
CC3220: Creating CA Certificate for CC3220 using m2m.eclipse broker in TLS mode, error -456 in connecting to the server

Part Number: CC3220

I'm struggling with the CA certificate to set up a secured MQTT TLS communication on the CC3220. I know I have a valid CA certificate, obtained from the Windows certificate store ("DST ROOT CA X3") and saved in mqtt_cert.der or mqtt_cert.pem format; both copies were tested using MQTT.fx to connect to the m2m.eclipse.org broker in secured TLS mode, and it works perfectly.

However, storing this certificate on the CC3220 LaunchPad caused an issue when trying to set up a secure socket and connect through this socket (see the code below):

    //Step 6: connecting to the server
    iStatus = sl_Connect(SSockID, (SlSockAddr_t *) &sAddr, iAddrSize); --> error iStatus =-456 which means:

#define SL_ERROR_BSD_ESECBADCAFILE                                      (-456L) /* error secure level bad CA file */

I think it has something to do with how/where I am storing the certs in the example projects. Do you have any idea about this issue?

I followed the documentation that tells how to flash certs using Uniflash, but I have no idea why I'm having this issue.

/******************************************
 * connect to broker Secured mode using TLS
 ******************************************/
#define mqtt_TLSport          8883
#define SL_TLS_CA_CERT_FILE_NAME    "mqtt_cert.der"
#define SERVER_NAME               "m2m.eclipse.org" 
int connectToBroker_TLSmode()
{
    SlSockAddrIn_t sAddr;
    int iAddrSize;
    int iStatus;

    //TODO: to be updated by broker info
    //filling the TCP server socket address
    g_ulDestinationIp_ = IP_ADDRS;
    sAddr.sin_family = SL_AF_INET;
    sAddr.sin_port = sl_Htons((unsigned short) mqtt_TLSport);
    sAddr.sin_addr.s_addr = sl_Htonl((unsigned int) g_ulDestinationIp_);
    iAddrSize = sizeof(SlSockAddrIn_t);

    //    certificates.PrivateKey = SL_SO_SECURE_FILES_PRIVATE_KEY_FILE_NAME;  // mapping private key, 0 file not exist
    //    certificates.Certificate = SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME;  // mapping certificate, 0 file not exist
    //    certificates.CA = SL_SO_SECURE_FILES_CA_FILE_NAME/*129*/; // mapping CA, 0 file not exist
    //    certificates.DH = SL_SO_SECURE_FILES_PEER_CERT_OR_DH_KEY_FILE_NAME;  // mapping certificate, 0 file not exist
    certificates->SecureFiles[0]=0;
    certificates->SecureFiles[1]=0;
    certificates->SecureFiles[2]=SL_SO_SECURE_FILES_CA_FILE_NAME;
    certificates->SecureFiles[3]=0;
    //Step 1: Set time of the device for certificate verification.
    //Set Current Time in the Device (required)
    iStatus = set_time();
    if(iStatus < 0)
    {
        UART_PRINT("Unable to set time in the device");
        return iStatus;
    }
    //Step 1Bis: Get Host Name
//    unsigned int uiIP;
//    iStatus = sl_NetAppDnsGetHostByName(g_Host, strlen((const char *)g_Host),(unsigned long*)&uiIP, SL_AF_INET);
//
//    if(iStatus < 0)
//    {
//        UART_PRINT("Device couldn't retrieve the host name \n\r");
//        return iStatus;
//    }
//
//   sAddr.sin_family = SL_AF_INET;
//   sAddr.sin_port = sl_Htons(mqtt_TLSport);
//   sAddr.sin_addr.s_addr = sl_Htonl(uiIP);
//   iAddrSize = sizeof(SlSockAddrIn_t);
    //Step 2:Open Secure Socket (required)
    //A secure socket must be opened by the CC3220 device.
    //The sl_Socket() function may be used with the "Protocol" parameter set to SL_SEC_SOCKET (value=100).
    SSockID = sl_Socket(SL_AF_INET, SL_SOCK_STREAM, SL_SEC_SOCKET);
    if (SSockID < 0)
    {
        UART_PRINT("Device unable to create secure socket \n\r");
        ASSERT_ON_ERROR(SOCKET_CREATE_ERROR);
    }

   //Step 3:Force specific method (optional)
   //By default, SSL 3.0 and TLS 1.2 are enabled. A specific method can be forced by using the sl_SetSockOpt() function.
   /* unsigned char    ucmethod = SL_SO_SEC_METHOD_SSLV3;
    iStatus = sl_SetSockOpt(SSockID, SL_SOL_SOCKET, SL_SO_SECMETHOD, &ucmethod, sizeof(ucmethod));
    if (iStatus < 0) {
        UART_PRINT("Device couldn't set socket options \n\r");
        return iStatus;
    }
     */
    //Step 4:Force specific cipher (optional)
    //By default, the CC3220 will pick the most secure cipher suite that both sides of the connection can support.
    //A specific cipher can be forced by using the sl_SetSockOpt() function.
    /*unsigned int uiCipher = SL_SEC_MASK_SSL_RSA_WITH_RC4_128_SHA;
    iStatus = sl_SetSockOpt(SSockID, SL_SOL_SOCKET, SL_SO_SECURE_MASK, &uiCipher, sizeof(uiCipher));
    if (iStatus < 0) {
        UART_PRINT("Device couldn't set socket options \n\r");
        return iStatus;
    }
     */
   //Step 5:Configure SecureFiles for TLS/SSL
   //The CC3220 uses files specific to TLS/SSL that may be defined by the user at the application level.
   //The files needed are listed below based on the connection type, and must be expressed in the DER format.
   //TODO : ADD certificate
     // Add certificate: we will test with google certificate at the beginning
    //if (certificates != NULL) {
        iStatus = sl_SetSockOpt(SSockID, SL_SOL_SOCKET, SL_SO_SECURE_FILES_CA_FILE_NAME, SL_TLS_CA_CERT_FILE_NAME, sizeof(SlSockSecureFiles_t));
        if(iStatus < 0)
        {
            UART_PRINT("Device couldn't set socket options \n\r");
            return iStatus;
        }
        //Step 5Bis: verify.....
        iStatus = sl_SetSockOpt(SSockID, SL_SOL_SOCKET, SL_SO_SECURE_DOMAIN_NAME_VERIFICATION, g_Host, strlen((const char *)g_Host));
        if( iStatus < 0 )
        {
            UART_PRINT("Device couldn't set socket options \n\r");
            return iStatus;
        }
    //}
    //Step 6: connecting to the server
    iStatus = sl_Connect(SSockID, (SlSockAddr_t *) &sAddr, iAddrSize);
    if (iStatus < 0)
    {
        // error
        UART_PRINT("Step 6 \n\r");
        UART_PRINT("Device couldn't connect to server \n\r");
        sl_Close(SSockID);
        ASSERT_ON_ERROR(CONNECT_ERROR);
    }
    return SUCCESS;
}

  • Hi Mohammed,

    Error -456 indicates that the NWP could not find a valid certificate file at the specified filename. Usually this means that the certificate file is corrupt or otherwise incorrectly formatted, but in your case it is most likely because the filename of the cert file is not parsed properly, due to an incorrect sl API call. Specifically, for the sl_SetSockOpt(SSockID, SL_SOL_SOCKET, SL_SO_SECURE_FILES_CA_FILE_NAME,...) call, the last argument should be the strlen() of the SL_TLS_CA_CERT_FILE_NAME, not the size of the SlSockSecureFiles_t struct.

    Please correct that call to:

    iStatus = sl_SetSockOpt(SSockID, SL_SOL_SOCKET, SL_SO_SECURE_FILES_CA_FILE_NAME, SL_TLS_CA_CERT_FILE_NAME, strlen(SL_TLS_CA_CERT_FILE_NAME));

    For additional info on how secured sockets work on the CC3220, please take a look at the secured sockets SimpleLink Academy available here:

    http://dev.ti.com/tirex/#/?link=Software%2FSimpleLink%20CC32xx%20SDK%2FSimpleLink%20Academy%2FWi-Fi%2FWi-Fi%20Secure%20Sockets

    Let me know if that doesn't fix your issue, or if you have any further questions.


    Regards,
    Michael
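Michael's fix covers the length argument; the other cause he names, a corrupt or wrongly formatted file, is worth ruling out on the PC before flashing anything. The following is an added example written for this thread, not TI or SimpleLink code, and it calls no sl_* API. It checks only the outer DER structure of a certificate blob (SEQUENCE, length matching the file size, tbsCertificate SEQUENCE first), which is enough to catch the usual mistakes: a PEM text file saved under a .der name, a truncated download, or extra bytes appended. The sample byte arrays are constructed skeletons, not real certificates.

```c
/*
 * der_check.c: sanity-check a CA certificate blob before flashing it to the
 * CC3220 file system. Added example, not TI/SimpleLink code; no sl_* calls.
 * SL_ERROR_BSD_ESECBADCAFILE (-456) is also what you get when the file
 * content is not what the NWP expects, and a PEM file under a .der name or a
 * truncated copy are the usual reasons.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    CERT_DER_OK = 0,     /* outer SEQUENCE spans exactly the whole file */
    CERT_PEM_NOT_DER,    /* "-----BEGIN" text: convert to DER first */
    CERT_DER_TRUNCATED,  /* SEQUENCE claims more bytes than the file holds */
    CERT_DER_TRAILING,   /* bytes left over after the SEQUENCE */
    CERT_NOT_DER         /* does not start with SEQUENCE { SEQUENCE ... } */
} cert_check_t;

/* Decode a DER length field at p; returns header bytes consumed, 0 on error. */
static size_t der_read_length(const uint8_t *p, size_t avail, size_t *out_len)
{
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *out_len = p[0]; return 1; }       /* short form */
    size_t n = p[0] & 0x7F;                                /* long form: n length bytes follow */
    if (n == 0 || n > sizeof(size_t) || avail < 1 + n) return 0; /* 0x80 = indefinite, not DER */
    size_t len = 0;
    for (size_t i = 0; i < n; i++) len = (len << 8) | p[1 + i];
    *out_len = len;
    return 1 + n;
}

cert_check_t cert_check_der(const uint8_t *buf, size_t size)
{
    static const char pem_hdr[] = "-----BEGIN";
    if (size >= sizeof(pem_hdr) - 1 && memcmp(buf, pem_hdr, sizeof(pem_hdr) - 1) == 0)
        return CERT_PEM_NOT_DER;
    if (size < 2 || buf[0] != 0x30) return CERT_NOT_DER;   /* Certificate ::= SEQUENCE */

    size_t body_len = 0;
    size_t hdr = der_read_length(buf + 1, size - 1, &body_len);
    if (hdr == 0) return CERT_NOT_DER;
    if (body_len > size) return CERT_DER_TRUNCATED;        /* checked before the add, avoids overflow */
    size_t total = 1 + hdr + body_len;
    if (total > size) return CERT_DER_TRUNCATED;
    if (total < size) return CERT_DER_TRAILING;
    /* the first element of Certificate is tbsCertificate, itself a SEQUENCE */
    if (body_len < 1 || buf[1 + hdr] != 0x30) return CERT_NOT_DER;
    return CERT_DER_OK;
}

/* Constructed samples (not real certificates), just enough structure to exercise the checks. */
static const uint8_t sample_der_ok[]    = { 0x30, 0x06, 0x30, 0x04, 0x02, 0x02, 0x01, 0x00 };
static const uint8_t sample_truncated[] = { 0x30, 0x06, 0x30, 0x04, 0x02 };
static const uint8_t sample_trailing[]  = { 0x30, 0x02, 0x30, 0x00, 0xFF };
static const uint8_t sample_not_der[]   = { 0x02, 0x01, 0x00 };
static const uint8_t sample_pem[]       = "-----BEGIN CERTIFICATE-----\nMIIB...\n";

/* Constructed: long-form length header (0x82 = two length bytes) over a 256-byte body,
 * with bytes_to_drop bytes cut off the end, as a truncated copy would be. */
cert_check_t check_long_form_sample(size_t bytes_to_drop)
{
    uint8_t buf[260] = { 0x30, 0x82, 0x01, 0x00, 0x30 };   /* rest zero-filled */
    if (bytes_to_drop > sizeof buf) return CERT_NOT_DER;
    return cert_check_der(buf, sizeof buf - bytes_to_drop);
}

int main(void)
{
    static const char *names[] = { "DER OK", "PEM, not DER", "DER truncated",
                                   "DER with trailing bytes", "not DER" };
    printf("ok:        %s\n", names[cert_check_der(sample_der_ok, sizeof sample_der_ok)]);
    printf("pem:       %s\n", names[cert_check_der(sample_pem, sizeof sample_pem - 1)]);
    printf("truncated: %s\n", names[cert_check_der(sample_truncated, sizeof sample_truncated)]);
    printf("trailing:  %s\n", names[cert_check_der(sample_trailing, sizeof sample_trailing)]);
    printf("not der:   %s\n", names[cert_check_der(sample_not_der, sizeof sample_not_der)]);
    printf("long form: %s\n", names[check_long_form_sample(0)]);
    return 0;
}
```

If the check reports PEM, convert with `openssl x509 -in mqtt_cert.pem -outform DER -out mqtt_cert.der`; `openssl x509 -inform DER -in mqtt_cert.der -noout -subject` then confirms the DER file parses as a certificate. The name passed in SL_SO_SECURE_FILES_CA_FILE_NAME must also be exactly the name the file was written under on the serial flash (the Uniflash step in the question), since -456 is returned for a file the NWP cannot find as well as for one it cannot parse.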

  • Hi Michael,

    Thank you very much for your help, the issue is resolved and the secured socket is perfectly set.

    Regards,
    Mohammed.
  • Hi Michael,

    After setting up a secure socket, I'm trying to send data using this socket. Our implementation is based on the Paho library (see the bottom, please) and it works perfectly in MQTT clear mode.

    In our case, the send data process is performed using a secure socket, but when I subscribe to the topic using a clear-mode broker (port 1883, without CA) I also receive the data, which should not be allowed?!

    Is there a special thing that should be done in the send command, or after the configuration of the secure socket?

    Code:

    #ifdef SECURE_SOCKET
       connectToBroker_TLSmode();
    #else
       connectToBroker();
    #endif //SECURE_SOCKET

       // publish message using MQTT
       MQTTPacket_connectData data = MQTTPacket_connectData_initializer;
       unsigned char buf[200];
       MQTTString topicString = MQTTString_initializer;
       /*char* payload = "mypayload";
        int payloadlen = strlen(payload);*/
       int messagelen = strlen(message);
       int buflen = sizeof(buf);

       data.clientID.cstring = "me";
       data.keepAliveInterval = 20;
       data.cleansession = 1;

       int len = MQTTSerialize_connect(buf, buflen, &data); /* 1 */

       topicString.cstring = "muco";
       len += MQTTSerialize_publish(buf + len, buflen - len, 0, 0, 0, 0,
                                    topicString, (unsigned char*) message,
                                    messagelen); /* 2 */
       len += MQTTSerialize_disconnect(buf + len, buflen - len); /* 3 */

       /*
        call send data inside mqtt while
        */
       SendData(buf, len);
       UART_PRINT(
               "\n\r Publish MQTT Message to Broker is Performed successfully \n\r");


    Best Regards,

    Mohammed.

  • Hi Mohammed,

    How are you checking to see that the connection you make on port 1883 is non-secure? If you try to connect using a secured socket to a server that does not support secure connections, then you should get a SL_OTHER_SIDE_CLOSE_SSL_DATA_NOT_ENCRYPTED async event.

    Perhaps your server also supports TLS connections on port 1883? If you use a PC to connect and monitor the connection with Wireshark, do you see the TLS handshake occurring?

    Regards,
    Michael
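Michael's question is the right one: a TLS client talking to a plaintext listener fails during the handshake, it does not silently fall back to clear text, which is what the SL_OTHER_SIDE_CLOSE_SSL_DATA_NOT_ENCRYPTED event he mentions reports. The added example below (written for this thread, not SimpleLink or Paho code) shows what the first bytes on the wire look like in each case, so a Wireshark capture (display filter `tls`, or `ssl` in older versions) or a raw peek at a socket on 1883 vs 8883 can be read without guessing. It decodes the 5-byte TLS record header and the MQTT fixed header, including the variable-length Remaining Length field. The sample byte arrays are constructed; the MQTT CONNECT one mirrors the Paho call earlier in the thread (client ID "me", keepalive 20, clean session). Separately, receiving the message on a plaintext subscriber is expected: a broker delivers a topic's messages to every subscriber regardless of which listener they connected through, so TLS protects the hop between a client and the broker, not the topic itself.

```c
/*
 * wire_peek.c: classify the first bytes seen on a broker connection to answer
 * "did a TLS handshake actually happen on this port?". Added example, not
 * SimpleLink or Paho code. It decodes the TLS record header (type, version,
 * length) and the MQTT fixed header with its Remaining Length varint.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    WIRE_UNKNOWN = 0,
    WIRE_TLS_HANDSHAKE,  /* record type 0x16: ClientHello, ServerHello, ... */
    WIRE_TLS_ALERT,      /* record type 0x15: e.g. handshake_failure from the server */
    WIRE_TLS_APPDATA,    /* record type 0x17: encrypted application data */
    WIRE_MQTT_CONNECT,   /* plaintext MQTT CONNECT (client -> broker) */
    WIRE_MQTT_CONNACK,   /* plaintext MQTT CONNACK (broker -> client) */
    WIRE_MQTT_OTHER      /* another plaintext MQTT control packet */
} wire_kind_t;

typedef struct {
    wire_kind_t kind;
    uint16_t tls_version;  /* record-layer version, e.g. 0x0303 for TLS 1.2 */
    uint32_t length;       /* TLS record length, or MQTT Remaining Length */
    uint8_t  mqtt_type;    /* MQTT control packet type (high nibble of byte 0) */
} wire_info_t;

/* Decode the MQTT Remaining Length varint (7 bits per byte, continuation bit 0x80).
 * Returns bytes consumed, or 0 if the field is incomplete or longer than 4 bytes. */
static size_t mqtt_remaining_length(const uint8_t *p, size_t avail, uint32_t *out)
{
    uint32_t value = 0, mult = 1;
    for (size_t i = 0; i < 4 && i < avail; i++) {
        value += (uint32_t)(p[i] & 0x7F) * mult;
        if ((p[i] & 0x80) == 0) { *out = value; return i + 1; }
        mult *= 128;
    }
    return 0;
}

wire_info_t classify_wire(const uint8_t *b, size_t n)
{
    wire_info_t info = { WIRE_UNKNOWN, 0, 0, 0 };
    if (n == 0) return info;

    /* TLS record header: type(1) version(2) length(2); the version major byte is always 3.
     * Checked first: no valid MQTT packet starts 0x15/0x16/0x17 (CONNECT with non-zero flags). */
    if (n >= 5 && (b[0] == 0x15 || b[0] == 0x16 || b[0] == 0x17) && b[1] == 0x03 && b[2] <= 0x04) {
        info.tls_version = (uint16_t)((b[1] << 8) | b[2]);
        info.length = (uint32_t)((b[3] << 8) | b[4]);
        info.kind = (b[0] == 0x16) ? WIRE_TLS_HANDSHAKE
                  : (b[0] == 0x15) ? WIRE_TLS_ALERT : WIRE_TLS_APPDATA;
        return info;
    }

    /* MQTT fixed header: packet type in the high nibble, flags in the low nibble, then Remaining Length */
    uint8_t type = b[0] >> 4, flags = b[0] & 0x0F;
    uint32_t rem = 0;
    size_t used = mqtt_remaining_length(b + 1, n - 1, &rem);
    if (type < 1 || type > 14 || used == 0) return info;
    info.mqtt_type = type;
    info.length = rem;
    const uint8_t *vh = b + 1 + used;      /* start of the variable header */
    size_t vn = n - 1 - used;
    if (type == 1 && flags == 0 && vn >= 6 && vh[0] == 0 && vh[1] == 4 && memcmp(vh + 2, "MQTT", 4) == 0)
        info.kind = WIRE_MQTT_CONNECT;     /* protocol name "MQTT" (3.1.1); 3.1 uses "MQIsdp" */
    else if (type == 2 && flags == 0 && rem == 2)
        info.kind = WIRE_MQTT_CONNACK;
    else
        info.kind = WIRE_MQTT_OTHER;
    return info;
}

/* Constructed samples: what a capture on each port would show for the first bytes. */
static const uint8_t sample_client_hello[] = { 0x16, 0x03, 0x01, 0x00, 0xC4, 0x01, 0x00, 0x00, 0xC0, 0x03, 0x03 };
static const uint8_t sample_tls_alert[]    = { 0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28 };
static const uint8_t sample_mqtt_connect[] = { 0x10, 0x0E, 0x00, 0x04, 'M', 'Q', 'T', 'T', 0x04, 0x02,
                                               0x00, 0x14, 0x00, 0x02, 'm', 'e' };
static const uint8_t sample_mqtt_connack[] = { 0x20, 0x02, 0x00, 0x00 };
/* PUBLISH header only, Remaining Length 128 encoded as the two-byte varint 0x80 0x01 */
static const uint8_t sample_mqtt_publish[] = { 0x30, 0x80, 0x01, 0x00, 0x04, 'm', 'u', 'c', 'o' };

int main(void)
{
    static const char *names[] = { "unknown", "TLS handshake", "TLS alert", "TLS app data",
                                   "MQTT CONNECT (plaintext)", "MQTT CONNACK (plaintext)", "MQTT other (plaintext)" };
    printf("8883 first bytes: %s\n", names[classify_wire(sample_client_hello, sizeof sample_client_hello).kind]);
    printf("1883 first bytes: %s\n", names[classify_wire(sample_mqtt_connect, sizeof sample_mqtt_connect).kind]);
    printf("rejected TLS:     %s\n", names[classify_wire(sample_tls_alert, sizeof sample_tls_alert).kind]);
    printf("broker reply:     %s\n", names[classify_wire(sample_mqtt_connack, sizeof sample_mqtt_connack).kind]);
    printf("publish:          %s\n", names[classify_wire(sample_mqtt_publish, sizeof sample_mqtt_publish).kind]);
    return 0;
}
```

Read against the thread: on port 8883 the first client bytes are a 0x16 TLS handshake record, and every later record is 0x17 application data, so no MQTT fixed header is ever visible in the capture. On a plaintext 1883 listener the first client bytes are 0x10 followed by "MQTT"; if a secure socket is pointed at that listener the broker sees 0x16 0x03, which is not a valid MQTT CONNECT, and the connection is dropped rather than downgraded.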