- Support portal
- Evaluation Kits and partner products
u-blox Support
- Product documentation
Documentation
- About
- Sustainability
- Partners and Alliances
- Contact
About u-blox
- Investor relations
Investor relations
Nowadays the security is very important to secure personal or confidential data from unauthorized access and therefore it is important to secure the IoT devices to protect the business and the data.
In the IoT security, a weak point is a defect which is called a vulnerability and it may become a safety issue; IoT devices connects/links physical objects and so in IoT it is needed to secure of course data traffic and networks but also the network of “things” or physical objects (i.e. medical devices, infrastructure, utility meters, vehicles, etc.) must be secured.
Some definitions are needed to understand the foundations of security:
Integrity is about making sure that some pieces of data have not been altered from some “reference version”.
Authentication is about making sure that a given entity (with whom you are interacting) is who the user believes it to be.
Authenticity is a special case of integrity, where the “reference version” is defined as “whatever it was when it was under control of a specific entity”.
Confidentiality means no unauthorized access to data (i.e. encryption/cryptography).
The u-blox security solution lets secure the IoT devices from end-to-end:
Device security, the privacy of data is protected from the devices to the cloud (confidentiality, integrity and authenticity).
Data security, the devices are protected from attack, they can be trusted and controlled (identity, authenticity and firmware protection).
Access Management, it can be controlled who has access to data and products (device policies, data policies and feature authorization)
The pillars of the u-blox security are:
Unique device identity, an immutable chip ID and a robust Root-of-Trust (RoT) provides the foundational security.
Secure boot sequence and updates, only authenticated and authorized firmware and updates can run on the device.
Hardware-backed crypto functions, a Secure Client Library (SCL) generates keys and crypto functions to securely connect to the cloud.
The IoT device is secured through different steps:
Provision trust: insert Root-of-Trust at production. An immutable chip ID and hardware-based Root-of-Trust provide foundational security and a unique device identity.
Leverage trust: derive trusted keys. Secure libraries allow generation of hardware-backed crypto functions and keys that securely connect to the cloud.
Guarantee trust: use keys to secure any function. It ensures authenticity, integrity, and confidentiality to maintain control of device and data.
These AT commands maintain device integrity over the entire lifecycle.
The +USECCHIP AT command queries the immutable chip ID.
+USECCHIP | ||||||
Modules | LEXI-R10401D-00B LEXI-R10801D-00B | |||||
Attributes | Syntax | PIN required | Settings saved | Can be aborted | Response time | Error reference |
full | No | No | No | - |
Queries the chip ID of the module and returns it.
Type | Syntax | Response | Example |
---|---|---|---|
Action | AT+USECCHIP | +USECCHIP: <chip_id> OK | +USECCHIP: "12345678" OK |
Parameter | Type | Description |
---|---|---|
<chip_id> | String | Chip ID of the module. |
SSL/TLS/DTLS (where supported) provides a secure connection between two entities using TCP/UDP socket for communication (i.e. HTTP/FTP server and HTTP/FTP client).
The SSL/TLS/DTLS with digital certificates support provides different connection security aspects:
Server authentication: use of the server certificate verification against a specific trusted certificate or a trusted certificates list;
Client authentication: use of the client certificate and the corresponding private key;
Data security and integrity: data encryption and Hash Message Authentication Code (HMAC) generation.
The security aspects used in the current connection depend on the SSL/TLS/DTLS configuration and features supported by the communicating entities.
u-blox cellular modules support all the described aspects of SSL/TLS/DTLS security protocol with these AT commands:
AT+USECMNG: import, removal, list and information retrieval of certificates or private keys;
AT+USECPRF: configuration of USECMNG (u-blox SECurity MaNaGement) profiles used for an SSL/TLS/DTLS connection.
The USECMNG provides a default SSL/TLS/DTLS profile which cannot be modified. The default USECMNG profile provides the following SSL/TLS/DTLS settings:
Setting | Value | Meaning |
---|---|---|
Certificates validation level | Level 0 | The server certificate will not be checked or verified. |
Minimum SSL/TLS/DTLS version | Any | The server can use any of the TLS1.0/TLS1.1/TLS1.2/DTLS1.2 versions for the connection. |
Cipher suite | Automatic | The cipher suite will be negotiated in the handshake process. |
Trusted root certificate internal name | “” (none) | No certificate will be used for the server authentication. |
Expected server host-name | “” (none) | No server host-name is expected. |
Client certificate internal name | “” (none) | No client certificate will be used. |
Client private key internal name | “” (none) | No client private key will be used. |
Client private key password | “” (none) | No client private key password will be used. |
Pre-shared key | “” (none) | No pre-shared key will be used. |
Server certificate pinning | “” (none) | No server certificate will be used. |
Server certificate pinning level | Level 0 | No server certificate will be used. |
For the configuration of the settings listed above, see the +USECPRF AT command.
