
DTLS Client Certificate Chain not sent #897

Closed
schirrmacher opened this issue Sep 29, 2020 · 6 comments
Labels
question Any question about leshan

Comments

schirrmacher commented Sep 29, 2020

Currently we are implementing client/server DTLS communication with Leshan for an IoT project. Unfortunately, the handshake fails because the Leshan client just sends a single certificate to the Leshan Server (recorded with Wireshark) instead of the whole chain (Root CA -> Intermediate CA -> Client Cert):

13:44:43.387 [DTLS-Retransmit-Task-1] DEBUG org.eclipse.californium.scandium.dtls.CertificateMessage - created CERTIFICATE message with certificate chain [length: 1]

The server's certificate message contains the expected chain, so there is no problem with the LeshanServerBuilder.

We definitely set the chain in the DTLS client config:

import org.eclipse.californium.scandium.config.DtlsConnectorConfig
import org.eclipse.leshan.client.californium.LeshanClient
import org.eclipse.leshan.client.californium.LeshanClientBuilder
import java.security.PrivateKey
import java.security.cert.Certificate

class Lwm2mClient(
    clientPrivateKey: PrivateKey,
    clientCert: Certificate,
    intermediateCAcert: Certificate,
    rootCAcert: Certificate
) {
    private val builder: LeshanClientBuilder = LeshanClientBuilder("1122334455667788990")
    val leshanClient: LeshanClient

    init {
        // ...

        // Identity for the DTLS handshake: private key plus the full chain, leaf first
        val dtlsConfig = DtlsConnectorConfig.Builder()
        dtlsConfig.setIdentity(
            clientPrivateKey,
            arrayOf(
                clientCert,
                intermediateCAcert,
                rootCAcert
            )
        )
        builder.setDtlsConfig(dtlsConfig)

        // ...
        leshanClient = builder.build()
        leshanClient.start()
    }
}

In the createEndpoint(ServerInfo serverInfo) method of CaliforniumEndpointsManager I noticed the following:

newBuilder.setIdentity(serverInfo.privateKey, new Certificate[] { serverInfo.clientCertificate }); is called.
This call overwrites the chain of certificates. So a single certificate (the client certificate) is written to the DTLS config, instead of the whole certificate chain. After that createSecuredEndpoint is called with an invalid certificate chain based on the DTLS config builder, called newBuilder.

Is this a bug or should I check other parameters of my LeshanClient?
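The DEBUG line quoted above reports the chain length Californium put into the Certificate message; the same number can be read directly off a capture. The following parser is an added example written for this thread, not code from Leshan, Californium or the issue author. It assumes only the DTLS 1.2 handshake header layout (RFC 6347) and the Certificate body layout (RFC 5246), and the certificate bytes it feeds in are constructed stand-ins, not real DER certificates. It counts the entries in the chain, checks the length fields are consistent, and refuses fragmented messages so a partial fragment is never mistaken for a short chain.

```python
"""Count the certificates carried by a DTLS 1.2 Certificate handshake message.

Added example, not part of the Leshan issue or project. Assumes the
RFC 6347 handshake header and RFC 5246 Certificate body layouts; the
sample certificate bytes below are constructed placeholders.
"""
import struct
from typing import Dict, List

HANDSHAKE_CERTIFICATE = 11  # HandshakeType.certificate
HEADER_LEN = 12             # type(1) length(3) message_seq(2) frag_offset(3) frag_length(3)


def _u24(b: bytes) -> int:
    return int.from_bytes(b, "big")


def parse_dtls_handshake_header(msg: bytes) -> Dict[str, int]:
    """Split the 12-byte DTLS handshake header into its fields."""
    if len(msg) < HEADER_LEN:
        raise ValueError("handshake header truncated")
    return {
        "msg_type": msg[0],
        "length": _u24(msg[1:4]),
        "message_seq": struct.unpack("!H", msg[4:6])[0],
        "frag_offset": _u24(msg[6:9]),
        "frag_length": _u24(msg[9:12]),
    }


def parse_certificate_body(body: bytes) -> List[bytes]:
    """Certificate body: certificates_length(3) then repeated {cert_length(3) cert}."""
    if len(body) < 3:
        raise ValueError("certificate body truncated")
    total = _u24(body[:3])
    if total != len(body) - 3:
        raise ValueError(f"certificate list length {total} != body length {len(body) - 3}")
    certs, pos, end = [], 3, 3 + total
    while pos < end:
        if pos + 3 > end:
            raise ValueError("certificate entry length field truncated")
        n = _u24(body[pos:pos + 3])
        pos += 3
        if pos + n > end:
            raise ValueError("certificate entry runs past the list")
        certs.append(body[pos:pos + n])
        pos += n
    return certs


def certificate_chain_length(msg: bytes) -> int:
    """Number of certificates in an unfragmented DTLS Certificate message."""
    hdr = parse_dtls_handshake_header(msg)
    if hdr["msg_type"] != HANDSHAKE_CERTIFICATE:
        raise ValueError(f"not a Certificate message (type {hdr['msg_type']})")
    # A fragment would under-count the chain: insist on a whole message.
    if hdr["frag_offset"] != 0 or hdr["frag_length"] != hdr["length"]:
        raise ValueError("fragmented Certificate message: reassemble fragments first")
    body = msg[HEADER_LEN:HEADER_LEN + hdr["frag_length"]]
    if len(body) != hdr["frag_length"]:
        raise ValueError("message body shorter than fragment_length")
    return len(parse_certificate_body(body))


def check_chain(msg: bytes, expected: int) -> bool:
    """True when the message carries exactly the expected number of certificates."""
    return certificate_chain_length(msg) == expected


def build_certificate_message(certs: List[bytes], message_seq: int = 0) -> bytes:
    """Encode an unfragmented DTLS Certificate message (used to build the samples)."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(entries).to_bytes(3, "big") + entries
    return (bytes([HANDSHAKE_CERTIFICATE]) + len(body).to_bytes(3, "big")
            + struct.pack("!H", message_seq) + (0).to_bytes(3, "big")
            + len(body).to_bytes(3, "big") + body)


# Constructed stand-ins for DER certificates (not real certificates).
CLIENT_CERT = b"\x30\x82" + b"C" * 40
INTERMEDIATE_CA = b"\x30\x82" + b"I" * 40
ROOT_CA = b"\x30\x82" + b"R" * 40

# What the issue reports seeing on the wire: only the leaf certificate.
TRUNCATED = build_certificate_message([CLIENT_CERT])
# What the client was configured to send: leaf, intermediate, root.
FULL_CHAIN = build_certificate_message([CLIENT_CERT, INTERMEDIATE_CA, ROOT_CA])

if __name__ == "__main__":
    print("chain length (as reported):", certificate_chain_length(TRUNCATED))    # 1
    print("chain length (as configured):", certificate_chain_length(FULL_CHAIN))  # 3
```

To apply this to a real capture, export the handshake-layer bytes of the client's Certificate record from Wireshark and pass them to certificate_chain_length; a result of 1 where 3 was configured reproduces the symptom in the DEBUG line above, while a ValueError about fragmentation means the message spans several records and must be reassembled before counting.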

@sbernard31 (Contributor)

@schirrmacher, I was thinking about this; any reason why you closed it?

@sbernard31 (Contributor)

@schirrmacher you raised a well-known issue, I will try to get an answer from OMA: OpenMobileAlliance/OMA_LwM2M_for_Developers#502

@schirrmacher schirrmacher reopened this Sep 30, 2020

schirrmacher commented Sep 30, 2020

Sorry for closing the issue, I wanted to get a deeper understanding of the problem before discussing further. Thanks for raising the issue. It seems that the specification is missing the details. Luckily the server is sending the whole chain:
[Screenshot 2020-09-30 at 08 33 34, image not reproduced]

@sbernard31 (Contributor)

Only the client certificate chain is not clear in LWM2M specification.
For server, I don't see any issue. 🙂

@sbernard31 sbernard31 added the question Any question about leshan label Sep 30, 2020
dachaac (Contributor) commented Oct 5, 2020

I have changes for client to send chain (PR #896) but storage seems to be something that is not optimal.

@sbernard31 (Contributor)

Following OpenMobileAlliance/OMA_LwM2M_for_Developers#502 (comment), the LwM2M specification clarifies that the client certificate chain is limited to only 1 certificate.
At least this is my understanding. 😕

I close this issue, but it could be related in a way to #1135.
