CC3235 TLS Alert

I’m sorry to revive this thread, but as my issue is pretty much related, I wanted to join the discussion right here. I also have a cc3235 variant.
I also keep getting the error message “Owl” from my Tonie. My DNS is successfully reconfigured, as I can observe the TLS communication with a tcpdump on the Docker host.
Following the instructions here, I deleted the server certificates several times and let them be recreated by a docker compose restart. Each time I copied the ca.der to the Toniebox, but it always fails with a TLS alert:

Alert Message
    Level: Fatal (2)
    Description: Bad Certificate (42)

Then I recently found this thread and tried to generate the certs with gencert.sh. Now these CA files are larger, so I’m not sure if my usual way of doing so will work: https://tonies-wiki.revvox.de/docs/tools/teddycloud/flash-ca/cc3235/

When booting the Tonie afterwards, I do see a change:
After Teddycloud provides the certificate, the Toniebox just quits the TCP connection with a RST, ACK instead of a TLS-layer alert.

I have also recently flashed the original files, and the connection test to the original cloud works fine (after removing the Pi-hole entries, obviously). So this makes me think that flashing basically does work.

Do you guys have any ideas?
Thanks in advance! :slight_smile:

You may try to use the old gencert script and generate a CA with a 4096-bit key.

See tc-0.3.5 creates certificates with 2048bit key length · Issue #138 · toniebox-reverse-engineering/teddycloud · GitHub


Thanks for coming back to me so quickly! :slight_smile:
In fact, I was using this version of gencert, which already creates 4096-bit keys.
Any other ideas?

Be sure the box is connected to the cloud and updates itself during the setup.
Also be sure that the new CA is not bigger than the original one.

Are you sure that teddyCloud uses your freshly generated certificate? Restart it and check the logs for errors.
You may also check the CA / Certs with your browser.

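A pre-flash sanity check for the two conditions named in the advice above (4096-bit CA key, new CA not larger than the original) plus a check that the server certificate chains to that CA, as an added example that is not code from the thread or from the teddyCloud project. It assumes openssl is installed; the file names are placeholders for your own files.

```shell
#!/bin/sh
# Added example, not code from the thread or from teddyCloud. Assumes openssl
# is on PATH; file names are placeholders for your own ca.der files.
set -eu

# Print the RSA key length in bits of a DER-encoded certificate
# (matches both "RSA Public-Key: (4096 bit)" and "Public-Key: (4096 bit)").
ca_key_bits() {
    openssl x509 -inform DER -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if the new CA has a 4096-bit key and its DER file is not
# larger than the original ca.der, the two conditions given in the thread.
check_ca() {
    new_ca=$1
    orig_ca=$2
    bits=$(ca_key_bits "$new_ca")
    if [ "$bits" != "4096" ]; then
        echo "CA key is ${bits:-unknown} bit, expected 4096" >&2
        return 1
    fi
    new_size=$(wc -c < "$new_ca" | tr -d ' ')
    orig_size=$(wc -c < "$orig_ca" | tr -d ' ')
    if [ "$new_size" -gt "$orig_size" ]; then
        echo "new CA ($new_size bytes) is larger than original ($orig_size bytes)" >&2
        return 1
    fi
    echo "ok: 4096-bit CA, $new_size bytes (original $orig_size bytes)"
}

# Check that a server certificate (PEM) was issued by that CA. This fails when
# teddyCloud still serves certificates from before the CA was regenerated,
# which is why the container has to be restarted after replacing them.
check_chain() {
    ca_pem=$(mktemp)
    openssl x509 -inform DER -in "$1" -out "$ca_pem"
    if openssl verify -CAfile "$ca_pem" "$2"; then status=0; else status=1; fi
    rm -f "$ca_pem"
    return "$status"
}

# Usage: ./check_ca.sh new_ca.der original_ca.der server.pem (placeholder names)
if [ "$#" -eq 3 ]; then
    check_ca "$1" "$2" && check_chain "$1" "$3"
fi
```

Run it against the ca.der produced by gencert.sh, the ca.der originally read from the box, and the server certificate from the teddyCloud certs folder before flashing anything.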

Oh, I was just too silly yesterday. You were right, I obviously had to restart the teddycloud container!
It’s working now!

Thank you so much for your support! I probably would not have figured it out myself. :star_struck:

PS: It would probably be helpful to add these (or some similar) lines to this documentation to avoid more people running into this issue:

On CC3235 devices, you have to make sure that the CA key you generate has 4096 bits. So instead of using the certificates teddyCloud automatically generates, you should rather use this script, place the certificates in the teddycloud_certs/_data/server folder (for Docker installations) and make sure to restart the container.

While I’m at it: I had another issue with DNS configuration on the Pi-hole. As I assume many use this, another addition to the documentation could be something like:

If you are using Pi-hole as a local DNS service, you should make sure that prod.de.tbs.toys and rtnl.bxcl.de are on the whitelist of your configuration, because some adblock lists block them.

Only prod.de.tbs.toys is necessary. The RTNL one can still be blocked.