SWRU455A – February 2017 – Revised March 2017
Copyright © 2017, Texas Instruments Incorporated
Secure Socket
• Use STARTTLS to upgrade a regular, already connected TCP socket to a secured one (used mainly for SMTP on port 587), according to the following flow:
1. sl_Socket(SL_AF_INET, SL_SOCK_STREAM, 0) – opens a regular TCP socket.
2. Use sl_Accept (in server mode) or sl_Connect (in client mode) to establish the connection.
3. Optionally transfer unsecured data using sl_Send and sl_Recv.
4. Upgrade the socket to TLS by calling sl_SetSockOpt with the SL_SO_STARTTLS option.
Once the secured connection is established, sl_Recv and sl_Send transfer data between the peers exactly as on an unsecured TCP socket.
NOTE: Some dedicated SSL configurations (performed by calling sl_SetSockOpt) must be applied after opening the socket and before sl_Connect in client mode or sl_Listen in server mode, as described in
7.4 Trusted Root-Certificate Catalog
The trusted root-certificate catalog is a file, provided by TI, containing the list of root CAs known to and trusted by TI. The certificate store holds the common trusted root CAs in the market, such as VeriSign, GoDaddy, GeoTrust, and so forth.
The trusted root-certificate catalog also holds a list of revoked certificates known to TI. The trusted root-certificate catalog is used only in client mode. Servers use a proprietary root CA to authenticate clients, and therefore cannot use the certificate store. The trusted root-certificate catalog gives the user confidence that the CA is trusted and known. When the root CA does not exist in the catalog, the sl_Connect command returns the error SL_ERROR_BSD_ESECUNKNOWNROOTCA, which means the connection was established, but the root CA used to verify the server's chain of trust is unknown. When a revoked certificate is received during the SSL connection (the whole certificate chain is checked), or if the root CA set by the user is revoked, the handshake fails and the sl_Connect command returns the error SL_ERROR_BSD_ESECCERTIFICATEREVOKED.
7.5 Options and Features Use
Options are used to enable or disable features, or to apply configuration to the SSL socket. To change the options, use the BSD-style sl_SetSockOpt with the dedicated option values.
If no options are set, the following defaults take effect:
• All SSL versions are enabled (the handshake starts with the highest, TLS 1.2, but the server may pick a lower version).
• All cipher suites are enabled.
• Files required for the SSL connection (in server mode, some of these files are mandatory to complete the handshake) remain blank.
• The trusted root-certificate catalog is used by default.
The socket settings (specified in ) must be applied before the sl_Connect or sl_Listen commands to take effect. In server mode, these settings are inherited by the child socket and cannot be applied directly to the child socket.
NOTE: Setting the server certificate and private key is mandatory when opening an SSL server.
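The ordering rules above (SSL options only between sl_Socket and sl_Connect/sl_Listen, STARTTLS only on a connected socket, certificate and key mandatory before sl_Listen, no options on an inherited child socket) and the SL_ERROR_BSD_ESECUNKNOWNROOTCA result from Section 7.4 are easy to get wrong silently. The following host-side guard is an added example, not TI's code or part of the SimpleLink driver: it models the socket lifecycle and rejects calls made in the wrong state, and it fails closed when the driver reports an unknown root CA. All ss_* names and numeric codes are hypothetical stand-ins for the SL_* equivalents, whose values are not given on this page.

```c
#include <stdbool.h>

/* Socket lifecycle states as the page describes them. */
enum ss_state { SS_OPEN, SS_CONNECTED, SS_LISTENING, SS_CHILD, SS_SECURED, SS_CLOSED };
/* Hypothetical option ids and return codes (numeric SL_* values are not on the page). */
enum ss_opt { SSO_SEC_METHOD, SSO_SERVER_CERT, SSO_PRIVATE_KEY, SSO_STARTTLS };
enum ss_err { SS_OK = 0, SS_EBADORDER = -1, SS_ECHILD = -2, SS_ENOCREDS = -3,
              SS_EUNKNOWNROOTCA = -4 /* stands in for SL_ERROR_BSD_ESECUNKNOWNROOTCA */ };

struct ss_sock { enum ss_state state; bool has_cert, has_key; };

/* Guards sl_SetSockOpt: SSL options count only between sl_Socket and
 * sl_Connect/sl_Listen; a child socket inherits them and cannot be reconfigured;
 * STARTTLS is the one option that applies to an already connected socket. */
int ss_set_opt(struct ss_sock *s, enum ss_opt opt)
{
    if (opt == SSO_STARTTLS) {
        if (s->state != SS_CONNECTED) return SS_EBADORDER;
        s->state = SS_SECURED;
        return SS_OK;
    }
    if (s->state == SS_CHILD) return SS_ECHILD;
    if (s->state != SS_OPEN) return SS_EBADORDER; /* driver would silently ignore it */
    if (opt == SSO_SERVER_CERT) s->has_cert = true;
    if (opt == SSO_PRIVATE_KEY) s->has_key = true;
    return SS_OK;
}

/* Guards sl_Listen: an SSL server needs its certificate and private key first. */
int ss_listen(struct ss_sock *s)
{
    if (s->state != SS_OPEN) return SS_EBADORDER;
    if (!s->has_cert || !s->has_key) return SS_ENOCREDS;
    s->state = SS_LISTENING;
    return SS_OK;
}

/* Interprets the sl_Connect result: SS_EUNKNOWNROOTCA means the handshake
 * completed but the server chain is not anchored in the catalog, so fail closed
 * by closing the socket rather than exchanging application data on it. */
int ss_connect(struct ss_sock *s, int driver_rc)
{
    if (s->state != SS_OPEN) return SS_EBADORDER;
    if (driver_rc == SS_EUNKNOWNROOTCA) { s->state = SS_CLOSED; return driver_rc; }
    if (driver_rc != SS_OK) return driver_rc;
    s->state = SS_CONNECTED;
    return SS_OK;
}
```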
7.5.1 Set SSL Version
Sets the specific SSL versions allowed for the socket. This should be called before sl_Connect or sl_Listen.
• SL_SO_SEC_METHOD_SSLV3
• SL_SO_SEC_METHOD_TLSV1
• SL_SO_SEC_METHOD_TLSV1_1
• SL_SO_SEC_METHOD_TLSV1_2