Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Eclipse Titan » Certificate issues while accepting incoming connection(TITAN OpenSSL Abstract_Socket)
Certificate issues while accepting incoming connection [message #1844757] Fri, 24 September 2021 07:07 Go to next message
Yann Garcia is currently offline Yann GarciaFriend
Messages: 145
Registered: June 2016
Senior Member
Good morning,

I have a TTCN-3 port used for incoming notification messages over TCP/TLS.
The mapping of this port is working fine.
Unfortunately, while accepting an incoming connection, I have this error message:
Dynamic test case error: Abstract socket: ssl_certificate_chain_file is not defined in the configuration file


I created my own bundle of certificates, with a self signed root certificate, and I got the following error during TLS negotiations:
MTC@FSCOM-DEV: Abstract socket: Accept SSL connection request
MTC@FSCOM-DEV: Abstract socket: SSL operation result:
MTC@FSCOM-DEV: Abstract socket: SSL_ERROR_SSL
MTC@FSCOM-DEV: Abstract socket: SSL error queue content:
MTC@FSCOM-DEV: Abstract socket:   Library:  SSL routines
MTC@FSCOM-DEV: Abstract socket:   Function: tls_post_process_client_hello
MTC@FSCOM-DEV: Abstract socket:   Reason:   no shared cipher
MTC@FSCOM-DEV: Abstract socket: warning: Connection from client 8 is refused
MTC@FSCOM-DEV: Abstract socket: leaving SSL_Socket::add_user_data()

Note that I provided root certificate, a certificate signed by my root certificate and my certificate private key using Abstract socket methods:
    parameter_set(ssl_trustedCAlist_file_name(), "../certificates/out/certs/CA_dsa.cert.pem"); 
    parameter_set(ssl_private_key_file_name(), "../certificates/out/privates/e5e11abad8003766e4a7b721afb175a189b5f4cc7046af9b0d8eaebb86f28c40_server_dsa.key.pem");
    parameter_set(ssl_certificate_file_name(), "../certificates/out/certs/e5e11abad8003766e4a7b721afb175a189b5f4cc7046af9b0d8eaebb86f28c40_server_dsa.cert.pem");
 


I have no idea how to fix it. Please can you provide my some hints?

Many thanks in advance,

BR\ Yann
Re: Certificate issues while accepting incoming connection [message #1844758 is a reply to message #1844757] Fri, 24 September 2021 07:47 Go to previous messageGo to next message
Gábor Szalai is currently offline Gábor SzalaiFriend
Messages: 134
Registered: December 2015
Senior Member
Are you using own test port code on the top of AbstractSocket?

Which version of the OpenSSL do you use?

The "Reason: no shared cipher" means that the two side can't agree on ciphers.
Maybe the remote side uses only DH ciphers and the OpenSSL doesn't load them automatically. The AbstractSocket is not prepared to load them.
Re: Certificate issues while accepting incoming connection [message #1844759 is a reply to message #1844758] Fri, 24 September 2021 07:48 Go to previous messageGo to next message
Gábor Szalai is currently offline Gábor SzalaiFriend
Messages: 134
Registered: December 2015
Senior Member
I'll create a new revision of it to enable the DH ciphers.
Re: Certificate issues while accepting incoming connection [message #1844762 is a reply to message #1844759] Fri, 24 September 2021 08:02 Go to previous messageGo to next message
Yann Garcia is currently offline Yann GarciaFriend
Messages: 145
Registered: June 2016
Senior Member
Hello Gábor,

I'm using this version of OpenSSL:
OpenSSL 1.1.1  11 Sep 2018 (Library: OpenSSL 1.1.1g  21 Apr 2020)


I also created a tcp_layer class when derive from SSL_Socket:
class tcp_layer : public layer, public SSL_Socket, public PORT


Thanks a lot,

NR\Yann
Re: Certificate issues while accepting incoming connection [message #1844818 is a reply to message #1844757] Mon, 27 September 2021 07:25 Go to previous messageGo to next message
Olaf Bergengruen is currently offline Olaf BergengruenFriend
Messages: 127
Registered: November 2018
Senior Member
Hi Yann,

In our MCPTT test system we use many TLS connections using the abstract-socket infrastructure, and it works fine.

Attached the simple test system I used to experiment.
The idea is to run a server "testcase" in one machine, the client "test case" runs in another machine or on a mobile phone.

May be the test system is useful to you.
I am interested on your results and whether you can tune the configurations to select the TLS versions, ciphers and authentication modes which you want to use.

Regards,
Olaf
Re: Certificate issues while accepting incoming connection [message #1844827 is a reply to message #1844818] Mon, 27 September 2021 11:15 Go to previous messageGo to next message
Yann Garcia is currently offline Yann GarciaFriend
Messages: 145
Registered: June 2016
Senior Member
Hello Olaf,

Thanks a lot, I'm going to investigate it.

BR\Yann
Re: Certificate issues while accepting incoming connection [message #1844850 is a reply to message #1844827] Tue, 28 September 2021 06:06 Go to previous messageGo to next message
Yann Garcia is currently offline Yann GarciaFriend
Messages: 145
Registered: June 2016
Senior Member
Hello Olaf,

The main difference is that I use the ssl_verify_certificates("yes") to force the certificate verification.
I agree, everything works fine for me if I don't use the ssl_verify_certificates("no") which is the default behavior of SSL_socket.

Thanks a lot for your help,

BR\Yann
Re: Certificate issues while accepting incoming connection [message #1844881 is a reply to message #1844850] Tue, 28 September 2021 15:26 Go to previous message
Olaf Bergengruen is currently offline Olaf BergengruenFriend
Messages: 127
Registered: November 2018
Senior Member
Right, Yann, the verification was not done.

I updated in the Client cfg (TLSTest_C.cfg) as follows:
*.tlsPort.mode := "advanced"
*.tlsPort.ssl_use_ssl := "yes"
*.tlsPort.server_mode := "no" 
*.tlsPort.ssl_trustedCAlist_file := "/home/olaf/TLSTest/rootCA.crt"
*.tlsPort.ssl_verify_certificate := "yes"
*.tlsPort.use_connection_ASPs := "yes"


This works, i.e. the Client verifies the Server certificate using rootCA.crt as the CA.
The tricky part is the keys and certificate generation for testing. I followed the instructions as written in Certification-Info.txt in the project I sent before. There are probably many other ways to generate keys and certificates.

Refards,
Olaf
Previous Topic:[SOLVED] Build Titan with FUNCTION_TEST_RUNTIME := yes
Next Topic:Titan Java IPL4 example project
Goto Forum:
  


Current Time: Tue Oct 15 16:25:05 GMT 2024

Powered by FUDForum. Page generated in 0.07892 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top