SPWF04 - TLS anonymous negotiation

Maciejowski.Seth
Associate II

On the SPWF01 module TLS anonymous negotiation was possible (i.e. no client copy of the server certificate required). Is this possible on the SPWF04? The documentation alludes to anonymous negotiation in AN4963 Section 1.1 - TLS sub Protocols on page 8, but I can't seem to find any way to make this happen without putting a root CA certificate on the client. Any help would be much appreciated as it would save me a lot of time to create a CA cert and load it onto each client module.

Thanks....

Elio Cometti
Senior II

Dear,

SPWF04 supports One-way and mutual authentication modes.

Indeed, anonymous authentication is not supported.

Regards,

Elio

Maciejowski.Seth
Associate II

Hello Elio,

Can you point me in the direction of how to handle one-way authentication? I have a root CA in PEM format saved in the SPWF04 memory with the file name set to <subject key identifier>.ca. Do I need additional files in the flash memory such as key files, and what TLSCERT commands do I need to call, or do I not need to call any?

Thanks,

-Seth

Elio Cometti
Senior II

Hello Seth,

for one-way authentication, if the SPWF04 acts as client then saving the root CA in the SPWF04 filesystem is enough. Please note that you have to remove all certificates and keys from flash (AT+S.TLSCERT=content,2) in order to allow usage of certificates from the filesystem. There is no need to call other TLSCERT commands.

Regards,

Elio

Maciejowski.Seth
Associate II

Elio,

Thanks!

-Seth

Maciejowski.Seth
Associate II

Elio,

I have the CA cert in DER format (converted from PEM using openssl tools) loaded onto the module with <subject key identifier>.ca as the file name. The device is connected to a wifi AP and I do a SOCKON command on port 443. I get a "Certificate Error:23" back. What am I doing wrong?

Thanks,

-Seth

Maciejowski.Seth
Associate II

Elio,

It may be a cert issue.... Not sure yet. I do not have access to the CA certs for the server I am attempting to communicate with so I think I may have a malformed cert.

Thanks,

-Seth

Elio Cometti
Senior II

Hello,

looks like either the CA certificate could not be found or the .ca file is incorrect.

Please:

  • be sure the .ca filename is lowercase. If it still doesn't work, please share the result of AT+S.GCFG and AT+S.STS. Please also share the CA certificate.
  • as a cross-check, try "openssl s_client -CAfile <subject key identifier>.ca -connect <server IP>:443" from a computer connected to the server. If the connection succeeds then the certificate should be ok.

The SPWF04S also performs a time validity check, so please be sure the SPWF04 time is properly set.

Regards,

Elio

Elio Cometti
Senior II

Seth,

if you can access the server from your PC then you may try to download the CA certificate with a browser.

Please see Appendix B for an example.

Elio

Maciejowski.Seth
Associate II

Elio,

I can access the server from my PC, which is using a self-signed cert. I inspect the cert per the instructions, but there is no <subject key identifier> field, ergo I cannot name the file using that id since I don't have it. The cert format is .cer. Perhaps there is some openssl command I can call to extract the subject key identifier...

Seth.
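Putting together the thread's file-naming rule, Elio's openssl cross-check and Seth's last question, here is an added example in POSIX sh (not ST's code and not posted by anyone in this thread): it reads the Subject Key Identifier out of a PEM or DER certificate with openssl, writes the lowercase <ski>.ca file, and verifies a server against the CA from a PC. It assumes openssl 1.1.1 or newer is on PATH; the function names are my own.

```shell
#!/bin/sh
# Added example (not ST's code): derive the SPWF04 "<subject key identifier>.ca"
# file name from a CA certificate and run the openssl cross-checks suggested in
# this thread. Assumes openssl (1.1.1 or newer) is on PATH.

# Report "PEM" or "DER": a PEM file carries the "-----BEGIN" marker.
cert_form() {
    if grep -q -- '-----BEGIN' "$1" 2>/dev/null; then echo PEM; else echo DER; fi
}

# Print the Subject Key Identifier as lowercase hex without colons (the module
# wants a lowercase file name). Returns 1 when the certificate has no SKI
# extension, the situation Seth hit with the self-signed .cer.
cert_ski() {
    # "openssl x509 -text" prints the SKI header, then the hex bytes on the next line.
    ski=$(openssl x509 -in "$1" -inform "$(cert_form "$1")" -noout -text 2>/dev/null \
        | awk '/X509v3 Subject Key Identifier/ { getline; print; exit }' \
        | tr -d ' \t:' | tr 'A-F' 'a-f')
    [ -n "$ski" ] || return 1
    printf '%s\n' "$ski"
}

# Write the certificate as DER to "$2/<ski>.ca" (DER is what Seth loaded; the
# thread does not settle whether PEM is accepted too) and print that path.
make_ca_file() {
    if ! ski=$(cert_ski "$1"); then
        echo "$1: no Subject Key Identifier; reissue the CA with" \
             "'subjectKeyIdentifier=hash' among its x509 extensions" >&2
        return 1
    fi
    out="$2/$ski.ca"
    openssl x509 -in "$1" -inform "$(cert_form "$1")" -outform DER -out "$out" 2>/dev/null || return 1
    printf '%s\n' "$out"
}

# Elio's cross-check from a PC: verify the server's chain against the CA file
# and show its validity window (the SPWF04 also checks dates against its clock).
check_server() {
    cafile="$1"; host="$2"; port="${3:-443}"
    pem=$(mktemp)
    # s_client's -CAfile expects PEM, so convert whatever format we were given.
    openssl x509 -in "$cafile" -inform "$(cert_form "$cafile")" -out "$pem" 2>/dev/null || return 1
    openssl x509 -in "$pem" -noout -dates
    if openssl s_client -CAfile "$pem" -connect "$host:$port" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'; then rc=0; else rc=1; fi
    rm -f "$pem"
    return $rc
}
```

Typical use is `make_ca_file ca.pem ./out` to get the file to copy to the module, then `check_server ca.pem <server IP>` from the PC before blaming the module.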