During the handshake an inactivity timer is started at every received or transmitted packet. The timeout of the inactivity timer is set to 60 s. At the timer expiration the secure connection is aborted, since the handshake has not been completed successfully.
+USECMNG | ||||||
Modules | LEXI-R10401D-00B LEXI-R10801D-00B | |||||
Attributes | Syntax | PIN required | Settings saved | Can be aborted | Response time | Error reference |
full | No | No | No | - |
Manages the X.509 certificates and private keys with the following functionalities:
Import of certificates and private keys
List and information retrieval of imported certificates and private keys
Removal of certificates and private keys
MD5 calculation of imported certificate or private key
For more details on X.509 certificates and private keys see RFC 5280 [RFC5280].
The number and the format of the certificates and the private keys accepted depend on the module series:
certificates and private keys both in DER (Distinguished Encoding Rules) and in PEM (Privacy-Enhanced Mail) format are accepted. If the provided format is PEM, the imported certificate or private key will be automatically converted in DER format for the internal storage. It is also possible to validate certificates and private keys. Up to 10 certificates or private keys can be imported.
The certificates and private keys are kept in DER format and are not retrievable (i.e. cannot be downloaded from the module); for data validation purposes an MD5 hash string of the stored certificate or private key (stored in DER format) can be retrieved.
The SSL/(D)TLS connection with Server and/or Mutual Authentication can be successfully performed using the following key size:
for Rivest-Shamir-Adleman (RSA) keys at least 1024-bits.
for Elliptic Curve Digital Signature Algorithm (ECDSA) keys at least 192-bits.
The same limitation is applied also to the keys used for the certificates generation.
Data for certificate or private key import can be provided with a stream of byte similar to +FOPEN or from a file stored on the FS.
When using the stream of byte import functionality:
If the data transfer is stopped before its completion, a guard timer of 20 s will ensure the termination of the data transmission. In this case the prompt will switch back in AT command mode and an error result code will be returned.
If the module shuts down during the data transfer, all the bytes are discarded.
If any error occurs during the data transfer, all bytes are discarded.
All the imported certificates or private keys are listed if the type of the security data is omitted.
The imported certificates and private keys are:
PRESERVED after the module FW is upgraded using +UFWINSTALL or +NFWUPD AT commands.
NOT PRESERVED (deleted) after a factory reset using +UFACTORY AT command.
NOT PRESERVED after the module FW is upgraded using EasyFlash.
The USECMNG import command supports only X.509 certificate format.
The X.509 certificate DN (Distinguished Name) is composed of value fields which uniquely define an entity being authenticated. For security reasons some limitations (related to DN fields) described below are applied:
The USECMNG import functionality allows the following DN value fields:
commonName (http://oid-info.com/get/2.5.4.3)
serialNumber (http://oid-info.com/get/2.5.4.5)
countryName (http://oid-info.com/get/2.5.4.6)
localityName (http://oid-info.com/get/2.5.4.7)
stateOrProvinceName (http://oid-info.com/get/2.5.4.8)
organizationName (http://oid-info.com/get/2.5.4.10)
organizationalUnitName (http://oid-info.com/get/2.5.4.11)
domainComponent (http://oid-info.com/get/0.9.2342.19200300.100.1.25)
pkcs9_emailAddress (http://oid-info.com/get/1.2.840.113549.1.9.1)
pkcs9_unstructuredName (http://oid-info.com/get/1.2.840.113549.1.9.2)
The import of an X.509 certificate with DN containing other value fields (not in the above list) will result in an import error (error result code: USECMNG invalid certificate/key format).
The USECMNG private key import command does not support private keys in PEM format with extension headers (i.e. “EC PARAMETERS”).
