
Problems with TLS example in SPWF04SA

Antonio Roman
Associate II

Posted on August 31, 2017 at 15:05

I am using the example certificates provided by ST (en.STSW-TLSpack.zip), specifically Example 2 for encrypted communications in One Way mode.

I am using the 'Client_Socket' example of the SDK 'STM32CubeExpansion_WIFI1_V3.0.2' in a NUCLEO-F401RE and the WIFI module SPWF04SA (X-NUCLEO-IDW04A1).

Using OpenSSL I have obtained the Subject Key Identifier of the file 'ca_cert.pem', which is '3EF1747FD79122144BCADF4F95DF960A32823B4C', and I placed the certificate in a char array in the SDK sample code.

For server testing I am using a Raspberry Pi and OpenSSL. I have placed all the necessary files together in a directory and started the server with the following command line:

openssl s_server -cert server_cert.pem -key server_key.pem -tls1_2 -www -accept 4443

I start the NUCLEO-F401RE board with the X-NUCLEO-IDW04A1 shield, configured in USART mode, and I get the following:

-> OpenSSL Server on Raspberry Pi at 172.26.3.83:

Using default temp DH parameters

ACCEPT

1995769248:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1399:SSL alert number 42

ACCEPT

-> Terminal log output from NUCLEO board:

>>model number is SPWF04SA

>>Setting CA certificate

>>UART TX buffer: AT+S.TLSCERT=content,2

+S.TLSCERT=content,2

-S.Clean

-S.OK

<<OK

>>UART TX buffer: AT+S.TIME=1504170338

+S.TIME=1504170338

-S.OK

<<OK

>>UART TX buffer: AT+S.TIME

+S.TIME

-S.Date:17.08.31:00

-S.Time:09.05.38

-S.OK

<<OK

>>UART TX buffer: AT+S.TLSCERT=Ca,1425

-----BEGIN CERTIFICATE-----

MIID3zCCA0igAwIBAgIJAMo2ixe4LOmpMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD

VQQGEwJGUjEPMA0GA1UECAwGUmFkaXVzMRIwEAYDVQQHDAlTb21ld2hlcmUxFTAT

BgNVBAoMDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBs

ZS5vcmcxJjAkBgNVBAMMHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X

DTE2MDcwNDA5MjE0NVoXDTI2MDUxMzA5MjE0NVowgZMxCzAJBgNVBAYTAkZSMQ8w

DQYDVQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMGA1UECgwMRXhh

bXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLm9yZzEmMCQG

A1UEAwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwgZ8wDQYJKoZIhvcN

AQEBBQADgY0AMIGJAoGBAMZ5WNHGNjSo6m6FKMzXTN4XY+F4DbLIDn+VtrMvPRyk

MdqlBXrUptVfC5wtKbaAVveBlEHFg2Zwp0bMURxvkqQPBg0DWWwzIcOS9TArdTw9

wWS87KpzPeYf/ebMZ7KwwvETFvBAEbH3J0Nw8iJim6qkkga3m9PhZrERCPx89F7r

AgMBAAGjggE3MIIBMzAdBgNVHQ4EFgQUPvF0f9eRIhRLyt9Pld+WCjKCO0wwgcgG

A1UdIwSBwDCBvYAUPvF0f9eRIhRLyt9Pld+WCjKCO0yhgZmkgZYwgZMxCzAJBgNV

BAYTAkZSMQ8wDQYDVQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMG

A1UECgwMRXhhbXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxl

Lm9yZzEmMCQGA1UEAwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCCQDK

NosXuCzpqTAPBgNVHRMBAf8EBTADAQH/MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6

Ly93d3cuZXhhbXBsZS5vcmcvZXhhbXBsZV9jYS5jcmwwDQYJKoZIhvcNAQELBQAD

gYEAa4csCQf9JWPopeqOiMKlYcOFgF74Q0+sE3qEXb5MbSu3Z7tTVe9MNWXQ192h

djKGPTKSMEu/8q9HL8l3Zhd96UKhaAMT7Yftk4SqEb/7orbznJi2cQF8dfDqgRQY

U6mh1KIu5hMu/+aXHdw+IQav3Q5Css5WoKGoNLooN3hv1mE=

-----END CERTIFICATE-----

+S.TLSCERT=Ca,1425

-S.No SubjectKeyId

-S.OK

<<OK

>>UART TX buffer: AT+S.TLSCERT=Auth,40

3EF1747FD79122144BCADF4F95DF960A32823B4C

+S.TLSCERT=Auth,40

-S.OK

<<OK

>>UART TX buffer: AT+S.TLSCERT=content,1

+S.TLSCERT=content,1

-S.List

-S.CA:1

-S.Cert:0

-S.Key:0

-S.Id:1

-S.OK

<<OK

>>TLS set certificate OK

>>UART TX buffer: AT+S.SOCKON=172.26.7.83,4443,NULL,s

+S.SOCKON=172.26.7.83,4443,NULL,s

AT-S.Certificate Error:3

-S.ERROR:74:Failed to open socket

ERROR!

Status = 13

>>Socket connection error

According to the error table for SSL/TLS (<LINK NO LONGER ACTIVE>) the error is as follows:

X509 Error 3 - Unable to get certificate CRL

Unable to get certificate CRL. The CRL of a certificate could not be found. Unused.

I have followed all steps described in documents AN4963, UM2114, AN4683 and STSW-TLSpack.

What am I doing wrong?


5 REPLIES
Elio Cometti
Senior II
Posted on October 04, 2017 at 16:43

Looking at your log, you are entering the auth ID as the 40-character string '3EF1747FD79122144BCADF4F95DF960A32823B4C', whereas you should enter the 20-byte binary sequence 0x3e 0xf1 ... 0x3b 0x4c.

You might want to try the following (to be completed according to your implementation):

uint8_t client_domain[21];   /* 20 SKI bytes plus a terminating 0 */

client_domain[0] = 0x3e;

client_domain[1] = 0xf1;

...

client_domain[18] = 0x3b;

client_domain[19] = 0x4c;

client_domain[20] = 0;

status = wifi_socket_client_security(..., ..., ..., ..., client_domain, ...);

yoann LBY
Senior
Posted on October 06, 2017 at 16:28

Hi,

I have the same problem.

I'm working on a Nucleo F401RE and package 3.0.2 with the VCOM application and Tera Term.

I type AT+S.TLSCERT=ca,<size><cr> and load ca_cert.txt (ca_cert.pem without header) with Tera Term:

AT+S.TLSCERT=ca,1348

AT-S.No SubjectKeyId      <- response is OK or NOK???

AT-S.OK

AT+S.TLSCERT=content,1

AT-S.List

AT-S.CA:1      <- it means certificate is stored correctly!

AT-S.Cert:0

AT-S.Key:0

AT-S.Id:0

AT-S.OK

AT+S.SOCKON=192.168.1.38,4433,,Example Certificate Authority

AT-S.ERROR:74:Failed to open socket

192.168.1.38 is the IP address of my desktop, where openssl runs as the server (s_server -cert server_cert.pem -key server_key.pem -CAfile ca_cert.pem -accept 4433).

4433 is the port of the server.

Example Certificate Authority = CN in ca_cert.pem (verified with the cmd x509 -text -in ca_cert.pem -noout).

Where is the problem?

Thanks, Yoann

Posted on October 29, 2017 at 13:14

If there is no 'AT-S.Loading:x:x' between the SOCKON command and the ERROR reply, well, TLS and certs are not playing the game. The problem is before TLS, at the TCP connect stage.

I suggest starting with a basic TCP socket. Turn off the openssl server and start a netcat listener on port 4433. Is this working?

yoann LBY
Senior
Posted on October 30, 2017 at 09:02

Hi,

I fixed my problem!

I used en.DM00345371_AN4963.pdf.

To load the CA root:

AT+S.TLSCERT=ca,xxx

AT-S.No SubjectKeyId

AT-S.OK

AT+S.TLSCERT=auth,20

AT-S.OK

When the .pem format is used, note that the subject key identifier must be entered in binary format (extract the SKI into a txt file, then convert the txt into binary with the Windows cmd 'certutil -decodehex ski.txt ski.bin').

Yoann

Posted on October 30, 2017 at 11:24

Depending on whether the certificate is DER or PEM, the subject key ID can be found automatically by the module. In this case you used a PEM, so 'AT+S.TLSCERT=auth' is mandatory.
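The two fixes in this thread (Elio's 20-byte array and Yoann's certutil conversion) both come down to the same point: the module wants the SubjectKeyIdentifier as 20 raw bytes, while OpenSSL prints it as 40 hex characters. The script below is an added example, not code from the thread or from ST's SDK. It takes the ST example CA certificate exactly as it appears in the original poster's UART log, walks its DER with a small TLV walker written for this example (not a general X.509 parser), pulls the SKI out of the id-ce-subjectKeyIdentifier extension, checks it against the value the OP got from OpenSSL, and then builds the `AT+S.TLSCERT=auth,<len>` header plus the binary payload the accepted answer describes. The `AT+S.TLSCERT=auth,20` framing and the zero-terminated `client_domain` array are taken from the replies above; how the firmware actually pushes those bytes over the UART is assumed, not verified here.

```python
"""Extract a CA cert's SubjectKeyIdentifier and build the SPWF04SA auth payload (20 raw bytes, not 40 hex chars)."""
import base64
import re

# The ST example CA certificate, copied from the UART log in the original post.
CA_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIID3zCCA0igAwIBAgIJAMo2ixe4LOmpMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD
VQQGEwJGUjEPMA0GA1UECAwGUmFkaXVzMRIwEAYDVQQHDAlTb21ld2hlcmUxFTAT
BgNVBAoMDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBs
ZS5vcmcxJjAkBgNVBAMMHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X
DTE2MDcwNDA5MjE0NVoXDTI2MDUxMzA5MjE0NVowgZMxCzAJBgNVBAYTAkZSMQ8w
DQYDVQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMGA1UECgwMRXhh
bXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLm9yZzEmMCQG
A1UEAwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAMZ5WNHGNjSo6m6FKMzXTN4XY+F4DbLIDn+VtrMvPRyk
MdqlBXrUptVfC5wtKbaAVveBlEHFg2Zwp0bMURxvkqQPBg0DWWwzIcOS9TArdTw9
wWS87KpzPeYf/ebMZ7KwwvETFvBAEbH3J0Nw8iJim6qkkga3m9PhZrERCPx89F7r
AgMBAAGjggE3MIIBMzAdBgNVHQ4EFgQUPvF0f9eRIhRLyt9Pld+WCjKCO0wwgcgG
A1UdIwSBwDCBvYAUPvF0f9eRIhRLyt9Pld+WCjKCO0yhgZmkgZYwgZMxCzAJBgNV
BAYTAkZSMQ8wDQYDVQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMG
A1UECgwMRXhhbXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxl
Lm9yZzEmMCQGA1UEAwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCCQDK
NosXuCzpqTAPBgNVHRMBAf8EBTADAQH/MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6
Ly93d3cuZXhhbXBsZS5vcmcvZXhhbXBsZV9jYS5jcmwwDQYJKoZIhvcNAQELBQAD
gYEAa4csCQf9JWPopeqOiMKlYcOFgF74Q0+sE3qEXb5MbSu3Z7tTVe9MNWXQ192h
djKGPTKSMEu/8q9HL8l3Zhd96UKhaAMT7Yftk4SqEb/7orbznJi2cQF8dfDqgRQY
U6mh1KIu5hMu/+aXHdw+IQav3Q5Css5WoKGoNLooN3hv1mE=
-----END CERTIFICATE-----"""

# The SKI the original poster obtained with OpenSSL: 40 hex characters, i.e. 20 bytes.
SKI_HEX_FROM_POST = "3EF1747FD79122144BCADF4F95DF960A32823B4C"
OID_SUBJECT_KEY_IDENTIFIER = bytes.fromhex("551d0e")  # id-ce-subjectKeyIdentifier, 2.5.29.14

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body into DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _children(buf: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for every element inside buf[start:end]."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend

def find_subject_key_identifier(der: bytes):
    """Walk the certificate DER and return the SKI bytes, or None if absent.
    Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING };
    for this extension the extnValue wraps a second DER OCTET STRING holding the key id."""
    def walk(start, end):
        elems = list(_children(der, start, end))
        for i, (tag, vs, ve) in enumerate(elems):
            if tag == 0x06 and der[vs:ve] == OID_SUBJECT_KEY_IDENTIFIER:
                for ntag, nvs, nve in elems[i + 1:]:
                    if ntag == 0x04:  # extnValue
                        inner_tag, ivs, ive = _read_tlv(der, nvs)
                        if inner_tag == 0x04 and ive <= nve:
                            return der[ivs:ive]
            if tag & 0x20:  # constructed (SEQUENCE, SET, [n] EXPLICIT): descend
                found = walk(vs, ve)
                if found is not None:
                    return found
        return None
    return walk(0, len(der))

def ski_hex(pem: str) -> str:
    """The SKI as the upper-case hex string OpenSSL prints (what the OP pasted into the module)."""
    ski = find_subject_key_identifier(pem_to_der(pem))
    return ski.hex().upper() if ski else ""

def tlscert_auth_command(hex_ski: str):
    """Build the AT+S.TLSCERT=auth,<len> header plus the raw payload, per the accepted answer:
    the length is the number of payload bytes, 20 for the decoded SKI rather than 40 for the hex text."""
    payload = bytes.fromhex(hex_ski)  # same result as 'certutil -decodehex ski.txt ski.bin'
    return f"AT+S.TLSCERT=auth,{len(payload)}", payload

def c_array_initializer(ski: bytes, name: str = "client_domain") -> str:
    """Render the SKI as the zero-terminated C array used in Elio's snippet above."""
    items = ", ".join(f"0x{b:02x}" for b in ski) + ", 0"
    return f"uint8_t {name}[{len(ski) + 1}] = {{{items}}};"

if __name__ == "__main__":
    extracted = ski_hex(CA_CERT_PEM)
    print("SKI from certificate:", extracted, "matches OpenSSL:", extracted == SKI_HEX_FROM_POST)
    header, payload = tlscert_auth_command(extracted)
    print(header, payload.hex(), "\n" + c_array_initializer(payload))
```

Running it confirms that the 40-character string the OP sent with `AT+S.TLSCERT=Auth,40` is the hex spelling of the 20 bytes this script recovers from the certificate's own extension, which is why the module reported `-S.No SubjectKeyId` on the PEM load and then failed verification: it never held a key id that matched the CA.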