Does WICED SDK support TLS Session Ticket Extension?

AxLi_1746341

If yes, do you have any example to use it?

If no, do you have plan to support it?

AxLi_1746341

BTW, does WICED SDK support TLS Session Identifier caching?

I don't find any doc mentioning this.


Check this comment in mbedtls/config.h:

/* To use the session resumption feature of TLS, apps just need to enable WICED_TLS_CLI_CACHE_SESSION flag without
 * worrying about storing connection info. BESL library takes care of storing the connection info(ip, port, session info)
 * and resuming the connections. Number of entries to be stored is determined by WICED_TLS_CLI_CACHE_ENTRIES macro.
 */

In wiced_tls.c, the function mbedtls_ssl_get_session( &tls_context->context, &tls_session) is used to save session to resume later and mbedtls_ssl_set_session( &tls_context->context, tls_context->session ) is used to resume session. You can check session resumption implementation in wiced_tls.c.


1. Your comment is not clear to me.

   Does WICED_TLS_CLI_CACHE_SESSION mean support for "TLS Session Identifier caching"?

   How about support for "TLS Session Ticket Extension"?

2. #define WICED_TLS_CLI_CACHE_SESSION causes a compile error for the FreeRTOS build:

Compiling Supplicant_BESL
WICED/security/BESL/host/WICED/wiced_tls.c:113:5: error: unknown type name 'UINT'
     UINT                    port_num;
     ^
WICED/security/BESL/host/WICED/wiced_tls.c:157:68: error: unknown type name 'UINT'
wiced_result_t get_ssl_cache_entry(wiced_ip_address_t *ip_address, UINT port, wiced_ssl_cache_entry **entry)
                                                                    ^
WICED/security/BESL/host/WICED/wiced_tls.c:180:68: error: unknown type name 'UINT'
wiced_result_t add_ssl_cache_entry(wiced_ip_address_t *ip_address, UINT port, mbedtls_ssl_session *tls_session)
                                                                    ^
WICED/security/BESL/host/WICED/wiced_tls.c: In function 'wiced_generic_start_tls_with_ciphers':
WICED/security/BESL/host/WICED/wiced_tls.c:1204:13: warning: implicit declaration of function 'get_ssl_cache_entry' [-Wimplicit-function-declaration]
             entry_found = get_ssl_cache_entry((wiced_ip_address_t*)&socket->socket.nx_tcp_socket_connect_ip, socket->socket.nx_tcp_socket_connect_port, &cache_entry);
             ^
WICED/security/BESL/host/WICED/wiced_tls.c:1204:83: error: request for member 'nx_tcp_socket_connect_ip' in something not a structure or union
             entry_found = get_ssl_cache_entry((wiced_ip_address_t*)&socket->socket.nx_tcp_socket_connect_ip, socket->socket.nx_tcp_socket_connect_port, &cache_entry);
                                                                                   ^
WICED/security/BESL/host/WICED/wiced_tls.c:1204:124: error: request for member 'nx_tcp_socket_connect_port' in something not a structure or union
             entry_found = get_ssl_cache_entry((wiced_ip_address_t*)&socket->socket.nx_tcp_socket_connect_ip, socket->socket.nx_tcp_socket_connect_port, &cache_entry);
                                                                                                                            ^
WICED/security/BESL/host/WICED/wiced_tls.c:1393:21: warning: implicit declaration of function 'add_ssl_cache_entry' [-Wimplicit-function-declaration]
                     add_ssl_cache_entry( (wiced_ip_address_t*) &socket->socket.nx_tcp_socket_connect_ip, socket->socket.nx_tcp_socket_connect_port, &tls_session);
                     ^
WICED/security/BESL/host/WICED/wiced_tls.c:1393:79: error: request for member 'nx_tcp_socket_connect_ip' in something not a structure or union
                     add_ssl_cache_entry( (wiced_ip_address_t*) &socket->socket.nx_tcp_socket_connect_ip, socket->socket.nx_tcp_socket_connect_port, &tls_session);
                                                                               ^
WICED/security/BESL/host/WICED/wiced_tls.c:1393:120: error: request for member 'nx_tcp_socket_connect_port' in something not a structure or union
                     add_ssl_cache_entry( (wiced_ip_address_t*) &socket->socket.nx_tcp_socket_connect_ip, socket->socket.nx_tcp_socket_connect_port, &tls_session);
                                                                                                                        ^
WICED/security/BESL/host/WICED/wiced_tls.c:1408:83: error: request for member 'nx_tcp_socket_connect_ip' in something not a structure or union
                         add_ssl_cache_entry( (wiced_ip_address_t*) &socket->socket.nx_tcp_socket_connect_ip, socket->socket.nx_tcp_socket_connect_port, &tls_session);
                                                                                   ^
WICED/security/BESL/host/WICED/wiced_tls.c:1408:124: error: request for member 'nx_tcp_socket_connect_port' in something not a structure or union
                         add_ssl_cache_entry( (wiced_ip_address_t*) &socket->socket.nx_tcp_socket_connect_ip, socket->socket.nx_tcp_socket_connect_port, &tls_session);
                                                                                                                            ^
WICED/security/BESL/host/WICED/wiced_tls.c: At top level:
WICED/security/BESL/host/WICED/wiced_tls.c:139:21: warning: 'compare_ip_port' defined but not used [-Wunused-function]
static wiced_bool_t compare_ip_port( linked_list_node_t* node_to_compare, void* user_data )
                     ^
make[1]: *** [build/snip.https_client-FreeRTOS-LwIP-BCM94343WWCD2/Modules/./WICED/security/BESL/host/WICED/wiced_tls.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [main_app] Error 2

1. Yes. Enabling WICED_TLS_CLI_CACHE_SESSION would call add_ssl_cache_entry( (wiced_ip_address_t*) &socket->socket.nx_tcp_socket_connect_ip, socket->socket.nx_tcp_socket_connect_port, &tls_session) and this would cache the entire structure mbedtls_ssl_session including session identifier. The function get_ssl_cache_entry() would retrieve the cache entry pointing to the TLS session structure. TLS Session ticket extension is supported in mbedTLS. The function ssl_write_session_ticket_ext() is used for the same during client hello (ssl_cli.c). You can enable the macro MBEDTLS_SSL_SESSION_TICKETS for this.

2. The compile error is caused because this feature has been enabled for NetX.
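Added example, not WICED or mbedTLS code: a small client-side session cache keyed by peer IP and port, in the spirit of the WICED_TLS_CLI_CACHE_SESSION mechanism described in the config.h comment and in the reply above, but written against a plain address struct so it carries no NetX or LwIP types (the dependency the build errors come from). tls_session_t stands in for mbedtls_ssl_session and CACHE_ENTRIES for WICED_TLS_CLI_CACHE_ENTRIES; both are assumptions, and the eviction policy is a constructed choice.

```c
/* Constructed example: stack-independent client TLS session cache keyed by (ip, port).
 * Not WICED or mbedTLS code; tls_session_t stands in for mbedtls_ssl_session. */
#include <stdint.h>
#include <string.h>

#define CACHE_ENTRIES  4   /* assumed stand-in for WICED_TLS_CLI_CACHE_ENTRIES */
#define SESSION_ID_MAX 32  /* a TLS session ID is at most 32 bytes */

typedef struct { uint8_t v4[4]; } ip_addr_t;   /* plain copy of the peer address, no NetX/LwIP types */
typedef struct { uint8_t id[SESSION_ID_MAX]; size_t id_len; } tls_session_t;

typedef struct {
    int           used;
    uint32_t      last_used;   /* monotonic stamp for least-recently-used eviction */
    ip_addr_t     ip;
    uint16_t      port;
    tls_session_t session;     /* whole session copied, as WICED copies mbedtls_ssl_session */
} cache_entry_t;

static cache_entry_t cache[CACHE_ENTRIES];
static uint32_t      tick;

void cache_clear(void) { memset(cache, 0, sizeof cache); tick = 0; }

static int key_match(const cache_entry_t *e, const ip_addr_t *ip, uint16_t port)
{
    return e->used && e->port == port && memcmp(e->ip.v4, ip->v4, sizeof ip->v4) == 0;
}

/* Counterpart of get_ssl_cache_entry(): session to resume for this peer, or NULL. */
const tls_session_t *cache_get(const ip_addr_t *ip, uint16_t port)
{
    for (int i = 0; i < CACHE_ENTRIES; i++)
        if (key_match(&cache[i], ip, port)) { cache[i].last_used = ++tick; return &cache[i].session; }
    return NULL;
}

/* Counterpart of add_ssl_cache_entry(): overwrite same peer, else use a free slot, else evict LRU. */
void cache_add(const ip_addr_t *ip, uint16_t port, const tls_session_t *s)
{
    int slot = -1;
    for (int i = 0; i < CACHE_ENTRIES && slot < 0; i++) if (key_match(&cache[i], ip, port)) slot = i;
    for (int i = 0; i < CACHE_ENTRIES && slot < 0; i++) if (!cache[i].used) slot = i;
    if (slot < 0) {
        slot = 0;
        for (int i = 1; i < CACHE_ENTRIES; i++) if (cache[i].last_used < cache[slot].last_used) slot = i;
    }
    cache[slot].used = 1; cache[slot].last_used = ++tick;
    cache[slot].ip = *ip; cache[slot].port = port; cache[slot].session = *s;
}
```

In a real port, cache_add would be called with the output of mbedtls_ssl_get_session() after a successful handshake and cache_get's result passed to mbedtls_ssl_set_session() before the next handshake to the same peer.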

grsr wrote:

2. The compile error is caused because this feature has been enabled for NetX.

Actually, the implementation of WICED/security/BESL/host/WICED/wiced_tls.c should not include any low-level network-stack-dependent structure.

Anyway, I'm just pointing out the problem so you can fix the build problem in the next release.

Thanks.

grsr wrote:

TLS Session ticket extension is supported in mbedTLS. The function ssl_write_session_ticket_ext() is used for the same during client hello (ssl_cli.c). You can enable the macro MBEDTLS_SSL_SESSION_TICKETS for this.

I think defining MBEDTLS_SSL_SESSION_TICKETS won't work.

See the build warnings below:

WICED/security/BESL/host/WICED/wiced_tls.c: In function 'wiced_generic_start_tls_with_ciphers':
WICED/security/BESL/host/WICED/wiced_tls.c:1124:5: warning: passing argument 1 of 'mbedtls_ssl_conf_session_tickets' from incompatible pointer type
     mbedtls_ssl_conf_session_tickets( &conf, opt_config.tickets );
     ^
In file included from ././WICED/security/BESL/host/WICED/tls_types.h:50:0,
                 from ./include/wiced_tls.h:35,
                 from WICED/security/BESL/host/WICED/wiced_tls.c:38:
./WICED/security/BESL/mbedtls_open/include/mbedtls/ssl.h:2181:6: note: expected 'struct mbedtls_ssl_config *' but argument is of type 'struct mbedtls_ssl_config **'
void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets );
      ^

PS: The way WICED uses mbedTLS is too hacky, as I have pointed out in another thread.

Just a suggestion: when you need to change a prototype in mbedTLS, you should probably think over why on earth only WICED needs such a prototype change.

In addition, if you can minimize the changes in mbedTLS, it will be much easier to upgrade to a newer mbedTLS version.

I checked with the engineers on this issue and here is the feedback:

1. We will look into the network stack dependencies issue in session identifier caching. Thank you for the feedback.

2. MBEDTLS_SSL_SESSION_TICKETS is not supported in WICED.

grsr wrote:

I checked with the engineers on this issue and here is the feedback:

1. We will look into the network stack dependencies issue in session identifier caching. Thank you for the feedback.

Still the same build error in SDK 6.2 if I #define WICED_TLS_CLI_CACHE_SESSION with the FreeRTOS build.