Type | Syntax | Response | Example |
---|---|---|---|
Generic syntax: | |||
Action | AT+USECMNG=<op_code>,[<type>[,<internal_name>[,<param1>[,<param2>]]]] | OK | - |
Import a certificate or private key from serial I/O: | |||
Action | AT+USECMNG=0,<type>,<internal_name>,<data_size>[,<password>] | > Start transfer of data … +USECMNG: 0,<type>,<internal_name>,<md5_string> OK | AT+USECMNG=0,0,"AddTrustCA",1327 >-----BEGIN CERTIFICATE----- (…other certificate data bytes…) +USECMNG: 0,0,"AddTrustCA","77107370ec4db40a08a6e36a64a1435b" OK |
Import a certificate or private key from a file stored on FS: | |||
Action | AT+USECMNG=1,<type>,<internal_name>,<filename>[,<password>] | +USECMNG: 1,<type>,<internal_name>,<md5_string> OK | AT+USECMNG=1,0,"AddTrustCA","addtrust.cert" +USECMNG: 1,0,"AddTrustCA","77107370ec4db40a08a6e36a64a1435b" OK |
Remove an imported certificate or private key: | |||
Action | AT+USECMNG=2,<type>,<internal_name> | OK | AT+USECMNG=2,0,"AddTrustCA" OK |
List imported certificates or private keys: | |||
Read | AT+USECMNG=3[,<type>] | <cert_type>,<internal_name>[,<common_name>,<expiration_date>] … OK | AT+USECMNG=3 "CA","AddTrustCA","AddTrust External CA Root","2020/05/30" "CA","GlobalSignCA","GlobalSign","2029/03/18" "CC","JohnDoeCC","GlobalSign","2010/01/01" "PK","JohnDoePK" OK |
Retrieve the MD5 of an imported certificate or private key: | |||
Read | AT+USECMNG=4,<type>,<internal_name> | +USECMNG: 4,<type>,<internal_name>,<md5_string> OK | AT+USECMNG=4,0,"AddTrustCA" +USECMNG: 4,0,"AddTrustCA","77107370ec4db40a08a6e36a64a1435b" OK |
Test | AT+USECMNG=? | +USECMNG: (list of supported <op_code>s),(list of supported <type>s) OK | +USECMNG: (0-4),(0-2) OK |
Parameter | Type | Description |
---|---|---|
<op_code> | Number | Type of operation:
|
<type> | Number | Type of the security data:
Allowed values:
|
<cert_type> | String | Type of the security data in verbose format:
Allowed values:
|
<internal_name> | String | Unique identifier of an imported certificate or private key. If an existing name is used the data will be overridden.
|
<data_size> | Number | Size in bytes of a certificate or private key being imported.
|
<password> | String | Decryption password; applicable only for PKCS8 encrypted client private keys. The maximum length is 128 characters. |
<filename> | String | Name of the FS file containing the certificate or private key data to be imported.
|
<md5_string> | String | MD5 formatted string. |
<common_name> | String | Certificate subject (issued to) common name; applicable only for trusted root and client certificates. |
<expiration_date> | String | Certificate expiration (valid to date); applicable only for trusted root and client certificates. |
<param1> | Number/String | Type and supported content depend on the related <op_code> parameter; see the <op_code> specification. |
<param2> | Number/String | Type and supported content depend on the related <op_code> parameter; see the <op_code> specification. |
The import of the following client private key formats is not supported:
PKCS1 RSA formatted not-encrypted private key
PKCS1 RSA formatted encrypted private key
PKCS8 not-encrypted private key
PKCS8 encrypted private key
The PKCS1 and PKCS8 encrypted private keys can be imported only in DER format.
The following certificates are pre-installed on the module and cannot be deleted/changed by the customer via AT commands:
Internal name | Common name | Expiration date |
---|---|---|
ubx_digicert_global_root_ca | DigiCert Global Root CA | 2031/11/10 00:00:00 |
ubx_digicert_global_root_g2 | DigiCert Global Root G2 | 2038/01/15 12:00:00 |
ubx_digicert_trusted_root_g4 | DigiCert Trusted Root G4 | 2038/01/15 12:00:00 |
ubx_digicert_eccp384_root_g5 | DigiCert TLS ECC P384 Root G5 | 2046/01/14 23:59:59 |
ubx_digicert_rsa4096_root_g5 | DigiCert TLS RSA4096 Root G5 | 2046/01/14 23:59:59 |
ubx_baltimore_cybertrust_root | Baltimore CyberTrust Root | 2025/05/12 23:59:00 |
ubx_tmo_usa_enterprise_root_ca | T-Mobile USA Enterprise Root CA | 2040/11/03 20:28:54 |
ubx_starfield_service_root_ca_g2 | Starfield Services Root Certificate Authority - G2 | 2034/06/28 17:39:16 |
Below is an example with a PEM encoded trusted root certificate.
