LAUNCHXL-CC3235SF: MQTT TLS security issue - round 2.

ok. this certificate looks fine. it should be used "as-is" as the 2nd file in the table.

the private key that you provided before doesn't seem valid (maybe only the content i got is invalid) and it seems that this is the only missing piece (should be the first file in the table).

Can you try using the Mqtt_Client_secure_files[] = {<your-prv-key>, "broker-client", "broker-client.pem", "ca.intelliport.local", NULL };

Thanks Kobi, I'll try again this afternoon and let you know how it goes. One question, you have 5 files in the file list, I thought it maxed out at 4, is that "ca.intelliport.local" extraneous?

Please remove the "broker-client" - this was a mistake. The 2nd file name meant to be "broker-client.pem".

Please remove the "broker-client" - this was a mistake. The 2nd file name meant to be "broker-client.pem".

I gave that a try, still getting a -456 error.

Hi Kobi. I tried something this afternoon to get the server certificate. However, when I run the openssl command on port 8883 on our server, it gets no certificate back. Could that be part of the problem? Here is the output of openssl asking for the certificate:

PS C:\Users\10385585> openssl s_client -showcerts -servername intelliportgw.eastus.cloudapp.azure.com -connect intelliportgw.eastus.cloudapp.azure.com:8883
CONNECTED(00000274)
write:errno=10054
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 341 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

I do get a certificate if I use port 443

Thoughts?

Hi Kobi,

Thanks for the response. All of my files are in the FS root folder. Here are the relevant declarations:

1) File names

#define PRIVATE_KEY                     "broker-client-key.pem"
#define CLIENT_CERT                     "broker-client.pem"
#define CA_FN                           "ca-fn"

#define CLIENT_NUM_SECURE_FILES         4

2) Connection parameters:

static char *Mqtt_Client_secure_files[CLIENT_NUM_SECURE_FILES] = {PRIVATE_KEY, CLIENT_CERT, CA_FN, NULL};

MQTTClient_ConnParams g_mqtt_conn_params =
{
    MQTTCLIENT_NETCONN_IP4 | MQTTCLIENT_NETCONN_SEC |
//        MQTTCLIENT_NETCONN_SKIP_DOMAIN_NAME_VERIFICATION |
        MQTTCLIENT_NETCONN_SKIP_CERTIFICATE_CATALOG_VERIFICATION,
    MQTT_CONNECTION_ADDRESS,                 // SERVER_IP_ADDRESS,
    MQTT_CONNECTION_PORT_NUMBER,             // SECURED_PORT_NUMBER,
    SLNETSOCK_SEC_METHOD_SSLv3_TLSV1_2,
    SLNETSOCK_SEC_CIPHER_FULL_LIST,
    CLIENT_NUM_SECURE_FILES,
    Mqtt_Client_secure_files
};

3) Creation of the files programmatically at startup:

    int32_t         fHdl;

    fHdl =
        sl_FsOpen((uint8_t *)PRIVATE_KEY,
                  (SL_FS_CREATE | SL_FS_CREATE_FAILSAFE | SL_FS_OVERWRITE |
                   SL_FS_CREATE_MAX_SIZE(MAX_CACERT_SIZE)),NULL);

    if(fHdl >= 0)
    {
        ret = sl_FsWrite(fHdl, 0, (unsigned char *)brokerClientKeyPem, strlen(brokerClientKeyPem));
        ret = sl_FsClose(fHdl,0,0,0);

    }
    else
    {
    }
        
    fHdl =
        sl_FsOpen((uint8_t *)CLIENT_CERT,
                  (SL_FS_CREATE | SL_FS_CREATE_FAILSAFE | SL_FS_OVERWRITE |
                   SL_FS_CREATE_MAX_SIZE(MAX_CACERT_SIZE)),NULL);

    if(fHdl >= 0)
    {
        ret = sl_FsWrite(fHdl, 0, (unsigned char *)brokerClientPem, strlen(brokerClientPem));
        ret = sl_FsClose(fHdl,0,0,0);

