Hi,
I have been struggling to establish a secure connection with a server of our interest (m2.tuyain.com).
I have programmed the server root CA certificate (tuya_rootCA.crt) into the filesystem using ccs tool.
PFA code snippet, I have followed the steps as given in the Reference Manual for Simple Link.
connect() returns the error -655 (ASN sig error, confirm failure). There is not much description available in error.h.
By the way, I am able to connect with the server with a client running on a Linux VM (Ubuntu). This confirms the certificate that I’m using is right.
Please suggest whether I am missing any step!
Fyi, I also tried another approach ‘upgrading nonsecure socket to secure after connection’ as described in the Ref Man. It seems the server doesn’t support this.
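#define SECURE_SOCKET

/*
 * Open a TLS-protected TCP connection to the configured destination.
 *
 * pNetwork: network context; pNetwork->context must point at a
 *           tls_context_t whose server_fd.fd receives the socket handle.
 * params:   optional connect parameters; when non-NULL they are copied into
 *           pNetwork->tlsConnectParams before use.
 *
 * Returns 0 on success, OPRT_INVALID_PARM when pNetwork is NULL, and -1 when
 * the socket cannot be created, the CA file cannot be attached to it, or
 * sl_Connect() reports an error (the socket is closed before returning -1).
 *
 * Fixes against the original: the function had no return statement after a
 * successful connect, never checked the sl_Socket() result, and carried on
 * to sl_Connect() even when the CA file option could not be set.
 *
 * NOTE(review): the destination address is hard-coded below; only the port is
 * taken from tlsConnectParams.
 */
int network_tls_connect(NetworkContext_t *pNetwork, const TLSConnectParams *params)
{
    tls_context_t *tlsDataParams = NULL;
    int32_t sock;
    int32_t status;
    SlSockAddrIn_t sAddr;
    uint8_t nb = FALSE;   /* non-blocking mode is never enabled here, so the
                             EALREADY retry path below is effectively inert */

    if (NULL == pNetwork) {
        return OPRT_INVALID_PARM;
    }
    if (NULL != params) {
        pNetwork->tlsConnectParams = *params;
    }
    tlsDataParams = (tls_context_t *)(pNetwork->context);

    sAddr.sin_family = SL_AF_INET;
    sAddr.sin_port = sl_Htons((unsigned short)pNetwork->tlsConnectParams.DestinationPort);
    sAddr.sin_addr.s_addr = sl_Htonl(SL_IPV4_VAL(13, 234, 126, 217));

    sock = sl_Socket(SL_AF_INET, SL_SOCK_STREAM, SL_SEC_SOCKET);
    if (sock < 0) {
        /* Fail early instead of passing a negative handle to sl_SetSockOpt()
           and sl_Connect(). */
        UART_PRINT("[%s() line:%d, error:%d] sl_Socket() failed\n\r",
                   __FUNCTION__, __LINE__, status);
        return -1;
    }
    tlsDataParams->server_fd.fd = sock;

#ifdef SECURE_SOCKET
    /* The device clock is set before the handshake; presumably the TLS stack
       checks the server certificate's validity period against it, so a wrong
       date would make server authentication fail -- confirm against the
       SimpleLink documentation. */
    SlDateTime_t dateTime = {0};
    dateTime.tm_day  = (uint32_t)DEVICE_DATE;
    dateTime.tm_mon  = (uint32_t)DEVICE_MONTH;
    dateTime.tm_year = (uint32_t)DEVICE_YEAR;
    dateTime.tm_hour = (uint32_t)HOUR;
    dateTime.tm_min  = (uint32_t)MINUTES;
    dateTime.tm_sec  = (uint32_t)SEC;
    if (sl_DeviceSet(SL_DEVICE_GENERAL, SL_DEVICE_GENERAL_DATE_TIME,
                     sizeof(SlDateTime_t), (uint8_t *)(&dateTime)) < 0) {
        UART_PRINT("%s() line:%d sl_DeviceSet() failed\n\r", __FUNCTION__, __LINE__);
    }

    /* Server authentication is enforced by pinning the root CA file on the
       socket. SL_SO_SECURE_DISABLE_CERTIFICATE_STORE is deliberately not set:
       doing so would let the handshake succeed against any certificate.
       If the CA file cannot be attached, do not fall through to an
       unauthenticated connect -- fail closed. */
    if (0 != sl_SetSockOpt(sock, SL_SOL_SOCKET, SL_SO_SECURE_FILES_CA_FILE_NAME,
                           "tuya_rootCA.crt", strlen("tuya_rootCA.crt"))) {
        UART_PRINT("%s() line:%d sl_SetSockOpt() failed\n\r", __FUNCTION__, __LINE__);
        sl_Close(sock);
        return -1;
    }

#ifdef CLIENT_AUTHENTICATION
    /* Client authentication: present our private key and certificate chain. */
    sl_SetSockOpt(sock, SL_SOL_SOCKET, SL_SO_SECURE_FILES_PRIVATE_KEY_FILE_NAME,
                  PRIVATE_KEY_FILE, strlen(PRIVATE_KEY_FILE));
    sl_SetSockOpt(sock, SL_SOL_SOCKET, SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME,
                  TRUSTED_CERT_CHAIN, strlen(TRUSTED_CERT_CHAIN));
#endif
#endif

    /* With a blocking socket (nb == FALSE) a single sl_Connect() either
       succeeds or fails; the EALREADY branch only retries when the socket is
       non-blocking. */
    for (;;) {
        status = sl_Connect(sock, (SlSockAddr_t *)&sAddr, sizeof(sAddr));
        if (status >= 0) {
            break;
        }
        if ((status == SL_ERROR_BSD_EALREADY) && (TRUE == nb)) {
            sleep(1);
            continue;
        }
        UART_PRINT("[%s() line:%d, error:%d] %s\n\r",
                   __FUNCTION__, __LINE__, status, SL_SOCKET_ERROR);
        sl_Close(sock);
        return -1;
    }

    return 0;
}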
Regards,
Rohit