Command | Response | Description |
---|---|---|
Step 1: Import a trusted root certificate using the stream of byte similar to +FOPEN | ||
AT+USECMNG=0,0,"ThawteCA",1516 | > | Start the data transfer using the stream of byte. |
+USECMNG: 1,0,"ThawteCA","8ccadc0b22cef5be72ac411a11a8d812" OK | Input PEM formatted trusted root certificate data bytes. Output MD5 hash string of the stored trusted root certificate DER. | |
Step 2: List all available certificates and private keys | ||
AT+USECMNG=3 | CA, "ThawteCA","thawte Primary Root CA","2036/07/17" OK | List all available certificates and private keys. |
Step 3: Set the security profile 2 validation level to trusted root | ||
AT+USECPRF=2,0,1 | OK | Security profile 2 has the validation level set to trusted root. |
Step 4: Set the security profile 2 trusted root certificate to the CA certificate imported as "ThawteCA" | ||
AT+USECPRF=2,3,"ThawteCA" | OK | Security profile 2 will use the CA certificate imported as "ThawteCA" for server certificate validation. |
Step 5: Use the configured USECMNG profile 2 with the UHTTP application | ||
AT+UHTTP=0,1,"www.ssl_tls_test_server.com" | OK | Configure the UHTTP server name. |
AT+UHTTP=0,6,1,2 | OK | Enable the SSL/TLS for the UHTTP profile #0 and specify the SSL/TLS security profile 2. |
AT+UHTTPC=0,1,"/","https.resp" | OK | Execute the HTTP GET command. |
+UUHTTPCR: 0,1,1 | HTTP GET URC response. |
In the above example the following PEM encoded trusted certificate is used:
-----BEGIN CERTIFICATE----- MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3MDAwMDAwWhcNMzYw NzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5j LjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYG A1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl IG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFs W0hoSVk3/AszGcJ3f8wQLZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta 3RGNKJpchJAQeg29dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGcq/gcfomk 6KHYcWUNo1F77rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6 Sk/KaAcdHJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94J NqR32HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBA MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7W0XP r87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7ORtvzw6WfU DW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeEuzLlQRHAd9mz YJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQaEfZYGDm/Ac9IiAX xPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqdE8hhuvU5HIe6uL17In/2 /qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/ LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7 jVaMaA== -----END CERTIFICATE-----
Due to significant memory fingerprint of an SSL/TLS connection, the number of concurrent SSL/TLS connections is limited. The USECMNG and the underlying SSL/TLS infrastructure allows 4 concurrent SSL/TLS connections (i.e. 4 HTTPS requests or 2 HTTPS and 2 FTPS request).
+USECPRF | ||||||
Modules | LEXI-R10401D-00B LEXI-R10801D-00B | |||||
Attributes | Syntax | PIN required | Settings saved | Can be aborted | Response time | Error reference |
partial | No | No | No | - |
Manages security profiles for the configuration of the following SSL/TLS/DTLS connections properties:
Certificate validation level:
Level 0: no certificate validation; the server certificate will not be checked or verified. No additional certificates are needed.
Level 1: certificate validation against a specific or a list of imported trusted root certificates.
Level 2: certificate validation with an additional URL integrity check (the server certificate common name must match the server hostname).
Level 3: certificate validation with an additional check on the certificate validity date.
CA certificates should be imported with the +USECMNG AT command
SSL/TLS version to be used:
Any of the TLS versions supported by the module
TLS 1.0
TLS 1.1
TLS 1.2
TLS 1.3
DTLS version to be used:
DTLS 1.2
Cipher suite to be configured using the following methods:
Legacy cipher suite to be used. See Syntax description and table_title for the supported cipher suites.
Additional cipher suite to be used with Internet Assigned Numbers Authority (IANA) enumeration set command. See Syntax description and table_title for the supported cipher suites.
List of cipher suites to be used is configured with add / remove commands and using IANA enumeration. See Syntax description and table_title for the supported cipher suites.
For the applicability of cipher suite depending on the series module, see Cipher suites applicability.
Cipher suite configuration methods are exclusive and the last configured method is used.
The cipher suite configuration read command response is related to the selected cipher suite type, see Syntax description for more details.
Certificate to be used for server and mutual authentication:
The trusted root certificate. The CA certificate should be imported with the +USECMNG AT command.
The client certificate that should be imported with the +USECMNG AT command.
The client private key that should be imported with the +USECMNG AT command.
The server certificate that should be imported with the +USECMNG AT command.
Database selection. Accordingly to the +USECMNG AT command the certificates and keys can be imported in the user database, or can be already present in the pre-installed database. The security profile can be configured to use certificates and clients from all available databases or from a specific database.
Expected server hostname, when using certificate validation level 2 or 3.
Password for the client private key, if it is password protected.
Pre-shared key used for connection. Defines a pre-shared key and key-name (PSK), when a TLS_PSK_* cipher suite is used.
SNI (Server Name Indication). SNI is a feature of SSL/TLS which uses an additional SSL/TLS extension header to specify the server name to which the client is connecting to. The extension was introduced to support the certificate handling used with virtual hosting provided by the various SSL/TLS enabled servers mostly in cloud based infrastructures. With the SNI a server has the opportunity to present a different server certificate (or/and whole SSL/TLS configuration) based on the host indicated by the SNI extension. When SNI is not used the modules might receive a non host specific SSL/TLS configuration (version/cipher suites/certificate) when used with virtual hosts.
