CC3220SF: Connection with MQTT and X.509 - Bad ECC Curve

Part Number: CC3220SF


Hello,
I am just trying to use the MQTT client provided by TI.

My code looks like this: 

#define CLIENT_NUM_SECURE_FILES  4

// Secure files handed to the MQTT client
char *Mqtt_Client_secure_files[CLIENT_NUM_SECURE_FILES] = {"key.pem", "cert.pem", "cacert.crt", NULL};

MQTTClient_ConnParams Mqtt_ClientCtx =
{
    MQTTCLIENT_NETCONN_URL | MQTTCLIENT_NETCONN_SEC,  // server given as URL, secured connection
    SERVER_ADDRESS,                                   // SERVER_ADDRESS
    SECURED_PORT_NUMBER,                              // PORT_NUMBER
    SLNETSOCK_SEC_METHOD_TLSV1_2,                     // TLS 1.2
    SLNETSOCK_SEC_CIPHER_FULL_LIST,                   // full cipher suite list
    CLIENT_NUM_SECURE_FILES,
    Mqtt_Client_secure_files
};

When I try to call MQTTClient_connect(), I get error -751, which corresponds to SL_ERROR_BSD_ESEC_ECC_CURVE_ERROR (-751L) /* Bad ECC Curve */

My certificate is generated with secp256r1, which I would like to use. Below is the communication between the device and the MQTT broker.

Client Hello

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 113
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 109
            Version: TLS 1.2 (0x0303)
            Random: 4f7ad9fde5ac9a81c601ea9f9cdd2d16b753d9c78e2d8964…
            Session ID Length: 0
            Cipher Suites Length: 46
            Cipher Suites (23 suites)
                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)
                Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13)
                Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 22
            Extension: signature_algorithms (len=18)

Server hello

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 3945
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 70
            Version: TLS 1.2 (0x0303)
            Random: 5d5149adb65aebc8ba4141a9107d24f77351ef3c2ea1f2dc…
            Session ID Length: 32
            Session ID: b01600006a33c59c0a4b7c632ffa0fa8a8b6bce19872828b…
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
            Compression Method: null (0)
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 3535
            Certificates Length: 3532
            Certificates (3532 bytes)
        Handshake Protocol: Server Key Exchange
            Handshake Type: Server Key Exchange (12)
            Length: 296
            EC Diffie-Hellman Server Params
                Curve Type: named_curve (0x03)
                Named Curve: x25519 (0x001d)
                Pubkey Length: 32
                Pubkey: 4c653138ad3b343d4891d4035085527875972b609b0c4462…
                Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                Signature Length: 256
                Signature: 6634fe74ecfa7ab26196a5782ae30eba374ba5dc95d3e884…
        Handshake Protocol: Certificate Request
        Handshake Protocol: Server Hello Done

Then the CC3220 sends (FIN, ACK) and returns the error. I believe the main issue is Named Curve: x25519 from the Server Hello. I tried a different client on a different platform, using the same certificates, and I can see that the other platform has some sort of supported curves in its Client Hello.

Extension: supported_groups (len=18)
                Type: supported_groups (10)
                Length: 18
                Supported Groups List Length: 16
                Supported Groups (8 groups)
                    Supported Group: secp256r1 (0x0017)
                    .....

Is it possible to set something similar on CC3220? Or do you think there is another issue in that? 

Thanks for the ideas!
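
A capture-side check for the difference the post points out, added here as an example (not code from the post or from TI's SDK): it walks a ClientHello extensions block and reports whether supported_groups is present and lists a given curve. The byte arrays are constructed samples, and the function, constant and result-code names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXT_SUPPORTED_GROUPS 10   /* extension type, as in the dissection above */
#define GROUP_SECP256R1 0x0017
#define GROUP_X25519    0x001d

/* Result codes; these names belong to this example only. */
enum { MALFORMED = -2, EXT_ABSENT = -1, GROUP_NOT_OFFERED = 0, GROUP_OFFERED = 1 };

/* Constructed sample: one signature_algorithms extension (len=18), nothing else. */
static const uint8_t sigalgs_only[] = {
    0x00, 0x0d, 0x00, 0x12, 0x00, 0x10, 0x06, 0x01, 0x06, 0x03, 0x05, 0x01,
    0x05, 0x03, 0x04, 0x01, 0x04, 0x03, 0x02, 0x01, 0x02, 0x03 };
/* Constructed sample: supported_groups listing only secp256r1. */
static const uint8_t with_groups[] = { 0x00, 0x0a, 0x00, 0x04, 0x00, 0x02, 0x00, 0x17 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* ext: bytes following the 2-byte "Extensions Length" field of a ClientHello. */
int client_offers_group(const uint8_t *ext, size_t ext_len, uint16_t group)
{
    size_t off = 0;
    while (off + 4 <= ext_len) {
        uint16_t type = rd16(ext + off);
        size_t len = rd16(ext + off + 2);
        off += 4;
        if (len > ext_len - off) return MALFORMED;      /* body overruns block */
        if (type == EXT_SUPPORTED_GROUPS) {
            if (len < 2) return MALFORMED;
            size_t list_len = rd16(ext + off);
            if (list_len != len - 2 || list_len % 2) return MALFORMED;
            for (size_t i = 0; i < list_len; i += 2)
                if (rd16(ext + off + 2 + i) == group) return GROUP_OFFERED;
            return GROUP_NOT_OFFERED;
        }
        off += len;
    }
    return off == ext_len ? EXT_ABSENT : MALFORMED;     /* trailing bytes = bad */
}

int main(void)
{
    printf("sigalgs only, x25519:    %d\n",
           client_offers_group(sigalgs_only, sizeof sigalgs_only, GROUP_X25519));
    printf("with groups,  secp256r1: %d\n",
           client_offers_group(with_groups, sizeof with_groups, GROUP_SECP256R1));
    return 0;
}
```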