
CC3100 SSL: Bad CA file? (Which is the right cipher & method options?)

Other Parts Discussed in Thread: CC3100

Hi all,

So now I can connect to www.google.com:443 after flashing a certificate file to the CC3100's sFlash (I exported the EquifaxSecureCA certificate from Firefox, then used openssl to convert it to .der format and used the FS API to write the .der file to sFlash).

Next, I want to connect to www.meethue.com/api/nupnp:443. In the same way as for google.com, I can export the certificate for that site and write it to the CC3100's sFlash.

In Firefox I can see that the meethue.com site uses TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

The problem is: I don't know which values I should set for SL_SO_SECMETHOD and SL_SO_SECURE_MASK. I tried several combinations and always got an error connecting to that site. The closest option to TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 seems to be SL_SEC_MASK_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, but this also gave error -456. I tried using the default values by not setting SL_SO_SECMETHOD & SL_SO_SECURE_MASK, and the error was also -456. I also tried the values I use for connecting to google.com and got the same error.

I also tried changing the method to SL_SO_SEC_METHOD_SSLV3, SL_SO_SEC_METHOD_TLSV1 and SL_SO_SEC_METHOD_SSLv3_TLSV1_2.

Has anyone had any experience with this? Is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 supported by the CC3100? Which options should I use in this case?

I know what the -456 error code is, but that's not clear enough. Bad file? Or a bad combination of method & cipher? ...

#define SL_ESECBADCAFILE                      (-456)  /* error secure level bad CA file */

Thanks,

Viet Hoang.

  • Hi all,

    My mistake: the certificate file exported from Firefox when visiting google.com:443 in fact cannot be used to connect to the Google page. I have to use the EquifaxSecureCA file.

    But my questions are still the same as above, plus one more: how can we know which certificate file should be used?

    Thanks,

    Viet Hoang.

  • Hi Viet,

    The certificate needed depends upon the application and server requirements.

    For client connection:

    • Private Key, Certificate (SL_SO_SECURE_FILES_PRIVATE_KEY_FILE_NAME, SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME)

    If client authentication is needed by the server, both private key and certificate are mandatory together.

    • Root CA (SL_SO_SECURE_FILES_CA_FILE_NAME)

    The certificate of the root CA that issued the server certificate. This is used to validate the server to which the connection is attempted. This certificate is optional and depends on the application. If server verification is not needed, the connection will still occur, but the connect command returns 'SL_ESECSNOVERIFY' as a warning.

    The -456 error code is returned if a wrong/bad root CA certificate is used.

    Regards,

    Ankur

  • Hi Ankur,

    Thank you for your answers.

    I think that in this particular case (www.meethue.com/api/nupnp:443) there's no need for SL_SO_SECURE_FILES_PRIVATE_KEY_FILE_NAME and SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME. I also successfully used wget on my Linux machine to get the content at https://www.meethue.com/api/nupnp.

    About setting the root CA (SL_SO_SECURE_FILES_CA_FILE_NAME): I also thought that I wrote the wrong CA file to the CC3100's sFlash. But I don't know which file I should use in this case. How can we pick the right CA file for a particular site/server?

    Thanks,

    Viet Hoang.

  • Viet,

    You can also connect to the server without verifying it (without using the root CA). Please check my previous post.

    To use the CA certificate to verify the server: if you know the name of the CA certificate, you can also extract it from your Windows machine.

    http://processors.wiki.ti.com/index.php/CC32xx_SSL_Demo_Application#CA_Certificate

    Otherwise you need to check with the host of the server.

    Regards,

    Ankur

  • Hi Ankur,

    OK, without setting SL_SO_SECURE_FILES_CA_FILE_NAME I can connect to that meethue site, and connect() returns SL_ESECSNOVERIFY.

    Thank you very much,

    Viet Hoang.

  • Hi,

    I did the same in code without setting SL_SO_SECURE_FILES_CA_FILE_NAME, and sl_connect() returns SL_ESECSNOVERIFY (-453). However, I also got SL_SOCKET_ASYNC_EVENT, with EventType SSL_ACCEPT (1).

    What does this mean?

    Thanks,

    Leo