(D)TLS session resumption. The session resumption feature allows to reuse the secure session data to reestablish a SSL/(D)TLS secure session. Since the secure session data are available, the full SSL/(D)TLS handshake is not performed during the session resumption. Once the session resumption feature is enabled, the session resumption type and the secure session data (negotiated during the SSL/(D)TLS handshake) are displayed via +UUSECPRF URC message. The session resumption feature configuration and secure session data are not stored in the NVM, hence the session resumption may be performed until power cycle. Once the session data related to the session resumption via session ticket (<sess_type>=1 or <sess_type>=11) or via the session resumption via PSK-based session ticket (<sess_type>=3 or <sess_type>=13) are properly retrieved from the server, they are directly configured in the USECPRF profile and a +UUSECPRF URC message reporting the session resumption status is issued. Conversely, once the session data related to the session resumption via session ID (<sess_type>=0 or <sess_type>=10) are properly retrieved from the server, an +UUSECPRF URC message reporting the session resumption type and an +UUSECPRF URC message reporting the session resumption data are issued, furthermore the session resumption data are not stored in the USECPRF profile.
ZTP-provided credentials. The credentials to establish the secure connection will be provided by Zero Touch Provisioning (ZTP). In the specific case the credentials provided by the ZTP will be the CA certificate, or/and the client certificates and client private key. The CA certificate, and if applicable, the client certificate, are sent to the server during the handshake. The CA certificate and the client certificate are concatenated in a certificate chain.
Application Layer Protocol Name (ALPN). With ALPN the client sends the list of supported application protocols as part of the TLS ClientHello message. The server can select one protocol and send it as part of the TLS ServerHello message. The application protocol negotiation can thus be accomplished within the TLS handshake, without adding network round-trips, and allows the server to associate a different certificate according to the indicated application protocol, if desired. For more details on ALPN, Extension protocol see RFC 7301 [RFC7301].
When ZTP-provided credentials feature is enabled (<op_code>=14) for a certain USECPRF profile, the client certificate and client key set by the <op_code>=5 (client certificate internal name) and <op_code>=6 (client private key internal name) are ignored, and the underlying SSL/TLS uses the ZTP provided ones.
To set all the parameters in security profile, a set command for each <op_code> needs to be issued (e.g. certificate validation level, minimum SSL/TLS/DTLS version, …).
To reset (set to factory-programmed value) all the parameters of a specific security profile, issue the AT+USECPRF=<profile_id> command.
Type | Syntax | Response | Example |
---|---|---|---|
Generic syntax | |||
Set | AT+USECPRF=<profile_id>[,<op_code>[,<param_val1>[,<param_val2>[,<param_val3>]]]] | OK | AT+USECPRF=0,0,0 OK |
Read | AT+USECPRF=<profile_id>,<op_code> | +USECPRF: <profile_id>,<op_code>,<param_val1> OK | AT+USECPRF=0,0 +USECPRF: 0,0,0 OK |
URC | +UUSECPRF: <profile_id>,<op_code>[,<param_val1>[,<param_val2>[,<param_val3>]]] OK | +UUSECPRF: 0,13,1,0 OK | |
Certificate validation level | |||
Set | AT+USECPRF=<profile_id>,0,<validation_lvl> | OK | AT+USECPRF=0,0,2 OK |
