Internal error NX_SECURE_TLS_INVALID_STATE when connecting to a NetX Duo Secure server

Grégoire DEFOY 20

I have followed the documentation https://video2.skills-academy.com/en-us/azure/rtos/netx-duo/netx-secure-tls/chapter2 to create a tls server with the NetX Duo Secure addon.

When I connect to the server and when i process the client hello, i get an internal error telling me that there are no ciphersuites, is there something to initialize the ciphersuites ?

PRADEEPCHEEKATLA-MSFT 88,791 Reputation points Microsoft Employee

2023-03-20T05:06:28.2633333+00:00

Hello Grégoire DEFOY,

We received your feedback that the answer provided on the thread was not helpful.

Kindly let us know what we could have done better to improve the answer and make your engagement experience good. We are here to help you and strive to make your experience better and greatly value your feedback.

Our engineer has provided a detailed answer which has clear steps for which you are looking for.

If you wish, you may re-surveying/rating for the engagement you received on the thread. Your feedback is very important to us.

Looking forward to you reply. Much appreciate your feedback!

Regards,

PRADEEPCHEEKATLA-MSFT

2 answers

AshokPeddakotla-MSFT 32,946 Reputation points

2023-03-10T13:12:52.8533333+00:00
Grégoire DEFOY Welcome to Microsoft Q&A forum!

Internal error NX_SECURE_TLS_INVALID_STATE when connecting to a NetX Duo Secure server When I connect to the server and when i process the client hello, i get an internal error telling me that there are no ciphersuites, is there something to initialize the ciphersuites ?

The error "NX_SECURE_TLS_INVALID_STATE" can occur when the TLS state is incorrect.

You can try the following steps to resolve the issue:

Confirm that the TLS state is correct.

Check the TLS state machine to ensure that the correct state is being used.

Ensure that the TLS session was not terminated unexpectedly.

Also, The documentation which you are following show the basic outlines for a TLS Client and Server, respectively, but for clarity the error handling is omitted. However, part of the security TLS provides is dependent on the proper handling of error conditions. Generally, the most serious potential problems will be handled within the TLS stack itself, but it is important for the TLS application to properly respond to and recover from TLS errors that are not handled within the TLS implementation.

Please double check the sample and try the error handling. See the section A Note on TLS Session Error Recovery for more details.

When I connect to the server and when i process the client hello, i get an internal error telling me that there are no ciphersuites, is there something to initialize the ciphersuites ?

It's possible that the ciphersuites have not been properly initialized. Ensure that it has been included.

If you need further help in this matter, please comment in the below section and we are happy to discuss!

If this answers your query, do click Accept Answer and Yes for this answer as helpful. And, if you have any further query do let us know by commenting in the below section.
Please sign in to rate this answer.
Grégoire DEFOY 20 Reputation points

2023-03-10T15:58:02.4333333+00:00

Thank you for your answer,

This is how my program initialises the NetX secure tls server. Is there something missing ?

main function :

nx_system_initialize(); nx_crypto_initialize(); nx_secure_tls_initialize();

on my ip instance

nx_tcp_enable() nx_tcp_socket_create(...)

then in the thread context

nx_secure_tls_session_create(&sTlsSession, &nx_crypto_tls_ciphers_ecc, acTlsCryptoMetadata, sizeof(acTlsCryptoMetadata) ); nx_secure_tls_ecc_initialize(&sTlsSession, nx_crypto_ecc_supported_groups, nx_crypto_ecc_supported_groups_size, nx_crypto_ecc_curves); nx_secure_tls_local_certificate_add(...) // In accept callback nx_tcp_server_socket_accept(...) nx_secure_tls_session_start(&sTlsSession, &sSocket, NX_WAIT_FOREVER); // in receive callback nx_secure_tls_session_receive(&sTlsSession,...)

The code fails when receiving the clientHello part of the handshake and it seems to block when trying to agree on a ciphersuite. I use openssl sclient to connect.

It sends the following supported ciphers :

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA256

When I go to the nx_crypto_generic_ciphersuites.c file i see the following definition for the cipher suites :

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA256

So from what i see, the server should be able to select a common cipher suite.

Is there some documentation for the tls state machine so that i may check if i am in the rigth state ?

AshokPeddakotla-MSFT 32,946 Reputation points

2023-03-13T14:25:18.5933333+00:00

Grégoire DEFOY I'm looking into this issue and update you as earliest. Appreciate your time and patience.

QuantumCache 20,266 Reputation points

2023-03-13T18:01:40.87+00:00

Hello Grégoire DEFOY

You may need to configure your client to use a cipher suite that is supported by the server. Alternatively, you may need to update your server configuration to support additional cipher suites that the client is using.

Alternatively i can suggest few steps:
--->include the following files in your application:

nx_secure_tls_api.h

nx_secure_tls_user.h

nx_secure_tls_port.h

nx_secure_x509.h

-->configure some user defines in nx_secure_tls_user.h, such as:

NX_SECURE_TLS_MAX_SESSION_KEYS

NX_SECURE_TLS_MAX_CERTIFICATES

NX_SECURE_TLS_MAX_SERVER_CERTIFICATES

NX_SECURE_TLS_MAX_CLIENT_CERTIFICATES

NX_SECURE_TLS_MAX_TRUSTED_CERTIFICATES

also provides a description of the TLS state machine and its states, such as:

NX_SECURE_TLS_STATE_IDLE

NX_SECURE_TLS_STATE_HANDSHAKE_HELLO_REQUEST

NX_SECURE_TLS_STATE_HANDSHAKE_CLIENTHELLO

NX_SECURE_TLS_STATE_HANDSHAKE_SERVERHELLO

use the function nx_secure_tls_session_get_current_state() to get the current state of your TLS session.

Regarding your question about the TLS state machine, the TLS protocol is defined in RFC 8446 (TLS 1.3) and RFC 5246 (TLS 1.2). The TLS handshake protocol is described in section 4 of RFC 8446 and section 7.3 of RFC 5246. These documents provide detailed information on the TLS handshake protocol and the state machine used by the TLS client and server. You may find these documents helpful in debugging your TLS implementation.

References:

Chapter 2 - Installation and use of Azure RTOS NetX Secure

Chapter 1 - Introduction to Azure RTOS NetX Secure

Chapter 3 - Functional description of Azure RTOS NetX Secure

Here are the links to the TLS specifications:

TLS 1.3: https://datatracker.ietf.org/doc/html/rfc8446

TLS 1.2: https://datatracker.ietf.org/doc/html/rfc5246

Let me know if this helps?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Grégoire DEFOY 20 Reputation points

2023-03-20T09:49:04.0266667+00:00

I managed to solve the problem,

This was due to the ssl certificate generation.

I was not able to get NetX to validate a PKCS-1 key, as it was not in the right format, so i switched to a EC encoded private key, which was accepted in the nx_secure_x509_certificate_initialize() function. This worked and initialized the certificate. but when connecting with openssl, the EC methods were not working, so an error was thrown.

When I finally managed to convert a RSA key to the PKCS-1 format, and initialize it, everything worked.

I'd like to thank everyone in this thread for their time.
Please sign in to rate this answer.
PRADEEPCHEEKATLA-MSFT 88,791 Reputation points Microsoft Employee

2023-03-24T06:40:16.63+00:00

Grégoire DEFOY - Glad to know that your issue has been resolved. And thanks for sharing the solution, which might be beneficial to other community members reading this thread.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Internal error NX_SECURE_TLS_INVALID_STATE when connecting to a NetX Duo Secure server

2 answers

Your answer