Part Number: LAUNCHCC3220MODASF
Hello all,
I am a little bit confused about the terms used and the actions described in "SimpleLink Wi-Fi® CC3x20, CC3x3x Built-in Security Features" (swra509c.pdf) regarding a secure socket.
Basic question: The documentation differentiates between "2.2.3.4 Authenticating the Peer" and "2.2.3.5 Domain Name Verification".
I assume that both actions are used to authenticate and verify a TLS connection between a CC32x20-based network client and a server.
Am I right?
Picture 1 (marked yellow): Is the "Chain of trust evaluation" in section 2.2.3.5 the same as the "Full chain of trust verification" mentioned in section 2.2.3.4?
Picture 2 (marked blue): The section "2.2.3.5 Domain Name Verification" states "This is achieved by comparing the content of the certificate presented by the server and the expected prestored certificate."
Is the "expected prestored certificate" the public certificate of the RootCa?
My sample case:
The server myServer.com has the valid server certificate myServer, which is signed by the intermediate certificate myIntermediate, which in turn is signed by myRootCA.
myServer <- myIntermediate <- myRootCa
On the CC32x0-based device, the public certificate of myRootCa is stored on the file system and the file name is configured using the security attribute SLNETSOCK_SEC_ATTRIB_PEER_ROOT_CA.
Doing so activates the "full chain of trust verification" described in section "2.2.3.4 Authenticating the Peer".
Am I right?
Furthermore, the domain name myServer.com is configured with the security attribute SLNETSOCK_SEC_ATTRIB_DOMAIN_NAME.
Doing so activates the "domain name verification" described in section "2.2.3.5 Domain Name Verification".
Am I right?
The function SlNetSock_secAttribSet, configured with the mentioned security settings, is used to connect to the server myServer.com.
If the function returns 0, then:
* The connection is established in a secure and encrypted way.
* The "full chain of trust verification" described in section 2.2.3.4 is successfully done.
* The "domain name verification" described in section 2.2.3.5 is successfully done.
And lastly:
Is there a technical specification, e.g. an RFC, or a recommendation, ideally published by the NIST, according to which TI has implemented the Full Chain and Domain Name Verification?
Many thanks for reading this.
Best regards,
Roman