CCS/LAUNCHXL-CC3235S: SSL_CONNECTION_ERROR(/The TLS handshake failed.)

Part Number: LAUNCHXL-CC3235S
Other Parts Discussed in Thread: CC3235S, UNIFLASH

Tool/software: Code Composer Studio

Hello team!!!

I need your help to resolve this problem. Actually, I am trying to use "subscribe_publish_sample_CC3235S_LAUNCHXL_freertos_ccs" to connect to the AWS cloud. This example belongs to the AWS_IOT_SDK "C:\ti\aws_cc32xx_3_30_00_03\examples\rtos\CC3235S_LAUNCHXL\aws\subscribe_publish_sample". FYI, I have gone through the following steps:

1) I have created an AWS account, as per the instructions that came in the doc section of the AWS_IOT_SDK.

2) During that, I downloaded:

a) public key

b) private key

c) certificate

d) root certificate

3) I changed the names of the files and wrote the same names in aws_iot_config.h.

4) I changed the host, ID, port and things as I created them.

5) I attached the certificate to the thing.

6) I attached the policy to the certificate.

7) I configured the Wi-Fi SSID and key as per my router.

8) In UniFlash I kept the certificate, private key and root CA (Starfield also).

Please see the following picture to see how and where I kept the files.

After that I took the binary file of the project and burned the program into the CC3235S, and I got this...

It recognized all the certificates and keys successfully, but it is not connecting to the AWS server; the connection is not getting established, or the TLS handshake failed.

Please guide me to resolve this problem.

Waiting for your response...

I will appreciate your help.

Thanks in advance...

  • Hi,

    To clarify, are you using the Starfield Class 2 Certification Authority cert as the ca_file.pem? That is the correct root CA file that you'll need to provide to the CC3220 in order to connect successfully to any ATS-secured AWS IoT endpoints.

    Regards,

    Michael

  • Thanks for your reply Michael,

    FYI, let me tell you that I am using the Starfield Class 2 certificate that I downloaded at the time of AWS Thing creation. Not only this, I also used

    1) RSA 2048 bit key: Amazon Root CA 1

    2) RSA 2048 bit key: VeriSign Class 3 Public Primary G5 root CA certificate

    as well, but no luck.

    I changed my aws_iot_config.h file as per my host, port, client ID and thing,

    and the wificonfig.h file as per my SSID and key.

    I changed the private key in the cert.c file,

    the Starfield Class 2 file,

    and unsigned char client_private_key_pem[] as follows

    I read somewhere that the subscribe_publish_sample_CC3235S_LAUNCHXL_freertos_ccs program supports only production mode, so I burned the program in production mode also, but no luck.

    What am I doing wrong? Every time I am getting error (-4), that is

    Please let me know where I am wrong and what I should try.

    Again, thanks for your reply.

    Waiting for your response...

  • Hi,

    It doesn't seem like you are using the correct root CA certificate. Please download and provide the Starfield Class 2 Certification Authority cert I mentioned in my previous post to your application. I've attached the corrected root_ca_pem[] for your convenience:

    // ATS root CA
    unsigned char root_ca_pem[] =
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl\r\n"
    "MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp\r\n"
    "U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQw\r\n"
    "NjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBoMQswCQYDVQQGEwJVUzElMCMGA1UE\r\n"
    "ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZp\r\n"
    "ZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3\r\n"
    "DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf\r\n"
    "8MOh2tTYbitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN\r\n"
    "+lq2cwQlZut3f+dZxkqZJRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0\r\n"
    "X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVmepsZGD3/cVE8MC5fvj13c7JdBmzDI1aa\r\n"
    "K4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSNF4Azbl5KXZnJHoe0nRrA\r\n"
    "1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HFMIHCMB0G\r\n"
    "A1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fR\r\n"
    "zt0fhvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0\r\n"
    "YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBD\r\n"
    "bGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8w\r\n"
    "DQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGsafPzWdqbAYcaT1epoXkJKtv3\r\n"
    "L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLMPUxA2IGvd56D\r\n"
    "eruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl\r\n"
    "xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynp\r\n"
    "VSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEY\r\n"
    "WQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5Q=\r\n"
    "-----END CERTIFICATE-----";

    Please give that a try and see if it resolves your issues. Let me know what happens if you use that root_ca_pem[] file.

    Regards,

    Michael

  • Hi Michael,

    Thank you so much for your valuable reply.

    It worked well...

    But I have a few doubts/questions.

    Que.1: From where should I download this certificate?

    I have downloaded almost all the certificates that appeared at the time of thing creation. See the following pictures, which show the certificates I downloaded.

    But none of them matches the certificate you gave. Kindly clarify.

    Que.2: Is it different for different users?

    Again, thank you so much for your reply.

    Waiting for your response...

    Sarju Bhatnagar

  • Hi Sarju,

    I'm glad you got the AWS IoT connection working.

    See my post here for an explanation of why that specific Starfield root CA cert is needed and not any of the ones provided by Amazon: https://e2e.ti.com/support/wireless-connectivity/wifi/f/968/p/789112/2919312#2919312

    You can find it online but the method I use simply takes it from your PC's cert store. You can find a post of mine demonstrating how you'd get it from your PC here: 

    https://e2e.ti.com/support/wireless-connectivity/wifi/f/968/p/673247/2478357#2478357

    The steps are for a different root CA but you can search for the Starfield cert. You'll need to save it as a Base-64 encoded file though, instead of a DER-formatted file.

    That Starfield Class 2 Certification Authority cert is used for all ATS-secured AWS IoT endpoints at the moment.

    Let me know if you need more clarification or have further questions.

    Regards,
    Michael

  • Thank you so much for your support.

    My issue has been solved.

    I appreciate your help.

    Again, thank you so much...

    sarju bhatnagar

  • Hi Sir,

    I have the same issue but I have not solved it.

    May I know why we need to add the client private key, Starfield Class 2 file and client cert file in cert.c?

    The AWS CC32XX Quick Start Guide shows we have to use UniFlash to flash the cert to the MCU.

    But, it doesn't work.

  • Hi,

    Copying the certificate contents to cert.h will help prevent issues due to incorrect conversion of the certs from PEM to DER on your PC, and will remove the need for you to flash the certs using Uniflash.

    Regards,

    Michael
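
The thread's two format points (export the root CA as Base-64 rather than DER, and embed the PEM text to avoid a bad PEM-to-DER conversion) can be checked on the host before flashing. The following is an added example, not code from TI or from the posters: `cert_classify`, `der_ok` and the tiny sample values are hypothetical and constructed. It tells PEM from raw DER and verifies that the outer DER length header matches the data, which catches a truncated or mis-pasted certificate.

```c
#include <string.h>

enum cert_fmt { CERT_BAD, CERT_DER, CERT_PEM };
/* Constructed sample (not a real certificate): DER SEQUENCE { INTEGER 1 }. */
static const unsigned char SAMPLE_DER[] = { 0x30, 0x03, 0x02, 0x01, 0x01 };
static const char SAMPLE_PEM[] = "-----BEGIN CERTIFICATE-----\r\n"
                                 "MAMCAQE=\r\n"
                                 "-----END CERTIFICATE-----";

/* One DER SEQUENCE whose declared length accounts for exactly n bytes. */
static int der_ok(const unsigned char *b, size_t n) {
    size_t hdr = 2, len = n >= 2 ? b[1] : 0;
    if (n < 2 || b[0] != 0x30) return 0;
    if (len & 0x80) {                 /* long form: k length bytes follow */
        size_t k = len & 0x7F;
        if (k == 0 || k > 3 || n < 2 + k) return 0;
        len = 0;
        while (k--) len = (len << 8) | b[hdr++];
    }
    return hdr + len == n;
}

static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Classify a buffer as raw DER, PEM (Base-64 text wrapping valid DER), or bad. */
enum cert_fmt cert_classify(const unsigned char *buf, size_t n) {
    static const char BEG[] = "-----BEGIN CERTIFICATE-----";
    static const char END[] = "-----END CERTIFICATE-----";
    static unsigned char der[4096];   /* scratch buffer; not reentrant */
    size_t i = sizeof BEG - 1, out = 0;
    unsigned acc = 0, bits = 0;
    if (der_ok(buf, n)) return CERT_DER;
    if (n < i || memcmp(buf, BEG, i) != 0) return CERT_BAD;
    for (; i < n && buf[i] != '-'; i++) {
        int v = b64val(buf[i]);
        if (v < 0) continue;          /* skip CR, LF and '=' padding */
        acc = (acc << 6) | (unsigned)v;
        if ((bits += 6) < 8) continue;
        if (out == sizeof der) return CERT_BAD;
        der[out++] = (unsigned char)(acc >> (bits -= 8));
    }
    if (n - i < sizeof END - 1 || memcmp(buf + i, END, sizeof END - 1)) return CERT_BAD;
    return der_ok(der, out) ? CERT_PEM : CERT_BAD;
}
```

A `CERT_DER` result for a file that the application expects as PEM text (or the reverse) points to the export or conversion step rather than to the AWS configuration.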