    }
    else
    {
    }
    

    fHdl =
    sl_FsOpen((uint8_t *)CA_FN,
              (SL_FS_CREATE | SL_FS_CREATE_FAILSAFE | SL_FS_OVERWRITE |
               SL_FS_CREATE_MAX_SIZE(MAX_CACERT_SIZE)),NULL);

    if(fHdl >= 0)
    {
        ret = sl_FsWrite(fHdl, 0, (unsigned char *)srvCAPem, strlen(srvCAPem));
        ret = sl_FsClose(fHdl,0,0,0);

    }
    else
    {
    }
    

So something is wrong in the buffer you are writing (-456 refers to the ROOTCA, so seems that the serCAPem has some issue).

You can use Uniflash to connect to the device, then download the file (using the Online File browser) and compare it to the original "ca.intelliport.local".

That sounds like a good plan. One question: How do I use Uniflash and access the Online File browser? I am using Uniflash 8.2.0, and I don't see an option to browse the FS of the device. I can connect and see chunks of the devices memory with the Memory button, but how do I see the file system?

Thanks,

John

see chapter 6.13 in https://www.ti.com/lit/swru469.

Hello again Kobi, I read that section of the document and I do not have an "online user files" button that I can see in Uniflash. I'm pretty sure I am running in development mode since I can use my IAR IDE and the XDS debugger to load, run and debug the device.

I suggest you read the entire document.

You should be in the ImageCreator's Advanced Mode and the button will appear only when you are connected to the device.

Good suggestion, that was informative. When I am in Advanced Mode, I cannot connect. I keep getting this error: Operation failed: Error: SLImageCreator.exe: BootLoaderError, Timeout reading data. When I do not go into new project and just use the configured device from the start screen, I can read the devices memory, so I think the UART is working.

you must start the image creator and work through it (other uniflash interfaces are not supported).

I'm not sure what is this error you are facing. try to detach the USB cable and retry.

you must start the image creator and work through it (other uniflash interfaces are not supported).

I'm not sure what is this error. try to detach the USB cable and retry.

Yes, that is what I am doing. I start the image creator, ensure I select the proper device, enter the MAC address, ensure the use original mac address is checked, and I click connect. The connection fails with that time out message. It also fails in "simple" mode. I power everything down, restarted my laptop etc. Does not help. I validated the UART connection as well.

Here is my setup:

Here is the error:

Are you using TI Launchpad or a customized board?

Can you try without changing anything regarding the MAC address (create new project, try to connect - by default it will read and use the MAC Address from the device)?

What is the SOP (Sense On Powerup) pins status? (should be 010)

I am using a custom board. I'm using the debugger on the Launchpad to debug on our HW basically we take all the jumpers off the long set of jumpers for the XDS to Launchpad CC3235 off, connect a custom board to the jumpers and then ribbon cable over to our HW.

I tried it without the MAC address, still could not connect.

The SOP pins are indeed 010

It is very strange.

have you installed SP before (this is required)? with uniflash?

It is very strange. Regarding the SP, we just went up to version 6_10_00_05 of the SDK, so an upgrade to the SP in that SDK is warranted. I haven't done this before, I'll read the docs and give that a shot.

I do have a couple of updates for you. First I am still unable to get Uniflash up list the files on the device for me. Is there another approach we can try? Is that something that can be done with that dslite.bat script? Second, yesterday I was able to connect to our MQTT broker on the secure port with a set of certs and a key generated by a coworker. That was encouraging, however when I brought those files into our application and flashed them programmatically before starting MQTT, we get the -456 bad CA file. I did set a breakpoint in the SimpleLinkSockEventHandler again, no luck having it hit.

Thanks for your patience with me Kobi. Your last post triggered a thought regarding the files that led me to now be able to connect to our gateways secure MQTT port!