SSL/TLS Client Verify Peer - EFFS-STD

Overview

This application demonstrates how to implement SSL/TLS client-side certificate verification using Certificate Authority (CA) lists stored in the EFFS Standard on-chip embedded flash file system (EFFS-STD). The application provides both a web interface and serial debug menu for managing CA certificates and testing SSL connections.

Features

SSL/TLS Certificate Verification

Client-side verification of server certificates using uploaded CA certificates
Support for PEM-format certificate files
Dynamic loading and management of CA certificate lists
Secure storage of certificates in on-chip flash memory using EFFS-STD

Web Interface

Upload CA certificates through a web interface
View and manage stored certificates
Delete certificates with confirmation dialogs
Display certificate details and public keys
Automatic certificate scanning and loading

File System Management

Embedded Flash File System (EFFS-STD) for persistent storage
Automatic formatting and initialization
File system statistics and directory listing
Support for multiple platforms (MOD5441X, NANO54415, MODM7AE70, SB800EX, SBE70LC)

Debug and Testing

Serial console interface for debugging
Interactive SSL connection testing
System time synchronization via NTP
Comprehensive logging and error reporting

Hardware Support

The application supports multiple NetBurner platforms:

MOD5441X (32MB flash with 128KB sectors)
NANO54415 (8MB SPI flash with 4KB sectors)
MODM7AE70 (2MB flash with 8KB sectors)
SB800EX (8MB SPI flash with 4KB sectors)
SBE70LC (2MB flash with 8KB sectors)

File Structure

Core Application Files

main.cpp - Main application entry point and user interface
certificatekey.cpp - CA certificate management and SSL operations
configweb.cpp - Web interface configuration and NV settings
post.cpp - HTTP POST handlers for web interface

File System Components

effs_std.cpp - EFFS-STD initialization and operations
effsStdFlashDrv.cpp - Platform-specific flash drivers
FileSystemUtils.cpp - File system utility functions
fs_main.cpp - File system initialization

Supporting Modules

effs_time.cpp - Time management and NTP synchronization
ftp_fs.cpp - FTP server integration with file system
ramdrv_mcf.cpp - RAM drive configuration

Configuration Headers

nbfactory.h - Platform-specific factory settings
serialburnerdata.h - Configuration structures and constants
effs_std.h - EFFS-STD definitions and prototypes

Quick Start

Initial Setup

Flash the application to your NetBurner device
Connect to the device's network interface
Access the web interface at the device's IP address
The default page will be CaCert.html for certificate management

Adding CA Certificates

Navigate to the certificate management page via web interface
Upload PEM-format CA certificate files
Certificates are automatically scanned and loaded into the SSL engine
Certificate files are stored as CACertN.crt where N is an incremental number

Testing SSL Connections

Access the serial debug interface
Press 'C' to attempt an SSL connection
Enter the domain name when prompted
The application will verify the server certificate against loaded CA certificates

Debug Commands

Access the debug menu through the serial interface:

0 - Turn debug messages off
1 - Turn debug messages on
C - Attempt SSL connection test
D - Reset to factory default parameters
F - Show file system information
G - Format file system (caution: erases all data)
N - Display NV settings
T - Display system time

Certificate Management

Supported Formats

PEM-encoded X.509 certificates
Maximum certificate size: 5KB
Automatic parsing of certificate common names

Storage Details

Certificates stored in on-chip flash memory
Maximum 20 CA certificates supported
Automatic verification of certificate validity
Certificates persist across power cycles

Web Interface Operations

Upload new certificates
View certificate details and public keys
Delete certificates with confirmation
Automatic rescanning after modifications

Network Configuration

Default Settings

DHCP client enabled by default
NetBIOS name publishing
HTTPS server on port 443
NTP time synchronization

Time Management

Automatic NTP synchronization on startup
Configurable timezone support (defaults to PST8PDT)
Manual time setting capability
RTC support on compatible platforms

Error Handling

The application includes comprehensive error handling for:

File system operations
SSL/TLS connection failures
Certificate validation errors
Network connectivity issues
Memory allocation failures

Common SSL error codes:

SSL_ERROR_FAILED_NEGOTIATION - SSL handshake failed
SSL_ERROR_CERTIFICATE_UNKNOWN - Unknown certificate error
SSL_ERROR_CERTIFICATE_NAME_FAILED - Certificate name verification failed
SSL_ERROR_CERTIFICATE_VERIFY_FAILED - Certificate verification failed

Security Considerations

Certificates are validated before storage
SSL connections require valid certificate chains
Peer verification is enabled by default when CA certificates are loaded
Factory reset capability to clear all certificates
Secure storage in flash memory with verification keys

Troubleshooting

Common Issues

SSL Connection Failures: Ensure CA certificates are properly loaded and system time is correct
File System Errors: Use format command ('G') to reinitialize file system
Certificate Upload Failures: Verify certificate is in PEM format and under 5KB
Time Synchronization: Check network connectivity and DNS settings for NTP

Factory Reset

Use debug command 'D' to reset to factory defaults, which will:

Clear all user configuration
Format the file system
Remove all uploaded certificates
Reset network settings

Example Usage

The application includes github.pem as a test certificate. To test:

Upload the github.pem file through the web interface
Use the serial debug menu (command 'C')
Enter "github.com" as the test domain
Verify successful SSL connection with certificate validation