• State TI Thinks Resolved
  • Locked Locked
  • Replies 7 replies
  • Answers 1 answer
  • Subscribers 40 subscribers
  • Views 802 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

CC3100MOD: Problems with setting up a TCP connection with TLSv1

Caspar Verver
Prodigy 170 points
Part Number: CC3100MOD
Other Parts Discussed in Thread: UNIFLASH, , CC3100, CC3100SDK

Hi

I'm programming a IoT network using the MQTT protocol (TCP/IPv4). Using the Paho lib's I have succesfully made an API where I have functions to connect, ping, pub/sub and disconnect properly.

Now for the next step I want to implement TLS for a secured connection. To do this I have taken the following steps to achieve this, but without succes.

1. Use OpenSSL to make certificates (for certificate based TLS). 

I have tested the certificates using mosquitto server and a GUI mqtt client app. So no problems here.

2. Converting the certificate for the client to a .der file and make an C application which converts the .der file to a byte array.

I have done this, so I can use the Fs_api (uniflash is not an option), but I don't no if this is the proper aproach. after running the app I copied the bytearray the app outputted and pasted it in the CCS app into an array. The file was succesfully (i've tested this) created on the cc3100mod using the name parameter "mqtt_ca.der".

3. I wrote the following function to connect to the server:

_u32  cipher = SL_SEC_MASK_TLS_RSA_WITH_AES_128_CBC_SHA256;
_u8   method = SL_SO_SEC_METHOD_TLSV1;

int TLSConnectNetwork(int g_SockID, SlSockAddrIn_t sAddr,  SlSockSecureFiles_t* certificates,
                      unsigned char sec_method, unsigned int cipher)
{

    int addrSize;
    int retVal;

    addrSize = sizeof(SlSockAddrIn_t);

    g_SockID = sl_Socket(SL_AF_INET,SL_SOCK_STREAM, SL_SEC_SOCKET);
    if (g_SockID < 0) {
        return -1;
    }

    SlSockSecureMethod method;
    method.secureMethod = sec_method;
    retVal = sl_SetSockOpt(g_SockID, SL_SOL_SOCKET, SL_SO_SECMETHOD, &method, sizeof(method));
    if (retVal < 0) {
        return retVal;
    }

    SlSockSecureMask mask;
    mask.secureMask = cipher;
    retVal = sl_SetSockOpt(g_SockID, SL_SOL_SOCKET, SL_SO_SECURE_MASK, &mask, sizeof(mask));
    if (retVal < 0) {
        return retVal;
    }


    retVal = sl_SetSockOpt(g_SockID, SL_SOL_SOCKET, SL_SO_SECURE_FILES_CA_FILE_NAME, SL_SSL_CA_CERT, strlen(SL_SSL_CA_CERT));
    if(retVal < 0)
    {
        return retVal;
    }


    retVal = sl_Connect(g_SockID, ( SlSockAddr_t *)&sAddr, addrSize);
    if( retVal < 0 ) {
        sl_Close(g_SockID);
        return retVal;

    }

    return retVal;
}

I am rather new in network programming and have never used TLS/SSL, so please could some one help me?

Thanks in advance!

  • 0
    TI__Mastermind 45606 points
    Hi Caspar,

    The certs must be loaded into serial flash. Please see the previous E2E post about this topic:

    e2e.ti.com/.../573671

    This post will probably bring you to the Production Line guide for writing files to the Serial Flash from the Host:

    processors.wiki.ti.com/.../CC3100_Production_Line_Guide

    Then for correctly mapping the certs and opening TLSv1 see the CC3100 SSL example within the CC3100 SDK. Wiki page below:

    processors.wiki.ti.com/.../CC3200_SSL_Demo_Application

    Hope this helps,
    Kevin
  • 0 in reply to Kevin Allen18
    Prodigy 170 points
    Kevin,

    Yes I have looked at all these documents and I understand how the FS API works and I understand the steps I have to take to accomplish a secured connection.
    The problem I have is that there is no example code or documentation on what to do with the .der file (certificate) before I can even use the FS API. I implied I just had to write a code which would transform the file to a hexadecimal byte array and just copy it to my code.

    I hoped someone here would have experience uploading certificates using the FS API.
  • 0 in reply to Caspar Verver
    TI__Mastermind 45606 points
    Hi Caspar,

    I think I'm misunderstanding where you are along the certificate verification process.

