Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- STMicroelectronics Community
- STM32 MCUs
- STM32 MCUs Embedded software
- Re: TLSv1.3 in STM32H563 using NetXSecure
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
TLSv1.3 in STM32H563 using NetXSecure
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2024-09-18 07:22 AM - last edited on 2024-09-19 03:17 AM by Guillaume K
Hi
I'm trying to setup TLSv1.3 using STM32H63 Nucleo board. I followed the steps in https://github.com/eclipse-threadx/rtos-docs/blob/main/rtos-docs/netx-duo/netx-duo-secure-tls/chapter3.md to enable TLSv1.3 in STM32CubeMX. But all I get from the OpenSSL server is:
ssl.SSLError: [SSL: NO_SUITABLE_SIGNATURE_ALGORITHM] no suitable signature algorithm (_ssl.c:1006)
How do I solve this? I checked with the debugger and I can see that this code gets hit
#if (NX_SECURE_TLS_TLS_1_3_ENABLED)
if(tls_session->nx_secure_tls_1_3)
{
/* Send supported TLS versions extensions (for TLS 1.3). */
status = _nx_secure_tls_send_clienthello_supported_versions_extension(tls_session, packet_buffer, &length, &extension_length, available_size);
if(status != NX_SUCCESS)
{
return(status);
}
Using wireshark I can see that clienthello from the client
Frame 243: 250 bytes on wire (2000 bits), 250 bytes captured (2000 bits) on interface \Device\NPF_{0B831098-E396-4CE0-B06D-0E743D48CD98}, id 0
Section number: 1
Interface id: 0 (\Device\NPF_{0B831098-E396-4CE0-B06D-0E743D48CD98})
Interface name: \Device\NPF_{0B831098-E396-4CE0-B06D-0E743D48CD98}
Interface description: Ethernet 2
Encapsulation type: Ethernet (1)
Arrival Time: Sep 18, 2024 16:19:29.214045000 W. Europe Daylight Time
UTC Arrival Time: Sep 18, 2024 14:19:29.214045000 UTC
Epoch Arrival Time: 1726669169.214045000
[Time shift for this packet: 0.000000000 seconds]
[Time delta from previous captured frame: 0.311093000 seconds]
[Time delta from previous displayed frame: 19.498310000 seconds]
[Time since reference or first frame: 57.311405000 seconds]
Frame Number: 243
Frame Length: 250 bytes (2000 bits)
Capture Length: 250 bytes (2000 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:tls]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Ethernet II, Src: STMicroelect_00:00:00 (00:80:e1:00:00:00), Dst: LuxsharePrec_b9:e4:e6 (60:6d:3c:b9:e4:e6)
Destination: LuxsharePrec_b9:e4:e6 (60:6d:3c:b9:e4:e6)
Address: LuxsharePrec_b9:e4:e6 (60:6d:3c:b9:e4:e6)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: STMicroelect_00:00:00 (00:80:e1:00:00:00)
Address: STMicroelect_00:00:00 (00:80:e1:00:00:00)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.1.5, Dst: 192.168.1.10
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 236
Identification: 0x0003 (3)
000. .... = Flags: 0x0
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 128
Protocol: TCP (6)
Header Checksum: 0xb6a9 [validation disabled]
[Header checksum status: Unverified]
Source Address: 192.168.1.5
Destination Address: 192.168.1.10
Transmission Control Protocol, Src Port: 62509, Dst Port: 6000, Seq: 1, Ack: 1, Len: 196
Source Port: 62509
Destination Port: 6000
[Stream index: 1]
[Conversation completeness: Complete, WITH_DATA (31)]
..0. .... = RST: Absent
...1 .... = FIN: Present
.... 1... = Data: Present
.... .1.. = ACK: Present
.... ..1. = SYN-ACK: Present
.... ...1 = SYN: Present
[Completeness Flags: ·FDASS]
[TCP Segment Len: 196]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 3489658439
[Next Sequence Number: 197 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 3945295425
0101 .... = Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Accurate ECN: Not set
.... 0... .... = Congestion Window Reduced: Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······AP···]
Window: 8192
[Calculated window size: 8192]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0xb067 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]
[Time since first frame in this TCP stream: 0.451453000 seconds]
[Time since previous frame in this TCP stream: 0.450463000 seconds]
[SEQ/ACK analysis]
[iRTT: 0.000990000 seconds]
[Bytes in flight: 196]
[Bytes sent since last PSH flag: 196]
TCP payload (196 bytes)
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 191
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 187
Version: TLS 1.2 (0x0303)
Random: 000000005905b56d8d7d157d43eddf717b97cb45bebba36e904b983a16976d66
GMT Unix Time: Jan 1, 1970 01:00:00.000000000 W. Europe Standard Time
Random Bytes: 5905b56d8d7d157d43eddf717b97cb45bebba36e904b983a16976d66