SSL/TLS version | |||
Set | AT+USECPRF=<profile_id>,1,<tls_ver> | OK | AT+USECPRF=0,1,4 OK |
Legacy cipher suite selection | |||
Set | AT+USECPRF=<profile_id>,2,<legacy_cs> | OK | AT+USECPRF=0,2,2 OK |
Cipher suite selection using IANA enumeration | |||
Set | AT+USECPRF=<profile_id>,2,99,<iana_b1>,<iana_b2> | OK | AT+USECPRF=0,2,99,"C0","2B" OK |
Read | AT+USECPRF=<profile_id>,2 | +USECPRF: <profile_id>,2,99,<iana_b1>,<iana_b2> OK | AT+USECPRF=0,2 +USECPRF: 0,2,99,"C0","2B" OK |
Add/remove of IANA cipher suite to the configured cipher suites list | |||
Set | AT+USECPRF=<profile_id>,2,100,<iana_b1>,<iana_b2>,<operation> | OK | AT+USECPRF=0,2,100,"C0","2A",0 OK |
Add an IANA cipher suite to the configured cipher suites list | |||
Set | AT+USECPRF=<profile_id>,2,100,<iana_b1>,<iana_b2>,0 | OK | AT+USECPRF=0,2,100,"C0","2A",0 OK |
Remove an IANA cipher suite from the configured cipher suites list | |||
Set | AT+USECPRF=<profile_id>,2,100,<iana_b1>,<iana_b2>,1 | OK | AT+USECPRF=0,2,100,"C0","2B",1 OK |
Read the list of configured cipher suites | |||
Read | AT+USECPRF=<profile_id>,2 | +USECPRF: <profile_id>,2,100,<list of configured cipher suites separated by ";"> OK | AT+USECPRF=0,2 +USECPRF: 0,2,100,"C02A;C02C" OK |
Trusted root certificate internal name | |||
Set | AT+USECPRF=<profile_id>,3,<root_cert_int_name> | OK | AT+USECPRF=0,3,"ca_iname" OK |
Expected server hostname | |||
Set | AT+USECPRF=<profile_id>,4,<srv_hostname> | OK | AT+USECPRF=0,4,"server_hostname" OK |
Client certificate internal name | |||
Set | AT+USECPRF=<profile_id>,5,<cli_cert_int_name> | OK | AT+USECPRF=0,5,"cc_iname" OK |
Client private key internal name | |||
Set | AT+USECPRF=<profile_id>,6,<cli_priv_key_int_name> | OK | AT+USECPRF=0,6,"pk_iname" OK |
Client private key password | |||
Set | AT+USECPRF=<profile_id>,7,<cli_priv_key_pwd> | OK | AT+USECPRF=0,7,"xxxxx" OK |
Pre-shared key configuration | |||
Set | AT+USECPRF=<profile_id>,8,<preshared_key>[,<preshared_key_str_type>] | OK | AT+USECPRF=0,8,"0sFpZ0AZqE0N6Ti9s0qt40ZP5Eqx" OK |
Pre-shared key identity configuration | |||
Set | AT+USECPRF=<profile_id>,9,<preshared_key_id>[,<preshared_key_id_str_type>] | OK | AT+USECPRF=0,9,"0ceEZ0AZqP0K60i9o04xz0ZP8zyu0Eqx" OK |
SNI Server Name Indication | |||
Set | AT+USECPRF=<profile_id>,10,<SNI> | OK | AT+USECPRF=0,10,"server_sni" OK |
PSK and PSK key identity generated by RoT (Root of trust) | |||
Set | AT+USECPRF=<profile_id>,11,<PSK_val> | OK | AT+USECPRF=0,11,0 OK |
Server certificate pinning | |||
Set | AT+USECPRF=<profile_id>,12,<server_certificate>,<pinning_level> | OK | AT+USECPRF=0,12,"my_srv_cert",0 OK |
(D)TLS session resumption generic syntax | |||
Set | AT+USECPRF=<profile_id>,13,<sess_tag>,<param_val1>[,<param_val2>] | OK | AT+USECPRF=0,13,0,1 OK |
Read | AT+USECPRF=<profile_id>,13,<sess_tag> | +USECPRF: <profile_id>,13,<sess_tag>,<param_val1>[,<param_val2>] OK | AT+USECPRF=0,13,0 +USECPRF: 0,13,0,1 OK |
URC | +UUSECPRF: <profile_id>,13,<sess_tag>,<param_val1>[,<param_val2>] OK | +UUSECPRF: 0,13,1,0 OK | |
(D)TLS session resumption status | |||
Set | AT+USECPRF=<profile_id>,13,0,<sess_status> | OK | AT+USECPRF=0,13,0,1 OK |
Read | AT+USECPRF=<profile_id>,13,0 | +USECPRF: <profile_id>,13,0,<sess_status> OK | AT+USECPRF=0,13,0 +USECPRF: 0,13,0,1 OK |
URC | +UUSECPRF: <profile_id>,13,0,<sess_status> | +UUSECPRF: 0,13,0,2 | |
(D)TLS session resumption session type | |||
Set | AT+USECPRF=<profile_id>,13,1,<sess_type> | OK | AT+USECPRF=0,13,1,0 OK |
