CC3200: Making a socket connection to AWS IoT.

Part Number: CC3200
Other Parts Discussed in Thread: UNIFLASH

Hi all,

I am attempting to connect to AWS IoT through an Enterprise WiFi network using the CC3200 SDK. I am not strictly following the AWS SDK; however, I did follow the instructions to flash my device certificates (generated within AWS). Now I have 5 files in the /cert/ folder: ca.pem and private.key for the Enterprise WiFi connection, and ca.der, cert.der, and key.der for the AWS connection (as per the AWS SDK's README). I have confirmed this via the output of Uniflash's List File System, shown below:

[11:27:50] INFO:     file     start    size      fail    total size    filename
[11:27:50] INFO:     index    block    [BLKs]    safe    [BLKs]
[11:27:50] INFO: ----------------------------------------------------------------------------
[11:27:50] INFO:     N/A      0        5         N/A     5             FATFS
[11:27:50] INFO:     9        73       5         yes     10            /tmp/phy.cal
[11:27:50] INFO:     10       83       1         yes     2             /sys/stacfg.ini
[11:27:50] INFO:     11       5        33        yes     66            /sys/servicepack.ucf
[11:27:50] INFO:     12       71       1         no      1             /cert/ca.pem
[11:27:50] INFO:     13       72       1         no      1             /cert/private.key
[11:27:50] INFO:     20       99       1         no      1             /cert/ca.der
[11:27:50] INFO:     21       100      1         no      1             /cert/cert.der
[11:27:50] INFO:     22       101      1         no      1             /cert/key.der

(Note I have deleted several rows which I did not believe to be useful here).

My relevant C code looks like this:

SlSockSecureMethod method;                 /* TLS version selection */
SlSockSecureMask   cipher;                 /* allowed cipher suite(s) */
const char *certdir_ca   = "/cert/ca.der";   /* root CA used to verify the AWS server cert */
const char *certdir_cert = "/cert/cert.der"; /* device certificate presented to AWS */
const char *certdir_key  = "/cert/key.der";  /* device private key */

method.secureMethod = SL_SO_SEC_METHOD_TLSV1_2;
cipher.secureMask   = SL_SEC_MASK_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256;

iSocketID = sl_Socket(SL_AF_INET, SL_SOCK_STREAM, SL_SEC_SOCKET);
lRetVal = sl_SetSockOpt(iSocketID, SL_SOL_SOCKET, SL_SO_SECMETHOD, (_u8 *)&method, sizeof(method));
lRetVal = sl_SetSockOpt(iSocketID, SL_SOL_SOCKET, SL_SO_SECURE_MASK, (_u8 *)&cipher, sizeof(cipher));
lRetVal = sl_SetSockOpt(iSocketID, SL_SOL_SOCKET, SL_SO_SECURE_FILES_CA_FILE_NAME, certdir_ca, strlen(certdir_ca));
lRetVal = sl_SetSockOpt(iSocketID, SL_SOL_SOCKET, SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME, certdir_cert, strlen(certdir_cert));
lRetVal = sl_SetSockOpt(iSocketID, SL_SOL_SOCKET, SL_SO_SECURE_FILES_PRIVATE_KEY_FILE_NAME, certdir_key, strlen(certdir_key));

/* Performs the TLS handshake; a negative return is an SL_E* code from errors.h */
lRetVal = sl_Connect(iSocketID, (SlSockAddr_t *)&Addr, sizeof(SlSockAddrIn_t));
if (lRetVal < 0) {
    sl_Close(iSocketID);
}

I am using the CC3200 SDK v1.3 and CCS v7.2.

EDIT: My problem is that I am able to connect to my enterprise WiFi network but not to AWS.

Questions

1. Is there anything obviously wrong with this code?

2. Also, is there any way to debug the output of sl_Connect()? The documentation merely says that a negative value indicates a failed connection but it would be nice to see the response from AWS to better understand the failure.

  • Tarun,

    What problem are you facing? Can you connect to the network? or is it that you cannot connect to the socket?

    VR
  • Sorry! I am able to connect to the WiFi network but I am not able to connect to the socket. I found that the sl_Connect() output was giving me the value -456 which, from errors.h in the drivers\net\wifi portion of the SDK, indicates "error secure level bad CA file".  So I tried replacing the specified certificate directories with nonsense to see if the output value changed to -454 (CA file not found), however the output remained -456.

    Is it possible that despite providing the location of the CA file (/cert/ca.der) the device is defaulting to /cert/ca.pem for some reason?

  • What's the definition of SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME?

    It should be your ca.der file that you would like as the certificate.
  • The definitions I am using are found in socket.h:

    #define SL_SO_SECURE_FILES_PRIVATE_KEY_FILE_NAME (30) /* This option is used to configure a secure file */
    #define SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME (31) /* This option is used to configure a secure file */
    #define SL_SO_SECURE_FILES_CA_FILE_NAME          (32) /* This option is used to configure a secure file */
    #define SL_SO_SECURE_FILES_DH_KEY_FILE_NAME      (33) /* This option is used to configure a secure file */

  • What is certdir_ca defined as? Just trying to make sure the defines are correct.

    VR
  • The certdir_XX files are defined as follows:

    #define AWS_ROOT_CA             "/cert/ca.der" ///< Root CA file name
    #define AWS_CERTIFICATE         "/cert/cert.der" ///< device signed certificate file name
    #define AWS_PRIVATE_KEY         "/cert/key.der" ///< Device private key filename
    ...
    char             *certdir_ca = AWS_ROOT_CA;
    char             *certdir_cert = AWS_CERTIFICATE;
    char             *certdir_key = AWS_PRIVATE_KEY;
    ...
    lRetVal = sl_SetSockOpt(iSocketID, SL_SOL_SOCKET, SL_SO_SECURE_FILES_CA_FILE_NAME, certdir_ca, strlen(certdir_ca)); 
    lRetVal = sl_SetSockOpt(iSocketID, SL_SOL_SOCKET, SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME, certdir_cert, strlen(certdir_cert)); 
    lRetVal = sl_SetSockOpt(iSocketID, SL_SOL_SOCKET, SL_SO_SECURE_FILES_PRIVATE_KEY_FILE_NAME, certdir_key, strlen(certdir_key)); 

    Also, is it possible for you to confirm that the error values output from sl_Connect correspond to the errors found in sockets.h? I ask because, according to the comments, -456 indicates a bad CA file. However, I tried invoking other error codes, like using a completely nonsensical path to invoke a CA file not found (-454) error, but was unable to generate any other error except for -456. This could be because a) the error codes in sockets.h do not correspond to the output of sl_Connect, b) sl_Connect is falling back on the certs/ca.pem file, or c) some other issue. I'm going to remove my ca.pem file and try again to rule out b), but I'd also like to rule out a).

  • Hi Tarun!

    Yes, the error codes returned from sl_Connect will correspond to the definitions in sockets.h. The SL_ESECNOCAFILE (-454) error is used when the CC3200 device is the server and does not have a CA file to provide. It is not used when the CC3200 is the client.

    In your case, you will always see SL_ESECBADCAFILE because you successfully receive the server certificate from the AWS server during the TLS handshake. The issue is occurring when comparing it to the CA we expect (the one loaded on the device).

    There must be an issue with the certificate you are using. Either it is the wrong file or the .der is formatted incorrectly.

    Best Regards,

    Ben M

  • Thanks Ben,

    I did some digging using the SimpleLink file system functions and discovered that my .der files were tiny (<20 bytes). Seems the certflash tool provided in the AWS SDK didn't flash properly.
    I manually converted the PEMs to DERs and flashed them with Uniflash. Now I'm getting a bad private key file error, but at least it's new!

    For other readers:
    I used an online PEM-to-DER conversion tool (I'll write my own conversion tool when I start doing production-level work) since AWS supplies PEM files.
    Using uniflash, I simply added new files, made the name fields /cert/<certificate_name>.der and the Url field to where the appropriate .der file was downloaded and performed a standard flash. I also flashed my Enterprise WiFi certificates to the System Files certificate locations.
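Added example, not code from the thread, the CC3200 SDK or the AWS SDK: a host-side PEM-to-DER converter with the sanity check that would have caught the under-20-byte .der files described in the post above. The outermost DER SEQUENCE header states the object's total length, so a truncated file, or a PEM text file flashed under a .der name, can be detected before anything is flashed to the device. The same check applies to the private key, since a PKCS#1 RSA key in DER is also a single outer SEQUENCE. All function names are this example's own, and the sample certificate is constructed in the code (a SEQUENCE wrapping 200 zero bytes), not a real AWS-issued file.

```python
"""Host-side PEM -> DER conversion with a DER sanity check.

Added example (not code from the thread, the CC3200 SDK or the AWS SDK).
The sample inputs below are constructed in this file, not real AWS-issued
certificates. Works for X.509 certificates and for PKCS#1 RSA private keys,
since both are a single outer DER SEQUENCE.
"""
import base64
import re
import sys
import textwrap
from typing import Tuple

# A PEM block is "-----BEGIN <LABEL>-----", base64 lines, "-----END <LABEL>-----".
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_to_der(pem_text: str) -> Tuple[str, bytes]:
    """Return (label, der_bytes) for the first PEM block in pem_text.

    The DER is simply the base64-decoded body; validate=True rejects
    stray characters instead of silently skipping them.
    """
    m = _PEM_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    body = "".join(body.split())  # drop the 64-column line breaks
    return label, base64.b64decode(body, validate=True)


def der_total_length(der: bytes) -> int:
    """Size in bytes that the outermost DER SEQUENCE header claims for the whole object."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE tag (0x30)")
    first = der[1]
    if first < 0x80:                      # short form: length fits in 7 bits
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_der(der: bytes) -> str:
    """'ok' if der is one complete SEQUENCE whose declared size matches the data."""
    try:
        declared = der_total_length(der)
    except ValueError as e:
        return f"bad: {e}"
    if declared != len(der):
        return f"bad: header declares {declared} bytes, file has {len(der)}"
    return "ok"


def convert_file(pem_path: str, der_path: str) -> str:
    """Convert pem_path to der_path and return the check_der() verdict for the output."""
    with open(pem_path, "r", encoding="ascii") as f:
        _, der = pem_to_der(f.read())
    with open(der_path, "wb") as f:
        f.write(der)
    return check_der(der)


# Constructed sample: SEQUENCE { OCTET STRING (200 zero bytes) }, 206 bytes in total.
# Uses long-form lengths (0x81 0xCB / 0x81 0xC8), as a real certificate does.
SAMPLE_DER = bytes([0x30, 0x81, 0xCB, 0x04, 0x81, 0xC8]) + bytes(200)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(convert_file(sys.argv[1], sys.argv[2]))   # e.g. cert.pem cert.der
    else:
        label, der = pem_to_der(SAMPLE_PEM)
        print(label, len(der), check_der(der))          # CERTIFICATE 206 ok
        print(check_der(der[:16]))                      # truncated, like a <20-byte .der
        print(check_der(SAMPLE_PEM.encode("ascii")))    # PEM text flashed under a .der name
```

Run it with two arguments (input .pem, output .der) for each of the three AWS files and flash only outputs that report "ok"; the same `check_der` verdict on bytes read back from the device file system with the SimpleLink file APIs distinguishes a bad flash from a bad certificate chain.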
  • Hi Tarun,

    Great! Using Uniflash is the preferred method for adding the files to the file system so that is good.

    I'm going to close this thread, but you can open a new one regarding the private key if needed.

    Thank you,
    Ben M