Session ID Length: 0
Cipher Suites Length: 24
Cipher Suites (12 suites)
Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
Cipher Suite: TLS_AES_128_CCM_SHA256 (0x1304)
Cipher Suite: TLS_AES_128_CCM_8_SHA256 (0x1305)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA256 (0x00ae)
Cipher Suite: TLS_PSK_WITH_AES_128_CCM_8 (0xc0a8)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 122
Extension: supported_groups (len=8)
Type: supported_groups (10)
Length: 8
Supported Groups List Length: 6
Supported Groups (3 groups)
Supported Group: secp256r1 (0x0017)
Supported Group: secp384r1 (0x0018)
Supported Group: secp521r1 (0x0019)
Extension: ec_point_formats (len=2)
Type: ec_point_formats (11)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: supported_versions (len=5) TLS 1.3, TLS 1.2
Type: supported_versions (43)
Length: 5
Supported Versions length: 4
Supported Version: TLS 1.3 (0x0304)
Supported Version: TLS 1.2 (0x0303)
Extension: key_share (len=71) secp256r1
Type: key_share (51)
Length: 71
Key Share extension
Client Key Share Length: 69
Key Share Entry: Group: secp256r1, Key Exchange length: 65
Group: secp256r1 (23)
Key Exchange Length: 65
Key Exchange: 0429c78232b89a29e36d68aa3b422b7847e7b85b95fb955f3b2eb30b321d87e595520b4cb05c57baedd8b42b16bc1ed8240f27d3149448feba1f8979ba47051fe5
Extension: signature_algorithms (len=16)
Type: signature_algorithms (13)
Length: 16
Signature Hash Algorithms Length: 14
Signature Hash Algorithms (7 algorithms)
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: RSA (1)
Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: RSA (1)
Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: RSA (1)
Signature Algorithm: SHA224 ECDSA (0x0303)
Signature Hash Algorithm Hash: SHA224 (3)
Signature Hash Algorithm Signature: ECDSA (3)
[JA4: t13i120500_300ad538f728_2ddaf29219d6]
[JA4_r: t13i120500_003c,003d,009c,00ae,1301,1304,1305,c023,c027,c02b,c02f,c0a8_000a,000b,000d,002b,0033_0403,0503,0603,0401,0501,0601,0303]
[JA3 Fullstring: 771,4865-4868-4869-49195-49199-49187-49191-156-61-60-174-49320,10-11-43-51-13,23-24-25,0]
[JA3: 0fe05bb12fd3c7ca77de173a4deb6eae]
which results in a handshake failure
Ethernet II, Src: LuxsharePrec_b9:e4:e6 (60:6d:3c:b9:e4:e6), Dst: STMicroelect_00:00:00 (00:80:e1:00:00:00)
Destination: STMicroelect_00:00:00 (00:80:e1:00:00:00)
Address: STMicroelect_00:00:00 (00:80:e1:00:00:00)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: LuxsharePrec_b9:e4:e6 (60:6d:3c:b9:e4:e6)
Address: LuxsharePrec_b9:e4:e6 (60:6d:3c:b9:e4:e6)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.1.10, Dst: 192.168.1.5
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 47
Identification: 0xdb69 (56169)
010. .... = Flags: 0x2, Don't fragment
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 128
Protocol: TCP (6)
Header Checksum: 0x0000 [validation disabled]
[Header checksum status: Unverified]
Source Address: 192.168.1.10
Destination Address: 192.168.1.5
Transmission Control Protocol, Src Port: 6000, Dst Port: 62509, Seq: 1, Ack: 197, Len: 7
Source Port: 6000
Destination Port: 62509
[Stream index: 1]
[Conversation completeness: Complete, WITH_DATA (31)]
..0. .... = RST: Absent
...1 .... = FIN: Present
.... 1... = Data: Present
.... .1.. = ACK: Present
.... ..1. = SYN-ACK: Present
.... ...1 = SYN: Present
[Completeness Flags: ·FDASS]
[TCP Segment Len: 7]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 3945295425
[Next Sequence Number: 8 (relative sequence number)]
Acknowledgment Number: 197 (relative ack number)
Acknowledgment number (raw): 3489658635
0101 .... = Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Accurate ECN: Not set
.... 0... .... = Congestion Window Reduced: Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······AP···]
Window: 64044
[Calculated window size: 64044]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0x8381 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]
[Time since first frame in this TCP stream: 0.451832000 seconds]
[Time since previous frame in this TCP stream: 0.000379000 seconds]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 243]
[The RTT to ACK the segment was: 0.000379000 seconds]
[iRTT: 0.000990000 seconds]
[Bytes in flight: 7]
[Bytes sent since last PSH flag: 7]
TCP payload (7 bytes)
Transport Layer Security
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 2
Alert Message
Level: Fatal (2)
Description: Handshake Failure (40)
Am I missing some extra configuration? Any tips would be helpful
Solved! Go to Solution.
