Reputation: 1
TLS Alert 70 (Protocol Version) Issue on STM32H563 with NetXDuo
I am using STM32H563 along with ThreadX and NetxDuo. When trying to connect to a server (jsonplaceholder) over https I am receiving an tls alert code 70 from it
I have enabled sntp and verified that proper time is set. I am using dns to get the ip of the server (have verified that it is proper) and Tls1.3 is enabled. I am using a user defined function for a GET request from the server
My https 'GET' function is as follows :
UINT https_get(CHAR *resource,CHAR *receive_data, UINT wait_option)
{
UINT ret;
UINT get_status;
ArduinoJson::JsonDocument doc;
NX_PACKET *receive_packet;
UCHAR receive_buffer[1000];
ULONG bytes;
https_client.nx_web_http_client_connect_port = https_port;
HAL_UART_Transmit(&huart3,(const uint8_t *)"Connecting to Server\n", strlen("Connecting to Server\n"), HAL_MAX_DELAY);
/* Connect to the server. */
// The connection fails here
ret = nx_web_http_client_secure_connect(&https_client,&https_server_address,https_port,tls_setup_callback, wait_option);
/* Check status. */
if (ret != NX_SUCCESS)
{
Error_Handler();
}
HAL_UART_Transmit(&huart3,(const uint8_t *)"Connection Successful\n", strlen("Connection Successful\n"), HAL_MAX_DELAY);
/* Initialize HTTP request. */
ret = _nxe_web_http_client_request_initialize_extended(&https_client,
NX_WEB_HTTP_METHOD_GET,
resource,
strlen((const char *)resource),
(CHAR *)https_host,
strlen((const char *)https_host),
0,
NX_FALSE, /* If true, input_size is ignored. */
https_username,
0,
https_password,
0,
wait_option);
/* Check status. */
if (ret != NX_SUCCESS)
{
Error_Handler();
}
HAL_UART_Transmit(&huart3,(const uint8_t *)"Sending request\n", strlen("Sending request\n"), HAL_MAX_DELAY);
/* Send the HTTP request we just built. */
ret = _nxe_web_http_client_request_send(&https_client, wait_option);
/* Check status. */
if (ret != NX_SUCCESS)
{
Error_Handler();
}
/* Enter the GET state. */
https_client.nx_web_http_client_state = NX_WEB_HTTP_CLIENT_STATE_GET;
get_status = NX_SUCCESS;
while(get_status != NX_WEB_HTTP_GET_DONE)
{
get_status = nx_web_http_client_response_body_get(&https_client, &receive_packet, NX_WAIT_FOREVER);
/* Check for error. */
if (get_status != NX_SUCCESS && get_status != NX_WEB_HTTP_GET_DONE)
{
Error_Handler();
}
else
{
ret = nx_packet_data_extract_offset(receive_packet, 0, receive_buffer, 1000, &bytes);
if(ret)
{
Error_Handler();
}
receive_buffer[bytes] = 0;
HAL_UART_Transmit(&huart3,(const uint8_t *)receive_buffer,strlen((const char *)receive_buffer), HAL_MAX_DELAY);
nx_packet_release(receive_packet);
}
}
return ret;
}
my tls setup is as follows :
UINT tls_setup_callback(NX_WEB_HTTP_CLIENT *client_pt,
NX_SECURE_TLS_SESSION *TLS_session_ptr)
{
UINT ret = NX_SUCCESS;
NX_PARAMETER_NOT_USED(client_pt);
/* Initialize TLS module */
_nx_secure_tls_initialize();
/* Create a TLS session */
ret = _nx_secure_tls_session_create(TLS_session_ptr, &nx_crypto_tls_ciphers_ecc,
crypto_metadata_client, sizeof(crypto_metadata_client));
if (ret != TX_SUCCESS)
{
Error_Handler();
}
ret = _nx_secure_tls_ecc_initialize(TLS_session_ptr,
nx_crypto_ecc_supported_groups,
nx_crypto_ecc_supported_groups_size,
nx_crypto_ecc_curves);
if (ret != TX_SUCCESS)
{
Error_Handler();
}
/* Allocate space for packet reassembly. */
ret = _nx_secure_tls_session_packet_buffer_set(TLS_session_ptr, https_tls_packet_buffer,
sizeof(https_tls_packet_buffer));
if (ret != TX_SUCCESS)
{
Error_Handler();
}
// ret = nx_secure_tls_session_protocol_version_override(TLS_session_ptr,NX_SECURE_TLS_VERSION_TLS_1_3);
// if (ret != TX_SUCCESS)
// {
// Error_Handler();
// }
/* initialize Certificate to verify incoming server certificates. */
ret = _nx_secure_x509_certificate_initialize(&trusted_certificate, (UCHAR*)ISRG_Root_X2_der,
(USHORT)ISRG_Root_X2_der_len, NX_NULL, 0, NULL, 0,
NX_SECURE_X509_KEY_TYPE_NONE);
if (ret != TX_SUCCESS)
{
Error_Handler();
}
/* Add a CA Certificate to our trusted store */
ret = _nx_secure_tls_trusted_certificate_add(TLS_session_ptr, &trusted_certificate);
if (ret != TX_SUCCESS)
{
Error_Handler();
}
nx_secure_x509_dns_name_initialize(dns_name,(UCHAR *)https_server_name,strlen(((const char*)https_server_name)));
nx_secure_tls_session_sni_extension_set(TLS_session_ptr, dns_name);
_nx_secure_tls_remote_certificate_allocate(TLS_session_ptr, &remote_certificate, remote_cert_buffer, sizeof(remote_cert_buffer));
_nx_secure_tls_remote_certificate_allocate(TLS_session_ptr, &remote_issuer, remote_issuer_buffer, sizeof(remote_issuer_buffer));
return ret;
}
I verified that supported cipher suites and signature algorithm are getting selected and is communicating over tls1.3.(Note: I was able to successfully communicate with the server over http)
I am not able to debug the problem as to why this is occurring. Is there any particular extension that needs to be added or am I missing something else? How should I go ahead with this? Thank you
Edit:
I am not able to directly monitor the communication between the client (device) and server, rather I verified that the device is using tls1.3 by sending the https request to my pc which is hosting a basic tcp server using Hercules and monitor the Client Hello Msg using wireshark to verify the cipher suites and versions supported. The packet which I received from my device was :
As for the server, I used postman for verification of cipher suites and protocol version.
Upvotes: 0
Views: 134
Answers (0)
Related Questions
- STM32F401RE issue with PWM
- Simple serial point-to-point communication protocol
- STM32F407VG with LAN8742A through RMII protocol doesn't run
- ThreadX RAM issue on STM32
- Why we need to make a software reset, I2C protocol?
- Sorting 1 million 8-decimal-digit numbers with 1 MB of RAM
- When using the SPI protocol, is the output data rate synonymous with the baud rate?
- stm32f4-discovery with ov7670