Hi

Reporting on this:

> So, I will re-visit this and test the following:
> 1) non-provisioned sampleserver_mfg with proper certificate chain
> 2) provisioningclient with proper certificate chain provisions the
> sampleserver
> (I re-confirm 1 and 2 already work great either with sample code and
> certificates and also using my newly created certificates)
> 3) Third client with proper certificates chain accesses the
> sampleserver_mfg resources.
> I have a feeling this will work. Will let you guys know tomorrow.

Did not work. My feeling was wrong. Glad it did not. It would not be logical if it worked, actually. Still the same issue.

The provisioningclient works all right and now owns the server_mfg. If a second client uses a certificate to communicate with the server_mfg, something needs to be called to init the ciphersuite associated with the DTLS connection.

56:55.797 DEBUG: OIC_SRM_CREDL: In InitCipherSuiteListInternal
56:55.797 DEBUG: OIC_SRM_CREDL: Out InitCipherSuiteListInternal
56:55.797 DEBUG: OIC_SRM_PKIX_INTERFACE: Out InitCipherSuiteList
56:55.797 DEBUG: OIC_CA_NET_SSL: Supported ciphersuites:
56:55.797 ERROR: OIC_CA_NET_SSL: *No ciphersuites configured, secure connections will fail*
56:55.797 DEBUG: OIC_CA_NET_SSL: Out SetupCipher
56:55.797 ERROR: OIC_CA_NET_SSL: Failed to set up cipher
56:55.797 DEBUG: OIC_CA_NET_SSL: In DeleteSslEndPoint
56:55.797 DEBUG: MBED_TLS: => free
56:55.797 DEBUG: MBED_TLS: <= free
56:55.797 DEBUG: OIC_CA_NET_SSL: In DeleteCacheList
56:55.797 DEBUG: OIC_CA_NET_SSL: Out DeleteCacheList
56:55.797 DEBUG: OIC_CA_NET_SSL: Out DeleteSslEndPoint
56:55.797 ERROR: OIC_CA_NET_SSL: *TLS handshake failed*
56:55.797 ERROR: OIC_CA_IP_ADAP: CAencryptSsl failed!

On Sun, Dec 30, 2018 at 3:57 PM Khaled Elsayed via Lists.Iotivity.Org <khaledieee=gmail....@lists.iotivity.org> wrote:

> Hi Gregg. I am not using any new code. Just the code in
> ~/iotivity/examples/OCFSecure and also the code in
> resource/csdk/security/provisioning/sample. I just created new
> certificates/private keys and json files for a client and server. The
> certificates and json files work great for the provisioningclient and
> sampleserver_mfg. So, I don't have a bug in the certificate and their usage
> in the json files. My problem is if I get one client and one server which
> are pre-provisioned and their json uses certificate chain based
> authentication, the secure DTLS is not established. I suspect that this is
> probably just the model. The server should be provisioned first with a
> certificate holding client after which it can provide access. But I am not
> sure why or if this interpretation is correct.
>
> So, I will re-visit this and test the following:
> 1) non-provisioned sampleserver_mfg with proper certificate chain
> 2) provisioningclient with proper certificate chain provisions the
> sampleserver
> (I re-confirm 1 and 2 already work great either with sample code and
> certificates and also using my newly created certificates)
> 3) Third client with proper certificates chain accesses the
> sampleserver_mfg resources.
> I have a feeling this will work. Will let you guys know tomorrow.
>
> I generate the certificates and keys using the utility certgenerator that
> also comes with the provisioning code. It is a very straight-forward tool.
> Then I process the output further with openssl to put the certificates in
> DER format to fill the JSON files.
>
> Let me know if there is anything else you need to restart on this.
>
> BR,
>
> Khaled
>
> On Thu, Dec 27, 2018 at 10:40 PM Gregg Reynolds <d...@mobileink.com> wrote:
>
>> On Mon, Dec 10, 2018, 1:02 AM Khaled Elsayed <khaledi...@gmail.com> wrote:
>>
>>> Hi Gregg,
>>>
>>> No unfortunately. I will have a second look today but if I could not, I
>>> will proceed using the non-certificate based shared key credential
>>> supporting a limited number of clients for the time being
>>
>> Do you have any code you can share? I'm gearing up to work on this sorta
>> stuff in January.
>>
>> G
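
A small triage script for the log excerpt in the message above, added here as an illustration and not part of the original thread or of IoTivity. It parses the `MM:SS.mmm LEVEL: TAG: message` lines and, for each `TLS handshake failed`, reports the first ERROR in the run-up as the probable cause and the errors logged right after as fallout. The names `parse` and `triage` are hypothetical; the log lines are copied from the post.

```python
import re

# Log lines copied from the message above; the asterisks are the poster's e-mail emphasis.
LOG = """\
56:55.797 DEBUG: OIC_SRM_CREDL: Out InitCipherSuiteListInternal
56:55.797 DEBUG: OIC_SRM_PKIX_INTERFACE: Out InitCipherSuiteList
56:55.797 DEBUG: OIC_CA_NET_SSL: Supported ciphersuites:
56:55.797 ERROR: OIC_CA_NET_SSL: *No ciphersuites configured, secure connections will fail*
56:55.797 DEBUG: OIC_CA_NET_SSL: Out SetupCipher
56:55.797 ERROR: OIC_CA_NET_SSL: Failed to set up cipher
56:55.797 DEBUG: OIC_CA_NET_SSL: In DeleteSslEndPoint
56:55.797 ERROR: OIC_CA_NET_SSL: *TLS handshake failed*
56:55.797 ERROR: OIC_CA_IP_ADAP: CAencryptSsl failed!
"""

LINE = re.compile(r"(\d\d:\d\d\.\d{3}) ([A-Z]+): ([A-Z_]+): (.*)")

def parse(log):
    """Yield (timestamp, level, tag, message) for each well-formed line."""
    for raw in log.splitlines():
        m = LINE.fullmatch(raw.strip())
        if m:
            ts, level, tag, msg = m.groups()
            yield ts, level, tag, msg.strip("* ")  # drop e-mail emphasis marks

def triage(log):
    """For every 'TLS handshake failed', report the first ERROR that led to it."""
    findings, errors, last_note, settling = [], [], None, False
    for ts, level, tag, msg in parse(log):
        if level != "ERROR":
            last_note, settling = msg, False   # any non-error line ends the fallout
            continue
        if settling:                           # errors logged right after a failure
            findings[-1]["fallout"].append(msg)
            continue
        errors.append({"ts": ts, "tag": tag, "msg": msg, "after": last_note})
        if msg == "TLS handshake failed":
            findings.append({"cause": errors[0], "chain": [e["msg"] for e in errors], "fallout": []})
            errors, settling = [], True        # new window for the next handshake
    return findings

if __name__ == "__main__":
    for f in triage(LOG):
        c = f["cause"]
        print(f'{c["ts"]} {c["tag"]}: {c["msg"]} (after "{c["after"]}")')
        print("  chain:", " -> ".join(f["chain"]), "| fallout:", f["fallout"])
```

On this excerpt the reported cause is the error logged directly after an empty `Supported ciphersuites:` list, with the handshake failure as its consequence.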