LAUNCHXL-CC3235SF: CC3235SF not able to connect to cloud server with ISRG Root X1

Part Number: LAUNCHXL-CC3235SF
Other Parts Discussed in Thread: CC3235SF, UNIFLASH

Hi, 

I am using CC3235SF Dev Kit to connect to our Cloud. I am using AT command library provided by TI to send MQTT AT commands to the server.

Our Cloud MQTT server has been using DST Root CA X3 as the certificate so far. I have been able to connect to the MQTT server securely using the AT commands and providing the DST Root CA X3.pem for CA file name in the AT command.

Since DST Root CA X3 expired on 30 Sept, the Cloud server is now using the certificate ISRG Root X1. So, I saved ISRG Root X1 (isrg_root_x1.pem) in the TI3235SF file system using Uniflash.

Now, in the AT command, when I use isrg_root_x1.pem as CA file name, and issue an MQTT connect command, I get an error "Wrong Root CA". It gives an error code of -688 which is "ASN no signer to confirm failure".

I am not validating the certificate against the certificate store in the flash. The certstore.lst, I think, does not contain the ISRG Root X1 certificate. In any case, since I am not validating against the cert store, I have set skip_cert_verify in the AT command.

The AT commands I am using are

------------------------------------------------------------------------------------------------------------ 

AT+MqttCreate=123,url|sec|skip_date_verify|skip_domain_verify|skip_cert_verify,server_name,8883,SSLV3_TLSV1_2,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256|TLS_DHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,,,isrg_root_x1.pem,,v3_1_1,1,1

AT commands to set username and password

AT+MQTTConnect=0 /* This fails with the above mentioned error and says Wrong Root CA */

------------------------------------------------------------------------------------------------------------

When I connect to the MQTT broker using mosquitto, I am able to connect with the same isrg_root_x1.pem certificate. If I use the command below, it works fine.

mosquitto_sub -h "server_name" -t "topic" -p 8883 --cafile isrg_root_x1.pem -u "user" -P "pw"

What could be the issue why the CC3235SF is not able to MQTT connect to the server using the new certificate?

Thanks for your help.

Regards,

Subramanyan

  • -688 means that the server requires a different root CA.

    Maybe it is still using the old root CA.

    Use the following code as a reference for printing the name of the root CA required for the connection (it is received in the Socket Async Event):

    #include <ti/drivers/net/wifi/simplelink.h>

    /* LOG_INFO is assumed to be the application's own logging macro. */
    void SimpleLinkSockEventHandler(SlSockEvent_t *pSock)
    {
        if (pSock->Event == SL_SOCKET_ASYNC_EVENT)
        {
            switch (pSock->SocketAsyncEvent.SockAsyncData.Type)
            {
            case SL_SSL_NOTIFICATION_WRONG_ROOT_CA:
                /* pExtraInfo carries the name of the root CA the connection requires */
                LOG_INFO("SL_SOCKET_ASYNC_EVENT: ERROR - WRONG ROOT CA");
                LOG_INFO("Please install the following Root Certificate:");
                LOG_INFO(" %s\n\r", pSock->SocketAsyncEvent.SockAsyncData.pExtraInfo);
                break;
            default:
                /* any other async socket notification: just log it */
                LOG_INFO("SL_SOCKET_ASYNC_EVENT socket event %d", pSock->Event);
                break;
            }
        }
    }
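
A host-side counterpart to the handler above, as an added example that is not part of the original thread or of TI's code: it reports the issuer named by the last certificate in a server's chain and checks whether a given CA file carries that name. It assumes the device's "wrong root CA" notification refers to that issuer; the function names and the constructed demo certificates are hypothetical.

```shell
#!/bin/sh
# Added example. chain.pem is the chain as the server sends it, e.g. saved from
#   openssl s_client -connect server_name:8883 -showcerts </dev/null > chain.pem

# Print the last certificate block of a PEM bundle (top of the chain as sent).
last_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
         { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { last = buf }
         END { printf "%s", last }' "$1"
}

# Name of the CA that has to be installed: issuer of the chain's last certificate.
required_root() {
    last_cert "$1" | openssl x509 -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Exit 0 if the CA file's subject is that issuer (name comparison only,
# the signature is not verified here); exit 2 if a file cannot be parsed.
ca_matches_chain() {
    cmc_want=$(last_cert "$1" | openssl x509 -noout -issuer_hash) || return 2
    cmc_have=$(openssl x509 -in "$2" -noout -subject_hash) || return 2
    [ "$cmc_want" = "$cmc_have" ]
}

# Constructed sample data: two self-signed roots (a, b) and a leaf issued by root a.
make_demo() {
    for md_r in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Constructed Root ${md_r}" \
            -keyout "$1/$md_r.key" -out "$1/$md_r.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server_name" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/a.pem" -CAkey "$1/a.key" \
        -set_serial 1 -days 1 -out "$1/chain.pem" 2>/dev/null
}

# Usage: sh check_root.sh chain.pem isrg_root_x1.pem
if [ "$#" -eq 2 ]; then
    echo "Server chain requires: $(required_root "$1")"
    if ca_matches_chain "$1" "$2"; then
        echo "CA file matches the required root"
    else
        echo "CA file does NOT match the required root"
    fi
fi
```
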