, you could have a look at all the integration tests about x509 [1], or look at the demos' source code.

   If you just want to make the demos work, you should start from the leshan-client-demo options:
                 ================================[X509]==================================
                | By default Leshan demo use non secure connection.                    |
                | To use X509, -ccert -cprik -scert options should be used together.   |
                | To get helps about files format and how to generate it, see :        |
                | See https://eur03.safelinks.protection.outlook.com/?url="">   |
                ------------------------------------------------------------------------
 -ccert <arg>   The path to your client certificate file.
                The certificate Common Name (CN) should generaly be equal to the client
                endpoint name (see -n option).
                The certificate should be in X509v3 format (DER encoding).
 -scert <arg>   The path to your server certificate file.
                The certificate should be in X509v3 format (DER encoding).

So look at the recommended page to create your certificate with a private key and you will have what you need for the -cprik and -ccert options. (Warning: by default the certificate Common Name (CN) should be equal to the client)

For -scert you need to download it from the security tab of server-demo. (see https://eur03.safelinks.protection.outlook.com/?url="">)

Then you should configure the server to make it understand that your device will connect using x509 (by adding a new client security configuration with x509 certificate security mode).
By default the DEMO server trusts any certificate, but in the real world you need to sign the device certificate with a certificate you will put in the server truststore.

HTH
Simon
[1] https://eur03.safelinks.protection.outlook.com/?url="">
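
The two expectations Simon describes for the device certificate, a CN equal to the endpoint name and, outside the demo, a certificate signed by something in the server truststore, as an added Java preflight (example code written for this thread, not from the Leshan project). The class, its arguments, the JKS truststore handling and the single-certificate PKIX validation are assumptions of the example; the CN/endpoint rule and the truststore remark come from the message above.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Hypothetical preflight for the client certificate passed with -ccert; not part of Leshan. */
public class ClientCertPreflight {

    /** Load one DER-encoded X.509 certificate, e.g. self_signed_cert.der from the openssl steps. */
    static X509Certificate loadDer(String path) throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Return the CN attribute of the subject DN, or null when the subject carries no CN. */
    static String commonName(X509Certificate cert) throws InvalidNameException {
        // getName() yields the RFC 2253 form, which LdapName splits into RDNs for us.
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    /** The -ccert CN is expected to equal the -n endpoint name (see the option help above). */
    static boolean cnMatchesEndpoint(X509Certificate cert, String endpointName) throws InvalidNameException {
        return endpointName.equals(commonName(cert));
    }

    /**
     * Real-world rule from the message: the device certificate must chain to a certificate in the
     * server truststore. A self-signed device certificate passes only if that very certificate is
     * itself a truststore entry. Revocation checking is disabled because this is an offline check.
     */
    static boolean chainsToTruststore(X509Certificate deviceCert, KeyStore truststore)
            throws GeneralSecurityException {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(truststore.aliases())) {
            if (truststore.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor((X509Certificate) truststore.getCertificate(alias), null));
            }
        }
        if (anchors.isEmpty()) {
            return false; // nothing to trust; PKIXParameters would reject an empty anchor set anyway
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.singletonList(deviceCert));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2 && args.length != 4) {
            System.err.println("usage: ClientCertPreflight <client_cert.der> <endpoint-name> [truststore.jks <password>]");
            System.exit(2);
        }
        X509Certificate device = loadDer(args[0]);
        System.out.println("subject CN       : " + commonName(device));
        System.out.println("endpoint name (-n): " + args[1]);
        boolean ok = cnMatchesEndpoint(device, args[1]);
        System.out.println(ok ? "OK: CN equals the endpoint name" : "MISMATCH: CN differs from the -n endpoint name");

        if (args.length == 4) { // optional: the production truststore check
            KeyStore ts = KeyStore.getInstance("JKS");
            try (InputStream in = Files.newInputStream(Paths.get(args[2]))) {
                ts.load(in, args[3].toCharArray());
            }
            boolean trusted = chainsToTruststore(device, ts);
            System.out.println(trusted ? "OK: certificate chains to a truststore entry"
                                       : "REJECTED: no truststore entry issued this certificate");
            ok &= trusted;
        }
        System.exit(ok ? 0 : 1);
    }
}
```

With only the first two arguments it reproduces the demo situation (any certificate accepted, CN checked against -n); adding a truststore and its password shows what a self-signed device certificate runs into once the server no longer trusts everything: it is REJECTED unless either it is imported into the truststore itself or it is re-issued by a CA whose certificate is.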
  
On 08/09/2020 at 16:20, Rahul Miryala wrote:
Hi All, 

I am trying to test X509 certificate based authentication using the Leshan client and server, but I am really confused about the steps to be followed to test it.

Can someone help with this? Is there any list of steps to be followed to test it correctly?


Thanks
Rahul

_______________________________________________
leshan-dev mailing list
leshan-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/leshan-dev
