NetX TLS 1.3 client certificate authentication

AGROFOGLIO Louis-Andre (SAFRAN) 40 Reputation points
2023-08-29T15:42:04.6633333+00:00

Hello

I am working to evaluate NetX for our product. My task is to set up a TLS server using NetX secure and test it using openssl.

My task is to implement client authentication using certificate chain.

Netx_secure is compiled with TLS1.3, AEAD, CLIENT_CERTIFICATE_VERIFY and SELF_SIGNED_CERTIFICATE

I set up the server using the exemple provided in https://learn.microsoft.com/en-us/azure/rtos/netx-duo/netx-secure-tls/chapter2#small-example-system-tls-web-server, adapting socket behavior to my needs.

And I set up the client certificate authentication with this steps (https://learn.microsoft.com/en-us/azure/rtos/netx-duo/netx-secure-tls/chapter3#client-certificate-authentication-for-tls-servers)

  • nx_secure_x509_certificate_initialize
  • nx_secure_tls_trusted_certificate_add
    • To add the root certificate
  • nx_secure_tls_session_client_verify_enable
  • nx_secure_tls_session_x509_client_verify_configure
  • nx_secure_tls_session_certificate_callback_set

--

For the test, I use openssl s_client :

(certBundle contain user's certificate chain and server CA chain)

  • TLS 1.2 : openssl s_client -tls1_2 -cert user.pem -key user1.key -CAfile certBundle.pem  -connect IP:PORT -state : works fine
  • TLS 1.3 : openssl s_client -tls1_3 -cert user.pem -key user1.key -CAfile certBundle.pem  -connect IP:PORT -state :

fails with error code 0x145 (NX_SECURE_TLS_CERTIFICATE_REQUIRED) and SSL alert 116 (certificate required)

  • When I add the debug flag in openssl, I do not see the user's certificate chain being sent (visible in 1.2)
    Am I missing a step ?
Azure RTOS
Azure RTOS
An Azure embedded development suite including a small but powerful operating system for resource-constrained devices.
331 questions
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.