
LAUNCHXL-CC3235SF: Opening secure socket using AT Command

Part Number: LAUNCHXL-CC3235SF
Other Parts Discussed in Thread: CC3235SF, UNIFLASH

Hi Experts,

Seeking your assistance on this query from Cx:

I am using the AT command example application from TI with the LAUNCHXL_CC3235SF. I want to open a secured socket for communication with a remote server using the MQTT protocol. I am using the following AT commands in the sequence given below:

AT+Socket=INET,STREAM,SEC //this returns socket descriptor (normally returns as 0) and OK as response

AT+NetAPPGetHostByName=hostname,INET //hostname is the name of the server. This returns OK +netappgethostgyname:hostname,Host IP address

AT+SetSockOpt =0,SOCKET,SECMETHOD,TLSV1_2 //This returns OK response

AT+Connect=0,INET,8883,IPAddress //IP address is Host IP address returned by previous command.

The above connect command does not return any response.

If I use TCP instead of SEC in the AT+Socket command then the AT+Connect command does return OK as a response. But if I open a TCP socket then it does not receive any response from the server to my MQTT connect packet.

Can anybody let me know the issue with using SEC in the AT+Socket command? Is my sequence of socket opening to connect correct?

For your assistance please. Thank you.

Regards,
Archie A.

  • In order to connect using TLS, you will need (at least) to provide the server's root CA certificate (with AT+SetSockOpt=[sd],SOCKET,SECURE_FILES_CA_FILE_NAME,"root-ca-filename").

    If you want to connect to an MQTT broker, you can refer to the "MQTT Client Commands" chapter and use AT+MqttCreate and AT+MqttConnect.

  • Hi Kobi,

    Thanks for your comment. Cx responded:

    "Actually I am trying to connect to Azure IoT Hub. I am using custom board with MCU on which I have ported azure_iot_middleware_for_freertos. On UART port of MCU, I have connected CC3235SF board which is executing AT Command application. Azure IoT Middleware for freeRTOS uses IoT Embedded C SDK with core MQTT protocol layer. I have implemented socket wrapper in MQTT protocol layer to transfer data packets from MQTT layer to CC3235SF over UART port.
    I have tried using simple_http_.. example of CC3235SF_LAUNCHPAD board. I was able to connect to server using this example but then we also need device twinning and DPS features. Hence we ported Azure IoT stuff on MCU side.

    I have the root CA certificate file in array form on the MCU side. Should this file be on the CC3235SF board? If yes, can you please guide me on how to include the same in the AT Command application?"

    Thank you.

    Regards,
    Archie A.

  • You can use the AT+Command File system commands (chapter 6.4 in https://www.ti.com/lit/pdf/swru534) to write the certificate files into the CC3235 file system, then use the path to the file in the AT+SetSockOpt command.

    Why don't you use the Azure software on the CC3220 MCU and create a simple communication protocol (it can be based on modified AT+CMD) to the external MCU?

  • Hello Kobi,

    Thank you. Customer has the ff. follow up:

    "I have certificates in C array format as provided in azure_IoT_Middleware_FreeRTOS source code from Microsoft. I have to find out a way to transfer this data over AT Commands for file system to load these certificate data in CC3235. Any suggestions?
    I have some basic questions:
    Can I load these certificate data in CC3235SF flash memory using the Uniflash tool? I saw some Advanced options but am not sure how to specify the path of the certificate files in the same.
    If I can load using the Uniflash tool then how will I know the path of the file which needs to be specified as an option for opening the secure socket?
    If I load using AT Commands for the file system then will it go to flash memory or RAM memory?

    Your suggestion about having the Azure software on the CC3235 MCU is absolutely correct. But our device will have the option of using other network modules (other than Wi-Fi) for connecting to the IoT hub. In such a case we would need to again port the Azure software to that module."

    Regards,
    Archie A.

  • The AT FS commands will go to CC3235 flash (just like writing from uniflash).

    Please refer to the following uniflash-cc3235 documents for instructions about adding user files: https://www.ti.com/lit/swru469

    Regarding the design - at the end of the day of course this is the customer's decision, but using the AT_Commands doesn't make full use of the CC3235 MCU. If there are other network interfaces maybe they can be accessed from the CC3235 MCU. I understand that a N/W stack may be required and so on, but this can also be offloaded from their main MCU.

  • Hello Kobi,

    Thank you for your response.

    The customer understands that using the AT Commands application is their choice and will test it properly before the release.

    We will wait for your response on AT+Connect command returning -468 error code which means it is "connected but the root CA used to validate the peer is unknown".

    Regards,
    Archie A.

  • -468 is a warning that can be ignored.

    The connection is open, but the server's root CA is not part of the certificate catalog (probably because the customer is using the "dummy" playground catalog).

    The choices are (1) to ignore the warning, (2) to disable the catalog verification (through setsockopt) or (3) to use a catalog that contains the root CA (either the TI "production" catalog or a vendor-specific catalog, see https://www.ti.com/lit/pdf/swru547).
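The socket/option/connect sequence from the opening post, with the CA-file option from Kobi's first reply and a policy for the -468 result discussed just above, as an added example that is not part of this thread or of TI's AT example. The reply framing ("+socket:<sd>", "OK", "ERROR:<code>"), the FakeModem transport and AT+Close for cleanup are assumptions; on a real board the exchange() call would write to the UART and read back the reply.

```python
import re

# Assumed reply framing (not from the thread): one reply string per command,
# e.g. "+socket:0\r\nOK", "OK" or "ERROR:-468". FakeModem is a constructed stand-in.
SL_ESECUNKNOWNROOTCA = -468  # from the thread: connected, but peer root CA unknown


class FakeModem:
    """Constructed stand-in for the CC3235 AT UART; returns scripted replies in order."""
    def __init__(self, replies):
        self.replies, self.sent = list(replies), []

    def exchange(self, cmd):
        self.sent.append(cmd)
        return self.replies.pop(0)


def open_tls_socket(modem, host_ip, port, ca_file, require_ca_check=True):
    """Create a SEC socket, pin TLS 1.2 and the root CA file, then connect.

    Returns (sd, "verified") on OK. A -468 reply means the TLS session is up but
    the peer chain could not be validated against the catalog: by default this is
    treated as a failed handshake and the socket is closed, because an
    unverified peer can be impersonated; pass require_ca_check=False only to
    reproduce the "ignore the warning" option from the thread (development only).
    """
    reply = modem.exchange("AT+Socket=INET,STREAM,SEC")
    m = re.search(r"\+socket:(\d+)", reply)
    if not m or "OK" not in reply:
        raise RuntimeError("socket create failed: " + reply)
    sd = int(m.group(1))
    # Options must be set before AT+Connect, as in the customer's sequence.
    for opt in (f"AT+SetSockOpt={sd},SOCKET,SECMETHOD,TLSV1_2",
                f'AT+SetSockOpt={sd},SOCKET,SECURE_FILES_CA_FILE_NAME,"{ca_file}"'):
        if "OK" not in modem.exchange(opt):
            raise RuntimeError("setsockopt failed: " + opt)
    reply = modem.exchange(f"AT+Connect={sd},INET,{port},{host_ip}")
    if "OK" in reply:
        return sd, "verified"
    code = re.search(r"-?\d+", reply)
    if code and int(code.group()) == SL_ESECUNKNOWNROOTCA:
        if require_ca_check:
            modem.exchange(f"AT+Close={sd}")  # AT+Close assumed from the AT socket set
            raise RuntimeError("TLS peer not authenticated: root CA not in catalog (-468)")
        return sd, "connected-unverified"
    raise RuntimeError("connect failed: " + reply)
```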

  • Hi Kobi,

    Thank you. Cx responded:

    -468 error - Yes, I am using playground catalog.
    I worked on choices provided by you:
    1. Ignoring the warning: After sending MQTT connect packet, I receive the ack bytes from server, First 2 of them are correct but next 2 are incorrect. First 2 bytes - 0x20 & 0x02. Next 2 bytes: 0x18 & 0xF0. Not sure if TI team can throw some light here.
    2. Disable the catalog verification : Using AT Command - AT+SetSockOpt , I do not see any option in socket options to disable catalog verification in AT Command document. Can you please point out exact option to do this?
    3. Using the TI Production catalog: I am not sure if you are referring to the catalog folder in the SimpleLink SDK. I can see certcatalog20190217.lst & certcatalog20190217.lst.signed_3235.bin in the SDK. Are these the files you are referring to? If yes, then I already tried flashing them but it gives a flash error as in the attached image.

    Question: If I have flashed some file in the CC3235SF user file section then how do I delete it?

    Regards,
    Archie A.

  • Regarding 1, not sure we can help - what MQTT stack are you using?

    Regarding 2, probably not supported through AT-CMD, you can add it to the AT-driver or just ignore the -468.

    Regarding 3, yes, I meant the certcatalog20190217.lst

  • Hello Kobi,

    Thanks for your responses.

    1. I am using coreMQTT as provided with Azure IoT Middleware for FreeRTOS
    2. ok
    3. The certcatalog20190217.lst is giving me an error while flashing. Please refer to my attachment with the previous message. Can you please help me resolve the same?

    Question: If I have flashed some file in the CC3235SF user file section then how do I delete it?

    Regards,
    Archie A.

  • When using certcatalog20190217 - you can't use the Playground certificate for programming. You will need to use a valid certificate with a root CA that is included in the catalog (check the README in the catalog folder to find the supported roots). You will still need the entire certificate including the valid root CA to be stored in flash.

  • Did you try using the internal MQTT stack (through the AT MQTT Client Commands)?

  • Thanks Kobi, for the information.

    Cx shared:

    I referred to the README and found that certcatalog20190217 includes the "Baltimore CyberTrust Root" root CA. So I downloaded this root CA from the Microsoft Azure weblink and flashed the same. In spite of this I am getting FS_ERR_ROOT_CA_IS_UNKOWN. Does this mean the root CA which I downloaded from the Microsoft Azure weblink is not correct?
    Apart from the root CA, will I also need any device-specific certificate for connectivity with the IoT Hub server? If yes, do we have to purchase it? I have referred to the Certificates Handling document from TI and hence am asking this question.

    I haven't tried internal MQTT stack. I will try that too.

    Regards,
    Archie A.

  • Are you getting the FS_ERR_ROOT_CA_IS_UNKOWN when programming the device or when trying to connect to Azure?

  • Hi Kobi,

    Good day. Cx confirmed that they are getting that error.

    Let us know how to proceed. Thank you.

    Regards,
    Archie A.

  • My question is when. During programming or during TLS connection?

  • Hello Kobi,

    Cx just confirmed, that they are getting this error DURING programming in flash memory using UNIFLASH tool.

    Regards,
    Archie A.

  • It means that he is using a root certificate that is not included in the catalog and this will not work.

    Either he will use the Playground catalog with the Playground certificates (as long as this is just for development) or the certcatalog20190217 with a certificate purchased from a known certificate authority (with root that is included in the catalog).

    Another option is to use Vendor catalog - see https://www.ti.com/lit/pdf/swru547.

  • Hi Kobi,

    Apology for the delayed response as customer just responded.

    1. Is there any way to use certcatalog20190217 without purchasing a certificate? Can we generate some device certificate with a small period of validity based on a known root CA in certcatalog20190217? This is only for testing purposes.

    2. Why is the vendor catalog related to OTP programming?

    Thank you.

    73,
    Archie A.

  • 1. No, you must have a valid certificate (signed by a known CA) for signing your code.

    2. In order to verify the vendor catalog, you need to install the root of trust (a root certificate to verify the catalog, that corresponds to the vendor's private key) on the device which can't be changed - and OTP is used to install such a root certificate (the catalog from TI is based on a root-of-trust in ROM).