CC3200MOD: CC3200MOD

Emilio La Greca

Prodigy 10 points

Part Number: CC3200MOD
Other Parts Discussed in Thread: CC3200

Tool/software:

We use Microsoft IoTHUB and from 31 August Microsoft is IoTHUB is enforcing:

- TLS 1.2 to be used which CC3200MOD we use is configured already for this.

- One of the recommended ciphers from list below:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA38

Currently CC3200MOD we use is configured to use:

TLS_RSA_WITH_AES_256_CBC_SHA

With CC3200MOD running servicepack_1.0.1.11-2.9.0.0.bin what TLS ciphers are available?

My understanding was that TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is available for use.

1 month ago

0 Brandon Liu 1 month ago

TI__Prodigy 710 points

Hi Emilio,

Page 120 of the Network Processor of the CC3x20 and CC3x3x shows the cipher suites including the one you mentioned (just a slightly different macro definition). The CC3200 on the other hand has the available ciphers shown on page 9 of this manual.

I hope this helps.

0 Emilio La Greca 1 month ago

Prodigy 10 points

Hi Brandon,

Thanks for your reply.

I referred to the manual you specified for the CC3200 (thanks for this - I worked on this product 7-8 years ago).

From the code the mask settings for the cipher are as listed below (socket.h):

#define SL_SEC_MASK_SSL_RSA_WITH_RC4_128_SHA (1 << 0)

#define SL_SEC_MASK_SSL_RSA_WITH_RC4_128_MD5 (1 << 1)

#define SL_SEC_MASK_TLS_RSA_WITH_AES_256_CBC_SHA (1 << 2)

#define SL_SEC_MASK_TLS_DHE_RSA_WITH_AES_256_CBC_SHA (1 << 3)

#define SL_SEC_MASK_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (1 << 4)

#define SL_SEC_MASK_TLS_ECDHE_RSA_WITH_RC4_128_SHA (1 << 5)

#define SL_SEC_MASK_TLS_RSA_WITH_AES_128_CBC_SHA256 (1 << 6)

#define SL_SEC_MASK_TLS_RSA_WITH_AES_256_CBC_SHA256 (1 << 7)

#define SL_SEC_MASK_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (1 << 8)

#define SL_SEC_MASK_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (1 << 9)

We currently use SL_SEC_MASK_TLS_RSA_WITH_AES_256_CBC_SHA (1<<2).

One of the ciphers Microsoft has recommended is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Is SL_SEC_MASK_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (1<<8) supported because when I use this the connection fails yet Microsoft have indicated this recommended cipher is already supported.

Rgds

Emilio

0 Brandon Liu 1 month ago in reply to Emilio La Greca

TI__Prodigy 710 points

Hi Emilio,

The SL_SEC_MASK_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is a cipher suite you can choose for the CC3200 as seen in the 57th page of the CC3200 manual. The list on that page has the same suites that you see (and sent here) in socket.h of the CC3200 SDK.

Section 8.2.2.3 (also at the bottom of page 57) has some things related to what a socket uses for connection which may help you, but I also don't know what stage your connection fails at.

0 Jan D 1 month ago in reply to Brandon Liu

Guru 79905 points

Hi Emilio,

As far I know cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLS socket at client mode was introduced at SDK version 1.1.0 and ServicePack 1.0.0.10.0 and it works properly at CC3200. But this I can't say about IoT Hub. I saw many weird things with this Azure component.

Jan

0 Emilio La Greca 1 month ago in reply to Jan D

Prodigy 10 points

Thanks Jan,

Our device is using SDK 1.3.0 and SP 1.0.1.11-2.9.0.0, so this should be operational.

Microsoft IoTHUB have given us until 31 Aug to comply with new cipher requirement only notifying us 06 Aug via email - disgraceful.

We have 10k devices in service.

CC3200 has proven to be a great system,

IOTHUB has not.

0 Jan D 1 month ago in reply to Emilio La Greca

Guru 79905 points

Hi,

Maybe you can try to test with other server (with enabling TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 only). It is pretty to hard diagnose such kind of issues. At fist step you should try to use Wireshark or tcpdump and sniff beginning of TLS communication. You should see there what cipher suites are offered by CC3200.

Jan

0 Emilio La Greca 29 days ago in reply to Jan D

Prodigy 10 points

Hi Jan,

I received the following response from Microsoft after they checked connection failure:

-->

After reviewing the issue, it appears that the signature algorithm list includes "ECDSA-SHA1" and "DSA-SHA1", which are not supported. This causes the validation to fail, even though valid signatures are also present. Removing these unsupported algorithms from the list may resolve the issue.

<--

I checked and the only mask option I am setting for the MQTT broker socket cipher is "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256".

How can others be in the list as Microsoft have indicated?

0 Jan D 29 days ago in reply to Emilio La Greca

Guru 79905 points

Hi,

I am not sure. I think at first step you should to sniff TLS communication using Wireshark and tcpdump.

From TLS RFC standpoint is not a big issue if one side offer cipher suites which one does not support and this pretty normal. Important thing is that there is at least one cipher supported by the both sides. Personally I don't even believe that what say Microsoft support is correct. If we admit that this is true, this will mean that their implementation is horribly, horribly wrong, and they not respect RFC for TLS.

From the past I know that Microsoft have policy "no SHA1 anywhere". For example they removed SHA1 cipher suites from NetX Duo/NetX secure then this removed mandatory cipher suites according RFC. And they even not bother that this is wrong and this not follow specification. Maybe your case is similar... who knows (definitely this not know a MS support :))

Jan

Wi-Fi

Wi-Fi forum

CC3200MOD: CC3200MOD