Skip to content

samples: bluetooth: Set CONFIG_BT_SMP_SC_PAIR_ONLY=n when needed #24009

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

samples: bluetooth: Set CONFIG_BT_SMP_SC_PAIR_ONLY=n when needed #24009

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions samples/bluetooth/central_bas/prj.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ CONFIG_NCS_SAMPLES_DEFAULTS=y
CONFIG_BT=y
CONFIG_BT_CENTRAL=y
CONFIG_BT_SMP=y
CONFIG_BT_SMP_SC_PAIR_ONLY=n
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason why the option was enabled:

Support for Bluetooth LE legacy pairing is no longer enabled by default, because it is not secure.
Using Bluetooth LE legacy pairing introduces, among others, a risk of passive eavesdropping.
Supporting Bluetooth LE legacy pairing makes devices vulnerable to downgrade attacks.
The CONFIG_BT_SMP_SC_PAIR_ONLY Kconfig option is enabled by default in Zephyr.
If you still need to support the Bluetooth LE legacy pairing, you need to disable the option in the configuration.

Ref: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/releases_and_maturity/releases/release-notes-3.0.0.html

You could accept the security risk and disable the CONFIG_BT_SMP_SC_PAIR_ONLY option locally in your configuration, but I am worried that we should not keep it disabled in the sample (preferring security over interoperability).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The initial pairing failures that you replicate might be caused by the fact that pairing with devices that do not support secure connections pairing will not be supported if CONFIG_BT_SMP_SC_PAIR_ONLY is enabled.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The initial pairing failures that you replicate might be caused by the fact that pairing with devices that do not support secure connections pairing will not be supported if CONFIG_BT_SMP_SC_PAIR_ONLY is enabled.

Correct. As a new commer, there was no clear indicator when I updated from 2.2 to 3.1.0 why my simple HID mouse would no longer pair suddenly. I wasted a week troubleshooting before I discovered randomly, a commit where this option was added to other bluetooth/central_* samples. Commit -> 2b1be2d

At the very least, this should be included but commented out with a note?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was documented, but only in the release notes (as it was changed for NCS 3.0.0 release) - it might not be visible enough. Generally we discourage using BLE legacy pairing as it's not secure and most of the BLE devices already support BLE secure connection pairing (unfortunately it seems that still not all of the users' devices support it).

I will think how could we improve documentation to avoid confusing users (keeping in mind that this could affect multiple samples).

Copy link
Contributor

@MarekPieta MarekPieta Aug 29, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I discussed with tech-writers. We can add a migration guide entry to improve visibility of the information.
@RobertDaleSmith Would this approach be acceptable for you?

CONFIG_BT_GATT_CLIENT=y
CONFIG_BT_GATT_DM=y
CONFIG_HEAP_MEM_POOL_SIZE=1024
Expand Down
1 change: 1 addition & 0 deletions samples/bluetooth/central_hids/prj.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ CONFIG_NCS_SAMPLES_DEFAULTS=y
CONFIG_BT=y
CONFIG_BT_CENTRAL=y
CONFIG_BT_SMP=y
CONFIG_BT_SMP_SC_PAIR_ONLY=n
CONFIG_BT_ATT_TX_COUNT=5
CONFIG_BT_GATT_CLIENT=y
CONFIG_BT_GATT_DM=y
Expand Down
1 change: 1 addition & 0 deletions samples/bluetooth/central_uart/prj.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ CONFIG_UART_CONSOLE=y
CONFIG_BT=y
CONFIG_BT_CENTRAL=y
CONFIG_BT_SMP=y
CONFIG_BT_SMP_SC_PAIR_ONLY=n
CONFIG_BT_GATT_CLIENT=y

# Enable the BLE modules from NCS
Expand Down