Hello I am working to evaluate NetX for our product. My task is to set up a TLS server using NetX secure and test it using openssl. My task is to implement client authentication using certificate chain. Netx_secure is compiled with TLS1.3, AEAD, CLIENT_CERTIFICATE_VERIFY and SELF_SIGNED_CERTIFICATE I set up the server using the exemple provided in https://learn.microsoft.com/en-us/azure/rtos/netx-duo/netx-secure-tls/chapter2#small-example-system-tls-web-server , adapting socket behavior to my needs. And I set up the client certificate authentication with this steps ( https://learn.microsoft.com/en-us/azure/rtos/netx-duo/netx-secure-tls/chapter3#client-certificate-authentication-for-tls-servers ) nx_secure_x509_certificate_initialize nx_secure_tls_trusted_certificate_add To add the root certificate nx_secure_tls_session_client_verify_enable nx_secure_tls_session_x509_client_verify_configure nx_secure_tls_session_certificate_callback_set -- For the test, I use openssl s_client : (certBundle contain user's certificate chain and server CA chain) TLS 1.2 : openssl s_client -tls1_2 -cert user.pem -key user1.key -CAfile certBundle.pem -connect IP:PORT -state : works fine TLS 1.3 : openssl s_client -tls1_3 -cert user.pem -key user1.key -CAfile certBundle.pem -connect IP:PORT -state : fails with error code 0x145 (NX_SECURE_TLS_CERTIFICATE_REQUIRED) and SSL alert 116 (certificate required) When I add the debug flag in openssl, I do not see the user's certificate chain being sent (visible in 1.2) Am I missing a step ?

NetX TLS 1.3 client certificate authentication

Hello

I am working to evaluate NetX for our product. My task is to set up a TLS server using NetX secure and test it using openssl.

My task is to implement client authentication using certificate chain.

Netx_secure is compiled with TLS1.3, AEAD, CLIENT_CERTIFICATE_VERIFY and SELF_SIGNED_CERTIFICATE

I set up the server using the exemple provided in https://learn.microsoft.com/en-us/azure/rtos/netx-duo/netx-secure-tls/chapter2#small-example-system-tls-web-server, adapting socket behavior to my needs.

And I set up the client certificate authentication with this steps (https://learn.microsoft.com/en-us/azure/rtos/netx-duo/netx-secure-tls/chapter3#client-certificate-authentication-for-tls-servers)

nx_secure_x509_certificate_initialize
nx_secure_tls_trusted_certificate_add
- To add the root certificate
nx_secure_tls_session_client_verify_enable
nx_secure_tls_session_x509_client_verify_configure
nx_secure_tls_session_certificate_callback_set

For the test, I use openssl s_client :

(certBundle contain user's certificate chain and server CA chain)

TLS 1.2 : openssl s_client -tls1_2 -cert user.pem -key user1.key -CAfile certBundle.pem -connect IP:PORT -state : works fine
TLS 1.3 : openssl s_client -tls1_3 -cert user.pem -key user1.key -CAfile certBundle.pem -connect IP:PORT -state :

fails with error code 0x145 (NX_SECURE_TLS_CERTIFICATE_REQUIRED) and SSL alert 116 (certificate required)

When I add the debug flag in openssl, I do not see the user's certificate chain being sent (visible in 1.2)
Am I missing a step ?

LeelaRajeshSayana-MSFT 13,871 Reputation points

2023-08-30T00:57:24.62+00:00

Hi @AGROFOGLIO Louis-Andre (SAFRAN) Greetings! Thank you for posting this question here. Our community SMEs on this this topic will review this question and get back to you with more details as soon as possible. Please stay tuned to this thread for updates.
Yanwu Cai 90 Reputation points Microsoft Employee

2023-09-01T02:29:02.3466667+00:00

Hi @AGROFOGLIO Louis-Andre (SAFRAN) ,

Can you check if the openssl client received the Certificate Request message?
AGROFOGLIO Louis-Andre (SAFRAN) 40 Reputation points

2023-09-01T14:01:03.1266667+00:00

Hi,

For TLS 1.2, "SSL_connect:SSLv3/TLS read server certificate request" is present in the output of the command.

But, this line is not present in the TLS 1.3 :

SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
Can't use SSL_get_servername
SSL_connect:TLSv1.3 read encrypted extensions
SSL_connect:SSLv3/TLS read server certificate request
depth=0 CN = "<Same as device Id>"
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:TLSv1.3 read server certificate verify
SSL_connect:SSLv3/TLS read finished
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS write finished
Yanwu Cai 90 Reputation points Microsoft Employee

2023-09-07T12:54:18.1+00:00

Hi @AGROFOGLIO Louis-Andre (SAFRAN) ,

Which version of OpenSSL are you using?
AGROFOGLIO Louis-Andre (SAFRAN) 40 Reputation points

2023-09-08T11:14:06.4066667+00:00

Hi @Yanwu Cai ,

I am using OpenSSL 3.0.2 on a Ubuntu 22.04.
LeelaRajeshSayana-MSFT 13,871 Reputation points

2023-09-13T20:46:26.44+00:00

Hi @Yanwu Cai Greetings! I am following to see if you have any additional feedback on the above information.
AGROFOGLIO Louis-Andre (SAFRAN) 40 Reputation points

2023-10-02T15:26:40.06+00:00

Hi @LeelaRajeshSayana-MSFT , @Yanwu Cai
Any updates ?
Yanwu Cai 90 Reputation points Microsoft Employee

2023-10-08T06:20:27.37+00:00

Are you using RSA certificates for the TLS client? For NetX TLS 1.3, RSA certificates are not supported. Please try ECDSA certificates for the client.

Share via

NetX TLS 1.3 client certificate authentication