Problems with TLS example in SPWF04SA

Question asked by Antonio Roman on Aug 31, 2017
Latest reply on Oct 30, 2017 by Gerardo Gallucci

I am using the example certificates provided by ST (en.STSW-TLSpack.zip), specifically Example 2 for encrypted communications in One Way mode.

I am using the "Client_Socket" example of the SDK "STM32CubeExpansion_WIFI1_V3.0.2" in a NUCLEO-F401RE and the WIFI module SPWF04SA (X-NUCLEO-IDW04A1).

Using OpenSSL I have obtained the Subject Key Identifier of the file "ca_cert.pem", which is "3EF1747FD79122144BCADF4F95DF960A32823B4C", and I have placed the certificate in a char array in the SDK sample code.

For server testing I am using a Raspberry Pi and OpenSSL. I have placed all the necessary files together in a directory and started the server with the following command line:

openssl s_server -cert server_cert.pem -key server_key.pem -tls1_2 -www -accept 4443

I start the NUCLEO-F401RE board with the X-NUCLEO-IDW04A1 shield, configured in USART mode, and I get the following:

-> OpenSSL Server on Raspberry Pi at 172.26.3.83:
Using default temp DH parameters
ACCEPT
1995769248:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1399:SSL alert number 42
ACCEPT

-> Terminal log output from NUCLEO board:
>>model number is SPWF04SA
>>Setting CA certificate
>>UART TX buffer: AT+S.TLSCERT=content,2
+S.TLSCERT=content,2
-S.Clean
-S.OK
<<OK
>>UART TX buffer: AT+S.TIME=1504170338
+S.TIME=1504170338
-S.OK
<<OK

>>UART TX buffer: AT+S.TIME
+S.TIME
-S.Date:17.08.31:00
-S.Time:09.05.38
-S.OK
<<OK

>>UART TX buffer: AT+S.TLSCERT=Ca,1425
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

+S.TLSCERT=Ca,1425
-S.No SubjectKeyId
-S.OK
<<OK

>>UART TX buffer: AT+S.TLSCERT=Auth,40
3EF1747FD79122144BCADF4F95DF960A32823B4C
+S.TLSCERT=Auth,40
-S.OK
<<OK

>>UART TX buffer: AT+S.TLSCERT=content,1
+S.TLSCERT=content,1
-S.List
-S.CA:1
-S.Cert:0
-S.Key:0
-S.Id:1
-S.OK
<<OK

>>TLS set certificate OK
>>UART TX buffer: AT+S.SOCKON=172.26.7.83,4443,NULL,s
+S.SOCKON=172.26.7.83,4443,NULL,s
AT-S.Certificate Error:3
-S.ERROR:74:Failed to open socket
ERROR!
Status = 13
>>Socket connection error

According to the error table for SSL/TLS (http://help.fortinet.com/fweb/551/log/Content/FortiWeb/fortiweb-log/SSL_TLS_error_messages.htm) the error is as follows:

X509 Error 3 - Unable to get certificate CRL
Unable to get certificate CRL. The CRL of a certificate could not be found. Unused.

I have followed all steps described in documents AN4963, UM2114, AN4683 and STSW-TLSpack.
What am I doing wrong?
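One thing worth checking independently of the module: the log answers "-S.No SubjectKeyId" when ca_cert.pem is loaded, while the value passed to AT+S.TLSCERT=Auth was obtained with OpenSSL. The following is an added example, not code from the post or from ST: a stdlib-only Python DER walker that reports whether a certificate actually carries the subjectKeyIdentifier extension (OID 2.5.29.14) and returns its value in the 40-hex-character form the Auth command expects. It assumes a well-formed DER certificate; the embedded sample is a constructed skeleton (serial number plus extensions only), not a real CA certificate.

```python
import base64
import re

SKI_OID = bytes.fromhex("551d0e")   # OBJECT IDENTIFIER 2.5.29.14, subjectKeyIdentifier

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour (as printed in the AT+S.TLSCERT=Ca log) and decode it."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value: bytes):
    """Iterate the TLVs directly contained in a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def subject_key_identifier(der: bytes):
    """Return the SKI as 40 uppercase hex chars (the AT+S.TLSCERT=Auth form), or None."""
    _, cert, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    for tag, val in children(tbs):
        if tag != 0xA3:                    # extensions are [3] EXPLICIT
            continue
        _, ext_list, _ = read_tlv(val, 0)  # SEQUENCE OF Extension
        for _, ext in children(ext_list):
            fields = list(children(ext))   # extnID, [critical], extnValue
            if fields[0][1] == SKI_OID:
                _, key_id, _ = read_tlv(fields[-1][1], 0)   # KeyIdentifier ::= OCTET STRING
                return key_id.hex().upper()
    return None

def tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample below."""
    return bytes([tag, len(content)]) + content       # short-form lengths suffice here

# Constructed sample: a certificate skeleton (serial + extensions only), NOT a real CA.
KEY_ID = bytes.fromhex("3EF1747FD79122144BCADF4F95DF960A32823B4C")   # value from the post
SKI_EXT = tlv(0x30, tlv(0x06, SKI_OID) + tlv(0x04, tlv(0x04, KEY_ID)))
CERT_WITH_SKI = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, SKI_EXT))))
CERT_WITHOUT_SKI = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01")))
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(CERT_WITH_SKI).decode()
```

Run subject_key_identifier(pem_to_der(open("ca_cert.pem").read())) on the real file: a None result means the CA has no SKI extension, and a non-None result should equal, byte for byte, the string sent with AT+S.TLSCERT=Auth,40.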