
Provisioning WiFi device - AP Method, HTTPS + Browser

Hey,

I am trying to come up with a design in which to securely transmit WiFi credentials to a device in AP mode so as to provision it onto the WiFi network.

This document:
https://www.ti.com/lit/wp/swry011a/swry011a.pdf
describes a method in which the device creates a hotspot, the user then connects to this hotspot and can provision the device using the browser.

As suggested, this method should make use of HTTPS to ensure the credentials are securely transmitted.

My problem comes from attempting to make an HTTPS connection to the device:

Any modern browser will refuse the connection due to certificate issues. Even if the certificate used is from a CA trusted by the browser, there will be no way to pass the hostname verification.

Due to this, any sort of HTTPS connection attempts will be blocked by the browser.

How can this problem be overcome?

Thanks in advance,

Nathan

  • Hi Nathan,

    This issue is common to all devices with a local HTTPS webserver (switches, routers, APs, etc.). The only way is to upload a self-signed certificate (CA file) into the browser and the certificate into the device with the HTTPS server. The other way is to set a security exception in the browser. But this is not a secure way.

    Jan

  • When using AP mode, you can set a domain name (see below):

        sl_NetAppSet(SL_NETAPP_DEVICE_ID, SL_NETAPP_DEVICE_DOMAIN, strlen(domain_name), (_u8 *) domain_name);

    You can purchase a certificate from a known CA (signed by valid root CA) where the subjectAltName is based on the domain_name.

    Br,

    Kobi

  • Hi,

    Yes, the way described by Kobi can work for AP mode. But there are some limitations:

    • you need to purchase the domain which you want to use in AP mode from a domain registrar
    • you need to buy a new certificate from the CA every year, and you need to distribute this certificate to the devices by OTA update every year (you cannot purchase a certificate with a validity longer than one year)
    • access to the AP mode webpages will be possible via the domain name only. In case you enter the IP address, a security warning will be shown. Be aware that usage of a domain name in AP mode may not be 100% reliable due to the DNS cache on the client device.

    Jan
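
The hostname check discussed in the thread, as an added example that is not part of any poster's reply or of TI's code: it mirrors how a browser compares what the user typed against the certificate's subjectAltName, and reports how many days remain before a renewed certificate has to reach the device. The certificate dict, domain name and dates are constructed placeholders in the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ipaddress
import ssl
import time

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
# The domain and expiry date are placeholders, not values from the thread.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "device.example.com"),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}


def _dns_match(pattern, host):
    """Case-insensitive dNSName match; '*' may only be the whole leftmost label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # A wildcard covers exactly one label: *.example.com matches a.example.com
        # but neither example.com nor a.b.example.com.
        first, _, rest = h.partition(".")
        return first != "" and rest == p[2:]
    return p == h


def host_matches_cert(cert, typed_host):
    """True if the host typed in the address bar is covered by the certificate SAN."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(typed_host)
    except ValueError:
        # Not an IP literal: compare against dNSName entries only.
        return any(k == "DNS" and _dns_match(v, typed_host) for k, v in sans)
    # An IP literal is compared only against iPAddress entries, never dNSName ones,
    # which is why browsing to the AP's address fails with a name-only certificate.
    return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)


def days_until_expiry(cert, now=None):
    """Whole days left before notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


if __name__ == "__main__":
    for host in ("device.example.com", "192.168.1.1"):  # constructed inputs
        print(host, "->", "ok" if host_matches_cert(SAMPLE_CERT, host) else "warning")
    print("days left:", days_until_expiry(SAMPLE_CERT))
```
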