cancel
Showing results for 
Search instead for 
Did you mean: 

SPWF01xx more info on TLS handling?

mikael239955_st
Associate II
Posted on October 28, 2016 at 01:38

Hello

I'm evaluating the SPWF01SA for an industrial application especially with regard to its TLS capabilities.

Unfortunately my knowledge of TLS especially in an embedded setting is limited, and AN4683 neglects to mention how the SPWF01xx module handles a few key aspects of TLS which I think are important to understand. Specifically,

Is there any check for revoked certificates?

AN4683 mentions the server certificate is verified, but how are certificate chains processed? My understanding is that every certificate in the chain should be verified. Does the SPWF01xx do this when provided the top-most root CA certificate, but is connecting to a server several certificates down the chain?

Are there any other drawbacks or considerations worth noting?

Regards,

m
1 REPLY 1
Posted on October 31, 2016 at 09:55

Hi Mikael,

about revoked certificates: ''Each party is responsible for verifying that the other’s certificate is valid and has not expired or been revoked. In case of one-way or mutual authentication, because certificate validation requires that root CA keys are distributed independently, it is assumed that the remote end already possess root CA certificate to accomplish the validation.''

About chains, yes, SPWF01Sx have this capability.

''Usually the certificate validation isn’t made by just one CA, but instead by a certificate chain. The chain, or path, begins with the certificate of that entity, and each certificate in the chain is signed by the entity identified by the next certificate in the chain. The chain terminates with a root CA certificate. The root CA certificate is always signed by itself, it has to be considered as a trusted CA and has to be available in the application (e.g. TLS client, web browser). The signatures of all certificates in the chain have to be verified until the root CA certificate is reached. [...] In some cases it would be easier and less expensive using self-signed certificates, for example for testing purposes or when the parties know and trust each other. A self-signed certificate is a certificate that is signed by the same entity whose identity it certifies, i.e. there is no need to an external CA.''

Regards

jerry