
TLSv1.3 in STM32H563 using NetXSecure

jishnu1234
Associate II

Hi

I'm trying to set up TLSv1.3 using an STM32H563 Nucleo board. I followed the steps in https://github.com/eclipse-threadx/rtos-docs/blob/main/rtos-docs/netx-duo/netx-duo-secure-tls/chapter3.md to enable TLSv1.3 in STM32CubeMX. But all I get from the OpenSSL server is:

 

 

ssl.SSLError: [SSL: NO_SUITABLE_SIGNATURE_ALGORITHM] no suitable signature algorithm (_ssl.c:1006)

 

 

How do I solve this? I checked with the debugger and I can see that this code gets hit:

 

 

#if (NX_SECURE_TLS_TLS_1_3_ENABLED)
    if(tls_session->nx_secure_tls_1_3)
    {
        /* Send supported TLS versions extensions (for TLS 1.3). */
        status = _nx_secure_tls_send_clienthello_supported_versions_extension(tls_session, packet_buffer, &length, &extension_length, available_size);
        if(status != NX_SUCCESS)
        {
            return(status);
        }

 

 

Using Wireshark I can see the ClientHello from the client:

 

 

Frame 243: 250 bytes on wire (2000 bits), 250 bytes captured (2000 bits) on interface \Device\NPF_{0B831098-E396-4CE0-B06D-0E743D48CD98}, id 0
    Section number: 1
    Interface id: 0 (\Device\NPF_{0B831098-E396-4CE0-B06D-0E743D48CD98})
        Interface name: \Device\NPF_{0B831098-E396-4CE0-B06D-0E743D48CD98}
        Interface description: Ethernet 2
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep 18, 2024 16:19:29.214045000 W. Europe Daylight Time
    UTC Arrival Time: Sep 18, 2024 14:19:29.214045000 UTC
    Epoch Arrival Time: 1726669169.214045000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 0.311093000 seconds]
    [Time delta from previous displayed frame: 19.498310000 seconds]
    [Time since reference or first frame: 57.311405000 seconds]
    Frame Number: 243
    Frame Length: 250 bytes (2000 bits)
    Capture Length: 250 bytes (2000 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:tls]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: STMicroelect_00:00:00 (00:80:e1:00:00:00), Dst: LuxsharePrec_b9:e4:e6 (60:6d:3c:b9:e4:e6)
    Destination: LuxsharePrec_b9:e4:e6 (60:6d:3c:b9:e4:e6)
        Address: LuxsharePrec_b9:e4:e6 (60:6d:3c:b9:e4:e6)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: STMicroelect_00:00:00 (00:80:e1:00:00:00)
        Address: STMicroelect_00:00:00 (00:80:e1:00:00:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.1.5, Dst: 192.168.1.10
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 236
    Identification: 0x0003 (3)
    000. .... = Flags: 0x0
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 128
    Protocol: TCP (6)
    Header Checksum: 0xb6a9 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.1.5
    Destination Address: 192.168.1.10
Transmission Control Protocol, Src Port: 62509, Dst Port: 6000, Seq: 1, Ack: 1, Len: 196
    Source Port: 62509
    Destination Port: 6000
    [Stream index: 1]
    [Conversation completeness: Complete, WITH_DATA (31)]
        ..0. .... = RST: Absent
        ...1 .... = FIN: Present
        .... 1... = Data: Present
        .... .1.. = ACK: Present
        .... ..1. = SYN-ACK: Present
        .... ...1 = SYN: Present
        [Completeness Flags: ·FDASS]
    [TCP Segment Len: 196]
    Sequence Number: 1    (relative sequence number)
    Sequence Number (raw): 3489658439
    [Next Sequence Number: 197    (relative sequence number)]
    Acknowledgment Number: 1    (relative ack number)
    Acknowledgment number (raw): 3945295425
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window: 8192
    [Calculated window size: 8192]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0xb067 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 0.451453000 seconds]
        [Time since previous frame in this TCP stream: 0.450463000 seconds]
    [SEQ/ACK analysis]
        [iRTT: 0.000990000 seconds]
        [Bytes in flight: 196]
        [Bytes sent since last PSH flag: 196]
    TCP payload (196 bytes)
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 191
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 187
            Version: TLS 1.2 (0x0303)
            Random: 000000005905b56d8d7d157d43eddf717b97cb45bebba36e904b983a16976d66
                GMT Unix Time: Jan  1, 1970 01:00:00.000000000 W. Europe Standard Time
                Random Bytes: 5905b56d8d7d157d43eddf717b97cb45bebba36e904b983a16976d66
            Session ID Length: 0
            Cipher Suites Length: 24
            Cipher Suites (12 suites)
                Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
                Cipher Suite: TLS_AES_128_CCM_SHA256 (0x1304)
                Cipher Suite: TLS_AES_128_CCM_8_SHA256 (0x1305)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA256 (0x00ae)
                Cipher Suite: TLS_PSK_WITH_AES_128_CCM_8 (0xc0a8)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 122
            Extension: supported_groups (len=8)
                Type: supported_groups (10)
                Length: 8
                Supported Groups List Length: 6
                Supported Groups (3 groups)
                    Supported Group: secp256r1 (0x0017)
                    Supported Group: secp384r1 (0x0018)
                    Supported Group: secp521r1 (0x0019)
            Extension: ec_point_formats (len=2)
                Type: ec_point_formats (11)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
                    EC point format: uncompressed (0)
            Extension: supported_versions (len=5) TLS 1.3, TLS 1.2
                Type: supported_versions (43)
                Length: 5
                Supported Versions length: 4
                Supported Version: TLS 1.3 (0x0304)
                Supported Version: TLS 1.2 (0x0303)
            Extension: key_share (len=71) secp256r1
                Type: key_share (51)
                Length: 71
                Key Share extension
                    Client Key Share Length: 69
                    Key Share Entry: Group: secp256r1, Key Exchange length: 65
                        Group: secp256r1 (23)
                        Key Exchange Length: 65
                        Key Exchange: 0429c78232b89a29e36d68aa3b422b7847e7b85b95fb955f3b2eb30b321d87e595520b4cb05c57baedd8b42b16bc1ed8240f27d3149448feba1f8979ba47051fe5
            Extension: signature_algorithms (len=16)
                Type: signature_algorithms (13)
                Length: 16
                Signature Hash Algorithms Length: 14
                Signature Hash Algorithms (7 algorithms)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: SHA224 ECDSA (0x0303)
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: ECDSA (3)
            [JA4: t13i120500_300ad538f728_2ddaf29219d6]
            [JA4_r: t13i120500_003c,003d,009c,00ae,1301,1304,1305,c023,c027,c02b,c02f,c0a8_000a,000b,000d,002b,0033_0403,0503,0603,0401,0501,0601,0303]
            [JA3 Fullstring: 771,4865-4868-4869-49195-49199-49187-49191-156-61-60-174-49320,10-11-43-51-13,23-24-25,0]
            [JA3: 0fe05bb12fd3c7ca77de173a4deb6eae]

 

 

which results in a handshake failure:

 

Ethernet II, Src: LuxsharePrec_b9:e4:e6 (60:6d:3c:b9:e4:e6), Dst: STMicroelect_00:00:00 (00:80:e1:00:00:00)
    Destination: STMicroelect_00:00:00 (00:80:e1:00:00:00)
        Address: STMicroelect_00:00:00 (00:80:e1:00:00:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: LuxsharePrec_b9:e4:e6 (60:6d:3c:b9:e4:e6)
        Address: LuxsharePrec_b9:e4:e6 (60:6d:3c:b9:e4:e6)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.1.10, Dst: 192.168.1.5
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 47
    Identification: 0xdb69 (56169)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 128
    Protocol: TCP (6)
    Header Checksum: 0x0000 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.1.10
    Destination Address: 192.168.1.5
Transmission Control Protocol, Src Port: 6000, Dst Port: 62509, Seq: 1, Ack: 197, Len: 7
    Source Port: 6000
    Destination Port: 62509
    [Stream index: 1]
    [Conversation completeness: Complete, WITH_DATA (31)]
        ..0. .... = RST: Absent
        ...1 .... = FIN: Present
        .... 1... = Data: Present
        .... .1.. = ACK: Present
        .... ..1. = SYN-ACK: Present
        .... ...1 = SYN: Present
        [Completeness Flags: ·FDASS]
    [TCP Segment Len: 7]
    Sequence Number: 1    (relative sequence number)
    Sequence Number (raw): 3945295425
    [Next Sequence Number: 8    (relative sequence number)]
    Acknowledgment Number: 197    (relative ack number)
    Acknowledgment number (raw): 3489658635
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window: 64044
    [Calculated window size: 64044]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0x8381 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 0.451832000 seconds]
        [Time since previous frame in this TCP stream: 0.000379000 seconds]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 243]
        [The RTT to ACK the segment was: 0.000379000 seconds]
        [iRTT: 0.000990000 seconds]
        [Bytes in flight: 7]
        [Bytes sent since last PSH flag: 7]
    TCP payload (7 bytes)
Transport Layer Security
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)

Am I missing some extra configuration? Any tips would be helpful 

Guillaume K
ST Employee

What is the certificate used by the server? Is it an RSA certificate?

If you are using the "openssl s_server" command for your test, please show what the command line parameters are.

The way the RSA signature is done has changed between TLS 1.2 and TLS 1.3.

With TLS 1.2, RSA signatures were handled with the rsa_pkcs1_sha256 signature algorithm (-sigalgs parameter with openssl s_server).

With TLS 1.3, RSA signatures can be handled with the rsa_pss_rsae_sha256 and rsa_pss_pss_sha256 signature algorithms.

Currently, Netxduo doesn't support RSA certificates in TLS 1.3 with the new signatures.

There is an issue in eclipse-threadx netxduo github: Supporting RSA signed client certificates with TLS 1.3 · Issue #161 · eclipse-threadx/netxduo · GitHub

It is for client certificates, but the same problem applies with server certificates.

You can try to test with "openssl s_server" using a non-RSA certificate (e.g. ECDSA) to see if it works (with options -cert, -key).

There is no RSA problem with TLS 1.2.

Note: there could be other problems with netxduo and TLS 1.3 with cipher suites not supported (SHA384) but it is not in the traces you showed.
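
Added example (not part of the thread, and not NetX Duo or OpenSSL code): a small Python check that parses the `signature_algorithms` and `supported_versions` extensions from the ClientHello shown above and lists which offered schemes a TLS 1.3 server could use in CertificateVerify for a given key type. The extension bytes are reconstructed from the Wireshark values in this thread; the key-type labels (`rsa`, `ecdsa-p256`, ...) and function names are assumptions of this example.

```python
import struct

# TLS SignatureScheme code points (RFC 8446, section 4.2.3).
SCHEMES = {
    0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384",
    0x0601: "rsa_pkcs1_sha512", 0x0403: "ecdsa_secp256r1_sha256",
    0x0503: "ecdsa_secp384r1_sha384", 0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512", 0x0809: "rsa_pss_pss_sha256",
    0x080A: "rsa_pss_pss_sha384", 0x080B: "rsa_pss_pss_sha512",
}

# Schemes a TLS 1.3 server may sign CertificateVerify with, per key type
# (labels are this example's own). rsa_pkcs1_* is absent on purpose: TLS 1.3
# accepts it only for signatures inside certificates, not for the handshake.
TLS13_CERT_VERIFY = {
    "rsa": {0x0804, 0x0805, 0x0806},
    "rsa-pss": {0x0809, 0x080A, 0x080B},
    "ecdsa-p256": {0x0403},
    "ecdsa-p384": {0x0503},
    "ecdsa-p521": {0x0603},
}

# Constructed input: signature_algorithms (13) and supported_versions (43)
# rebuilt from the values in the ClientHello dissection above.
CLIENT_HELLO_EXTS = bytes.fromhex(
    "000d0010" "000e" "0403050306030401050106010303"
    "002b0005" "04" "03040303"
)

def parse_extensions(blob):
    """Split a ClientHello extensions block into {type: data}."""
    exts, off = {}, 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", blob, off)
        off += 4
        if off + ext_len > len(blob):
            raise ValueError("extension %d overruns the block" % ext_type)
        exts[ext_type] = blob[off:off + ext_len]
        off += ext_len
    return exts

def offered_schemes(exts):
    """Return the SignatureScheme code points in client preference order."""
    data = exts.get(13)
    if data is None:
        return []
    if len(data) < 2:
        raise ValueError("signature_algorithms too short")
    (n,) = struct.unpack_from("!H", data, 0)
    if n % 2 or n + 2 != len(data):
        raise ValueError("malformed signature_algorithms list")
    return list(struct.unpack_from("!%dH" % (n // 2), data, 2))

def offers_tls13(exts):
    """True if supported_versions contains TLS 1.3 (0x0304)."""
    data = exts.get(43, b"")
    if not data or data[0] % 2 or data[0] != len(data) - 1:
        return False
    return 0x0304 in struct.unpack_from("!%dH" % (data[0] // 2), data, 1)

def usable_schemes(exts, key_type):
    """Offered schemes a TLS 1.3 server with this key type can sign with."""
    allowed = TLS13_CERT_VERIFY[key_type]
    return [SCHEMES[s] for s in offered_schemes(exts) if s in allowed]

if __name__ == "__main__":
    exts = parse_extensions(CLIENT_HELLO_EXTS)
    print("TLS 1.3 offered:", offers_tls13(exts))
    for key in ("rsa", "ecdsa-p256"):
        print(key, "->", usable_schemes(exts, key) or "no suitable scheme")
```

For this ClientHello the RSA key type yields an empty list, which is the condition the server reported as NO_SUITABLE_SIGNATURE_ALGORITHM, while an ECDSA P-256 key has one usable scheme.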

 

Hi

Thanks for the reply, I made some progress by using ECDSA certs. Now I get a different error after server hello in the openssl server:

 

100000000A000000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:865:SSL alert number 80
shutting down SSL
CONNECTION CLOSED
ERROR
shutting down SSL
CONNECTION CLOSED

While debugging I can see this

With status values of 0x20007.
I checked if the server can be connected using openssl client mode

openssl s_client -connect 192.168.1.15:6000 -cert certsv2/client.crt -key certsv2/client_key.key -CAfile certsv2/rootca.crt  -tls1_3 -sigalgs "ECDSA+SHA256"

and it seems to work with that.
Is there some other NetXDuo thing I'm missing?

 

Guillaume K
ST Employee

Status value 0x20007 could be NX_CRYPTO_PTR_ERROR defined in nx_crypto_const.h.

It looks like an incorrect netxduo configuration in the code running on the STM32.

How is the memory allocated? Is there enough memory for a TLS network stack?

It's difficult to understand the root cause without the full project sources you are using.

Did you modify an example provided in the Cube H5 package? (Nx_IPerf, NX_UDP_echo_client, ...)

The full ServerHello packet details from Wireshark, and the full openssl s_server trace (with -trace option) could help.

Hi

I'm attaching the full project zip file. And yes I modified the UDP client to make this project.

Server Hello from wireshark:

 

 

 

Transport Layer Security
    TLSv1.3 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 123
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 119
            Version: TLS 1.2 (0x0303)
            Random: 54f7c48d3f72cce5abb776fec83ebc778ff45763bf2dd527b1f8f731a717f687
            Session ID Length: 0
            Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
            Compression Method: null (0)
            Extensions Length: 79
            Extension: supported_versions (len=2) TLS 1.3
                Type: supported_versions (43)
                Length: 2
                Supported Version: TLS 1.3 (0x0304)
            Extension: key_share (len=69) secp256r1
                Type: key_share (51)
                Length: 69
                Key Share extension
                    Key Share Entry: Group: secp256r1, Key Exchange length: 65
                        Group: secp256r1 (23)
                        Key Exchange Length: 65
                        Key Exchange: 04c11f5da38e360f98ff1f8a63dc010fc0521f50ec204bdff9875c4c7af4cfce30bcb0d8574fcf496c331c2dd2b5e9488ee6d39fe47772ca9856781044bd06fea3
            [JA3S Fullstring: 771,4865,43-51]
            [JA3S: f4febc55ea12b31ae17cfb7e614afda8]
    TLSv1.3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
        Content Type: Change Cipher Spec (20)
        Version: TLS 1.2 (0x0303)
        Length: 1
        Change Cipher Spec Message
    TLSv1.3 Record Layer: Application Data Protocol: Hypertext Transfer Protocol
        Opaque Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 49
        Encrypted Application Data: 7a094fd69013178359f6ecad2437e5c81a0f45167fb78f81f060a25b1e86fdb9a39a9517595e2a46d980252b62ca7b1054
        [Application Data Protocol: Hypertext Transfer Protocol]
    TLSv1.3 Record Layer: Application Data Protocol: Hypertext Transfer Protocol
        Opaque Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 977
        Encrypted Application Data [truncated]: 74b0f57482d56f805fd98295ebb6aa27119693bfae2e133ff71ca8693b0c8a089c0aafe2694e1c7d8060457a977c6938d89dbc56b9f6aba681277c8f2eeaf9ce99cbd5f2d7d4e475c9e6ea2f1430593b11530cfc8efc2d677da80d9a86c9bb3b545d4b6
        [Application Data Protocol: Hypertext Transfer Protocol]
    TLSv1.3 Record Layer: Application Data Protocol: Hypertext Transfer Protocol
        Opaque Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 96
        Encrypted Application Data: ec0d7dd15d5998d7e6657576ccae5eda666c2ef96160f956c389633d6db8ce64a33e13c80cdf5a9c8009c6d7d72dc51b26967e2a5be3e07e72c18f2506004cce43753ea51a24e68762f06566133c1d254b654b30d8045c29004773c623e89b5b
        [Application Data Protocol: Hypertext Transfer Protocol]
    TLSv1.3 Record Layer: Application Data Protocol: Hypertext Transfer Protocol
        Opaque Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 53
        Encrypted Application Data: f89cda87f51a7a9d41e78d53017e3dc3c09225e7d04d188e4874f9d0115d816c6f53aeea971557b5728ee4c585bd6dbbde9b116373
        [Application Data Protocol: Hypertext Transfer Protocol]

 

 

Attached trace from openssl

 

Not sure...

Comparing with the example of the MQTT client which uses TLS in Projects\STM32H573I-DK\Applications\NetXDuo\Nx_MQTT_Client, I didn't see this call in your code:

  /* allocate space for the certificate coming in from the remote host */
  ret = nx_secure_tls_remote_certificate_allocate(TLS_session_ptr, certificate_ptr, 
                                                  tls_packet_buffer, sizeof(tls_packet_buffer));
  if (ret != TX_SUCCESS)
  {
    Error_Handler();
  }   

 

From https://github.com/eclipse-threadx/rtos-docs/blob/main/rtos-docs/netx-duo/netx-duo-secure-tls/chapter3.md
it says:
"The TLS Client also needs space for the incoming server certificate to be allocated (assuming a Pre-Shared Key mode is not being used). As of NetX Duo Secure TLS 5.12, it is no longer necessary for the application to allocate space for remote certificate. However, the legacy option to allocate space for a server certificate is still available and user-allocated certificates will be used before the internal certificate buffer optimization – see the nx_secure_tls_remote_certificate_allocate service for more information."
That's why I skipped it. But I can try adding it.

This was it. Adding enough space for the remote cert did the trick. Thanks a lot for your help.

OK. It's strange that the Netxduo documentation says it is not needed to call it explicitly.