Commissioner/Joiner example: Join failed [Security]


jerome....@gmail.com

Sep 27, 2017, 11:15:00 AM
to openthread-users
Hello,

Running test case with commissioner/joiner:

https://github.com/openthread/openthread/wiki/Thread-Commissioning-Example

 

I am working on a proprietary prototype.


I get the following error after the joiner start command:

> joiner start ot-psk
Done
> Join failed [Security]

My OpenThread stack is compiled with all the required preprocessor defines needed for the commissioner and joiner use case:

/* Define to 1 to enable joiner. */
#define OPENTHREAD_ENABLE_JOINER 1

/* Define to 1 to enable the commissioner role. */
#define OPENTHREAD_ENABLE_COMMISSIONER 1

/* Define to 1 to enable dtls support. */
#define OPENTHREAD_ENABLE_DTLS 1

mbedtls is compiled with no change to mbedtls-config.h.

 

Looking at the spec and comparing it to the Wireshark trace, I get the following data flow:

Commissioner                                  Joiner

                  <------------------------   DTLS Client Hello

Hello Verify Request  -------------------->

Server Hello,
Server Key Exchange,
Server Hello Done     -------------------->

                                              Client Key Exchange,
                                              Change Cipher Spec,
                  <------------------------   Encrypted Handshake

Alert (Level: Fatal,
Description: Handshake Failure)  --------->

 

Any idea?

Thanks 

Jerome

Jonathan Hui

Sep 29, 2017, 3:40:08 AM
to jerome....@gmail.com, openthread-users
There are a number of things that can cause a fatal handshake failure.  It would help if you could provide some more information.

In particular:

1) Check what the `rval` is when `mbedtls_ssl_send_alert_message()` is called in src/core/meshcop/dtls.cpp

2) Increase `OPENTHREAD_CONFIG_LOG_LEVEL`, which will also increase mbedtls' log level.

--
Jonathan Hui

--
You received this message because you are subscribed to the Google Groups "openthread-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openthread-users+unsubscribe@googlegroups.com.
To post to this group, send email to openthread-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/openthread-users/d512c62c-42e4-441d-bfac-cca0a9a58e70%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

jerome....@gmail.com

Oct 5, 2017, 5:20:07 AM
to openthread-users
Thanks for your feedback Jonathan.

1) The rval value when `mbedtls_ssl_send_alert_message()` is called is -0x6800 (#define MBEDTLS_ERR_SSL_TIMEOUT -0x6800 /**< The operation timed out. */)
2) OPENTHREAD_CONFIG_LOG_LEVEL is set to OT_LOG_LEVEL_INFO

Please find in attached file traces from commissioner and joiner + wireshark log.

BR
Jerome
joiner_traces.txt
wireshark_commissioning.pcapng
commissioner_traces.txt

jerome....@gmail.com

Oct 16, 2017, 9:04:16 AM
to openthread-users
Hello,

Any idea when looking at the logs?

Thanks 
Jerome 

Jonathan Hui

Oct 19, 2017, 6:03:10 PM
to jerome....@gmail.com, openthread-users
I have reviewed the logs.

The commissioner log shows that the DTLS/EC-JPAKE operations are taking a *very* long time.

In particular, processing the second Client Hello (with cookie) and generating the response is taking far too long.  Here's the breakdown:

1) Client Hello (with cookie) is received.
[0000085455] [MAC]   [INFO]-MAC-----: Received IPv6 UDP msg, len:499, chksum:122d, from:16ef4eea24f9cc43, sec:no, prio:low

2) Processing the Client Hello takes over 12 seconds.
[0000086158] [MESH_COP]  [INFO]-MESH-CP-: found ecjpake kkpp extension
[0000098825] [MESH_COP]  [INFO]-MESH-CP-: received TLS_EMPTY_RENEGOTIATION_INFO

3) Generating the Server Hello takes over 12 seconds.
[0000099039] [MESH_COP]  [INFO]-MESH-CP-: server hello, ecjpake kkpp extension
[0000111876] [MESH_COP]  [INFO]-MESH-CP-: server hello, total extension length: 345

4) Generating the Server Key Exchange message takes over 7 seconds.
[0000112017] [MESH_COP]  [WARN]-MESH-CP-: => write server key exchange
[0000119200] [MESH_COP]  [WARN]-MESH-CP-: => write record

So a single call into mbedTLS is taking over 34 seconds to return.

At the same time, the Commissioner needs to exchange Keep Alive messages with the Leader to maintain its active role.  However, due to mbedTLS execution time, the Commissioner cannot do so in a timely manner and the session times out.

--
Jonathan Hui
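
The gap analysis in the reply above can be automated over a full commissioner log. The following is an added example, not part of the original posts or of OpenThread: it parses the log layout quoted in the thread and reports every pause between consecutive lines above a budget. It assumes the bracketed timestamps are milliseconds (consistent with the seconds quoted in the reply); the 1000 ms threshold and the names `parse_log` and `find_stalls` are hypothetical.

```python
import re

# Layout seen in the thread: [<timestamp>] [<REGION>]  [<LEVEL>]-<TAG>-: <message>
LINE_RE = re.compile(r"^\[(\d+)\]\s+\[([A-Z_]+)\]\s+\[([A-Z]+)\]-[^:]*:\s*(.*)$")

# Commissioner log lines exactly as quoted in the thread.
THREAD_LOG = """\
[0000085455] [MAC]   [INFO]-MAC-----: Received IPv6 UDP msg, len:499, chksum:122d, from:16ef4eea24f9cc43, sec:no, prio:low
[0000086158] [MESH_COP]  [INFO]-MESH-CP-: found ecjpake kkpp extension
[0000098825] [MESH_COP]  [INFO]-MESH-CP-: received TLS_EMPTY_RENEGOTIATION_INFO
[0000099039] [MESH_COP]  [INFO]-MESH-CP-: server hello, ecjpake kkpp extension
[0000111876] [MESH_COP]  [INFO]-MESH-CP-: server hello, total extension length: 345
[0000112017] [MESH_COP]  [WARN]-MESH-CP-: => write server key exchange
[0000119200] [MESH_COP]  [WARN]-MESH-CP-: => write record
"""


def parse_log(text):
    """Return (timestamp_ms, region, message) for each line in the layout above."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # CLI echo, blank lines and other output are skipped
            entries.append((int(m.group(1)), m.group(2), m.group(4)))
    return entries


def find_stalls(entries, threshold_ms=1000):
    """Return (gap_ms, message_before, message_after) for each long pause.

    threshold_ms is an assumed budget, not an OpenThread constant.
    """
    stalls = []
    for (t0, _, msg0), (t1, _, msg1) in zip(entries, entries[1:]):
        gap = t1 - t0
        if gap < 0:  # clock went backwards (reboot or counter wrap): not a stall
            continue
        if gap > threshold_ms:
            stalls.append((gap, msg0, msg1))
    return stalls


if __name__ == "__main__":
    for gap, before, after in find_stalls(parse_log(THREAD_LOG)):
        print(f"{gap / 1000:6.1f} s  '{before}' -> '{after}'")
```

Run against the quoted lines, it flags the same three pauses identified in the reply: the EC-JPAKE Client Hello processing, the Server Hello extension, and the Server Key Exchange.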


jerome....@gmail.com

Oct 20, 2017, 12:01:51 PM
to openthread-users
Thank you Jonathan for your comments on the logs.

We definitely need to check our system to understand why this is so slow... (and of course use hardware acceleration when possible)

BR
Jerome