CCS: How to implement a SSL server which can verify secure socket is good

Other Parts Discussed in Thread: CC3220SF, CC3235SF

Tool/software: Code Composer Studio

Hi,

I'm trying to create a secure socket on the CC3220SF platform; following is my testing code.

    /* Needs <string.h>, <stdbool.h> and <sys/time.h> (gettimeofday/timersub);
       error()/info() are the application's own logging macros. */
    SlSockAddrIn_t  Addr;
    SlSockSecureMethod_t method;
    _i32 sd = -1, dummyVar;
    _i16 status;
    _i16 AddrSize;
    const char *msg = "Hello server";
    do {
        Addr.sin_family = SL_AF_INET;
        Addr.sin_port = sl_Htons(8888);
        Addr.sin_addr.s_addr = sl_Htonl(SL_IPV4_VAL(192,168,143,102));
        AddrSize = sizeof(SlSockAddrIn_t);
        /* Open TLS socket. Note: protocol 0 here opens a plain TCP socket;
           the SimpleLink API uses SL_SEC_SOCKET as the third argument for TLS. */
        sd = sl_Socket(SL_AF_INET,SL_SOCK_STREAM,0);
        if(sd < 0) {
            error("create socket failed\n");
            break;
        }
        method.SecureMethod = SL_SO_SEC_METHOD_SSLv3_TLSV1_2;
        status = sl_SetSockOpt(sd,SL_SOL_SOCKET,SL_SO_SECMETHOD,&method,sizeof(SlSockSecureMethod_t));
        if(status < 0) {
            error("fail to set secure method\n");
            break;
        }
        /* Set the CA file (stored on the device file system) used to verify the
           server certificate when the handshake takes place at sl_Connect */
        status = sl_SetSockOpt(sd,SL_SOL_SOCKET,SL_SO_SECURE_FILES_CA_FILE_NAME,
                               "user.der",strlen("user.der"));
        if(status < 0) {
            error("fail to set CA file name\n");
            break;
        }
        status = sl_Connect(sd, ( SlSockAddr_t *)&Addr, AddrSize);
        if(status < 0) {
            error("connect failed: %d\n", status);
            break;
        }
        int count = 0, ret = 0;
        struct timeval start, end, tmp;
        gettimeofday(&start, NULL);
        /* Send the same message repeatedly for 60 seconds and count the bytes */
        do {
            ret = sl_Send(sd,msg,strlen(msg),0);
            if (ret > 0) {
                count+=ret;
            } else {
                error("ret is %d\n", ret);
                break;
            }
            gettimeofday(&end, NULL);
            timersub(&end, &start, &tmp);
            if (tmp.tv_sec > 60) {
                break;
            }
        } while (true);
        info("total: %d byte during %ld sec\n", count, (long)tmp.tv_sec);
    } while (false);
    if (sd >= 0) {
        sl_Close(sd);
    }

Following is how I create user.der.

openssl req -x509 -newkey rsa:2048 -keyout user.key -out user.crt -days 365 -nodes
cat user.key user.crt > user.pem
openssl x509 -in user.pem -outform der -out user.der

And this is my server sample code. HERE

When I run the server and the CC3220SF together, I always get:

4718220736:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:

Which part is wrong? Please correct me. Thanks.

  • Hi,

    I tried adding the following code after sl_Connect. It looks like the secure socket still fails to connect to the server. What should I do? Thanks.

    status = sl_SetSockOpt(sd,SL_SOL_SOCKET,SL_SO_STARTTLS,&dummyVar,sizeof(dummyVar));

  • Hi Eric,

    Is the unsecured socket connecting successfully? Also what return do you get when calling SetSockOpt with SL_SO_STARTTLS?

    Jesu

  • Hi Jesu,

    The unsecured socket is working well. The return value from SetSockOpt with SL_SO_STARTTLS is 0.

    sl_Connect returns failure. By the way, I'm following the guide "CC3x20, CC3x35 SimpleLinkTM Wi-Fi® and Internet of Things Network Processor - Programmer's Guide.pdf", page 124. Thanks.

  • Hi Jesu,

    Could you please kindly give me sample code for a secure socket client that can connect and send data to an SSL server successfully?

    You can run the SSL server with:

    openssl s_server -key user.key -cert user.crt -accept 8888

    Thanks.

  • Hi Jesu,

    After referencing examples/rtos/CC3235SF_LAUNCHXL/demos/network_terminal/socket_cmd.c, secure socket is working.

    But could you please teach me how to create trusted-chain.pem, dummy-trusted-cert-key and dummy-root-ca-cert for my local testing?

    Thanks.
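One way to build the three files asked about above for local testing, as an added example that is not code from the thread or from the TI SDK's certificate-playground: a self-signed root CA (the device's trust anchor, converted to DER for the file system), a server key and certificate signed by that root, and the chain file. It assumes the openssl CLI is on PATH and uses the server address 192.168.143.102 from the client code in the thread; the keys are written unencrypted, which is fine for a lab setup.

```shell
#!/bin/sh
# Added example, not code from the thread or the TI SDK: build a small local test PKI
# playing the role of dummy-root-ca-cert, dummy-trusted-cert-key and trusted-chain.pem.
# Assumes the openssl CLI is on PATH; 192.168.143.102 is the server address used by
# the client code in the thread.
set -eu

make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    # 1. Self-signed root CA: this is the trust anchor the CC3220 gets, in DER form.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Local Test Root CA" \
        -keyout "$dir/root-ca.key" -out "$dir/root-ca.crt" 2>/dev/null
    # 2. Server key (unencrypted PEM) and CSR for the address the client connects to.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=192.168.143.102" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. The root CA signs the server CSR, so the leaf is trusted via the root.
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/root-ca.crt" \
        -CAkey "$dir/root-ca.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
    # 4. DER copy of the root CA for the device file system (SL_SO_SECURE_FILES_CA_FILE_NAME).
    openssl x509 -in "$dir/root-ca.crt" -outform der -out "$dir/root-ca.der"
    # 5. Chain the server presents: leaf first, then the issuing CA.
    cat "$dir/server.crt" "$dir/root-ca.crt" > "$dir/trusted-chain.pem"
}

# Check that the leaf chains to the root, which is what the device's CA check does at sl_Connect.
verify_chain() {
    openssl verify -CAfile "$1/root-ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Confirm the server key is a loadable PEM private key, the form Wireshark's RSA key list accepts.
key_is_pem() {
    openssl pkey -in "$1/server.key" -noout 2>/dev/null
}

if [ $# -gt 0 ]; then
    make_test_pki "$1"
    verify_chain "$1" && key_is_pem "$1" && echo "test PKI ready in $1"
    # Serve it with: openssl s_server -key "$1/server.key" -cert "$1/server.crt" -accept 8888
fi
```

Note that Wireshark can decrypt with server.key only when the negotiated cipher suite uses RSA key exchange; with (EC)DHE suites the server's private key does not recover the session keys, so restrict s_server to an RSA-kx suite for this kind of debugging.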

  • Hi Eric,

    Glad you got it working. The certificates in the certificate-playground folder (e.g. the certificates you mentioned above are located there) are perfectly suitable for testing. I don't see the need to create your own, but if you want to, you will have to generate a key pair, set up the information for the certificate and use a tool to perform a certificate signing request. This is a high-level explanation. I've never done this before so I'm not sure about the details.

    Jesu

  • Hi Jesu,

    Looks like I still need the process for creating my own certificate, because I need it to decrypt the packets in Wireshark.

    Please help. Thanks.

  • Hi Eric,

    To decrypt TLS/SSL in Wireshark you just need to give it the private key for the corresponding certificate. There are tutorials on the internet for how to configure this in Wireshark.

    Jesu

  • Hi Jesu,

    Yes, but Wireshark needs the input to be in PEM format. So please guide me on how to create my own certificate. Thanks.

  • Hi Jesu,

    Any update from you? Thanks.

  • Hi Eric,

    I'm not sure how this feature works in Wireshark; perhaps you need to redirect your query to them. We do not offer any tools to create certificates or keys either, and I do not have much experience doing this. If you could help me better understand why you want to decrypt TLS traffic, maybe we could come up with a different solution. What is the use case/benefit here of decrypting TLS traffic?

    Jesu

  • Hi Jesu,

    Decrypting the TLS traffic is very useful when I try to debug a protocol issue.

    Sometimes one byte is missing or wrong, and I can use Wireshark with the decryption key to analyze each packet.

    I think what I need is simple: teaching me how to create my own key for the secure socket is enough. Thanks.

  • Hi Eric,

    You can find many resources online for what you're trying to accomplish, as your question is not related specifically to CC32XX but to network security in general. As I've mentioned, I don't have much experience in this, but I pointed out a few resources I think would be helpful to get started. If you have any questions or issues specifically related to our Wi-Fi devices I am happy to help.

    "Sometimes one byte is missing or wrong, and I can use Wireshark with the decryption key to analyze each packet."

    Could you reproduce this issue without using secure sockets? I don't see how decrypting would help you debug why data is missing.

    Jesu

  • Hi Jesu,

    Thanks. I will try to figure it out myself.