Using LoRa Basics Station on RPI gateway

In case it’s related, in Slack’s #ops channel the following was posted, emphasis mine:

@robertlie 2020-04-07 9:27 AM

On April 5, I could not connect to TTN LNS:
wss://lns.eu.thethings.network:443
Note: Before April 5, I had no problems using the Basic Station packet forwarder.

The problem does NOT occur when using:
wss://lns.us.thethings.network:443

After some debugging I have pinpointed the problem:
basicstation/src/net.c at v2.0.3 · lorabasics/basicstation · GitHub

When using:
wss://lns.eu.thethings.network:443
the function mbedtls_ssl_handshake keeps returning the decimal values: -26880 and -9984

When using:
wss://lns.us.thethings.network:443
the function mbedtls_ssl_handshake returns the decimal values: -26880 and 0
0 = GOOD, it means ready to run websocket protocol.

```c
if( conn->tlsctx ) {
    err = mbedtls_ssl_handshake(conn->tlsctx);
    /* debug trace added to net.c to print the mbedTLS handshake return code */
    LOG(DEBUG, "XXXXXXXXXXXXXXX mbedtls_ssl_handshake %d",err);
}
```

In both cases I use the same tc.trust file.

anton 2020-04-07 9:45 AM

For looking into the TLS setup in more detail you can set the environment variable STATION_TLSDBG=4 when executing LBS

return code -0x2700 means:

$ grep -rin 0x2700
include/mbedtls/x509.h:73:#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700  /**< Certificate verification failed, e.g. CRL, CA or signature check failed. */

The reason it does not verify the certificate is because the subject name does not match the hostname (lns.in.thethings.network != lns.eu.thethings.network):

ssl_tls.c:3754 MBEDTLS[2]: <= read record
ssl_tls.c:4524 MBEDTLS[3]: peer certificate #1:
ssl_tls.c:4524 MBEDTLS[3]: cert. version     : 3
ssl_tls.c:4524 MBEDTLS[3]: serial number     : 03:C0:15:AE:30:BD:E0:20:C1:4D:38:86:90:1D:89:A6:A4:00
ssl_tls.c:4524 MBEDTLS[3]: issuer name       : C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
ssl_tls.c:4524 MBEDTLS[3]: subject name      : CN=lns.in.thethings.network
ssl_tls.c:4524 MBEDTLS[3]: issued  on        : 2020-01-06 13:02:23
ssl_tls.c:4524 MBEDTLS[3]: expires on        : 2020-04-05 13:02:23
ssl_tls.c:4524 MBEDTLS[3]: signed using      : RSA with SHA-256
ssl_tls.c:4524 MBEDTLS[3]: RSA key size      : 2048 bits
ssl_tls.c:4524 MBEDTLS[3]: basic constraints : CA=false
ssl_tls.c:4524 MBEDTLS[3]: subject alt name  : lns.in.thethings.network
ssl_tls.c:4524 MBEDTLS[3]: key usage         : Digital Signature, Key Encipherment
ssl_tls.c:4524 MBEDTLS[3]: ext key usage     : TLS Web Server Authentication, TLS Web Client Authentication

@htdvisser 2020-04-07 9:58 AM

When I connect to lns.eu.thethings.network I’m getting the correct cert.

Could it be possible that LBS isn’t setting TLS SNI correctly?

anton 2020-04-07 10:03 AM

Ok, so you are serving multiple certificates on the same connection

@KrishnaIyerEaswaran2 2020-04-07 10:04 AM

Yes indeed.

1 Like
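The diagnosis in the exchange above (a client that dials lns.eu.thethings.network but sends no SNI gets the server's default certificate, whose SAN names lns.in.thethings.network, so hostname verification fails with -0x2700) can be reproduced offline. The following is an added example, not code from the thread, from Basics Station or from The Things Network: it builds a minimal TLS ClientHello with and without the server_name extension, parses the extension back out the way a multi-tenant server would to pick a certificate, and runs RFC 6125-style hostname matching against constructed SAN lists. The certificate table, the choice of lns.in.thethings.network as the server's default certificate and the single cipher suite are assumptions made for the demonstration.

```python
"""Added example: SNI selection and hostname verification, modelled on the
failure discussed above. Certificates are stood in for by constructed SAN lists;
the server-side default and the certificate table are assumptions."""
import struct

MBEDTLS_ERR_X509_CERT_VERIFY_FAILED = -0x2700   # value quoted in the thread
MBEDTLS_ERR_SSL_WANT_READ = -0x6900             # the -26880 seen before the verify result

def _u16(n):
    return struct.pack("!H", n)

def _u24(n):
    return struct.pack("!I", n)[1:]

def build_client_hello(server_name=None):
    """Minimal TLS 1.2 ClientHello record. Only the server_name extension (type 0)
    is populated; random bytes and session id are zero/empty (constructed)."""
    body = b"\x03\x03" + bytes(32)          # client_version + random
    body += b"\x00"                         # session_id length 0
    body += _u16(2) + b"\xc0\x2f"           # one cipher suite (assumption)
    body += b"\x01\x00"                     # compression_methods: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        sni_list = b"\x00" + _u16(len(name)) + name   # name_type host_name(0)
        sni = _u16(len(sni_list)) + sni_list
        exts += _u16(0) + _u16(len(sni)) + sni        # extension_type server_name(0)
    body += _u16(len(exts)) + exts
    hs = b"\x01" + _u24(len(body)) + body              # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _u16(len(hs)) + hs        # ContentType handshake(22)

def parse_sni(record):
    """Return the host_name carried in a ClientHello's SNI extension, or None."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    p = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
    p += 1 + record[p]                      # session_id
    cs_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2 + cs_len                         # cipher_suites
    p += 1 + record[p]                      # compression_methods
    if p + 2 > len(record):
        return None                         # no extensions block at all
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:
            q = p + 2                       # skip ServerNameList length
            while q + 3 <= p + elen:
                ntype = record[q]
                nlen = struct.unpack("!H", record[q + 1:q + 3])[0]
                if ntype == 0:
                    return record[q + 3:q + 3 + nlen].decode("idna")
                q += 3 + nlen
        p += elen
    return None

# Constructed stand-ins for the server's certificates: leaf name -> SAN entries.
CERTS = {
    "lns.in.thethings.network": ["lns.in.thethings.network"],
    "lns.eu.thethings.network": ["lns.eu.thethings.network"],
}
DEFAULT_CERT = "lns.in.thethings.network"   # served when SNI is absent or unknown (assumption)

def select_cert(client_hello):
    """What a name-based virtual host does: pick the cert by SNI, else the default."""
    sni = parse_sni(client_hello)
    return CERTS.get(sni, CERTS[DEFAULT_CERT])

def hostname_matches(hostname, san_names):
    """RFC 6125-style check: exact DNS label match, or a single leftmost wildcard
    that may not cover a whole public suffix (i.e. needs at least two fixed labels)."""
    host = hostname.lower().rstrip(".").split(".")
    for san in san_names:
        labels = san.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*" and len(labels) > 2:
            if labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False

def verify_handshake(dialled_host, send_sni):
    """Simulate the client side: send (or omit) SNI, receive the server's chosen
    cert, and verify it against the name that was dialled. Returns the mbedTLS-style
    code: 0 on success, MBEDTLS_ERR_X509_CERT_VERIFY_FAILED on a name mismatch."""
    hello = build_client_hello(dialled_host if send_sni else None)
    san = select_cert(hello)
    return 0 if hostname_matches(dialled_host, san) else MBEDTLS_ERR_X509_CERT_VERIFY_FAILED

if __name__ == "__main__":
    for host in ("lns.eu.thethings.network", "lns.in.thethings.network"):
        for sni in (True, False):
            print(f"{host:26} SNI={sni!s:5} -> {verify_handshake(host, sni):#x}")
```

On a real endpoint the same comparison is `openssl s_client -servername lns.eu.thethings.network -connect lns.eu.thethings.network:443` against the same command without `-servername`; if the two runs print different subject/SAN names, the server is relying on SNI and a client that omits it will see the default certificate. In mbedTLS the name passed to `mbedtls_ssl_set_hostname()` is both what goes into the SNI extension and what the certificate is checked against, so a wrong or missing hostname there produces exactly the -0x2700 result shown in the thread. Note also that the certificate dumped above expires on 2020-04-05, the same day the reporter's connections started failing, so validity dates are worth checking alongside the name match whenever a previously working TLS connection begins to fail.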