Hi,

I am trying to get certificate-based credential management to work between
a provisioned server and a client. So, I worked a bit more with the
provisionclient and sampleserver_mfg. I created new certificates via the
crtgenerator application. I configured the json files with the new
certificates and private keys for both applications. The provisioning
worked. This is the good news, proving that these certificates and json
files do work.

The bad news is that if I want to apply the certificate-based
authentication/credential in other examples not including provisioning, it
does not work. I use the sample client and server in the examples/OCFSecure
folder. The client and server initialise properly and read the
cred/certificates correctly. However, when the client attempts to issue a
GET request over coaps, it fails.

Obviously there is something that needs to be invoked to associate the
client and server so that they use the certificates to calculate the shared
symmetric encryption key. This seems to occur when the provisioningclient
starts to access the /doxm resource in sampleserver_mfg. I could see
that in the log, but I cannot figure out how to make the OCFSecure
client/server start the certificate exchange process.

Here is the log. It complains *No ciphersuites configured* (see below)
although they are about to start the DTLS handshake (InitiateTlsHandshake is being
invoked). So, what procedure should be invoked to create a cipher between
the two endpoints using the certificates before reaching the point where they
exchange coaps payloads? Thanks for any pointers.

48:53.275 INFO: OIC_CA_MSG_HANDLE: CASendUnicastData type : 1
48:53.275 DEBUG: OIC_CA_INF_CTR: unicast message to adapter
48:53.275 DEBUG: OIC_UQUEUE: Queue Count : 1
48:53.275 INFO: OIC_CA_PRTCL_MSG: adapter value of CoAP/TCP is 1
48:53.275 DEBUG: OIC_CA_RETRANS: sent pdu, msgtype=1, msgid=60490
48:53.275 DEBUG: OIC_CA_RETRANS: not supported message type
48:53.275 DEBUG: OIC_CA_MSG_HANDLE: CADestroyData IN
48:53.275 DEBUG: OIC_CA_MSG_HANDLE: CADestroyData OUT
48:53.275 DEBUG: OIC_CA_QING: wait..
48:53.275 DEBUG: OIC_CA_QING: wake up..
48:53.275 DEBUG: OIC_CA_IP_ADAP: DTLS encrypt called
48:53.275 DEBUG: OIC_CA_NET_SSL: In CAencryptSsl
48:53.275 DEBUG: OIC_CA_NET_SSL: Port 39115
48:53.275 DEBUG: OIC_CA_NET_SSL: Data to be encrypted dataLen [30]
48:53.275 DEBUG: OIC_CA_NET_SSL: In GetSslPeer
48:53.275 DEBUG: OIC_CA_NET_SSL: Return NULL
48:53.275 DEBUG: OIC_CA_NET_SSL: Out GetSslPeer
48:53.279 DEBUG: OIC_CA_NET_SSL: In InitiateTlsHandshake
48:53.279 DEBUG: OIC_CA_NET_SSL: In NewSslEndPoint
48:53.279 DEBUG: MBED_TLS: set_timer to 0 ms
48:53.279 DEBUG: OIC_CA_NET_SSL: New [client role] endpoint added [10.0.0.2:39115]
48:53.279 DEBUG: OIC_CA_NET_SSL: Out NewSslEndPoint
48:53.279 DEBUG: OIC_CA_NET_SSL: In SetupCipher
48:53.279 DEBUG: OIC_SRM_PKIX_INTERFACE: In InitCipherSuiteList
48:53.279 DEBUG: OIC_SRM_CREDL: In InitCipherSuiteListInternal
48:53.279 DEBUG: OIC_SRM_CREDL: Out InitCipherSuiteListInternal
48:53.279 DEBUG: OIC_SRM_PKIX_INTERFACE: Out InitCipherSuiteList
48:53.279 DEBUG: OIC_CA_NET_SSL: Supported ciphersuites:
*48:53.279 ERROR: OIC_CA_NET_SSL: No ciphersuites configured, secure connections will fail*
48:53.279 DEBUG: OIC_CA_NET_SSL: Out SetupCipher
48:53.279 ERROR: OIC_CA_NET_SSL: Failed to set up cipher
48:53.279 DEBUG: OIC_CA_NET_SSL: In DeleteSslEndPoint

On Tue, Nov 27, 2018 at 9:16 AM Khaled Elsayed <khaledi...@gmail.com> wrote:

> Thanks Mats for the pointer. Very handy tool.  Nicely done Rami.
>
> Khaled
>
>
>
> On Mon, Nov 26, 2018 at 5:21 PM Mats Wichmann <m...@wichmann.us> wrote:
>
>> On 11/26/18 7:53 AM, Khaled Elsayed wrote:
>> > Hi Nathan
>> >
>> > Just wanted to confirm that json2cbor from iotivity-2.0.0 and latest
>> master
>> > both fail when an ACE contains a roletype entry.
>> >
>> > For the provisioning client example, is there any way to inspect the .dat
>> > files that are modified after the provisioning is performed? Something
>> like
>> > a cbor2json if there is such a tool.
>> >
>> > Thanks
>> >
>> > Khaled
>>
>> https://github.com/alshafi/iotivity-tool
>>
>> should be able to do this - it converts in both directions.

View/Reply Online (#10044): 
https://lists.iotivity.org/g/iotivity-dev/message/10044
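What the log above shows is that the suite list is assembled inside SetupCipher by InitCipherSuiteListInternal in the credential layer (OIC_SRM_CREDL) before any handshake message goes out: "Supported ciphersuites:" is followed by nothing, and the endpoint is torn down straight after. The script below is an added illustration, not code from the post or from IoTivity, of a model of that derivation: which suites a device can offer is decided by which entries are present in the "cred" block of its oic_svr_db json. The credtype, credusage and suite names are the OCF Security Specification values as I recall them; the exact mapping (in particular that ECDSA suites need both an own identity certificate and a trust anchor) is an assumption to check against credresource.c and ca_adapter_net_ssl.c in the tree in use. The UUIDs and key material in the sample stores are constructed placeholders.

```python
"""Added illustration (not IoTivity source): a model of how an OCF device
derives the (D)TLS ciphersuites it can offer from the entries loaded into
its /cred resource.  An empty result is the "No ciphersuites configured"
condition seen in the log.  Field names follow the oic_svr_db_*.json layout
that json2cbor consumes; the suite-to-credential mapping is my reading of
the OCF Security Specification (an assumption to verify against the code)."""
import json

# /cred "credtype" bitmask values (OCF Security Specification).
CRED_SYMMETRIC_PAIR_WISE_KEY = 1
CRED_ASYMMETRIC_SIGNING_KEY = 4
CRED_ASYMMETRIC_SIGNING_KEY_WITH_CERT = 8
CERT_TYPES = CRED_ASYMMETRIC_SIGNING_KEY | CRED_ASYMMETRIC_SIGNING_KEY_WITH_CERT

# /cred "credusage" values (OCF Security Specification).
OWN_CERT_USAGES = ("oic.sec.cred.cert", "oic.sec.cred.mfgcert")
TRUST_ANCHOR_USAGES = ("oic.sec.cred.trustca", "oic.sec.cred.mfgtrustca")
WILDCARD_SUBJECT = "*"

# Suite families the specification ties to each credential class.
ECDSA_SUITES = (
    "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
)
PSK_SUITES = ("TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",)
ANON_SUITES = ("TLS_ECDH_anon_WITH_AES_128_CBC_SHA256",)


def creds_from_svr_json(text):
    """Pull the creds array out of an oic_svr_db_*.json document."""
    return json.loads(text)["cred"]["creds"]


def _has_pairwise_key(creds, peer_uuid):
    return any(c.get("credtype") == CRED_SYMMETRIC_PAIR_WISE_KEY
               and c.get("subjectuuid") in (peer_uuid, WILDCARD_SUBJECT)
               for c in creds)


def _has_cert_with_usage(creds, usages):
    return any(c.get("credtype", 0) & CERT_TYPES and c.get("credusage") in usages
               for c in creds)


def select_ciphersuites(creds, peer_uuid, anon_enabled=False):
    """Suites a device can offer when opening a session to peer_uuid.

    PSK needs a pairwise key bound to that peer (or the wildcard subject);
    ECDSA needs our own identity certificate plus a trust anchor to verify
    the peer's; the anonymous suite is only legitimate during ownership
    transfer and has to be enabled explicitly by the application."""
    suites = []
    if anon_enabled:
        suites.extend(ANON_SUITES)
    if _has_pairwise_key(creds, peer_uuid):
        suites.extend(PSK_SUITES)
    if (_has_cert_with_usage(creds, OWN_CERT_USAGES)
            and _has_cert_with_usage(creds, TRUST_ANCHOR_USAGES)):
        suites.extend(ECDSA_SUITES)
    return suites


def diagnose(creds, peer_uuid, anon_enabled=False):
    """List the missing prerequisites in the terms you check in the json."""
    missing = []
    if not anon_enabled:
        missing.append("anonymous suite not enabled")
    if not _has_pairwise_key(creds, peer_uuid):
        missing.append("no pairwise symmetric key for subjectuuid " + peer_uuid)
    if not _has_cert_with_usage(creds, OWN_CERT_USAGES):
        missing.append("no own cert (credusage oic.sec.cred.cert or mfgcert)")
    if not _has_cert_with_usage(creds, TRUST_ANCHOR_USAGES):
        missing.append("no trust anchor (credusage oic.sec.cred.trustca or mfgtrustca)")
    return missing


# Constructed sample cred blocks (placeholder UUIDs and key material).
SERVER_UUID = "11111111-1111-1111-1111-111111111111"
CLIENT_UUID = "22222222-2222-2222-2222-222222222222"
PROVISIONED_JSON = json.dumps({"cred": {"creds": [
    {"credid": 1, "subjectuuid": CLIENT_UUID, "credtype": 8,
     "credusage": "oic.sec.cred.cert",
     "publicdata": {"encoding": "oic.sec.encoding.pem", "data": "<client cert>"},
     "privatedata": {"encoding": "oic.sec.encoding.der", "data": "<client key>"}},
    {"credid": 2, "subjectuuid": "*", "credtype": 8,
     "credusage": "oic.sec.cred.trustca",
     "publicdata": {"encoding": "oic.sec.encoding.pem", "data": "<CA cert>"}},
], "rowneruuid": CLIENT_UUID}})
PSK_ONLY_JSON = json.dumps({"cred": {"creds": [
    {"credid": 1, "subjectuuid": SERVER_UUID, "credtype": 1,
     "privatedata": {"encoding": "oic.sec.encoding.raw", "data": "<psk>"}},
], "rowneruuid": CLIENT_UUID}})

if __name__ == "__main__":
    for label, doc in (("provisioned", PROVISIONED_JSON), ("psk-only", PSK_ONLY_JSON)):
        creds = creds_from_svr_json(doc)
        print(label, select_ciphersuites(creds, SERVER_UUID) or diagnose(creds, SERVER_UUID))
```

Run as-is to see the two constructed stores; to check a real one, feed the client's oic_svr_db_*.json to creds_from_svr_json before running json2cbor, or convert the provisioned .dat back to json with the tool linked in the quoted reply. If diagnose() reports no own cert or no trust anchor for the OCFSecure client and server stores, that matches the empty "Supported ciphersuites:" line in the log, and the fix is in the cred block rather than in an extra API call.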