SSL_CTX_use_certificate:ee key too small

[Dmytro Lendel 1]

Hello,

I tried to run demo project OverbyteIcsSimpleSslServer with OverbyteIcsSimpleSslClient. I changed SSLSecLevel to sslSecLevel128bits and I`ve got exception

Can't read certificate file "ClientCert.pem" - error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small

I need connect network device with TLS support. TLS: TLS1.2 encryptioin, TLS use no certificate method

 

Can you help me?

Regards, Dmytro

[Angus Robertson 574]

The declaration for sslSecLevel128bits has the comment 'RSA/DH keys=>3072, ECC=>256, FS forced, no TLS/1.0' which means you SSL/TLS certificate must have an RSA key length of 3,072 or later or EC-256.  You probably have a common RSA 2,048 bit certificate. 

 

In recent version of ICS with modern components, you generally don't set the OpenSSL security level, instead you set the client or server security level SslCliSecurity or SslSrvSecurity which set the ciphers, TLS version and security level for various scenarios.

 

Angus

 

[Dmytro Lendel 1]

Thank you very much for your answer. I am a little lost with this problem. I need connect Ethernet module (http://www.hi-flying.com) with TLS encryption support. TLS: TLS1.2 encryption, TLS use no certificate method and I have not ideas what I need to do. Will I need generate new certificate or set some parameters in TSsWSocketServe? I understand how it`s work in theory but don`t know what to do practically. I am sorry. Can you give some help?

Regards, Dmytro

[Angus Robertson 574]

Rather than looking at OverbyteIcsSimpleSslServer and OverbyteIcsSimpleSslClient. which I assumed you wanted to talk to each other,. I suggest you look at OverbyteIcsIpStmLogTst instead, which can be configured as a server or client and handles all the SSL stuff for you, just setting SslCliSecurity or SslSrvSecurity as I mentioned above from combo boxes.  You should be able to talk to your Ethernet module with the demo. It does not support SSL client certificates, but you probably don't need them.

 

Angus

 

[Guest]

My 2 cents:

1) 

11 hours ago, Dmytro Lendel said:

I need connect Ethernet module (http://www.hi-flying.com) with TLS encryption support.

Which module is it ? and what is the specification regarding supported protocols ( TLS version and cipher suites )

Are you going to connect to it as client or it will connect to you as server ?

 

2)

11 hours ago, Dmytro Lendel said:

TLS use no certificate method

You mentioned this twice, and yet it is still not clear, the modules in that links are IOT devices and those devices usually doesn't use the popular cipher suites with certificates because it does complicate things greatly for the trust anchors (chains), most IOT devices use (Pre-Shared Keys) PSK cipher suites and those doesn't need certificate, like your WiFi on android, and there is another less popular cipher suites called SRP that use passwords instead of PSK, so are those available ?

 

3) can you generate a WireShark log for the ClientHello and ServerHello for the failed connection? this will help much and reduce the time needed for pinning the problem, or in your case finding solution, as this is not bug .

 

[Dmytro Lendel 1]

Hello,

Yes, you right. Welter. I am sorry Step by step.

1 Module is Eport-E20

2 In module`s manual I found “TLS: TLS1.2 encryptioin, We use no certificate method. Only support in TCP client mode.” Module is working in client mode now. Manual attached to this message

3 I added isclogger. Result attached to this letter

 

Regards, Dmytro

IOT_Device_Series_Software_Funtion_20200623.pdf

1.txt

[Angus Robertson 574]

IcsLogger output is intended for internal debugging of ICS components, not end user applications, and is always used with extra logging in the application.  So I have no idea what components you are using, with what IP addresses, ports or protocols, nor which of the numerous ways you have setup the module. 

 

If you have setup the module as an SSL TCP client, you need an SSL/TLS certificate for the ICS SSL server or it will not start.  It is more normal to set-up IOT modules as servers, so you contact them, but then they need a certificate.  

 

Suggest you read my earlier message again.

 

Angus

[Guest]

That is interesting, the manual insist on mentioning TLS, and it might be in generic meaning as Transport Security Layer, because looking at your log file, the first packet has 19 byte size and this can't be a ClientHello message record for TLS, as at least a random with 32 byte should be included !

So here 2 points to check

1) That module doesn't have TLS, mean it will use pre shared key for direct encryption/decryption using the algorithms mentioned in the documentation

Quote

AES: AES encryption, CBC method，TCP/UDP all support this.

DES3: DES3 encryption, TCP/UDP all support this.

Input key: AES or DES3 key. For AES encryption, the key is fixed 16 bytes length, the IV value is the same as key. For DES3 encryption, the key is fixed 24 bytes length, the IV value the first 8 Bytes of key. The key can be ASCII or Hex format data. Hex format data need to use “space” character as separator, ex, “01 02 03…”

But here i have difficulty understanding the lack of mentioning of what padding is been used, combine this with the fact first packet was 19 bytes, on other hand this might work if the size of the packet is defined and fixed as 3+n*16 which will start to make sense, but you first need to capture one packet ( the first one with 19 bytes ) and paste it here to see what is inside, will be better if you repeated it and confirmed it is still the same, then change the key on that module ( only the key not the algorithm) and capture another packet to compare them, and do the same for second algorithm 3DES, is there a third option in that security box in Sock group, AES , 3DES .. ?? (TLS may be, if not then TLS is not supported on that module)

 

2) the module does support TLS somehow, but in this case it will be using the PSK cipher suites, i looked at ICS source and i see that the default is all PSK ciphers are disabled, here Angus can help if that is possible to enable them and how, i have no idea.

the ciphers that might be working should be some of those, (all of these doesn't need certificates)

// likely to work

0x00,0x8B    TLS_PSK_WITH_3DES_EDE_CBC_SHA    Y    N    [RFC4279]

0x00,0x8C    TLS_PSK_WITH_AES_128_CBC_SHA    Y    N    [RFC4279]

// very unlikely to be supported
0x00,0x90    TLS_DHE_PSK_WITH_AES_128_CBC_SHA    Y    N    [RFC4279]

0x00,0x94    TLS_RSA_PSK_WITH_AES_128_CBC_SHA    Y    N    [RFC4279]

0x00,0xAE    TLS_PSK_WITH_AES_128_CBC_SHA256    Y    N    [RFC5487]
0x00,0xB2    TLS_DHE_PSK_WITH_AES_128_CBC_SHA256    Y    N    [RFC5487]
0x00,0xB6    TLS_RSA_PSK_WITH_AES_128_CBC_SHA256    Y    N    [RFC5487]

0xC0,0x35    TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA    Y    N    [RFC5489]
0xC0,0x37    TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256    Y    N    [RFC5489]

 

cipher lists from here https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

 

 

Anyway if first case is how it does data been sent then your server doesn't need OpenSSL at all, the second will will need a confirmation from Agnus on how to test it.

[Dmytro Lendel 1]

Hello,

I sent request to the vendor about TLS support. I can`t to understand how they implemented it. Hope will have answer soon

Thank you!

Dmytro