Visitor II
September 11, 2018
Question

SPWF04 - TLS anonymous negotiation

  • September 11, 2018
  • 14 replies
  • 2361 views

On the SPWF01 module TLS anonymous negotiation was possible (i.e. no client copy of the server certificate required). Is this possible on the SPWF04? The documentation alludes to anonymous negotiation in AN4963 Section 1.1 - TLS sub Protocols on page 8, but I can't seem to find any way to make this happen without putting a root ca certificate on the client. Any help would be much appreciated as it would save me a lot of time to create a ca cert and load onto each client module.

Thanks....

    This topic has been closed for replies.

    14 replies

    Visitor II
    September 11, 2018

    Dear,

    SPWF04 supports One-way and mutual authentication modes.

    Indeed, anonymous authentication is not supported.

    Regards,

    Elio

    Visitor II
    September 13, 2018

    Hello Elio,

    Can you point me in the direction of how to handle one-way authentication? I have a root ca in pem format saved in the SPWF04 memory with the file name set to <subject key identifier>.ca. Do I need additional files in the flash memory such as key files and what TLSCERT commands do I need to call or do I not need to call any?

    Thanks,

    -Seth

    Visitor II
    September 13, 2018

    Hello Seth,

    for one-way authentication, if SPWF04 acts as client then saving the root ca in the SPWF04 filesystem is enough. Please note that you have to remove all certificates and keys from flash (AT+S.TLSCERT=content,2) in order to allow usage of certificates from the filesystem. There is no need to call other TLSCERT commands.

    Regards,

    Elio

    Visitor II
    September 13, 2018

    Elio,

    Thanks!

    -Seth

    Visitor II
    September 13, 2018

    Elio,

    I have the cacert in der format (converted from PEM using openssl tools) loaded onto the module with <subject key identifier>.ca as the file name. The device is connected to a wifi AP and I do a SOCKON command on port 443. I get a "Certificate Error:23" back. What am I doing wrong?

    Thanks,

    -Seth

    Visitor II
    September 13, 2018

    Elio,

    It may be a cert issue.... Not sure yet. I do not have access to the CA certs for the server I am attempting to communicate with so I think I may have a malformed cert.

    Thanks,

    -Seth

    Visitor II
    September 13, 2018

    Hello,

    looks like either the CA certificate could not be found or the .ca file is incorrect.

    Please:

    • be sure the .ca filename is lowercase. If it still doesn't work, please share the result of AT+S.GCFG and AT+S.STS. Please also share the ca certificate.
    • as cross check, try "openssl s_client -CAfile <subject key identifier>.ca -connect <server IP>:443" from a computer connected to the server. If the connection succeeds then the certificate should be ok.

    The SPWF04S also performs a time validity check, so please be sure the SPWF04 time is properly set.

    Regards,

    Elio

    Visitor II
    September 13, 2018

    Seth,

    if you can access the server from your PC then you may try to download the CA certificate with a browser.

    Please see Appendix B for an example.

    Elio

    Visitor II
    September 13, 2018

    Elio,

    I can access the server from my PC which is using a self signed cert. I inspect the cert per the instructions, but there is no <subject key identifier> field ergo I cannot name the file using that id since I don't have it. The cert format is .cer. Perhaps there is some openssl command I can call to extract the subject key identifier...

    Seth.
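Seth's question about extracting the subject key identifier, as an added example that is not part of the thread: the identifier is the value of X.509 extension 2.5.29.14, and this Python walker finds it directly in a DER file, returning None for a certificate that, like the self-signed one described above, carries no such extension. It assumes the module expects the value as lowercase hex with no colons (check AN4963 for the exact rule); the sample certificate skeletons are constructed, not real certificates.

```python
# Added example (not from the thread): a minimal DER walker that locates the
# Subject Key Identifier (OID 2.5.29.14) in a DER X.509 certificate and derives
# the "<subject key identifier>.ca" name. Assumed: lowercase hex, no colons
# (check AN4963); the sample certificates below are constructed, not real.
SKI_OID = b"\x55\x1d\x0e"  # DER contents of OID 2.5.29.14 (subjectKeyIdentifier)

def der_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """List (tag, value_start, value_end) for every TLV in buf[start:end]."""
    out, pos = [], start
    while pos < end:
        out.append(der_tlv(buf, pos))
        pos = out[-1][2]
    return out

def find_ski(buf, start=0, end=None):
    """Return the keyIdentifier bytes, or None when the extension is absent."""
    for tag, vs, ve in children(buf, start, len(buf) if end is None else end):
        if not tag & 0x20:  # primitive element (INTEGER, OID, ...): skip it
            continue
        kids = children(buf, vs, ve)
        # Extension ::= SEQUENCE { extnID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        if tag == 0x30 and kids and kids[0][0] == 0x06 \
                and buf[kids[0][1]:kids[0][2]] == SKI_OID and kids[-1][0] == 0x04:
            inner, ivs, ive = der_tlv(buf, kids[-1][1])  # extnValue wraps an OCTET STRING
            if inner == 0x04:
                return buf[ivs:ive]
        found = find_ski(buf, vs, ve)  # descend: tbsCertificate, [3] extensions, ...
        if found is not None:
            return found
    return None

def ca_filename(der_cert):
    """SPWF04 file name for a root CA, or None when the cert carries no SKI."""
    ski = find_ski(der_cert)
    return None if ski is None else ski.hex() + ".ca"

# Constructed skeleton: Certificate { tbsCertificate { [3] Extensions { SKI ext } } }
SAMPLE_KEY_ID = bytes(range(0x10, 0x24))  # 20 constructed bytes, 0x10..0x23
SKI_EXT = b"\x30\x1d\x06\x03\x55\x1d\x0e\x04\x16\x04\x14" + SAMPLE_KEY_ID
SAMPLE_CERT = b"\x30\x25\x30\x23\xa3\x21\x30\x1f" + SKI_EXT
SAMPLE_CERT_NO_SKI = b"\x30\x06\x30\x04\xa3\x02\x30\x00"  # no extensions at all
```

For a real file, `ca_filename(open("root.der", "rb").read())` gives the name; with OpenSSL 1.1.1 or later, `openssl x509 -in root.der -inform DER -noout -ext subjectKeyIdentifier` prints the same value (colon-separated, uppercase) for comparison.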

    Visitor II
    September 13, 2018

    Elio,

    I tried to do an httpget on https://www.google.com. I inspected google's cert on my browser, downloaded the cert (as der format), copied to spwf04 and renamed to subject identifier key.ca. I then did:

    AT+S.HTTPGET=www.google.com,,443,1,,,,

    and the response was:

    AT-S.Certificate Error:23

    AT-S.Http Client Error:2

    AT-S.ERROR:111:

    Any further suggestions?

    Thanks for your help...

    Seth