Read | AT+USECPRF=<profile_id>,13,1 | +USECPRF: <profile_id>,13,1,<sess_type> OK | AT+USECPRF=0,13,1 +USECPRF: 0,13,1,0 OK |
URC | +UUSECPRF: <profile_id>,13,1,<sess_type> | +UUSECPRF: 0,13,1,0 | |
(D)TLS session resumption session data having session ID as session resumption type | |||
Set | AT+USECPRF=<profile_id>,13,2,<session_id_b64>,<master_secret_b64> | OK | AT+USECPRF=0,13,2,"VWY5UENs0Hh3VWR1MjB2WTVMYVZ5TTdE0WpMeWZWeHo=","SHVSODByUit0My9OMEtIT2ZsVVFRcUsyTkdvaz0nWVFhRzdQZUpndG9IMzN4ZTBo" OK |
Read | AT+USECPRF=<profile_id>,13,2 | +USECPRF: <profile_id>,13,2,<session_id_b64>,<master_secret_b64> OK | AT+USECPRF=0,13,2 +USECPRF: 0,13,2,"VWY5UENs0Hh3VWR1MjB2WTVMYVZ5TTdE0WpMeWZWeHo=","SHVSODByUit0My9OMEtIT2ZsVVFRcUsyTkdvaz0nWVFhRzdQZUpndG9IMzN4ZTBo" OK |
URC | +UUSECPRF: <profile_id>,13,2,<session_id_b64>,<master_secret_b64> | +UUSECPRF: 0,13,2,"VWY5UENs0Hh3VWR1MjB2WTVMYVZ5TTdE0WpMeWZWeHo=","SHVSODByUit0My9OMEtIT2ZsVVFRcUsyTkdvaz0nWVFhRzdQZUpndG9IMzN4ZTBo" | |
(D)TLS session resumption session data having session ticket as session resumption type | |||
Set | AT+USECPRF=<profile_id>,13,3,<session_data_b64>,<session_data_b64_size> | OK | AT+USECPRF=0,13,3,"MIHOAgECAgMAzKgEMDZV […] NuPf3pFw4tJjU2gjKg2ipCBW0rTrfTyQ==",332 OK |
Read | AT+USECPRF=<profile_id>,13,3 | +USECPRF: <profile_id>,13,3,<session_data_b64>,<session_data_b64_size> OK | AT+USECPRF=0,13,3 +USECPRF: 0,13,3,"MIHOAgECAgMAzKgEMDZV […] NuPf3pFw4tJjU2gjKg2ipCBW0rTrfTyQ==",332 OK |
(D)TLS session resumption session data having PSK-based session ticket as session resumption type | |||
Set | AT+USECPRF=<profile_id>,13,5,<session_data_b64_size> > <session_data_b64> | OK | AT+USECPRF=0,13,5,2320 > NjQwM0IwMDEzMDgyMDFB0QzAyMDEwMTAyMDEwMDAy0MDEwMTAyMDIxQzIwMDIw […] MDAwMDAwMDAwMDAwMDAw0MDAwMDAwMDAwMDAwMDAw0MDAwMDAwMDAyMDIxMzAy OK |
Read | AT+USECPRF=<profile_id>,13,5 | +USECPRF: <profile_id>,13,5,<session_data_b64>,<session_data_b64_size> OK | AT+USECPRF=0,13,5 +USECPRF: 0,13,5,"Nj0QwM0IwMDEzMDgyMDFBQz0AyMDEwMTAyMDEwMDAyMD […] AwMDAwMDAwMDAwMDAwMD0AwMDAwMDAwMDAwMDAwMD0AwMDAyMDIxMzAy",2320 OK |
(D)TLS session resumption session data having encrypted session ID with local encryption as session resumption type | |||
Set | AT+USECPRF=<profile_id>,13,12,<enc_session_data_b64>,<enc_session_data_b64_size> | OK | AT+USECPRF=0,13,12,"AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh/Ljgstf1cLaEO2D8IMbxHcQlGfhVxC0in6aGVlSJGBWCAAKJo6Qw5Q+ugXaRZFquG0O69WeHnPRBkcwY2SN4bwnDbyR+709i0pt2nlaYMSCL77MAA=",156 OK |
Read | AT+USECPRF=<profile_id>,13,12 | +USECPRF: <profile_id>,13,12,<enc_session_data_b64>,<enc_session_data_b64_size> OK | AT+USECPRF=0,13,12 +USECPRF: 0,13,12,"AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh/Ljgstf1cLaEO2D8IMbxHcQlGfhVxC0in6aGVlSJGBWCAAKJo6Qw5Q+ugXaRZFquG0O69WeHnPRBkcwY2SN4bwnDbyR+709i0pt2nlaYMSCL77MAA=",156 OK |
URC | +UUSECPRF: <profile_id>,13,12,<enc_session_data_b64>,<enc_session_data_b64_size> | +UUSECPRF: 0,13,12,"AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh/Ljgstf1cLaEO2D8IMbxHcQlGfhVxC0in6aGVlSJGBWCAAKJo6Qw5Q+ugXaRZFquG0O69WeHnPRBkcwY2SN4bwnDbyR+709i0pt2nlaYMSCL77MAA=",156 | |
(D)TLS session resumption session data having encrypted session ticket with local encryption as session resumption type | |||
Set | AT+USECPRF=<profile_id>,13,13,<enc_session_data_b64>,<enc_session_data_b64_size> | OK | AT+USECPRF=0,13,13,"MIHOAgECAgMAzKwsa64L […] dQE2VcxYvD0VcrR2jKg2ipCBW0rTrfTyQ==",364 OK |
Read | AT+USECPRF=<profile_id>,13,13 | +USECPRF: <profile_id>,13,13,<enc_session_data_b64>,<enc_session_data_b64_size> OK | AT+USECPRF=0,13,13 +USECPRF: 0,13,13,"MIHOAgECAgMAzKwsa64L […] QE2VcxYvD0VcrR2jKg2ipCBW0rTrfTyQ==",364 OK |
