• State
  • Locked Locked
  • Replies 5 replies
  • Subscribers 40 subscribers
  • Views 1011 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

Open TLS Socket

Rosario Borsellino
Intellectual 290 points
Other Parts Discussed in Thread: UNIFLASH, CC3200

Hello,

I'm having a hard time trying to connect trough an encrypted socket.

My final objective is to establish an MQTT_client connection through a TLS1.2 socket.

Currently I'm trying to use the TI ssl example to connect to www.google.com or to test.mosquitto.org, I've used all combination of ciphers and metods, flashed the correct CA file and even private key and certificate, and trying to connect to mosquitto via 8884 port.

I've followed the TI wiki to setup the environment for this example.

From the example I removed the command:

lRetVal = sl_SetSockOpt(iSockID, SL_SOL_SOCKET, \
                            SO_SECURE_DOMAIN_NAME_VERIFICATION, \
                            g_Host, strlen((const char *)g_Host));

because it always returns SL_ENOPROTOOPT (-92)

I'm under linux fedora24 so to download google certificate I followed the wiki procedure exporting it from chrome, when I try to connect using the function sl_Connect(), it returns  the error SL_ESEC_PROTOCOL_VERSION (-370)

Using different combinations of methods and ciphers sometimes I receive the error SL_ESEC_HANDSHAKE_FAILURE (-340).

Therefore I tried the same example configuring it for the server test.mosquitto.org:

- SERVER_NAME "test.mosquitto.org"

- GOOGLE_DST_PORT 8883

- SL_SSL_CA_CERT_FILE_NAME "/cert/129.der" downloaded from test.mosquitto.org in der format

Result: same errors as above.

At last I tried mosquitto to the port 8884, following the mosquitto procedure:

- generate client.key in PEM format

- generate client.csr file

- paste on mosquitto page

- download client.crt

- convert certificate in DER format: $openssl x509 -outform der -in client.crt -out client_crt.der

- convert private_key in DER format: $openssl rsa -in client.key -pubout -outform DER -out client_key.der

- flash files in cc3200 via UniFlash

I added the following code to the example:

-------------------------------------------------------------------------------------------------------------------

#define SL_SSL_KEY_CERT_FILE_NAME "/cert/127.der"

#define SL_SSL_CRT_CERT_FILE_NAME "/cert/128.der"

    lRetVal = sl_SetSockOpt(iSockID, SL_SOL_SOCKET, \
                            SL_SO_SECURE_FILES_PRIVATE_KEY_FILE_NAME, \
                           SL_SSL_KEY_CERT_FILE_NAME, \
                           strlen(SL_SSL_KEY_CERT_FILE_NAME));

    if(lRetVal < 0)
    {
        UART_PRINT("Device couldn't set socket options key \n\r");
        GPIO_IF_LedOn(MCU_RED_LED_GPIO);
        return lRetVal;
    }

    lRetVal = sl_SetSockOpt(iSockID, SL_SOL_SOCKET, \
                            SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME, \
                           SL_SSL_CRT_CERT_FILE_NAME, \
                           strlen(SL_SSL_CRT_CERT_FILE_NAME));

    if(lRetVal < 0)
    {
        UART_PRINT("Device couldn't set socket options crt \n\r");
        GPIO_IF_LedOn(MCU_RED_LED_GPIO);
        return lRetVal;
    }

-------------------------------------------------------------------------------------------------------------------

This time the return error is SL_ESECHANDSHAKETIMEDOUT (-462).

If I use openssl from pc with the same parameters, the socket connects without errors.

Could you give me some advice for trying to solve this issue?

Thanks,

Rosario

  • 0
    TI__Mastermind 27605 points
    Hi Rosario,

    Here are a few points:

    You have to download the ROOT CA certificate, and not the certificate issued to the domain in question. Make sure the signer is the same as the signee (all root CA certs are self signed)
    . You should also remove any calls to setting the socket options for ciphers, etc. since that only limits the possible ciphers. Excluding this will allow a full negotiation.
    Please check the SSL example again with these 2 considerations.

