CC3220MODA: HTTPS server not responding

Part Number: CC3220MODA
Other Parts Discussed in Thread: UNIFLASH

Hello,

I'm trying to enable the HTTPS server on the CC3220.  I've added a custom index.html file using UniFlash (see attached).
The custom index.html file works fine in unsecure (HTTP) mode, but when I try to enable HTTPS, I get no response from the server.

I'm using the provisioning example as a basis for my application, and it's calling ConfigureHttpsServer and it's able to start the server (sl_NetAppStart) with return code 0, as far as I can tell.

What could be causing this behavior?

Thanks!

Joe K.

  • Hi Joe,

    Are you using a browser to connect to the server? (Which one?)
    As you are using the dummy certificate for the server, it will fail the authentication on the browser.
    In some cases, the browsers allow you to proceed after they issue a security alert.
    In some cases, you will be able to add the dummy-root-CA to your browser's catalog (if you do this, delete the dummy-root-ca immediately after the test is done).
    In a product you must use a real TLS/SSL certificate.
    The provisioning application is designed to perform the authentication using the dummy-root-CA.

    Just to make sure this is indeed your problem (in case it is not solved), please provide the error code (or a screenshot) of the client when it fails to connect.

    Br,
    Kobi
  • Hi Kobi,
    Thanks for the reply.
    I'm using Chrome browser on my Android phone. It works fine with the non-ssl web server. When enabling HTTPS, the browser reports "This site can't be reached", so it's not even getting to the point where it would check the certificate.
    I'm using the dummy-root-ca for now.

    What else should I check?
    Regards,
    Joe
  • This is strange; if it works with HTTP, you should be able to pass the initial connection using HTTPS. Make sure the PC and the SimpleLink device are still on the same network.

    You can also try the local OTA example.

    Br,

    Kobi

  • Hi Kobi,

    They are definitely on the same network, so like you, I'm confused as to why it doesn't work.

    Is there anything special I have to do in UniFlash?

    Is there a way to query the status of the web server?

    Thanks,

    Joe

  • I saw that you installed all of the dummy certificate chain but not the key (dummy-root-ca-cert-key) using UniFlash. It is mandatory for the server configuration.

    If you use the ConfigureHttpsServer this should have raised an error message in your terminal (as SSL_SERVER_KEY file will not be found). Please go through the ConfigureHttpsServer command and see that it completes successfully.

    Br,
    Kobi
  • Hi Kobi,

    Just add it to the user files like so?

    How about this page?  See highlighted:

    Thanks,

    Joe

  • Hi Kobi,
    I added the key to the users file (first screenshot in previous message), and it was able to connect properly. Thank you!

    What's the best approach to use so the web browser doesn't flag the certificate as a potential security issue?
    I realize I will have to purchase a cert, but how does it work if I just connect to the device via IP address? Aren't SSL certificates linked to a specific domain name? I could use a domain name that just goes to the device - would that work?

    I'm using this for provisioning an IOT device (without using an app). The user will enter their network password through the browser, which I don't want to broadcast over an unsecure connection. Would it be best to secure the device's AP mode, or leave the AP unsecure and just secure the http connection between the phone and the device?

    Thanks in advance for your thoughts.
    Best,
    Joe K.
  • Hi Kobi,
    Any thoughts on my question above?
    Thanks!
    Joe K.
  • Hi Joe,

    Using a certificate that is purchased from a known CA should solve the security warning.

    You can set the domain to a local URL and/or use wildcards to support multiple domains.

    It is recommended to use a secured channel (i.e. the HTTP server) during the provisioning, as demonstrated in our provisioning example (you don't want the AP credentials to be sniffed).

    Br,

    Kobi
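
The name-matching question raised above (IP address versus domain name, and wildcards), as an added example that is not part of the original thread or of TI's code: a simplified Python version of the check a TLS client applies between the host typed in the URL and the certificate's subjectAltName entries. All host names and addresses below are constructed sample values.

```python
import ipaddress

# Constructed sample SAN entries for a hypothetical device certificate.
SAMPLE_DNS_SANS = ["device.example.com", "*.iot.example.com"]
SAMPLE_IP_SANS = ["192.168.1.1"]


def _dns_match(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry against a host name (case-insensitive)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # The wildcard stands in for the whole left-most label only.
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def host_matches_cert(host: str, dns_sans: list[str], ip_sans: list[str]) -> bool:
    """Return True if the host part of the URL is covered by the SAN lists."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: compare against dNSName entries.
        return any(_dns_match(p, host) for p in dns_sans)
    # IP literals are compared only with iPAddress entries, never dNSName.
    return any(ipaddress.ip_address(s) == addr for s in ip_sans)


if __name__ == "__main__":
    for h in ("device.example.com", "unit7.iot.example.com",
              "a.b.iot.example.com", "192.168.1.1"):
        print(h,
              host_matches_cert(h, SAMPLE_DNS_SANS, []),
              host_matches_cert(h, SAMPLE_DNS_SANS, SAMPLE_IP_SANS))
```

A certificate that lists only domain names does not cover a connection made by IP address; that needs an iPAddress entry, or the user has to browse to a name the certificate lists.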

  • Hi Kobi,
    Thank you for the info.
    Would it be just as good to just secure the AP on the CC3220, so when the user connects to the network they are asked for a password?
    This would be easier for me since I wouldn't have to go out and get a certificate.
    Thanks,
    Joe
  • It's supposed to be good enough.

    br,
    Kobi