Labels:
- Labels:
-
AzureRTOS
-
Ethernet
-
STM32CubeMX
1 ACCEPTED SOLUTION
Accepted Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2024-09-19 06:41 AM
Not sure...
Comparing with example of MQTT client which uses TLS in Projects\STM32H573I-DK\Applications\NetXDuo\Nx_MQTT_Client I didn't see this call in your code:
/* allocate space for the certificate coming in from the remote host */
ret = nx_secure_tls_remote_certificate_allocate(TLS_session_ptr, certificate_ptr,
tls_packet_buffer, sizeof(tls_packet_buffer));
if (ret != TX_SUCCESS)
{
Error_Handler();
}
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2024-09-19 02:48 AM
What is the certificate used by the server ? Is it an RSA certificate ?
If you are using "openssl s_server" command for your test, please show what is the command line parameters.
The way the RSA signature is done has changed between TLS 1.2 and TLS 1.3.
With TLS 1.2 RSA signature were handled with rsa_pkcs1_sha256 signature algorithm (-sigalgs parameter with openssl s_server).
With TLS 1.3, RSA signature can be handled with rsa_pss_rsae_sha256, rsa_pss_pss_sha256 signature algorithms.
Currently, Netxduo doesn't support RSA certificates in TLS 1.3 with the new signatures.
There is an issue in eclipse-threadx netxduo github: Supporting RSA signed client certificates with TLS 1.3 · Issue #161 · eclipse-threadx/netxduo · GitHub
It is for client certificates, but same problem applies with server certificates.
You can try to test with "openssl s_server" using an non-RSA certificate (e.g. ECDSA) to see if it works ( with options -cert, -key).
There is no RSA problem with TLS 1.2.
Note: there could be other problems with netxduo and TLS 1.3 with cipher suites not supported (SHA384) but it is not in the traces you showed.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2024-09-19 04:21 AM
Hi
Thanks for the reply, I made some progress by using ECDSA certs. Now I get a different error after server hello in the openssl server
100000000A000000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:865:SSL alert number 80
shutting down SSL
CONNECTION CLOSED
ERROR
shutting down SSL
CONNECTION CLOSEDWhile debugging I can see this
With status values of 0x20007.
I checked if the server can be connected using openssl client mode
openssl s_client -connect 192.168.1.15:6000 -cert certsv2/client.crt -key certsv2/client_key.key -CAfile certsv2/rootca.crt -tls1_3 -sigalgs "ECDSA+SHA256"and it seems to work with that.
Is there some other NetXDuo thing I'm missing?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2024-09-19 05:00 AM
Status value 0x20007 could be NX_CRYPTO_PTR_ERROR defined in nx_crypto_const.h.
It looks like an incorrect netxduo configuration in the code running on the STM32.
How is the memory allocated ? is there enough memory for a TLS network stack ?
It's difficult to understand the root cause without the full project sources you are using.
Did you modify an example provided in Cube H5 package ? (Nx_IPerf, NX_UDP_echo_client, ...)
The full ServerHello packet details from wireshark , and the full openssl s_server trace (with -trace option) could help.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2024-09-19 05:31 AM
Hi
I'm attaching the full project zip file. And yes I modified the UDP client to make this project.
