
CC3235S: Certificate Verification

Part Number: CC3235S
Other Parts Discussed in Thread: UNIFLASH,

Dear all

I used UniFlash to upload certificates (for WPA Enterprise) onto my CC3235S LaunchPad. According to the instructions in SWRU455M "4.3.3.2 Preferred Networks (Profiles)" -> Enterprise Profile, I created the following files.

– /sys/cert/ca.der - CA for the server authentication

– /sys/cert/client.der - Optional, if server requests client authentication

– /sys/cert/private.key - Optional, if server requests client authentication

I use the network_terminal with and without adding the profiles.

wlanconnect -t WPA2 -p "dummy" -s "XYZ" -ent "UserName"

Since nothing has helped so far, I'm worried if I made a mistake with the certificates. Does anyone know, how I can verify the certificates on the target? I cannot read it back (for security reasons), right?

What can I do?

Kind regards

Chris

  • Hi Chris,

    This depends on the mode of your CC3235 device. If your device is flashed in development mode, you should be able to read back certificates via UniFlash. But this will depend on how your certificate files were created (security flags, token, etc.). I don't know an easy and simple way to verify certificates uploaded inside the device.

    Jan

  • Hi Jan

    Thank you.

    I did it in development mode and have not added any file security yet. I'll give it a try.

    Do you know a simple way to get error codes out of the network_terminal when the connection fails? All I see is "0" even though I cannot connect. I was hoping to see something like "SL_ERROR_BSD_ESEC_HANDSHAKE_FAILURE" or so but the return value of sl_WlanConnect() does not seem to contain any information.

    Kind regards

    Christian

  • Hi Christian,

    The API sl_WlanConnect() just starts the connection attempt. Some error codes in case of an unsuccessful connection can be obtained from the asynchronous handlers (e.g. disconnect reason codes 208, 209, 210). Very important for diagnosing an issue with an EAP connection is the log from the RADIUS server. Make sure that TLS 1.0 is enabled at the RADIUS server. For example, at FreeRADIUS TLS 1.0 is not allowed by default.

    Jan

  • Chris,

    This is a parallel thread to the one we started.

    Just wanted to add here that I was able to decode some more of the NWP code and I can see that wlanconnect() does use EAP, so in terms of the network_terminal you should be OK. However, in the log I could see only a single EAP message received (I assume this is the EAP Identity request from the AP) but the handshake stopped there. So I set my AP to enterprise mode and, although I do not have a RADIUS server here at the moment, I was able to see the Identity request and response messages (also on an air sniffer). At this point, the certificates (which I do not program) are not even used. The certificates should only be used after the Identity response gets to the RADIUS server and the RADIUS server sends an EAP request back to the device. So in your case, I do not think it is related to certificates. Are you sure that the RADIUS server behind the AP is available?

    NWP logs are definitely required in this case for debug (and an air sniffer is a plus). As Jan mentioned, also good to see the RADIUS server logs.

    Shlomi

  • Hi everyone

    It's possible to connect to the AP using a laptop and WPA Enterprise. So I guess it's not an issue of the RADIUS not running.

    I tried to enable TLS 1.0 on the NPS. But I'm not a server admin.

    However, that did not do the trick. Shlomi, I sent you the log of the RADIUS server in a private message. There's not much one can see there, right?

    I have bought a WLAN adapter that can be put in monitoring mode and I have installed Wireshark. Is there a simple guide on how to sniff over the air?

    Jan, which asynchronous handler shall I observe?

    Many thanks and kind regards

    Chris

  • Hi Chris,

    You can check SimpleLinkWlanEventHandler() and the event SL_WLAN_EVENT_DISCONNECT. But depending on the type of issue, you may not see this handler being called.

    Jan

  • OK, I could verify that TLS 1.0 is enabled on the server.

    In SimpleLinkWlanEventHandler() I only see that the disconnect event is coming from the AP.

  • Hi,

    What reason code (pWlanEvent->Data.Disconnect.ReasonCode) do you see?

    This is the behaviour of the CC3220, but I expect that the CC3235 should behave similarly:

    ReasonCode = 208

    • wrong user or wrong password for EAP (according to EAP mode)
    • it is not possible to validate RADIUS server against CA file
    • wrong private key (for some EAP modes)
    • TLS 1.0 not enabled at RADIUS server
    • other reasons (RADIUS server is not running, wrong configuration of RADIUS server, unsupported EAP method)

    ReasonCode = 209

    • missing CA file
    • wrong certificate at filesystem

    ReasonCode = 210

    • certificate expired (or not set time inside NWP)

    Jan

  • The reason code is 209. You're great. Now I have to find out what's wrong with the certificates.

  • Hi,

    I think error 209 comes from the basic certificate check (e.g. missing file, wrong certificate format). Maybe Shlomi can provide more details on this reason code.

    Jan

  • Now that I'm certain I use TLS 1.0, I recorded a new log... Shlomi, maybe you can see something.

    4722.putty.log

  • It's not so easy to understand the documentation when it comes to certificates. Having gotten this error message from the network_terminal:

    user:wlanconnect -s "XYZ" -t WPA2 -p "dummy" -ent "name"
    [ERROR] - FATAL ERROR: Abort NWP event detected: AbortType=2, AbortData=0x24c

    [wlanconnect] : Timeout expired connecting to AP: XYZ

    I tried to redo the certificates. The NWP User Guide says "Server Root CA file – This file must be in PEM format". A few lines later (also under server authentication) there is the name: "Root CA – sys/cert/ca.der"

    What's the truth now? Do I need a DER or a PEM file?

  • Hi,

    On the CC3220 the binary format (.DER) is required. I expect that for the CC3235 this will be the same.

    I know that there is a typo in the documentation. Even TI employees know this, but I am not sure why the documentation was not updated.

    Jan

  • Hi Christian,

    Not sure why, but again the NWP logger starts OK but then right after initialization it stops. This is the best tool to see the errors and what is going on. Not sure where the assert is coming from, but having the 209 error does suggest that it has something to do with one of the certificates.

    Do you bypass the root CA via SL_WLAN_GENERAL_PARAM_DISABLE_ENT_SERVER_AUTH? If so, I believe the documentation is misleading and disabling is when setting it to 0 (not 1).

    Regarding the format, I agree it is confusing. The filename should be exactly as it says, i.e. "sys/cert/ca.der". The format should be PEM (there is an internal conversion from PEM to DER). I would appreciate it if you can share the root CA certificate so I can take a look.

    Shlomi

  • Shlomi, I sent you the certificates in PEM format in the private conversation.

  • Hi Shlomi,

    Is there a difference between the CC3220 and CC3235? Because I am 100% sure that the CC3220 requires .DER for EAP (EAP does not work with .PEM).

    Jan

  • I am not 100% sure, but from the CC3235 logs I have I can see a conversion from PEM to DER, so I assume it can accept both.

  • I have another question regarding the documentation. SimpleLink Wi-Fi Certificates Handling SWPU332A states in "1.3.1 DER (*.der extensions) Format" that the DER format is compatible with PKCS#10. openssl does not seem to be able to do that.

    Is that a problem in the document or do I need a special version of openssl?

  • taking it offline to the friendship zone.

  • Hi Chris,

    I was able to test with an enterprise server running TLS 1.0 and PEAP0 MSCHAPv2, and it connects for me.

    The certificates I used were all in PEM format but the filenames were the regular reserved names as above.

    There is a conversion made internally from PEM-->DER. Not sure if it would work directly with DER (didn't have time to check).

    Please note that when using UniFlash and creating these files, the tool should detect that these are PEM formatted files and prompt you for the CR+LF to CR conversion. You should agree.

    Again, only a decent NWP log would tell me more, and for some reason it is not a complete log in your case.

    Can you double check?

    Regards,

    Shlomi

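The three properties this thread keeps circling (PEM vs DER encoding, Windows CR+LF line endings that UniFlash offers to convert, and the validity window that Jan's list ties to reason code 210) can all be checked on the host before the files are flashed. What the NWP itself checks before it raises reason code 209 is not documented on this page, so the following is an added example, not TI code and not part of the thread: a pure-Python checker that detects whether a file is PEM or DER, converts PEM to DER (which is what any internal PEM-to-DER conversion has to do), parses the X.509 validity field out of the DER, and reports whether the certificate is in its validity window at a given time. The sample input is a constructed, unsigned certificate skeleton produced by `constructed_cert()` (issuer, subject and public-key fields are empty placeholders), so it exercises the parser but would fail any real chain validation; in practice you would pass the bytes of your actual ca.der or client.der.

```python
import base64
import datetime
import re

# Matches the first PEM certificate block; re.S lets ".*?" span line breaks.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(data: bytes) -> bytes:
    """Base64-decode the first CERTIFICATE block; whitespace, CR and LF are dropped."""
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode(b"".join(m.group(1).split()))


def _tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of data (truncated file?)")
    return tag, buf[pos:end], end


def _children(value: bytes):
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _parse_time(tag: int, value: bytes) -> datetime.datetime:
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]  # UTCTime / GeneralizedTime
    return datetime.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=datetime.timezone.utc)


def cert_validity(der: bytes):
    """Return (notBefore, notAfter) of an X.509 certificate given as DER bytes."""
    tag, cert, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not one DER SEQUENCE: PEM text, trailing bytes, or garbage")
    tbs_tag, tbs = _children(cert)[0]
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = _children(fields[3][1])     # serial, sigAlg, issuer, validity, ...
    return _parse_time(*validity[0]), _parse_time(*validity[1])


def utc(year: int, month: int, day: int) -> datetime.datetime:
    return datetime.datetime(year, month, day, tzinfo=datetime.timezone.utc)


def check_cert_file(data: bytes, now: datetime.datetime) -> dict:
    """Report the properties that map onto reason codes 209 (format) and 210 (expiry)."""
    report = {"format": "PEM" if b"-----BEGIN" in data else "DER", "crlf": b"\r\n" in data}
    der = pem_to_der(data) if report["format"] == "PEM" else data
    nb, na = cert_validity(der)
    report.update(not_before=nb, not_after=na, valid_now=nb <= now <= na)
    return report


# --- constructed sample input (NOT a real certificate: unsigned, empty names/key) ---
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def constructed_cert(not_before: str, not_after: str) -> bytes:
    """X.509 skeleton with only the fields the checker reads filled in."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),   # [0] version v3
        _der(0x02, b"\x01"),               # serialNumber
        _der(0x30, b""),                   # signature AlgorithmIdentifier (placeholder)
        _der(0x30, b""),                   # issuer Name (placeholder)
        _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode())),
        _der(0x30, b""),                   # subject Name (placeholder)
        _der(0x30, b""),                   # subjectPublicKeyInfo (placeholder)
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))  # + sigAlg + signature


def to_pem(der: bytes, eol: bytes = b"\n") -> bytes:
    """PEM-armour DER bytes; eol=b"\\r\\n" reproduces a file saved on Windows."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return eol.join([b"-----BEGIN CERTIFICATE-----", *lines, b"-----END CERTIFICATE-----"]) + eol
```

Run `check_cert_file(open("ca.pem", "rb").read(), utc(...))` on the file you are about to write as /sys/cert/ca.der; the name on the device stays ca.der regardless of which encoding you flash. If `crlf` comes back True, accept UniFlash's line-ending conversion. The validity check is only as good as the clock it is compared against, which is why Jan's list pairs reason code 210 with "not set time inside NWP".
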
  • Hi Shlomi

    Thank you for your support. When I told the customer that we would need to allow TLS 1.0 on the server side, I was told to switch architecture. To me it makes sense that an end user who cares about security (and therefore wants WPA Enterprise) will not want to open his server to an old, compromised standard.

    If you could pass this comment on to your management, I'd appreciate it. I would have liked to use the CC3235, but as I said, that issue was a roadblock.

    Maybe we'll hear from each other again.

    Best wishes

    Chris

  • Hi Chris,

    From a technical standpoint, using TLS 1.0 with WPA2 EAP is not a security issue. But according to my experience, many big companies including Microsoft and Google have the policy "no TLS 1.0 anywhere". Due to this limitation, the WPA EAP feature on CC32xx/CC31xx is literally useless.

    Side note: I discussed this topic with TI a few times. They were not able to convince me that implementing TLS 1.2 for WPA2 EAP on CC32xx/CC31xx (2nd, 3rd gen) devices is not possible. From my point of view it looks like TI is focusing development resources on newer devices and does not want to allocate resources to new features of older devices.

    Jan

  • Sure Chris,

    I will forward it although as Jan stated, it has been discussed many times before and at this point this is not planned.

    Regards,

    Shlomi

  • Hi Shlomi

    Thank you. Even if discussed many times before, there might be a change in strategy if there's enough evidence that the market actually has a need for that feature. So let's hope...

    Best regards

    Chris