• State Resolved
  • Locked Locked
  • Replies 8 replies
  • Subscribers 41 subscribers
  • Views 299 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

CC3100: Slow tls connection establishment

Aleksandar Karalejic
Prodigy 100 points
Part Number: CC3100
Other Parts Discussed in Thread: UNIFLASH, CC3200

Hi All,

I am having CC3100 (SDK 1.3.0) connected over SPI to the host MCU (Arm M4). When I try to connect to any server over secure socket, it takes between 1 - 2 seconds. Release notes for the SDK 1.3.0 says that minimum tls/ssl connection time is 130 ms (for RSA) and 1.3s (for ECC). However, no matter what cipher is used, I am getting max 2 seconds for establishing tls connections (I have tested it on pure sockets and with httpcli library). Question: is this 1 - 2 seconds expected time for tls/ssl connection establishment or... can you point to some parameter, flag... that can be used for reducing this time?

Thanks,

Aleks  

  • 0
    Guru 79905 points

    Hi Aleks,

    Do you have uploaded latest ServicePack inside CC3100 device? Be aware TLS/SSL connection establishing time depends on opposite side as well. You should use Wireshark or other network sniffer do determine if culprit is a CC100 device.

    Jan

  • 0 in reply to Jan D
    Prodigy 100 points

    Hi Jan,

    I am attaching wireshark part for the https with google - appx 1.3 seconds taken for entire handshake. What is interesting is 1 sec taken for 18th packet. Do you see something from the wireshark that can be help me with connection time reduction?

    As for SP I am having the version 1.3.0.

    Regards,

    Aleks 

  • 0 in reply to Aleksandar Karalejic
    Guru 79905 points

    Hi Aleks,

    You should check at server responses what cipher suite was was negotiated. Cumulative response time from sever side is around 180ms, from this reason  you cannot expect lower connection time. I think your issue is due to negotiated cipher suite or missing ServicePack inside device.

    It looks that you complete forgotten that you need to upload ServicePack into device. ServicePack for CC3100 devices is separate from SDK and need to be uploaded into serial flash using Uniflash software or host API for filesystem. Latest ServicePack (1.0.1.14-2.12.2.8) can be downloaded from CC3100 SDK webpage. You can use latest ServicePack (1.0.1.15-2.13.0.2) for CC3200 which can be downloaded from CC3200 SDK webpage. ServiecPack for CC3200 is compatible with CC3100 device.

    Jan

  • 0 in reply to Jan D
    Prodigy 100 points

    Hi Jan,

    As per your suggestion, I have downloaded newest version of SP, used host API and burnt it. Here is the output:

    This is a CC3100R device
    NWP 2.10.0.0
    MAC 31.1.5.0.2
    PHY 1.0.3.37


    Openning ServicePack file
    Programming ServicePack file

    Closing ServicePack file
    ServicePack successfuly programmed

    Restarting CC3100... simplelink stop
    shutdown commands
    simplelink start

    This is a CC3100R device
    NWP 2.12.2.8
    MAC 31.1.5.0.10
    PHY 1.0.3.37

    Unfortunately, this didn't solve my problem (still similar results). 

    As for your suggestion about cipher suit - how can use information about used cipher suit on the CC3100?

    I mean, for some private https servers, I can "negotiate" with admins to use proper cipher suit, but what about publicly available servers?

    Regards,

    Aleks   

  • 0 in reply to Aleksandar Karalejic
    Guru 79905 points

    Hi Aleks,

    Both sides needs to negotiate cipher suite and selected cipher suite you can see at "Server Hello" packet. At secured socket settings (socket options) you can mask particular cipher suites. But public server are not under your control and with masked cipher suites you will not be able connect likely. If public server requires ECDHE cipher suites you have not much options. You can try to determine what are supported cipher suites and set lowest cipher suite at CC3100. But if something change at server side at the future, you have a problem...

    Jan

  • 0 in reply to Jan D
    Prodigy 100 points

    Hi Jan,

    Certainly, negotiation is what will happen, I tried with methods and masks from the very first beginning. When I asked for cipher suits usage, I thought on some fine tuning. So, with methods and masks everything is the same, even worse if I try to connect to the servers that use sha256ECDSA as a signature algorithm. In this case it takes appx 4 seconds to connect to it. Are there any results, that you can share with me, about average tls connection establishment time for different signature algorithms? 

    Regards,

    Aleks

  • 0 in reply to Aleksandar Karalejic
    Guru 79905 points

    Hi Aleks,

    I am not aware about any document than you stated above.

    I don't see much opportunity to some "fine tuning" of cipher suites because this depends on opposite side which is not under your control. You have options "slow establishing of connection" or "no connection". Not much to choice here... In case of server is under your full control, it make sense play with cipher suites settings at CC3100 side.

    Jan

  • 0 in reply to Jan D
    Prodigy 100 points

    Hi Jan,

    I played around with different cipher suits, and I can tell that chip behaves really fast in the "RSA case" (authentication + key exchange) but when I engage ECC, performance drops significantly (compared to the RSA).

    Thanks for your help.

    Regards,

    Aleks