8 Replies Latest reply on Jun 6, 2018 6:20 PM by axel.lin_1746341

    Does WICED SDK support TLS Session Ticket Extension?

    axel.lin_1746341

      If yes, do you have any example to use it?

      If no, do you have plan to support it?

        • 1. Re: Does WICED SDK support TLS Session Ticket Extension?
          axel.lin_1746341

          BTW, does the WICED SDK support TLS Session Identifier caching?

          I don't find any doc mentioning this.

          • 2. Re: Does WICED SDK support TLS Session Ticket Extension?
            grsr

            Check this comment in mbedtls/config.h:

            /* To use the session resumption feature of TLS, apps just need to enable WICED_TLS_CLI_CACHE_SESSION flag without
             * worrying about storing connection info. BESL library takes care of storing the connection info(ip, port, session info)
             * and resuming the connections. Number of entries to be stored is determined by WICED_TLS_CLI_CACHE_ENTRIES macro.
             */

            In wiced_tls.c, the function mbedtls_ssl_get_session( &tls_context->context, &tls_session) is used to save session to resume later and mbedtls_ssl_set_session( &tls_context->context, tls_context->session ) is used to resume session. You can check session resumption implementation in wiced_tls.c.

            • 3. Re: Does WICED SDK support TLS Session Ticket Extension?
              axel.lin_1746341

              1. Your comment is not clear to me.

                 Does WICED_TLS_CLI_CACHE_SESSION mean support for "TLS Session Identifier caching"?

                 What about support for the "TLS Session Ticket Extension"?

              2. #define WICED_TLS_CLI_CACHE_SESSION causes a compile error for the FreeRTOS build

              Compiling Supplicant_BESL
              WICED/security/BESL/host/WICED/wiced_tls.c:113:5: error: unknown type name 'UINT'
                   UINT                    port_num;
                   ^
              WICED/security/BESL/host/WICED/wiced_tls.c:157:68: error: unknown type name 'UINT'
              wiced_result_t get_ssl_cache_entry(wiced_ip_address_t *ip_address, UINT port, wiced_ssl_cache_entry **entry)
                                                                                  ^
              WICED/security/BESL/host/WICED/wiced_tls.c:180:68: error: unknown type name 'UINT'
              wiced_result_t add_ssl_cache_entry(wiced_ip_address_t *ip_address, UINT port, mbedtls_ssl_session *tls_session)
                                                                                  ^
              WICED/security/BESL/host/WICED/wiced_tls.c: In function 'wiced_generic_start_tls_with_ciphers':
              WICED/security/BESL/host/WICED/wiced_tls.c:1204:13: warning: implicit declaration of function 'get_ssl_cache_entry' [-Wimplicit-function-declaration]
                           entry_found = get_ssl_cache_entry((wiced_ip_address_t*)&socket->socket.nx_tcp_socket_connect_ip, socket->socket.nx_tcp_socket_connect_port, &cache_entry);
                           ^
              WICED/security/BESL/host/WICED/wiced_tls.c:1204:83: error: request for member 'nx_tcp_socket_connect_ip' in something not a structure or union
                           entry_found = get_ssl_cache_entry((wiced_ip_address_t*)&socket->socket.nx_tcp_socket_connect_ip, socket->socket.nx_tcp_socket_connect_port, &cache_entry);
                                                                                                 ^
              WICED/security/BESL/host/WICED/wiced_tls.c:1204:124: error: request for member 'nx_tcp_socket_connect_port' in something not a structure or union
                           entry_found = get_ssl_cache_entry((wiced_ip_address_t*)&socket->socket.nx_tcp_socket_connect_ip, socket->socket.nx_tcp_socket_connect_port, &cache_entry);
                                                                                                                                          ^
              WICED/security/BESL/host/WICED/wiced_tls.c:1393:21: warning: implicit declaration of function 'add_ssl_cache_entry' [-Wimplicit-function-declaration]
                                   add_ssl_cache_entry( (wiced_ip_address_t*) &socket->socket.nx_tcp_socket_connect_ip, socket->socket.nx_tcp_socket_connect_port, &tls_session);
                                   ^
              WICED/security/BESL/host/WICED/wiced_tls.c:1393:79: error: request for member 'nx_tcp_socket_connect_ip' in something not a structure or union
                                   add_ssl_cache_entry( (wiced_ip_address_t*) &socket->socket.nx_tcp_socket_connect_ip, socket->socket.nx_tcp_socket_connect_port, &tls_session);
                                                                                             ^
              WICED/security/BESL/host/WICED/wiced_tls.c:1393:120: error: request for member 'nx_tcp_socket_connect_port' in something not a structure or union
                                   add_ssl_cache_entry( (wiced_ip_address_t*) &socket->socket.nx_tcp_socket_connect_ip, socket->socket.nx_tcp_socket_connect_port, &tls_session);
                                                                                                                                      ^
              WICED/security/BESL/host/WICED/wiced_tls.c:1408:83: error: request for member 'nx_tcp_socket_connect_ip' in something not a structure or union
                                       add_ssl_cache_entry( (wiced_ip_address_t*) &socket->socket.nx_tcp_socket_connect_ip, socket->socket.nx_tcp_socket_connect_port, &tls_session);
                                                                                                 ^
              WICED/security/BESL/host/WICED/wiced_tls.c:1408:124: error: request for member 'nx_tcp_socket_connect_port' in something not a structure or union
                                       add_ssl_cache_entry( (wiced_ip_address_t*) &socket->socket.nx_tcp_socket_connect_ip, socket->socket.nx_tcp_socket_connect_port, &tls_session);
                                                                                                                                          ^
              WICED/security/BESL/host/WICED/wiced_tls.c: At top level:
              WICED/security/BESL/host/WICED/wiced_tls.c:139:21: warning: 'compare_ip_port' defined but not used [-Wunused-function]
              static wiced_bool_t compare_ip_port( linked_list_node_t* node_to_compare, void* user_data )
                                   ^
              make[1]: *** [build/snip.https_client-FreeRTOS-LwIP-BCM94343WWCD2/Modules/./WICED/security/BESL/host/WICED/wiced_tls.o] Error 1
              make[1]: *** Waiting for unfinished jobs....
              make: *** [main_app] Error 2

              1 of 1 people found this helpful
              • 4. Re: Does WICED SDK support TLS Session Ticket Extension?
                grsr

                1. Yes. Enabling WICED_TLS_CLI_CACHE_SESSION would call add_ssl_cache_entry( (wiced_ip_address_t*) &socket->socket.nx_tcp_socket_connect_ip, socket->socket.nx_tcp_socket_connect_port, &tls_session) and this would cache the entire structure mbedtls_ssl_session including session identifier. The function get_ssl_cache_entry() would retrieve the cache entry pointing to the TLS session structure. TLS Session ticket extension is supported in mbedTLS. The function ssl_write_session_ticket_ext() is used for the same during client hello (ssl_cli.c). You can enable the macro MBEDTLS_SSL_SESSION_TICKETS for this.

                2. The compile error is caused because this feature has been enabled for NetX.

                1 of 1 people found this helpful
                • 5. Re: Does WICED SDK support TLS Session Ticket Extension?
                  axel.lin_1746341

                  grsr wrote:

                  2. The compile error is caused because this feature has been enabled for NetX.

                  Actually, the implementation of WICED/security/BESL/host/WICED/wiced_tls.c

                  should not include any low-level, network-stack-dependent structure.

                  Anyway, I just pointed out the problem so you can fix the build problem in the next release.

                  Thanks.

                  1 of 1 people found this helpful
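The cache that replies 2 and 4 describe (get_ssl_cache_entry / add_ssl_cache_entry holding an mbedtls_ssl_session per peer, WICED_TLS_CLI_CACHE_ENTRIES slots), written the way reply 5 asks for: keyed by a plain (IPv4, port) pair rather than a NetX socket field. This is an added example, not BESL or WICED code; the struct layout, the opaque session blob and the LRU eviction are my assumptions, and the function names are borrowed from the thread only for orientation.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Added example, not WICED/BESL code: a client session cache keyed by a stack-neutral
 * (IPv4, port) pair so it builds the same on NetX, LwIP or FreeRTOS. The blob stands in
 * for a serialised mbedtls_ssl_session: fill it after a full handshake from
 * mbedtls_ssl_get_session() and restore it before the next one via mbedtls_ssl_set_session(). */
#define CACHE_ENTRIES    4   /* plays the role of WICED_TLS_CLI_CACHE_ENTRIES */
#define SESSION_BLOB_MAX 64
typedef struct {
    uint8_t  in_use;
    uint32_t ip;          /* host-order IPv4; no nx_tcp_socket_* field needed */
    uint16_t port;
    uint32_t last_used;   /* monotonic counter for LRU eviction */
    size_t   blob_len;
    uint8_t  blob[SESSION_BLOB_MAX]; /* holds the master secret: RAM only, wiped on drop */
} ssl_cache_entry_t;
static ssl_cache_entry_t cache[CACHE_ENTRIES];
static uint32_t tick;
static const uint8_t kSampleSession[4] = { 0xde, 0xad, 0xbe, 0xef }; /* constructed sample */

/* Lookup before the handshake: cached entry or NULL; a hit refreshes the LRU stamp. */
ssl_cache_entry_t *get_ssl_cache_entry(uint32_t ip, uint16_t port) {
    for (int i = 0; i < CACHE_ENTRIES; i++)
        if (cache[i].in_use && cache[i].ip == ip && cache[i].port == port) {
            cache[i].last_used = ++tick;
            return &cache[i];
        }
    return NULL;
}

/* Store after a successful full handshake: reuse the peer's slot, else a free or LRU slot. */
int add_ssl_cache_entry(uint32_t ip, uint16_t port, const uint8_t *session, size_t len) {
    if (len > SESSION_BLOB_MAX) return -1;
    ssl_cache_entry_t *e = get_ssl_cache_entry(ip, port);
    if (e == NULL)
        for (int i = 0; i < CACHE_ENTRIES; i++) {
            if (!cache[i].in_use) { e = &cache[i]; break; }
            if (e == NULL || cache[i].last_used < e->last_used) e = &cache[i];
        }
    e->in_use = 1; e->ip = ip; e->port = port; e->last_used = ++tick;
    memcpy(e->blob, session, len); e->blob_len = len;
    return 0;
}

/* Drop when the server declines resumption or the session ages out, so a stale entry
 * is not retried forever; zeroing the slot also scrubs the secret. Returns 1 if found. */
int drop_ssl_cache_entry(uint32_t ip, uint16_t port) {
    ssl_cache_entry_t *e = get_ssl_cache_entry(ip, port);
    if (e == NULL) return 0;
    memset(e, 0, sizeof(*e));
    return 1;
}
```

Because the cache carries the master secret, a resumed connection is only as private as this RAM, and a failed resumption should drop the entry instead of retrying it with every reconnect.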
                  • 6. Re: Does WICED SDK support TLS Session Ticket Extension?
                    axel.lin_1746341

                    grsr wrote:

                    TLS Session ticket extension is supported in mbedTLS. The function ssl_write_session_ticket_ext() is used for the same during client hello (ssl_cli.c). You can enable the macro MBEDTLS_SSL_SESSION_TICKETS for this.

                    I think defining MBEDTLS_SSL_SESSION_TICKETS won't work.

                    See the build warnings below:

                    WICED/security/BESL/host/WICED/wiced_tls.c: In function 'wiced_generic_start_tls_with_ciphers':
                    WICED/security/BESL/host/WICED/wiced_tls.c:1124:5: warning: passing argument 1 of 'mbedtls_ssl_conf_session_tickets' from incompatible pointer type
                         mbedtls_ssl_conf_session_tickets( &conf, opt_config.tickets );
                         ^
                    In file included from ././WICED/security/BESL/host/WICED/tls_types.h:50:0,
                                     from ./include/wiced_tls.h:35,
                                     from WICED/security/BESL/host/WICED/wiced_tls.c:38:
                    ./WICED/security/BESL/mbedtls_open/include/mbedtls/ssl.h:2181:6: note: expected 'struct mbedtls_ssl_config *' but argument is of type 'struct mbedtls_ssl_config **'
                    void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets );
                          ^

                    PS. The way WICED uses mbedTLS is too hacky, as I have pointed out in another thread.

                    Just a suggestion: when you need to change a prototype in mbedTLS, you should probably

                    think over why on earth only WICED needs such a prototype change.

                    In addition, if you can minimize the changes in mbedTLS, it will be much easier to upgrade to a newer mbedTLS version.

                    • 7. Re: Does WICED SDK support TLS Session Ticket Extension?
                      grsr

                      I checked with the engineers on this issue and here is the feedback:

                      1. We will look into the network stack dependencies issue in session identifier caching. Thank you for the feedback.

                      2. MBEDTLS_SSL_SESSION_TICKETS is not supported in WICED.

                      1 of 1 people found this helpful
                      • 8. Re: Does WICED SDK support TLS Session Ticket Extension?
                        axel.lin_1746341

                        grsr wrote:

                        I checked with the engineers on this issue and here is the feedback:

                        1. We will look into the network stack dependencies issue in session identifier caching. Thank you for the feedback.

                        Still the same build error in sdk-6.2 with #define WICED_TLS_CLI_CACHE_SESSION in the FreeRTOS build.