
CC3220S-LAUNCHXL: SimpleLink Secure Socket Connection Failure.

Part Number: CC3220S-LAUNCHXL
Other Parts Discussed in Thread: CC3220S, UNIFLASH

This code uses the netwifi.c file found in many of the examples to make the initial connection to the wlan, but afterwards it attempts a Secure TLS connection to the AWS IOT port, and fails with the -468 error.

This has been discussed in a few threads here with no solution that I can find. There are some workarounds that involve ignoring the connection error, but no solution.

I'm starting a new one because the others have died or become too confused.

Can someone at TI verify that this fails or works on different hardware than I'm using? I manually wrote the DER certificates/key files into the directories mentioned.

I'm using a CC3220S LAUNCHXL Rev A.

//*****************************************************************************
// includes
//*****************************************************************************
#include <stdlib.h>
#include <string.h>     /* strlen() */

/* TI-DRIVERS Header files */
#include <ti/display/Display.h>
#include <ti/drivers/net/wifi/simplelink.h>
#include "uart_term.h"

//****************************************************************************
//                      LOCAL FUNCTION PROTOTYPES
//****************************************************************************

#define AWS_IOT_MQTT_HOST              "a3joj5u9gv9t8f.iot.us-east-1.amazonaws.com" ///< Customer specific MQTT HOST. The same will be used for Thing Shadow
#define AWS_IOT_MQTT_PORT              8883 ///< default port for MQTT/S

#define AWS_IOT_ROOT_CA_FILENAME       "/cert/root-ca.crt" ///< Root CA file name
#define AWS_IOT_CERTIFICATE_FILENAME   "/cert/545acc1c00-certificate.crt" ///< device signed certificate file name
#define AWS_IOT_PRIVATE_KEY_FILENAME   "/cert/545acc1c00-private.key" ///< Device private key filename

extern void NetWiFi_init();
extern Display_Handle AWSIOT_display;


//*****************************************************************************
//
//! mainThread
//!
//!  \param  pvParameters
//!
//!  \return none
//!
//!  \brief Task handler
//
//*****************************************************************************

void *manualMainThread(void *arg0)
{
    _i16 status = -1;
    _i16 sHandle;
    _u32 DestinationIP;
    SlSockAddrIn_t Addr;
    _u8 secMethod = SL_SO_SEC_METHOD_SSLv3_TLSV1_2;

    (void)arg0;

    /* Initialize SimpleLink and join the WLAN (netwifi.c from the SDK examples) */
    NetWiFi_init();

    /* Resolve the AWS IoT endpoint; check the result rather than assuming success */
    status = sl_NetAppDnsGetHostByName((_i8 *)AWS_IOT_MQTT_HOST, strlen(AWS_IOT_MQTT_HOST),
                                       &DestinationIP, SL_AF_INET);
    if ( status < 0 ) {
        Display_printf(AWSIOT_display, 0, 0, "DNS lookup fail: %d\n", status);
        return (NULL);
    }

    /* Open a secure (TLS) TCP socket */
    sHandle = sl_Socket(SL_AF_INET, SL_SOCK_STREAM, SL_SEC_SOCKET);
    if ( sHandle < 0 ) {
        Display_printf(AWSIOT_display, 0, 0, "sl_Socket fail: %d\n", sHandle);
        return (NULL);
    }

    /* TLS version and the DER files written to /cert on the serial flash */
    sl_SetSockOpt(sHandle, SL_SOL_SOCKET, SL_SO_SECMETHOD, &secMethod, sizeof(secMethod));
    sl_SetSockOpt(sHandle, SL_SOL_SOCKET, SL_SO_SECURE_FILES_CA_FILE_NAME,
                  AWS_IOT_ROOT_CA_FILENAME, strlen(AWS_IOT_ROOT_CA_FILENAME));
    sl_SetSockOpt(sHandle, SL_SOL_SOCKET, SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME,
                  AWS_IOT_CERTIFICATE_FILENAME, strlen(AWS_IOT_CERTIFICATE_FILENAME));
    sl_SetSockOpt(sHandle, SL_SOL_SOCKET, SL_SO_SECURE_FILES_PRIVATE_KEY_FILE_NAME,
                  AWS_IOT_PRIVATE_KEY_FILENAME, strlen(AWS_IOT_PRIVATE_KEY_FILENAME));

    Addr.sin_family = SL_AF_INET;
    Addr.sin_port = sl_Htons(AWS_IOT_MQTT_PORT);
    Addr.sin_addr.s_addr = sl_Htonl(DestinationIP);

    // fail -468 error here (SL_ERROR_BSD_ESECUNKNOWNROOTCA: root CA not in the catalog)
    status = sl_Connect(sHandle, (const SlSockAddr_t *)&Addr, sizeof(Addr));
    if ( status < 0 ) {
        Display_printf(AWSIOT_display, 0, 0, "sl_Connect fail: %d\n", status);
        sl_Close(sHandle);
        return (NULL);
    }

    sl_Close(sHandle);

    return (NULL);
}

  • Karl,

    I do not see an issue with the procedure itself.

    BTW, have you used the AWS package itself?

    In any case, the SL_ERROR_BSD_ESECUNKNOWNROOTCA error indicates that the root CA is not known to your certificate catalog.

    Where did you get the root CA? Can you attach it?

    What root CA catalog are you using via Uniflash?

    Regards,

    Shlomi

  • Hi Shlomi, 

    I have tried the AWS package but it gives the same error. It's for that reason that I am trying to debug the issue.

    I got the root CA from AWS. See pem version below. It works okay when I attempt the same connection with openssh.

    The latest flash was done with OOB-RTOS.zip file from the SDK using the playground certificates. Since the root CA is being validated by AWS's server it doesn't matter what was used to flash the CC3220.

    Thanks, 

    Karl.

    -----BEGIN CERTIFICATE-----
    MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB
    yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
    ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
    U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
    ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
    aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL
    MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
    ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln
    biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp
    U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y
    aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1
    nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex
    t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz
    SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG
    BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+
    rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/
    NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
    BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH
    BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy
    aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv
    MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE
    p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y
    5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK
    WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ
    4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N
    hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq
    -----END CERTIFICATE-----
    

  • Now it all makes sense.

    The CA you are using is real and works fine with your openssh.

    When you work with cc3220, you need to have the ability to check these root CAs against a real root CA catalog, not the playground one which is fake for development purposes.

    Please use the real one from <SDK installation dir>\tools\cc31xx_tools\certificate-catalog

    Shlomi
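
The two points above, Karl writing the certificates to the device as DER files and Shlomi's explanation that a root CA is only accepted if it is in the device's certificate catalog, can be checked on a host before flashing anything. The following C program is an added example, not code from this thread or from the SimpleLink SDK: it base64-decodes the PEM Karl posted into DER (the form stored under /cert), walks the X.509 structure far enough to reach the issuer and subject Names, and reports whether they are identical. An identical pair is what makes this certificate a self-signed trust anchor: nothing the TLS peer sends can prove it, so only the flashed catalog can vouch for it. The function names (pem_to_der, der_hdr, cert_is_self_signed, check_root_ca, pem_der_len) are this example's own, and the PEM is embedded as constructed sample input.

```c
/* Added example, not code from the thread or the SimpleLink SDK: PEM -> DER
 * conversion plus a minimal X.509 walk that checks issuer == subject (a
 * self-signed trust anchor). Sample input: the root CA PEM Karl posted above. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PEM_HDR "-----BEGIN CERTIFICATE-----"
#define PEM_FTR "-----END CERTIFICATE-----"
static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
static const char ROOT_CA_PEM[] = PEM_HDR "\n"
"MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB" "yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL" "ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp"
"U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW" "ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0" "aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL"
"MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW" "ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln" "biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp"
"U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y" "aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1" "nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex"
"t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz" "SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG" "BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+"
"rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/" "NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E" "BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH"
"BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy" "aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv" "MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE"
"p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y" "5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK" "WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ"
"4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N" "hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq"
"\n" PEM_FTR "\n";

/* Base64-decode the body between the armour lines. Returns DER length or -1. */
int pem_to_der(const char *pem, uint8_t *out, size_t cap)
{
    const char *p = strstr(pem, PEM_HDR), *end = strstr(pem, PEM_FTR), *q;
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    if (!p || !end || p > end) return -1;
    for (p += strlen(PEM_HDR); p < end; p++) {
        if (*p == '\n' || *p == '\r' || *p == ' ' || *p == '=') continue;
        if (!(q = strchr(B64, *p))) return -1;        /* not a base64 digit */
        acc = (acc << 6) | (uint32_t)(q - B64);
        if ((bits += 6) < 8) continue;
        bits -= 8;
        if (n >= cap) return -1;
        out[n++] = (uint8_t)(acc >> bits);
        acc &= (1u << bits) - 1;                      /* keep only leftover bits */
    }
    return (int)n;
}

/* Parse one DER tag/length header; returns the header size, 0 on error. */
static size_t der_hdr(const uint8_t *p, size_t avail, uint8_t *tag, size_t *len)
{
    size_t hdr = 2, l, nb, i;
    if (avail < 2) return 0;
    *tag = p[0];
    l = nb = p[1] & 0x7F;                   /* short-form length, or byte count */
    if (p[1] & 0x80) {                      /* long form: 1 or 2 length bytes */
        if (nb < 1 || nb > 2 || avail < 2 + nb) return 0;
        for (l = 0, i = 0; i < nb; i++) l = (l << 8) | p[2 + i];
        hdr += nb;
    }
    if (l > avail - hdr) return 0;
    *len = l;
    return hdr;
}

/* 1 if issuer and subject Names are byte-identical, 0 if not, -1 if the DER is
 * not shaped like Certificate { tbsCertificate { ... } }. Nothing else is checked. */
int cert_is_self_signed(const uint8_t *der, size_t len)
{
    const uint8_t *p = der, *issuer = NULL, *subject = NULL;
    size_t avail = len, l, h, ilen = 0, slen = 0;
    uint8_t tag;
    int field = 0;
    if (!(h = der_hdr(p, avail, &tag, &l)) || tag != 0x30) return -1;  /* Certificate */
    p += h; avail = l;
    if (!(h = der_hdr(p, avail, &tag, &l)) || tag != 0x30) return -1;  /* tbsCertificate */
    p += h; avail = l;
    /* tbs fields: [0] version (optional), serialNumber, signature, issuer, validity, subject */
    while (avail && field < 6) {
        if (!(h = der_hdr(p, avail, &tag, &l))) return -1;
        if (field == 0 && tag != 0xA0) field = 1;               /* version omitted */
        if ((field == 3 || field == 5) && tag != 0x30) return -1; /* Name is a SEQUENCE */
        if (field == 3) { issuer = p;  ilen = h + l; }
        if (field == 5) { subject = p; slen = h + l; }
        p += h + l; avail -= h + l; field++;
    }
    if (!issuer || !subject) return -1;
    return (ilen == slen && memcmp(issuer, subject, ilen) == 0) ? 1 : 0;
}

/* Wrappers: DER size of a PEM (-1 if it does not decode) and the verdict above. */
int pem_der_len(const char *pem) { uint8_t d[4096]; return pem_to_der(pem, d, sizeof d); }
int check_root_ca(const char *pem)
{
    uint8_t der[4096];
    int n = pem_to_der(pem, der, sizeof der);
    return n < 0 ? -1 : cert_is_self_signed(der, (size_t)n);
}

int main(void)
{
    int r = check_root_ca(ROOT_CA_PEM);
    printf("DER: %d bytes, self-signed: %s\n", pem_der_len(ROOT_CA_PEM),
           r == 1 ? "yes" : r == 0 ? "no" : "parse error");
    if (r == 1)
        puts("Trust anchor: unless it is in the catalog flashed to the CC3220, sl_Connect\n"
             "fails with SL_ERROR_BSD_ESECUNKNOWNROOTCA (-468).");
    return r == 1 ? 0 : 1;
}
```

Build and run it on a PC with any C99 compiler. The reported DER size (1239 bytes) agrees with the 4-byte SEQUENCE header 30 82 04 D3 that the decoded file starts with, and the self-signed verdict shows that validating this root is entirely a catalog decision on the device: the playground catalog does not list it, the real catalog from the SDK's tools directory does, which is exactly the difference Shlomi points at.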

  • Yes! It worked. Thank you, and Eugene, and others.

    I used UniFlash to flash an empty, servicepack only project, but with the certificate-catalog files at

    C:\ti\simplelink_cc32xx_sdk_1_50_00_06\tools\cc32xx_tools\certificate-catalog.

    I was trying to flash OOB-RTOS with those files but having troubles. That's for a different thread.

    Hey, I'm thrilled. This is cool, secure connections into AWS-IoT. Time to send some temp data!

    I'm planning on using the accelerometer as sort of an amateur LIGO detector. Let's hope it doesn't detect any nearby black hole mergers!

  • I am happy that it works for you, Karl.

    Good luck.