Digi XBee3 Cellular LTE-M Global Smart Modem User Guide
Transport Layer Security (TLS)

TLS AT commands
The AT commands ATFS (File System), TL (SSL/TLS Protocol Version), IP (IP Protocol), $0 (SSL/TLS
Profile 0), $1 (SSL/TLS Profile 1), and $2 (SSL/TLS Profile 2) support TLS. The format of the $
commands is:
AT$<num>[<ca_cert>];[<client_cert>];[<client_key>]
Where:
- num: Profile index. Index zero is used for Transparent mode connections and for TLS connections
  made with Transmit (TX) Request: IPv4 - 0x20.
- ca_cert: (optional) Filename of a file in the certs/ directory. Indicates the certificate identifying
  a trusted root certificate authority (CA) to use in validating servers. If ca_cert is empty the
  server certificate is not authenticated. This must be a single root CA certificate: the module only
  accepts a self-signed certificate here, so an intermediate CA certificate is not sufficient.
- client_cert: (optional) Filename of a file in the certs/ directory. Indicates the certificate
  presented to servers when they request client authentication. If client_cert is empty, no
  certificate is presented to the server should it request one, which may cause mutual
  authentication to fail.
- client_key: (optional) Filename of a file in the certs/ directory. Indicates the private key
  matching the public key contained in client_cert. This should be a secure file uploaded with
  ATFS XPUT filename. It must always be provided if client_cert is provided, and must match that
  certificate, or client authentication will fail.
The default value is ";;". This default value preserves the legacy behavior by allowing the creation of
encrypted connections that are confidential but not authenticated.
To specify a key stored outside of certs/, you can either use a relative path, for example ../server.pem
or an absolute path starting with /flash, for example /flash/server.pem. Both examples refer to the
same file.
It is not an error at configuration time to name a file that does not yet exist. An error is generated if
an attempt to create a TLS connection is made with improper settings.
- Files specified should all be in PEM format, not DER.
- Upload private keys securely with ATFS XPUT filename.
- Certificates can be uploaded with ATFS PUT filename, as they are not sensitive. Files that have
  been securely uploaded cannot be read back with ATFS GET filename.
To authenticate a server not participating in a public key infrastructure (PKI) using CAs, the server
must present a self-signed certificate. That certificate can be used in the ca_cert field to authenticate
that single server.
There are effectively three levels of authentication, depending on which parameters are provided:
1. No authentication: none of the parameters are provided (the default value). With this
   configuration, identity is not validated and a man-in-the-middle (MITM) attack is possible.
2. Server authentication: only ca_cert is provided. Only the server's identity is checked.
3. Mutual authentication: all items are provided and both sides are assured of the identity of their
   peer.
It is not possible to have client authentication only.
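As an added example (not code from the user guide or from Digi), the following Python helpers compose and parse the AT$<num> profile string, classify a profile into the three authentication levels listed above, and list the ATFS upload command that fits each file (PUT for certificates, XPUT for the private key). It assumes that certs/ lives under /flash, consistent with ../server.pem and /flash/server.pem naming the same file, and that the ATFS working directory is certs/; TlsProfile and the function names are the example's own.

```python
"""Compose and check Digi XBee3 TLS profile settings.

Profile <num> is configured with one command of the form
    AT$<num><ca_cert>;<client_cert>;<client_key>
where each field is a filename in the certs/ directory and may be empty.
Added, stand-alone example: it builds strings only and never talks to a modem.
"""
from dataclasses import dataclass
from typing import List

# Assumption: certs/ lives under /flash, so a bare name resolves to /flash/certs/<name>.
FLASH_ROOT = "/flash/"
CERT_DIR = "certs/"


@dataclass
class TlsProfile:
    index: int             # 0, 1 or 2; profile 0 serves Transparent mode and TX Request: IPv4
    ca_cert: str = ""      # trusted root CA used to validate the server
    client_cert: str = ""  # certificate presented when the server requests client auth
    client_key: str = ""   # private key matching client_cert (upload with XPUT)


def build_command(p: TlsProfile) -> str:
    """Render the AT$<num> command string for a profile."""
    if p.index not in (0, 1, 2):
        raise ValueError("profile index must be 0, 1 or 2")
    for name in (p.ca_cert, p.client_cert, p.client_key):
        if ";" in name:
            raise ValueError("';' separates fields and cannot appear in a filename")
    return f"AT${p.index}{p.ca_cert};{p.client_cert};{p.client_key}"


def parse_command(cmd: str) -> TlsProfile:
    """Inverse of build_command; 'AT$<num>;;' is the factory default (no filenames)."""
    if not cmd.startswith("AT$") or len(cmd) < 4 or cmd[3] not in "012":
        raise ValueError("not an AT$<num> profile command")
    fields = cmd[4:].split(";")
    if len(fields) != 3:
        raise ValueError("expected exactly two ';' separators")
    return TlsProfile(int(cmd[3]), *fields)


def resolve_path(name: str) -> str:
    """Map a profile field to the flash path it refers to.

    A bare name is relative to certs/; '../x' steps out of certs/ and
    '/flash/x' is absolute. Both of the latter refer to /flash/x.
    """
    if name == "":
        return ""
    if name.startswith(FLASH_ROOT):
        return name
    if name.startswith("../"):
        return FLASH_ROOT + name[3:]
    return FLASH_ROOT + CERT_DIR + name


def auth_level(p: TlsProfile) -> str:
    """Classify a profile into the manual's three authentication levels.

    'none'        -> no filenames: encrypted but unauthenticated; MITM is possible.
    'server'      -> only ca_cert: the server's identity is checked.
    'mutual'      -> ca_cert, client_cert and client_key all set.
    'unsupported' -> any other combination. The manual lists only the three
                     levels above and states that client-only authentication is
                     not possible; a client_cert without its key also fails
                     client authentication.
    """
    if not p.ca_cert and not p.client_cert and not p.client_key:
        return "none"
    if p.ca_cert and not p.client_cert and not p.client_key:
        return "server"
    if p.ca_cert and p.client_cert and p.client_key:
        return "mutual"
    return "unsupported"


def upload_commands(p: TlsProfile) -> List[str]:
    """ATFS commands that stage the files: PUT for certificates, XPUT for the key.

    Assumes the ATFS working directory is certs/ so bare names land there.
    XPUT stores the key securely, so it cannot be read back with ATFS GET.
    """
    cmds = []
    if p.ca_cert:
        cmds.append(f"ATFS PUT {p.ca_cert}")
    if p.client_cert:
        cmds.append(f"ATFS PUT {p.client_cert}")
    if p.client_key:
        cmds.append(f"ATFS XPUT {p.client_key}")
    return cmds


if __name__ == "__main__":
    # Constructed sample: mutual authentication on profile 0.
    prof = TlsProfile(0, "ca.pem", "client.pem", "client.key")
    print(build_command(prof))                  # AT$0ca.pem;client.pem;client.key
    print(auth_level(prof))                     # mutual
    print(auth_level(parse_command("AT$1;;")))  # none
    for c in upload_commands(prof):
        print(c)
```

The classifier deliberately returns "unsupported" for any combination the manual does not list (for instance a client certificate without a CA, or a certificate without its key) rather than guessing what the modem would do; the manual only says those configurations fail or are not possible.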
