4

This topic seems to pop up everywhere but, without a conclusion as to how to get MQTT-TLS for CC3200 running. So, here goes one more.

Goal

Connect TI CC3200 board to AWS IoT broker via TLS.

Steps

Get certificates

To get the keys and certificates for TLS with AWS IoT, I used AWS CLI as shown here:

aws iot create-keys-and-certificate --set-as-active --certificate-pem-outfile cert.crt --private-key-outfile private.key --public-key-outfile public.key --region us-east-1

The root CA is downloaded as so:

wget https://www.symantec.com/content/en/us/enterprise/verisign/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem -O rootCA.pem

Change format

Based on the TI wiki, the board requires these files to be in DER format. Therefore, I used openssl on an AWS EC2 instance to convert the certificates as shown below. This link was helpful to arrive at the commands.

openssl rsa -inform pem -in private.key -outform der -out private.der
openssl x509 -in cert.crt -outform der -out cert.der
openssl x509 -in rootCA.pem -outform der -out rootCA.der

Flash the certificates

The .der files need to renamed as <someId>.der where <someId> will be provided as input to a structure. See here for the discussion. Thus, the following renaming was done:

  • private.der to 126.der
  • cert.der to 127.der
  • rootCA.der to 128.der

All of the .der files were flashed at /cert/ location on the board.

MQTT TLS

In the Paho Embedded-C project, source code is available for the TI CC3200 module. This module will be used to make a TLS connection with this method int TLSConnectNetwork(Network *n, char* addr, int port, SlSockSecureFiles_t* certificates, unsigned char sec_method, unsigned int cipher, char server_verify) where, SlSockSecureFiles_t is the argument of interest for TLS. This argument is defined in socket.h from TI as an array of _u8. (I could see this locally in the zipped file of documentation.)

typedef struct sock_secureFiles
 {
     _u8                     secureFiles[4];
 } SlSockSecureFiles_t;

The array is created as shown below.

SlSockSecureFiles_t secure_file;
secure_file.secureFiles[0] = 126;
secure_file.secureFiles[1] = 127;
secure_file.secureFiles[2] = 128;
secure_file.secureFiles[3] = 0;

The numbers are the ID of the files under /cert folder.

Other arguments for TLSNetworkConnect() are set as follows:

  • SL_SO_SEC_METHOD_TLSV1_2 for security method for TLS v1.2.
  • SL_SEC_MASK_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA for cipher suite.
  • 0 for server_verify

Results

The TLS connection does not happen.

Error

The connection to broker keeps failing with error code for Bad CA file.

SSL session

I tried an openssl session with the .der files and connection seems to go through fine.

openssl s_client -connect xxxx.iot.us-east-1.amazonaws.com:8883 -CAfile rootCA.pem -key private.der -keyform der -cert cert.der -certform DER
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = "Amazon.com, Inc.", CN = *.iot.us-east-1.amazonaws.com
verify return:1
140493918627480:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:s3_pkt.c:1487:SSL alert number 42
140493918627480:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.us-east-1.amazonaws.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGGjCCBQKgAwIBAgIQLnQIWjfERfw1k/3WWKINNTANBgkqhkiG9w0BAQsFADB+
.......
05vnq6DeWRLXoQYZoJm9ysbfVsRx9QB3YRy0C79Cie5bvmO7ib2sQ0OdfB42eg+v
I9KM/MH7QgMiCeHVBnoxdysrLBF9cyGt3MJHwzVi
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.us-east-1.amazonaws.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3387 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5B23B08B6883D21....62AD324D2DD
    Session-ID-ctx: 
    Master-Key: F5EBEA2F775C5E6....A79E48373756C75207B0D
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1529065611
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
cogitoergosum
  • 1,091
  • 7
  • 18

0 Answers0