Technical information
Chapter 2: AT+i Commands Reference
May 31, 2008 AT+i Commands Reference Manual 2-95
Secure Socket Protocol Theory of Operation
Introduction
W24 implements an SSL3/TLS1 client socket connection. When connecting to an SSL3/TLS1
server, W24 negotiates an SSL3/TLS1 secure connection. During the negotiation process, the
server identifies itself to the client (W24) by sending a certificate. The certificate's main purpose
is to allow W24 to determine that the server is indeed the server it claims to be.
To fulfill its purpose, the certificate contains the server's ID information (name, address,
description, etc.) and its public key. It also contains a digital signature, signed by a third party
called a Certificate Authority (CA), which authenticates this information. The client must trust
the CA in order to accept its signature on a certificate. Furthermore, the trust relationship between
the client and the CA must be established prior to the communication session and preferably
using alternate methods. W24's CA parameter is used to store the CA's certificate. Once a trusted
CA's certificate is stored on W24, it will accept certificates signed by that CA from SSL3/TLS1
servers it connects to.
Generating Certificates for Use with Servers
The most common way to obtain a certificate is to buy one from a commercial certificate
authority. This results in a public key that has been digitally signed by a trusted third party. Any
client receiving this certificate can be sure it is communicating with an authentic entity.
However, in a trusted environment, it is possible to create an in-house CA and to self-sign the
certificate.
Commercial CAs are usually preferred when connecting to multiple unknown servers. However,
in distributed system configurations where no more than a handful of secure servers are
deployed, an in-house CA is probably more appropriate and just as secure.
Several free software packages are available for generating certificates. The following sections
describe how to use the standard OpenSSL package to generate certificates. They contain
instructions on how to obtain your own certificates suitable for use with servers to which W24
will connect. Furthermore, most FTP servers that support SSL3 include a certificate generation
utility that may be used to generate self-signed certificates. The self-signed certificate is part of
the FTP server's configuration and may also be loaded into W24 to allow it to connect to that FTP
server using SSL3 secure sockets.
Using the OpenSSL Package to Create Certificates
OpenSSL is a widely used SSL toolkit available for free download at http://www.openssl.org.
The SSL toolkit contains source code that can be compiled for Unix, Linux, or Windows.
Pre-compiled binaries are also available for these platforms. OpenSSL comes with a command
line utility for generating keys, creating CAs, and creating certificates.
The following instructions assume the OpenSSL package has been installed and configured
properly on your machine. The instructions walk you through using OpenSSL to create an
in-house Certificate Authority, sign your own certificates, and generate the proper requests in
order to receive a signed certificate from a commercial CA. The signed certificates can then be
installed on servers to which W24 will connect in a secure (SSL3/TLS1) manner.
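The procedure this section outlines (create an in-house CA, generate a server key and signing request, sign the request with the CA, and then check that the server certificate verifies against the stored CA certificate the way W24 does), as an added shell example using the OpenSSL command-line tool. It is not taken from the manual, and every directory, file and subject name in it is constructed for the example.

```shell
#!/bin/sh
# Build an in-house CA with OpenSSL, issue a server certificate signed by it,
# and check the result the way W24 does: the server certificate is accepted
# only if it verifies against the CA certificate the client has been given.
# Directory, file and subject names are constructed for this example.
set -eu

# In-house CA: private key plus self-signed CA certificate (PEM) in $1.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Example Org/CN=Example In-House CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Server key and certificate signing request (CSR) in $1 with CN=$2. The CSR
# is what you would send to a commercial CA; here the in-house CA signs it.
make_server_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example Org/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
}

# Sign the CSR in $1 with the CA in $1, producing $1/server.crt.
sign_with_ca() {
    openssl x509 -req -sha256 -days 365 -in "$1/server.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/server.crt" 2>/dev/null
}

# Trust check: succeeds only if certificate $2 chains to CA certificate $1.
# This is the decision W24 makes with the certificate stored in its CA parameter.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build two unrelated CAs under $1 and show that the server certificate is
# accepted by the CA that signed it and rejected by the other one.
demo_trust() {
    mkdir -p "$1/a" "$1/b"
    make_ca "$1/a"
    make_ca "$1/b"
    make_server_csr "$1/a" "ftp.example.test"
    sign_with_ca "$1/a"
    verify_against_ca "$1/a/ca.crt" "$1/a/server.crt" || { echo "own CA rejected"; return 1; }
    verify_against_ca "$1/b/ca.crt" "$1/a/server.crt" && { echo "other CA accepted"; return 1; }
    echo "signed by own CA: accepted; unrelated CA: rejected"
}

demo_trust "$(mktemp -d)"
```

The files ca.crt (to load into W24) and server.key/server.crt (to install on the server) are left in the temporary directory; the second CA exists only to show that a certificate from any other issuer is refused.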