Server Hello from wireshark:
Transport Layer Security
TLSv1.3 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 123
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 119
Version: TLS 1.2 (0x0303)
Random: 54f7c48d3f72cce5abb776fec83ebc778ff45763bf2dd527b1f8f731a717f687
Session ID Length: 0
Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
Compression Method: null (0)
Extensions Length: 79
Extension: supported_versions (len=2) TLS 1.3
Type: supported_versions (43)
Length: 2
Supported Version: TLS 1.3 (0x0304)
Extension: key_share (len=69) secp256r1
Type: key_share (51)
Length: 69
Key Share extension
Key Share Entry: Group: secp256r1, Key Exchange length: 65
Group: secp256r1 (23)
Key Exchange Length: 65
Key Exchange: 04c11f5da38e360f98ff1f8a63dc010fc0521f50ec204bdff9875c4c7af4cfce30bcb0d8574fcf496c331c2dd2b5e9488ee6d39fe47772ca9856781044bd06fea3
[JA3S Fullstring: 771,4865,43-51]
[JA3S: f4febc55ea12b31ae17cfb7e614afda8]
TLSv1.3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.2 (0x0303)
Length: 1
Change Cipher Spec Message
TLSv1.3 Record Layer: Application Data Protocol: Hypertext Transfer Protocol
Opaque Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 49
Encrypted Application Data: 7a094fd69013178359f6ecad2437e5c81a0f45167fb78f81f060a25b1e86fdb9a39a9517595e2a46d980252b62ca7b1054
[Application Data Protocol: Hypertext Transfer Protocol]
TLSv1.3 Record Layer: Application Data Protocol: Hypertext Transfer Protocol
Opaque Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 977
Encrypted Application Data [truncated]: 74b0f57482d56f805fd98295ebb6aa27119693bfae2e133ff71ca8693b0c8a089c0aafe2694e1c7d8060457a977c6938d89dbc56b9f6aba681277c8f2eeaf9ce99cbd5f2d7d4e475c9e6ea2f1430593b11530cfc8efc2d677da80d9a86c9bb3b545d4b6
[Application Data Protocol: Hypertext Transfer Protocol]
TLSv1.3 Record Layer: Application Data Protocol: Hypertext Transfer Protocol
Opaque Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 96
Encrypted Application Data: ec0d7dd15d5998d7e6657576ccae5eda666c2ef96160f956c389633d6db8ce64a33e13c80cdf5a9c8009c6d7d72dc51b26967e2a5be3e07e72c18f2506004cce43753ea51a24e68762f06566133c1d254b654b30d8045c29004773c623e89b5b
[Application Data Protocol: Hypertext Transfer Protocol]
TLSv1.3 Record Layer: Application Data Protocol: Hypertext Transfer Protocol
Opaque Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 53
Encrypted Application Data: f89cda87f51a7a9d41e78d53017e3dc3c09225e7d04d188e4874f9d0115d816c6f53aeea971557b5728ee4c585bd6dbbde9b116373
[Application Data Protocol: Hypertext Transfer Protocol]
Attached trace from openssl
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2024-09-19 06:41 AM
Not sure...
Comparing with example of MQTT client which uses TLS in Projects\STM32H573I-DK\Applications\NetXDuo\Nx_MQTT_Client I didn't see this call in your code:
/* allocate space for the certificate coming in from the remote host */
ret = nx_secure_tls_remote_certificate_allocate(TLS_session_ptr, certificate_ptr,
tls_packet_buffer, sizeof(tls_packet_buffer));
if (ret != TX_SUCCESS)
{
Error_Handler();
}
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2024-09-19 07:01 AM
From https://github.com/eclipse-threadx/rtos-docs/blob/main/rtos-docs/netx-duo/netx-duo-secure-tls/chapter3.md
it says:
"The TLS Client also needs space for the incoming server certificate to be allocated (assuming a Pre-Shared Key mode is not being used). As of NetX Duo Secure TLS 5.12, it is no longer necessary for the application to allocate space for remote certificate. However, the legacy option to allocate space for a server certificate is still available and user-allocated certificates will be used before the internal certificate buffer optimization8 – see the nx_secure_tls_remote_certificate_allocate service for more information."
Thats why I skipped it. But I can try adding it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2024-09-20 12:23 AM
This was it. Adding enough space for remote cert did that trick. Thanks a lot for your help
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2024-09-20 12:26 AM
OK. It's strange that the Netxduo documentation says it is not needed to call it explicitly.
Related Content
- ADC injected mode with GPDMA? in STM32 MCUs Motor control
- Azure RTOS support in STM32H563/73 in STM32 MCUs Embedded software
- STM32H563: Unable to Regress or Debug Authenticate in STM32 MCUs Security
- Recovering STM32H563 from closed product_state in STM32 MCUs Products
- Unable to perform Regression or Debug Authentication on STM32H5 in STM32 MCUs Security