    Being that you are not using uniflash you are receiving the certificate OTA (over-the-air) correct? The file you are receiving should be in the .der format and you shouldn't be needing to convert it into another format.

    If you need help with the OTA part, see the SDK example at the below directory:

    C:\ti\CC3100SDK_1.2.0\cc3100-sdk\examples\ota_sample_app

    Have you been successful in writing the certificate to the serial flash?

    See the "Serial Flash File System" section of http://www.ti.com/lit/swru368 for info on creating files and writing to the file system.

    Example code of writing to the file system can be found in the SDK example below:

    C:\ti\CC3100SDK_1.2.0\cc3100-sdk\examples\file_operations

    Hope this helps,
    Kevin
  • 0 in reply to Kevin Allen18
    Prodigy 170 points
    Hi Kevin,

    Thanks for replying again. I am using the file system api for uploaden the certificate, not the OTA api.

    No, I do not know if I have uploaded the certificate correct. I have converted the certificate to a .der file . But i don't know how to correctly use the file system API. The example only describes how to create a file on the CC3100 and fill it with text in an array... Not the uploading of a file on your desktop.
    So what I did was take the .der file, and used a self written C application to convert it to an array of hexadecimal numbers and pasted this long string of hexadecimal bytes into an array. Then uploaded this array to the CC3100 (hoping this would be transfer the file properly).

    I have no absolute idea if this is the correct way. I've read all available documentation but couldn't find anything. So could you please tell me, step by step, how to correctly use the api to transfer a certificate.der which is on my computer to the cc3100 using the file system API?

    Thanks in advance

    Caspar
  • 0 in reply to Caspar Verver
    TI__Mastermind 45606 points

    Hi Caspar,

    Is your CC3100 serial flash already formatted and is the Servicepack flashed properly? see the Product Line Wiki section "Formatting Using Host UART connection" for how to do this if not, http://processors.wiki.ti.com/index.php/CC3100_Production_Line_Guide

    The procedure will be similar to the Service Pack example in the Product Line Wiki section "Writing Files to the Serial Flash from the Host".

    Your .der certificate will need to be converted to a C-array as you've stated and stored on your host processor. Then you will need to open/create a user file allocating the necessary amount of space (You can't increase this later).

    retVal = sl_FsOpen("certName.dir",
       FS_MODE_OPEN_CREATE(SIZE_xx_bytes,_FS_FILE_OPEN_FLAG_COMMIT|_FS_FILE_PUBLIC_WRITE| etc...),
       &Token, &fileHandle);

    Then you'll write the cert array to the file you just created:

       /* program the cert */
   remainingLen = sizeof(certArray);
   movingOffset = 0;
   chunkLen = (_u32)find_min(1024 /*CHUNK_LEN*/, remainingLen);
   /* Flashing is done in 1024 bytes chunks because of a bug resolved in later patches */
   
   do
   {
   retVal = sl_FsWrite(fileHandle, movingOffset, (_u8 *)&certArray[movingOffset], chunkLen);
   
       if (retVal < 0)
       {
           /* cannot program cert */
           return -1;
       }
   
       remainingLen -= chunkLen;
       movingOffset += chunkLen;
       chunkLen = (_u32)find_min(1024 /*CHUNK_LEN*/, remainingLen);
   
   }while (chunkLen > 0);

    Then close the file:

       /* close the cert file */
   retVal = sl_FsClose(fileHandle, 0, 0, 0);
   
   if (retVal < 0)
   {
       /* cannot close Service Pack file */
       return -1;
   }

    Your certificate should then be stored on the serial flash.

    Hope this helps,

    Kevin

  • 0 in reply to Kevin Allen18
    Prodigy 170 points
    Hi Kevin,

    No I have not formatted the CC3100. I didn't know this was necessary. Any example code from TI to format the Flash?

    Good to know i was on the right track with flashing the certificate. I will try to format the CC3100 and flash the certificate afterwards

    cheers,

    Caspar
  • 0 in reply to Caspar Verver
    TI__Mastermind 45606 points

    Hi Caspar,

    Formatting of the serial flash can be performed in uniflash or by the host processor.

    The steps are explained in http://processors.wiki.ti.com/index.php/CC3100_Production_Line_Guide. See the following sections:

    1. Programming the CC3100 QFN in the Production Line

    2. Formatting Using Host UART connection (If using the Host Processor to format)

    Best,

    Kevin