
If a network security module (such as Mocana - NanoSSL) is available, the μC/TCP-IP socket security option APIs can be used to secure sockets. The port layer developed for the network security layer is responsible for securing the sockets and applying the security strategy on top of the typical socket programming functions. From the application's point of view, using the µC/TCP-IP network security manager is very simple. It requires a few simple steps, which depend on whether the application is a server or a client. Basically, it provides APIs to install the required keying material and to set the secure flag on a specific socket.

The stack must have been configured to support Transport Layer Security in net_cfg.h; see Transport Layer Security Configuration. TLS or SSL can be used only with a TCP connection. Once the socket is configured as secure and the connection is established, all data transferred using the standard socket API is automatically encrypted between the client and the server.


Server Sample

To complete a secure handshake, some keying material must be installed before performing any secure socket operation. The server needs to install a public key certificate / private key pair; the certificate is sent to the clients that want to connect. The certificate and key can be delivered by a Certificate Authority or can be generated using a tool such as OpenSSL.

The following example demonstrates how to secure a server using a PEM certificate from a constant buffer.

Client Sample

To complete a secure handshake, some keying material must be installed before performing any secure socket operation. The client side needs to install Certificate Authority (CA) certificates to validate the identity of the public key certificate sent by the server side. CA certificates can be found on the web site of the Certificate Authority that delivered the server's certificate and key. As with the server's certificate, it is possible to generate the CA certificate when generating a self-signed certificate-key pair using a tool such as OpenSSL.
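The keying material described in the Server Sample and Client Sample sections can be produced and checked with OpenSSL before it is installed on either side. The script below is an added example, not part of the original page or of the μC/TCP-IP sources; the file names, subject names and validity periods are constructed for illustration.

```shell
#!/bin/sh
# Added example: file names, subject names and validity periods are constructed.

# make_ca DIR NAME: self-signed CA certificate (NAME.pem) and private key (NAME.key).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_server_cert DIR CA_NAME CN: server key and CSR, then a certificate
# signed by the CA created with make_ca (written to server.pem / server.key).
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -days 90 \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/server.pem" 2>/dev/null
}

# chain_ok CA_PEM CERT_PEM: succeeds only if CERT_PEM validates against CA_PEM,
# the same decision the client makes with the CA certificate it has installed.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches CERT_PEM KEY_PEM: succeeds only if the private key belongs to the
# certificate; a mismatched pair on the server makes every handshake fail.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Demo run in a throwaway directory.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" demo-ca &&
    make_server_cert "$d" demo-ca device.example &&
    chain_ok "$d/demo-ca.pem" "$d/server.pem" &&
    key_matches "$d/server.pem" "$d/server.key" &&
    echo "server side: server.pem + server.key   client side: demo-ca.pem"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo
```

The server receives the certificate and private key pair, while the client receives only the CA certificate; the CA private key stays off both devices.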

 
