Unable to initiate TLS Connection using SPWF01SA.11 with FW V3.4

mhemetsberger9
Associate II
Posted on August 10, 2015 at 10:55

Dear Community,

I have generated RSA signed certificates using OpenSSL as described in application note AN4683.

I also started a server using openssl command and the generated certificates as described on page 20 of AN4683.

Then I used:

AT+S.TLSCERT2=clean,all

-> response of WiFi module: OK

AT+S.SETTIME=<seconds>

-> response of WiFi module: OK

AT+S.TLSCERT=f_ca,<size><CR><data>

-> response of WiFi module: OK

AT+S.TLSDOMAIN=f_domain,<server domain>

-> response of WiFi module: OK

AT+S.SOCKON=<host-ip>,<port>,s,ind

-> response of WiFi module: ERROR: Unable to load CA certificate

Does anybody know what I am doing wrong? Thanks for your help, regards Michael!

#tls-spwf01sa.11
Posted on August 10, 2015 at 12:12

Hi Michael,

that error means that loaded certificate is not valid for the module. I don't know why.

Just to be sure: is it in PEM format? X509 includes a lot of formats, but only PEM can be used here.

Regards

jerry

mhemetsberger9
Associate II
Posted on August 10, 2015 at 12:40

Hi Jerry,

of course I generated a certificate in PEM format.

openssl genpkey -out ca_key.pem -outform PEM -algorithm rsa ....

openssl req -new -key ca_key.pem .... -out ca_cert.pem -x509

This is the certificate I tried to use:

-----BEGIN CERTIFICATE-----
MIIDojCCAoqgAwIBAgICBFcwDQYJKoZIhvcNAQELBQAwazELMAkGA1UEBhMCQVQx
FDASBgNVBAgMC1VwZXJhdXN0cmlhMRUwEwYDVQQHDAxWb2Vja2xhYnJ1Y2sxDTAL
BgNVBAoMBEFHUlAxDDAKBgNVBAsMA1ImRDESMBAGA1UEAwwJQ0EgZG9tYWluMB4X
DTE1MDcyMzA1MzAxNFoXDTMzMDUwOTA1MzAxNFowazELMAkGA1UEBhMCQVQxFDAS
BgNVBAgMC1VwZXJhdXN0cmlhMRUwEwYDVQQHDAxWb2Vja2xhYnJ1Y2sxDTALBgNV
BAoMBEFHUlAxDDAKBgNVBAsMA1ImRDESMBAGA1UEAwwJQ0EgZG9tYWluMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2MFrEFGtuUQmVxbObXFR+AJmTNLb
Crpoug+KX4RLBFKD4+ellgxt7mtXqBm3GfrCX1DjJME7i1zRLzCwm5UVzt93mSiO
nzXQevih9vGGzRjBdui21gRQcbOAQgY5z0LRMddQfkcB82Vy0Pn9TYod/KbKMknV
fsBazRsPgLh7xbSXEsGkiRVz7MW0eSNuW/la68l5aPeU5/d9XPc1QUUGmt2WB339
+SWNZoKADV4oUUgK3eP0M3krn/GeeAN3gOvF7txC7Dz9FGV5TsqayBaMTWgKrZ0O
Os8JOeq3ADbrKb2n4WpfmgkydfH+KeWc7XSor6phDAzyRboDHoRvui5nnQIDAQAB
o1AwTjAdBgNVHQ4EFgQURA1sqpIbGtyE+bN6fjYQpmD7lB4wHwYDVR0jBBgwFoAU
RA1sqpIbGtyE+bN6fjYQpmD7lB4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsF
AAOCAQEACk+bPLmr/iris1Q3bcdHY9HrCiyFxHhMWddWL2gLe/jy0pzuaL9gky3Y
ZzbtlznTAxXBNuDtHQ9a9LX5hcYJfGf49jUPYscXwcELb/kLj3K8LTo5KuqASUgz
CDgC5C3bH01cCBna5fPH1pT1EU9R0v2SGqiTuOPSDDNgu4DRbNpnIRzlNjCXHHJb
39pqSrCVEVM89XwN54U4bHLnaiSq6mjkhPYxh0nX0m62XR+c2gSY0d8MjSf1ubo3
MwzQtBQJgXUF3Ovq6NmkU+97wIQNyxASGPMTO9qGgzwQvaMzSxz6uqw8/MhEBxcz
Q+kyrfSZyHvBJ6jZ8RYNbj+wcG7AJw==
-----END CERTIFICATE-----

Regards, Michael

Posted on August 10, 2015 at 13:56

A couple of checks:

- Is the anonymous negotiation (no certificates) working?

- power off the module (reset is not enough). This way date/time are reset.

- run settime command (with parameter, seconds since 1970)

- run settime command (without parameters). Is Date/Time ok?

- load certificates. From previous customer's issues: be sure about <CR>/<LF> bytes. If they are part of the payload, certificate becomes wrong.

- run TLSCERT command using ''f_content,0'' as parameters. Are certificates (and domain name) correctly loaded?

- if anonymous negotiation is ok, try one-way authentication: I see ''The maximum allowed size for files uploaded to module is approximately 1.3 KB'' warning into AN4683. If error is still there, can you give a try with a smaller certificate?

- in case of mutual authentication, max overall size is 3Kb. If issue is still there, I can send you the linux-based script I use for certificates generation.

j

mhemetsberger9
Associate II
Posted on August 11, 2015 at 08:18

Dear Jerry,

- date/time is OK

- anonymous negotiation works

- one way authentication doesn't work

- mutual authentication doesn't work

I have generated a new set of (RSA signed) certificates and keys as described on page 28 in AN4683. The size of the CA certificate is less than 1 kB. But the module still reports ''Unable to load CA certificate''.

When running the command AT+S.TLSCERT=f_content,0 the module replies with the following message:

# TLS loaded CERTs:<\r><\n>

#  CA Cert: YES<\r><\n>

#  Client Cert: NO<\r><\n>

#  Client Key: NO<\r><\n>

#  Domain Name: YES - CA domain<\r><\n>

<\r><\n>

OK<\r><\n>

I have tested the certificates and keys by using openssl s_server and s_client and the mutual authentication works fine...

Thanks for your help, regards Michael
Posted on August 11, 2015 at 10:15

Hi Mic,

unfortunately I'm on vacation and, so, far from the office. I cannot perform tests.

I hope someone other can share his experience with TLS over SPWF01S.

I read OpenSSL-1.0.1i in the application note. Is it the same one you are using?

Sorry for this tricky setup...

jerry

Nickname3786_O
Associate II
Posted on August 11, 2015 at 16:27

Hi Michael,

as a double check, do you have any possibility to generate your CA_cert using the attached script? The script automatically creates a folder with the CA_cert (the script has to be executed on the SSL/TLS server machine, and then you can upload the content of rootca_of_server.pem into the module with the related AT command).

In any case, you can use the script as a reference for RSA 1024-one way auth.

Regards,

Salvo

________________

Attachments :

RSA1024_oneway-auth.sh : https://st--c.eu10.content.force.com/sfc/dist/version/download/?oid=00Db0000000YtG6&ids=0680X000006I1CB&d=%2Fa%2F0X0000000bmj%2Fw9H1xvjg4iWS11q8oJHJpMIfv15YCS83SVQ0s9nkS7s&asPdf=false
mhemetsberger9
Associate II
Posted on August 13, 2015 at 10:10

Hi Salvo,

I have generated the new certs on my SSL/TLS server machine using the attached script. The size of the rootca_of_server.pem certificate is 908 bytes (I have removed any line breaks in the PEM file).

Then I used the terminal program HTERM for uploading the rootca_of_server.pem to the WiFi module as shown below:

AT+S.SETTIME=14394516689<\r>

AT+S.TLSCERT2=clean,all<\r>

AT+S.TLSCERT=f_ca,908<\r>

-----BEGIN CERTIFICATE-----MIIC.....1Qr4=-----END CERTIFICATE-----<\r>

AT+S.TLSDOMAIN=f_domain,server<\r>

Then I run the command AT+S.TLSCERT=f_content,0 and got the response:

# TLS loaded CERTs:<\r><\n>

#  CA Cert: YES<\r><\n>

#  Client Cert: NO<\r><\n>

#  Client Key: NO<\r><\n>

#  Domain Name: YES - server<\r><\n>

<\r><\n>

OK<\r><\n>

However when initiating a secure connection:

AT+S.SOCKON=192.168.1.92,4433,s,ind<\r>

the module reports:

ERROR: Unable to load CA certificate<\r><\n>

I don't know what I am doing wrong. Do I have to edit the certificate in any way?

Should I use another setup than HTERM to upload the certificate?

I have read (in the user manual) that the max. command length is 512 characters. The size of the certificate is 908 characters. Could that cause the problem?

Is there a chance to read the stored certificate (e.g. AT+S.FSP=ca<\r>)?

Thanks for any hint,

regards Michael
Nickname3786_O
Associate II
Posted on August 13, 2015 at 13:10

Hi Michael,

you do not have to modify the certificate. You only have to check the size (in Linux: sizes=`cat cert.pem | wc -c`) and send the AT command (AT+S.TLSCERT=ca,$sizes + cert content), waiting for the OK.

Did you already try a different terminal (such as Tera Term)? Which OpenSSL version are you using (openssl -v)?

Regards,

Salvo
mhemetsberger9
Associate II
Posted on August 13, 2015 at 14:30

Dear Salvo,

thanks for the hint with the unedited cert file. I thought that I had to remove all <\r> from the cert file because the <\r> character always terminates an AT command. Uploading the original cert file works fine.

Thank you very much for your support,

best regards Michael
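Jerry's checklist above (watch the <CR>/<LF> bytes, check the size) and Michael's resolution (send the file unedited) come down to one rule: <size> is the byte count of the file exactly as it goes over the serial line, line endings included, and the <CR> that terminates the AT line is separate from that payload. The Python below is an added example, not code from the thread, from AN4683 or from ST; it builds that byte stream and sanity-checks the PEM locally before anything is typed into a terminal. The AT+S.TLSCERT=<kind>,<size><CR><data> syntax is taken from the thread, the sample input is the certificate Michael posted, and the 1300-byte warning threshold is this example's reading of the ''approximately 1.3 KB'' figure quoted from AN4683, not a module constant. Nothing here opens a serial port.

```python
import base64
import re

BEGIN = b"-----BEGIN CERTIFICATE-----"
END = b"-----END CERTIFICATE-----"
# Warning threshold only. The thread quotes AN4683 as "approximately 1.3 KB" for one
# uploaded file; 1300 is this example's reading of that figure, not a module constant.
APPROX_UPLOAD_LIMIT = 1300

# Sample input: the CA certificate Michael pasted in the thread, re-joined with LF line
# endings. Only its PEM structure matters here; it is not a CA anyone should trust.
SAMPLE_PEM = b"\n".join([
    BEGIN,
    b"MIIDojCCAoqgAwIBAgICBFcwDQYJKoZIhvcNAQELBQAwazELMAkGA1UEBhMCQVQx",
    b"FDASBgNVBAgMC1VwZXJhdXN0cmlhMRUwEwYDVQQHDAxWb2Vja2xhYnJ1Y2sxDTAL",
    b"BgNVBAoMBEFHUlAxDDAKBgNVBAsMA1ImRDESMBAGA1UEAwwJQ0EgZG9tYWluMB4X",
    b"DTE1MDcyMzA1MzAxNFoXDTMzMDUwOTA1MzAxNFowazELMAkGA1UEBhMCQVQxFDAS",
    b"BgNVBAgMC1VwZXJhdXN0cmlhMRUwEwYDVQQHDAxWb2Vja2xhYnJ1Y2sxDTALBgNV",
    b"BAoMBEFHUlAxDDAKBgNVBAsMA1ImRDESMBAGA1UEAwwJQ0EgZG9tYWluMIIBIjAN",
    b"BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2MFrEFGtuUQmVxbObXFR+AJmTNLb",
    b"Crpoug+KX4RLBFKD4+ellgxt7mtXqBm3GfrCX1DjJME7i1zRLzCwm5UVzt93mSiO",
    b"nzXQevih9vGGzRjBdui21gRQcbOAQgY5z0LRMddQfkcB82Vy0Pn9TYod/KbKMknV",
    b"fsBazRsPgLh7xbSXEsGkiRVz7MW0eSNuW/la68l5aPeU5/d9XPc1QUUGmt2WB339",
    b"+SWNZoKADV4oUUgK3eP0M3krn/GeeAN3gOvF7txC7Dz9FGV5TsqayBaMTWgKrZ0O",
    b"Os8JOeq3ADbrKb2n4WpfmgkydfH+KeWc7XSor6phDAzyRboDHoRvui5nnQIDAQAB",
    b"o1AwTjAdBgNVHQ4EFgQURA1sqpIbGtyE+bN6fjYQpmD7lB4wHwYDVR0jBBgwFoAU",
    b"RA1sqpIbGtyE+bN6fjYQpmD7lB4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsF",
    b"AAOCAQEACk+bPLmr/iris1Q3bcdHY9HrCiyFxHhMWddWL2gLe/jy0pzuaL9gky3Y",
    b"ZzbtlznTAxXBNuDtHQ9a9LX5hcYJfGf49jUPYscXwcELb/kLj3K8LTo5KuqASUgz",
    b"CDgC5C3bH01cCBna5fPH1pT1EU9R0v2SGqiTuOPSDDNgu4DRbNpnIRzlNjCXHHJb",
    b"39pqSrCVEVM89XwN54U4bHLnaiSq6mjkhPYxh0nX0m62XR+c2gSY0d8MjSf1ubo3",
    b"MwzQtBQJgXUF3Ovq6NmkU+97wIQNyxASGPMTO9qGgzwQvaMzSxz6uqw8/MhEBxcz",
    b"Q+kyrfSZyHvBJ6jZ8RYNbj+wcG7AJw==",
    END,
]) + b"\n"


def der_length(der: bytes):
    """Decode the length field after the SEQUENCE tag; return (declared_length, header_bytes)."""
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return first, 2
    n = first & 0x7F                      # long form: n length bytes follow
    return int.from_bytes(der[2:2 + n], "big"), 2 + n


def parse_pem_certificate(pem: bytes) -> bytes:
    """Return the DER body of one PEM certificate, or raise ValueError.

    LF and CRLF files are both accepted. A file whose line breaks were deleted (as in
    Michael's second attempt) no longer has a BEGIN line of its own and is rejected.
    This is a local sanity check, not a model of what the module's own parser accepts.
    """
    lines = pem.splitlines()              # splits on \n and \r\n alike
    if not lines or lines[0] != BEGIN:
        raise ValueError("missing BEGIN line")
    if END not in lines:
        raise ValueError("missing END line")
    body = b"".join(lines[1:lines.index(END)])
    if not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("base64 body is empty or contains invalid characters")
    der = base64.b64decode(body, validate=True)
    if der[:1] != b"\x30":                # every X.509 certificate is a DER SEQUENCE
        raise ValueError("decoded body is not a DER SEQUENCE")
    declared, header = der_length(der)
    if header + declared != len(der):
        raise ValueError(f"DER declares {declared} bytes, body has {len(der) - header}")
    return der


def payload_size(pem: bytes) -> int:
    """<size> for AT+S.TLSCERT: the byte count of the file exactly as sent, line endings
    included (what `wc -c` on the file reports, as Salvo suggests)."""
    return len(pem)


def upload_warnings(pem: bytes) -> list:
    """Non-fatal observations worth reading before typing the command."""
    warnings = []
    if payload_size(pem) > APPROX_UPLOAD_LIMIT:
        warnings.append(f"{payload_size(pem)} bytes is above the ~1.3 KB figure quoted from AN4683")
    if b"\r\n" in pem:
        warnings.append("CRLF line endings are part of the payload and are counted in <size>")
    return warnings


def build_tlscert_command(pem: bytes, kind: str = "f_ca") -> bytes:
    """Exact bytes to write to the module: the AT line ends with <CR>, then the unmodified
    PEM file follows as raw data. Only 'f_ca' appears in the thread; other kinds are passed
    through unchecked."""
    parse_pem_certificate(pem)            # fail here, not with "Unable to load CA certificate"
    return f"AT+S.TLSCERT={kind},{payload_size(pem)}\r".encode("ascii") + pem


if __name__ == "__main__":
    print(build_tlscert_command(SAMPLE_PEM)[:48])
    for w in upload_warnings(SAMPLE_PEM):
        print("warning:", w)
```

Two properties of the sample are worth noticing: converting the same file to CRLF changes <size> (every line gains a byte) but not the certificate it decodes to, and flattening the file onto one line, as in Michael's 908-byte attempt, makes it stop parsing as PEM at all.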