
CC3235SF: secure socket problem

Part Number: CC3235SF

Hi TI engineer,

The SDK version is now 6.10.00.05. I use the secure socket API to connect to a secure server. The TCP connection succeeds, but no SSL handshake takes place.

This is my secure socket code:

    ssl_fd = sl_Socket(AF_INET, SOCK_STREAM, 0);   /* protocol argument 0: plain TCP */
    if (ssl_fd < 0)
    {
        goto tcp_error;
    }

    SlSockSecureMethod_t method;
    _i16 status;
    /* allow any protocol version from SSLv3 up to TLS 1.2 */
    method.SecureMethod = SL_SO_SEC_METHOD_SSLv3_TLSV1_2;
    status = sl_SetSockOpt(ssl_fd, SL_SOL_SOCKET, SL_SO_SECMETHOD, &method, sizeof(SlSockSecureMethod_t));
    SYS_LOGW(SSL_TAG, "sl_SetSockOpt SSL status=%d", status);
    SlSockSecureMask_t mask;
    mask.SecureMask = 0xFFFFF;   /* enable every cipher suite the NWP offers */
    status = sl_SetSockOpt(ssl_fd, SL_SOL_SOCKET, SL_SO_SECURE_MASK, &mask, sizeof(SlSockSecureMask_t));
    SYS_LOGW(SSL_TAG, "sl_SetSockOpt SSL mask=%d", status);
    /* CA file "ssl_ca" must already exist in the device file system */
    status = sl_SetSockOpt(ssl_fd, SL_SOL_SOCKET, SL_SO_SECURE_FILES_CA_FILE_NAME, "ssl_ca", strlen("ssl_ca"));
    _u32 dummyVal;
    /* do not check the CA against the device's trusted root-certificate catalog */
    status = sl_SetSockOpt(ssl_fd, SL_SOL_SOCKET, SL_SO_SECURE_DISABLE_CERTIFICATE_STORE, &dummyVal, sizeof(dummyVal));

    ret = sl_Connect(ssl_fd, (struct sockaddr *)&dest, sizeof(dest));
    if (ret != 0)
    {
        SYS_LOGE(SSL_TAG, "connect failed, ret is %d, errno is %d\n", ret, errno);
        sl_Close(ssl_fd);
        sleep(1);
        goto create_socket;
    }

    SYS_LOGI(SSL_TAG, "tcp client connect success\n");
    while (1)
    {
        ret = sl_Recv(ssl_fd, ssl_recv_buf, MAX_SSL_MSG, 0);

        if (ret < 0)
        {
            SYS_LOGE(SSL_TAG, "failed\n  ! sl_Recv returned %d, errno=%d\r\n", ret, errno);
            break;
        }

        if (ret == 0)
        {
            SYS_LOGE(SSL_TAG, "server disconnected");
            break;
        }
        if (ssl_param.ssl_recv_deal)
            ssl_param.ssl_recv_deal(ssl_recv_buf, ret);
    }
    sl_Close(ssl_fd);

  • Hi Lemon,

    Yes, this is expected. Because you have created a pure TCP socket, not a secured socket. For TLS sockets you need to create the socket with the secured flag (SL_SEC_SOCKET), e.g.:

    sl_Socket(SL_AF_INET, SL_SOCK_STREAM, SL_SEC_SOCKET);

    Jan

  • Thanks for the reply!

    This was a bad error on my part. The test now succeeds. Does it support not verifying certificates?

  • Hi,

    If you don't want to verify certificates, you can continue with the connection when SL_ERROR_BSD_ESECSNOVERIFY is returned from the sl_Connect() API.

    Jan

  • Hi,

    I am testing a connection to AWS, which needs to verify both server and client. The certs are OK and another device can connect to AWS. But now the connection fails; sl_Connect returns -688.

        SlSockSecureMethod_t method;
        _i16 status;
        /* allow any protocol version from SSLv3 up to TLS 1.2 */
        method.SecureMethod = SL_SO_SEC_METHOD_SSLv3_TLSV1_2;
        status = sl_SetSockOpt(ssl_fd, SL_SOL_SOCKET, SL_SO_SECMETHOD, &method, sizeof(SlSockSecureMethod_t));
        SYS_LOGW(SSL_TAG, "sl_SetSockOpt SSL status=%d", status);
        SlSockSecureMask_t mask;
        mask.SecureMask = 0xFFFFF;   /* enable every cipher suite the NWP offers */
        status = sl_SetSockOpt(ssl_fd, SL_SOL_SOCKET, SL_SO_SECURE_MASK, &mask, sizeof(SlSockSecureMask_t));
        SYS_LOGW(SSL_TAG, "sl_SetSockOpt SSL mask=%d", status);

        /* server verification: the CA file must sign the server's certificate chain */
        if (ssl_param.mode >= SSL_MODE_CHECK_SERVER)
        {
            status = sl_SetSockOpt(ssl_fd, SL_SOL_SOCKET, SL_SO_SECURE_FILES_CA_FILE_NAME, "ssl_ca", strlen("ssl_ca"));
            SYS_LOGW(SSL_TAG, "sl_SetSockOpt SSL SL_SO_SECURE_FILES_CA_FILE_NAME=%d", status);
        }
        /* client authentication: device certificate and its private key */
        if (ssl_param.mode == SSL_MODE_CHECK_CLIENT)
        {
            status = sl_SetSockOpt(ssl_fd, SL_SOL_SOCKET, SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME, "ssl_client_cert", strlen("ssl_client_cert"));
            SYS_LOGW(SSL_TAG, "sl_SetSockOpt SSL SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME=%d", status);
            status = sl_SetSockOpt(ssl_fd, SL_SOL_SOCKET, SL_SO_SECURE_FILES_PRIVATE_KEY_FILE_NAME, "ssl_client_key", strlen("ssl_client_key"));
            SYS_LOGW(SSL_TAG, "sl_SetSockOpt SSL SL_SO_SECURE_FILES_PRIVATE_KEY_FILE_NAME=%d", status);
        }
        _u32 dummyVal;
        /* do not check the CA against the device's trusted root-certificate catalog */
        status = sl_SetSockOpt(ssl_fd, SL_SOL_SOCKET, SL_SO_SECURE_DISABLE_CERTIFICATE_STORE, &dummyVal, sizeof(dummyVal));

        ret = sl_Connect(ssl_fd, (struct sockaddr *)&dest, sizeof(dest));
        if (ret != 0)
        {
            /* handshake finished but the server was not verified: accepted only in no-check mode */
            if (ssl_param.mode == SSL_MODE_NOCHECK_SERVER && ret == SL_ERROR_BSD_ESECSNOVERIFY)
            {
                SYS_LOGE(SSL_TAG, "ssl connected but server not verified");
            }
            else
            {
                SYS_LOGE(SSL_TAG, "connect failed, ret is %d, errno is %d\n", ret, errno);
                sl_Close(ssl_fd);
                sleep(1);
                goto create_socket;
            }
        }
       

    What configuration is needed?

  • Hi,

    For such authentication you need to set and upload the certificate, private key and CA file. Usage of self-signed certificates with AWS may be problematic.

    For more details about AWS connectivity issues please search for "SL_ERROR_BSD_ESEC_ASN_NO_SIGNER_E AWS" or "-688 AWS" at e2e forum. You will find multiple threads related to this topic.

    Jan
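
The three decisions this thread turns on can be modelled on the host: a socket opened without SL_SEC_SOCKET ignores every SL_SO_SEC* option and sl_Connect() performs a plaintext TCP connect; SL_ERROR_BSD_ESECSNOVERIFY means the handshake finished without the server being verified, which is only acceptable when no verification was asked for; and -688 (SL_ERROR_BSD_ESEC_ASN_NO_SIGNER_E) means no certificate in the uploaded CA file signs the server's chain. The following is an added example, not code from the thread or from the TI SimpleLink SDK. The ssl_mode_t values, the tls_cfg_t struct and the two function names are assumptions of this example (the thread's own SSL_MODE_* definition is never shown; the enum below only mirrors the ordering the posted code relies on), and the SL_* numeric values are copied from the CC32xx SimpleLink headers under #ifndef guards so the file compiles without the SDK; confirm them against your SDK version.

```c
/* Added example (not from the thread or the TI SDK): host-side model of the
 * secure-socket decisions discussed above. SL_* values are copied from the
 * CC32xx SimpleLink headers; the guards let the SDK's definitions win. */
#include <stdio.h>

#ifndef SL_SEC_SOCKET
#define SL_SEC_SOCKET                     (1)     /* sl_Socket() protocol flag: TLS socket */
#endif
#ifndef SL_ERROR_BSD_ESECSNOVERIFY
#define SL_ERROR_BSD_ESECSNOVERIFY        (-453L) /* connected, server cert not verified */
#endif
#ifndef SL_ERROR_BSD_ESEC_ASN_NO_SIGNER_E
#define SL_ERROR_BSD_ESEC_ASN_NO_SIGNER_E (-688L) /* no CA in the CA file signs the chain */
#endif

/* Assumed ordering: the posted code tests mode >= CHECK_SERVER and == CHECK_CLIENT. */
typedef enum {
    SSL_MODE_NOCHECK_SERVER = 0, /* encrypt only; any server certificate accepted */
    SSL_MODE_CHECK_SERVER   = 1, /* verify the server against the CA file */
    SSL_MODE_CHECK_CLIENT   = 2  /* additionally present a client certificate (mutual TLS) */
} ssl_mode_t;

typedef struct {
    int         proto;     /* third argument given to sl_Socket() */
    const char *ca_file;   /* SL_SO_SECURE_FILES_CA_FILE_NAME, or NULL */
    const char *cert_file; /* SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME, or NULL */
    const char *key_file;  /* SL_SO_SECURE_FILES_PRIVATE_KEY_FILE_NAME, or NULL */
    ssl_mode_t  mode;
} tls_cfg_t;

typedef enum { TLS_CONNECTED_VERIFIED, TLS_CONNECTED_UNVERIFIED, TLS_FAILED } tls_outcome_t;

/* Pre-flight check to run before sl_Connect(). Returns NULL when the
 * configuration is consistent, otherwise a string naming the first problem. */
const char *tls_cfg_check(const tls_cfg_t *c)
{
    if (c->proto != SL_SEC_SOCKET)
        return "socket not opened with SL_SEC_SOCKET: SL_SO_SEC* options are ignored "
               "and sl_Connect() performs a plaintext TCP connect";
    if (c->mode >= SSL_MODE_CHECK_SERVER && c->ca_file == NULL)
        return "server verification requested but no CA file set";
    if (c->mode == SSL_MODE_CHECK_CLIENT && (c->cert_file == NULL || c->key_file == NULL))
        return "client authentication needs both a certificate file and a private key file";
    return NULL;
}

/* Classify the return value of sl_Connect() on a secure socket.
 * *why (may be NULL) receives a one-line diagnosis. */
tls_outcome_t tls_connect_outcome(long ret, const tls_cfg_t *c, const char **why)
{
    const char *msg;
    tls_outcome_t out;

    if (ret == 0 && c->ca_file != NULL) {
        msg = "handshake complete, server certificate chains to the CA file";
        out = TLS_CONNECTED_VERIFIED;
    } else if (ret == 0 || ret == SL_ERROR_BSD_ESECSNOVERIFY) {
        /* Encrypted, but the peer's identity was not checked: acceptable only
         * when the caller explicitly asked for no server verification. */
        if (c->mode == SSL_MODE_NOCHECK_SERVER) {
            msg = "connected without server verification (no protection against MITM)";
            out = TLS_CONNECTED_UNVERIFIED;
        } else {
            msg = "server not verified but verification was requested: close the socket";
            out = TLS_FAILED;
        }
    } else if (ret == SL_ERROR_BSD_ESEC_ASN_NO_SIGNER_E) {
        msg = "no certificate in the CA file signs the server's chain (-688): wrong or incomplete CA file";
        out = TLS_FAILED;
    } else {
        msg = "sl_Connect() failed";
        out = TLS_FAILED;
    }
    if (why) *why = msg;
    return out;
}

int main(void)
{
    /* Constructed cases mirroring the three posts in the thread. */
    tls_cfg_t post1 = { 0, "ssl_ca", NULL, NULL, SSL_MODE_CHECK_SERVER };
    tls_cfg_t post2 = { SL_SEC_SOCKET, NULL, NULL, NULL, SSL_MODE_NOCHECK_SERVER };
    tls_cfg_t post3 = { SL_SEC_SOCKET, "ssl_ca", "ssl_client_cert", "ssl_client_key", SSL_MODE_CHECK_CLIENT };
    const char *why;

    printf("post 1: %s\n", tls_cfg_check(&post1));
    tls_connect_outcome(SL_ERROR_BSD_ESECSNOVERIFY, &post2, &why);
    printf("post 2: %s\n", why);
    tls_connect_outcome(SL_ERROR_BSD_ESEC_ASN_NO_SIGNER_E, &post3, &why);
    printf("post 3: %s\n", why);
    return 0;
}
```

On the device, call tls_cfg_check() with the values you are about to pass to sl_Socket() and sl_SetSockOpt(), and feed the sl_Connect() result through tls_connect_outcome() instead of treating every non-zero return the same way; the first post's silent fallback to plaintext is exactly the case the proto check catches, and the ESECSNOVERIFY branch keeps "continue without verification" an explicit decision rather than a default.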