    -Aaron
  • 0 in reply to made4engineering
    Intellectual 290 points
    Thank you Aaron for the reply,
    I will follow the procedure to create my own ROOT CA in my server this afternoon, but now i would like to make run the ssl example just with google.
    As you suggested I removed the setup of cipher and method from code.
    I downloaded the google certificate using firefox by clicking the green bolt in the address bar and exporting it in DER format.
    It's name is GeoTrustGlobalCA.crt
    Flashed it and tried the example, sl_Connect() return me SL_ESEC_ASN_SIG_CONFIRM_E (-155).
    If I setup cipher and method, sl_Connect() return me (-340) or (-370).

    What I'm doing wrong? Is there another way to download google CAfile apart this and the one from the wiki?
    If I connect via openssl, the socket open correctly, typing the command:
    $openssl s_client -connect www.google.com:443 -CAfile GeoTrustGlobalCA.crt

    The printout is:
    CONNECTED(00000003)
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify return:1
    depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
    verify return:1
    ---
    Certificate chain
    0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    i:/C=US/O=Google Inc/CN=Google Internet Authority G2
    1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIEgDCCA2igAwIBAgIIP3RJuIQCu0owDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
    BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
    cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwMzI5MTM0MjQ3WhcNMTcwNjIxMTMzMDAw
    WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
    TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
    Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYwjJV
    23SwlE2mr5QqfSfhYLEFa0Wb8Usm7AmperGC5ff17ZS1E4HV0gmk92Mv/3Rquet5
    Wo+PYVTMDFcesbQVf7aCF8xtlA7Lm7gBRfIfhTKJ66al+B73xiKWZiqX/Ywq2g3u
    ilap+FUGxTwtANz27TWGOnjgMU42g34XCm1TkO6P+NB5z9CiSl/f0WpaYgRLQj3j
    0wHhbbMr5iT/fKBAfEOoLhZ8UAmUXq56wTDY95tli4isVBGkGcjUaesgqw3gb5i3
    tVtGObbnGEBV9YgwLiQFnWYt+G0Iddnzxi2djf8HV5dVwaGcuZzVAZd+gbe2I+MS
    FQpTWM5Ht4FtF23zAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
    KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
    XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
    MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
    A1UdDgQWBBRqf2VUXS9eXzSAijCAdOHcfKOGmTAMBgNVHRMBAf8EAjAAMB8GA1Ud
    IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
    eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
    bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEATN3m4gZHvD2KSAfH
    j9LfldNVHKi+5UdENFKMNjIAvGA+fqaRPT0mVmoS/xDHEY8TX1JC+vivc2f3+6oj
    qLdlqtZF9qeFyT1aYwxSqYeh2q0r9VXxIDbPG7MqFPWLc2Cs58iseEkF/xsflnBL
    9GnwAOySF8a/M4oTJCoCgSKz4cXFxoMB70RK/YIOtjVzbrb0sy8Xm8Qjx9FY6wj6
    HWzb7Bu6z3b9x8zYOYLdk5KVeEFDzckJvyUH3rgQinaHG88Mh1+Y/4wpcxyRnZZ1
    EBMhAzEtZNuqhsJqDuurBGvB9mxi7flr/Y8H1jgsTWKyg6BMdFnB79mQSU9OSVaq
    gyyGbg==
    -----END CERTIFICATE-----
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 3727 bytes and written 327 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 8C7486A397A58330E3E7A865AE72DA325D57C97FB531ACA3C71DF5A2449F08B4
    Session-ID-ctx:
    Master-Key: D0D082B77FDD3F1FD4A7C4310E13EB833A93C50F6E36FF02832F04DA3313D74FA2AE3A522CBE1F9594DD8763F36DAABB
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - a2 65 ba c5 8d 61 cb 28-0c ea b2 fe a9 2f 10 09 .e...a.(...../..
    0010 - 15 67 ec 05 c2 52 a8 4d-23 0f 10 3c 7e a7 a2 97 .g...R.M#..<~...
    0020 - 49 7e 83 9b 5c bc ad 57-95 f1 1f cc 23 76 88 fb I~..\..W....#v..
    0030 - ec da ff e3 1e f2 f5 95-38 32 6f 99 8d f7 83 39 ........82o....9
    0040 - fd 37 f3 32 4e 7f e1 52-20 39 57 6e 66 34 67 50 .7.2N..R 9Wnf4gP
    0050 - 45 f1 74 1f 60 57 65 83-41 22 f3 4b 5d ee 94 89 E.t.`We.A".K]...
    0060 - 7a 14 76 83 da a4 6d c0-1b e1 d3 b0 8c c2 ad e7 z.v...m.........
    0070 - e8 0d 30 bf aa d2 a5 91-84 80 85 84 92 dd 24 0d ..0...........$.
    0080 - 99 37 4a 87 29 2e 5c 42-90 fc d9 59 66 9e b4 12 .7J.).\B...Yf...
    0090 - ad 2d 88 fc 1a 60 74 35-29 4e da c9 36 b0 a5 70 .-...`t5)N..6..p
    00a0 - 8c e8 1a bf ....

