Hi folks,

On vacation so just a brief response: TLS deadlock is likely caused by a known issue being actively worked (see Jira https://jira.iotivity.org/browse/IOT-3059). Aleksey Volkov (cc'd, Security Maintainer) can hopefully provide more details (or correct me if this is a different issue).
Thanks,
Nathan

From: iotivity-dev@lists.iotivity.org [mailto:iotivity-dev@lists.iotivity.org] On Behalf Of Gregg Reynolds
Sent: Tuesday, August 21, 2018 12:20 PM
To: yitzc...@coapp.co.il
Cc: iotivity-dev <iotivity-dev@lists.iotivity.org>
Subject: Re: [dev] Major issues with connecting to cloud using TLS

Have you been following the work Ondrej has been doing? OCF Cloud is up in the air afaik. Pun intended.

On Tue, Aug 21, 2018, 3:50 AM <yitzc...@coapp.co.il> wrote:

I am currently trying to get a setup working with OCF devices connecting to the cloud using TLS. I found the following issues:

1. There is an easy to reproduce deadlock (reproducible via the airconditioner examples), since there is a lock on the ssl resource (g_sslContextMutex in ca_adapter_net_ssl.c) and on the tcp resource (g_mutexObjectList in catcpserver.c). When a message is sent (ssl is locked and then tcp) and another received (tcp is locked and then ssl) around the same time, there is a deadlock.

2. I tried breaking up the deadlock by naively unifying the locks. This causes a major slowdown, especially if the connections fail. The reason for this is that the ssl resource lock holds locks around connection related events which can take a long time. Usually threads should not be waiting for locks on network events!

3. I then tried to modify the way the ssl resource lock works, and to have it not lock around connection related events. It still didn't help, because it turns out that the ssl handshake is implemented in a seemingly strange way where it is created by jumping around between different parts of the code which happen to only work if the locks are implemented as they were.

Another issue that I found is when I run an OCF server more than once, the function "OCSaveTrustCertChain" used to register a certificate will just continue to add the certificate to the secure db, causing the file to grow, and worse, causing resource discovery on an OCF server to stop working.

My conclusion from this is that TLS connection with cloud is utterly broken. I would like to hear some input on this issue, hopefully proving me wrong. I can provide more details as needed.

View/Reply Online (#9885): https://lists.iotivity.org/g/iotivity-dev/message/9885
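The lock-order inversion described in point 1 of the quoted report, as an added example that is not IoTivity code: a small lockdep-style tracker records which mutex was held while another was taken and flags the inverted order when the send path (ssl then tcp) and the receive path (tcp then ssl) are replayed; the second replay shows that imposing one global acquisition order, rather than unifying the locks, keeps the tracker quiet. The lock ids and the replayed paths are constructed assumptions, not traces from the real code.

```c
#include <stdbool.h>

/* Constructed lock ids standing in for the two mutexes named in the report:
 * g_sslContextMutex (ca_adapter_net_ssl.c) and g_mutexObjectList (catcpserver.c). */
enum { LOCK_SSL = 0, LOCK_TCP = 1, NUM_LOCKS = 2 };
/* Locks currently held by one thread. */
typedef struct { int held[NUM_LOCKS]; int count; } held_set;

/* "acquired-before" graph: before[a][b] is set once some thread has been seen
 * taking b while already holding a. Edges in both directions form a cycle. */
static bool before[NUM_LOCKS][NUM_LOCKS];

static void reset_tracker(void) {
    for (int a = 0; a < NUM_LOCKS; a++)
        for (int b = 0; b < NUM_LOCKS; b++) before[a][b] = false;
}

/* Record that thread t takes 'lock'. Returns true if that reverses an order
 * already recorded from another path, i.e. the two paths can deadlock. */
static bool track_acquire(held_set *t, int lock) {
    bool inversion = false;
    for (int i = 0; i < t->count; i++) {
        int h = t->held[i];
        if (before[lock][h]) inversion = true; /* elsewhere 'lock' preceded 'h' */
        before[h][lock] = true;
    }
    t->held[t->count++] = lock;
    return inversion;
}
static void track_release(held_set *t, int lock) {
    for (int i = 0; i < t->count; i++)
        if (t->held[i] == lock) { t->held[i] = t->held[--t->count]; return; }
}

/* Replay one send path and one receive path with the given lock orders;
 * returns true if the tracker flagged an inversion along the way. */
static bool replay(int send_1st, int send_2nd, int recv_1st, int recv_2nd) {
    held_set sender = {{0}, 0}, receiver = {{0}, 0};
    bool flagged = false;
    reset_tracker();
    flagged |= track_acquire(&sender, send_1st);
    flagged |= track_acquire(&sender, send_2nd);
    track_release(&sender, send_2nd); track_release(&sender, send_1st);
    flagged |= track_acquire(&receiver, recv_1st);
    flagged |= track_acquire(&receiver, recv_2nd);
    return flagged;
}

/* The report: send takes SSL then TCP, receive takes TCP then SSL. */
bool replay_reported_paths(void) { return replay(LOCK_SSL, LOCK_TCP, LOCK_TCP, LOCK_SSL); }
/* Both paths fixed to one global order (TCP, then SSL): nothing flagged. */
bool replay_consistent_paths(void) { return replay(LOCK_TCP, LOCK_SSL, LOCK_TCP, LOCK_SSL); }
```

The same tracker can be fed a real acquisition trace (thread id, lock, acquire/release) to find inversions without having to hit the timing window the report relies on.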