    Start Time: 1491817544
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
    ---

    Will the NWP printout be of any use in this situation?
  • 0 in reply to Rosario Borsellino
    TI__Expert 3470 points

    Hello Rosario,

    Couple of things that might help.

    1.  In your certificate chain above, please note that the root of the chain is Equifax.  This is what the NWP will verify the complete root of trust against.  Please download and use that certificate in your filesystem.

    0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com

    i:/C=US/O=Google Inc/CN=Google Internet Authority G2
    1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

     

    2.  Please configure the cipher as SL_SEC_MASK_TLS_RSA_WITH_AES_256_CBC_SHA  

    unsigned int uiCipher = SL_SEC_MASK_TLS_RSA_WITH_AES_256_CBC_SHA;

sl_SetSockOpt(iSockID, SL_SOL_SOCKET, SL_SO_SECURE_MASK, &uiCipher, sizeof(uiCipher));

    Hope that helps,

    ~roger

    AES256-SHA
  • 0 in reply to RogerMonk
    Intellectual 290 points
    Thank you Roger,
    but no luck so far.
    I tried a fresh start and I imported the TI ssl example in a new workspace and from this I made the following:
    1) - in main.c I removed all the calls for gpio_if (cause in my board those are inputs) and set the time defines.
    2) - in pinmux.c I removed the configurations of the gpio and added the configuration for the standard UART (PIN_55 TX, PIN_57 RX).
    3) - in properties I removed the symbol NOTERM.
    4) - with UniFlash I added the file MD5CollisionsInc(http:wwwphreedomorgmd5).crt from EquifaxInc as /cert/testcacert.der (exported from firefox in DER format).
    5) - I built and ran it.
    The function sl_Connect() returned the code SL_ESEC_HANDSHAKE_FAILURE (-340).

    So I tried with:
    unsigned int uiCipher = SL_SEC_MASK_TLS_RSA_WITH_AES_256_CBC_SHA;
    Now sl_Connect() returns the code SL_ESEC_ASN_SIG_CONFIRM_E (-155).

    I tried with Aaron hint: I removed the two calls that set the method and cipher.
    But I got the same error: SL_ESEC_ASN_SIG_CONFIRM_E (-155).

    It seems that point 4 is wrong, if I flash a CA certificate for a different server I get the same error.

    Could you send me a tested ROOT CA for google or could you tell me how I can get one that does not give me the above error?

    Are those errors related to a bad certificate only or there are some other issues?

    Is there another ssl example that I could try to test the correct functionality of an encrypted socket?

    Thank you,
    Rosario
  • 0 in reply to Rosario Borsellino
    TI__Expert 3470 points

    Hi Rosario,

    Please try the following cert, (printed using openssl) and use the SL_SEC_MASK_TLS_RSA_WITH_AES_256_CBC_SHA  cipher.

    $ openssl.exe x509 -in equifax.cer -inform DER
    -----BEGIN CERTIFICATE-----
    MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
    UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
    dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1
    MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx
    dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f
    BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A
    cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC
    AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ
    MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm
    aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw
    ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
    IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF
    MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA
    A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y
    7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh
    1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4
    -----END CERTIFICATE-----

    Let me know ;)

    ~roger