(D)TLS session resumption session data having PSK-based session ticket with local encryption as session resumption type | |||
Set | AT+USECPRF=<profile_id>,13,15,<enc_session_data_b64_size> > <enc_session_data_b64> | OK | AT+USECPRF=0,13,15,2408 > MDBGMDRCREYwODYwREYw0RDFDNjk1NUU5OUY5NjAw0MDA1QjlCN0QxMUYzM0Qy […] Njg4MkEzQzJCRjA5NEFF0QzJFQUFFOTNBNjY2RkNE0QzM3RDJERTYyRDIxNQ== OK |
Read | AT+USECPRF=<profile_id>,13,15 | +USECPRF: <profile_id>,13,15,<enc_session_data_b64>,<enc_session_data_b64_size> OK | AT+USECPRF=0,13,15 +USECPRF: 0,13,15,"M0DBGMDRCREYwODYwREYwR0DFDNjk1NUU5OUY5NjAwM […] EzQzJCRjA5NEFFQzJFQU0FFOTNBNjY2RkNEQzM3RD0JERTYyRDIxNQ==",2408 OK |
ZTP-provided credentials | |||
Set | AT+USECPRF=<profile_id>,14,<ZTP_tag> | OK | AT+USECPRF=0,14,0 OK |
Read | AT+USECPRF=<profile_id>,14 | +USECPRF: <profile_id>,14,<ZTP_tag> OK | AT+USECPRF=0,14 +USECPRF: 0,14,2 OK |
ALPN extension protocol | |||
Set | AT+USECPRF=<profile_id>,15,<ALPN_string_type> | OK | AT+USECPRF=0,15,"FTP" OK |
Read | AT+USECPRF=<profile_id>,15 | +USECPRF: <profile_id>,15,<ALPN_string_type> OK | AT+USECPRF=0,15 +USECPRF: 0,15,"FTP" OK |
Database selection | |||
Set | AT+USECPRF=<profile_id>,16,<db_to_use> | OK | AT+USECPRF=0,16,1 OK |
Read | AT+USECPRF=<profile_id>,16 | +USECPRF: <profile_id>,16,<db_to_use> OK | AT+USECPRF=0,16 +USECPRF: 0,16,2 OK |
Test | AT+USECPRF=? | +USECPRF: (list of supported <profile_id>s),(list of supported <op_code>s) OK | +USECPRF: (0-4),(0-16) OK |
Parameter | Type | Description |
---|---|---|
<profile_id> | Number | USECMNG security profile identifier, in range 0-4; if it is not followed by other parameters the profile settings will be reset (set to factory-programmed value). |
<op_code> | Number |
Allowed values:
|
<validation_lvl> | Number | certificate validation level:
The factory-programmed value is:
|
<tls_ver> | Number | SSL/TLS version to use; allowed values:
The factory-programmed value is:
|
<legacy_cs> | Number | Legacy cipher suite enumeration. legacy cipher suites are listed in table_title. The factory-programmed value is 0. For <legacy_cs>=0 a list of default cipher suites is proposed at the beginning of handshake process, and a cipher suite will be negotiated among the cipher suites proposed in the list. For <legacy_cs>=99 the cipher suite selection is performed with IANA enumeration, <iana_b1> and <iana_b2> are strings containing the 2 bytes that compose the IANA enumeration, see table_title. For <legacy_cs>=100 the list of cipher suites is configured using IANA enumeration, <iana_b1> and <iana_b2> are strings containing the 2 bytes that compose the IANA enumeration, see table_title. The cipher suite configuration read command response is related to the selected cipher suite type. In the case of <legacy_cs>=99 the configured <byte_1> and <byte_2> are reported in the information text response to the read command. In the case of <legacy_cs>=100 a ";" separated list with configured cipher suites is reported in the information text response to the read command. For <legacy_cs>=100, when all added cipher suites are removed the cipher suite is automatically set to 0 (factory-programmed value). For the applicability of default cipher suite lists depending on the series module, see Cipher suites applicability. |
<iana_b1> | String | First byte of IANA cipher suite enumeration |
<iana_b2> | String | Second byte of IANA cipher suite enumeration |
<operation> | Number | Operation to execute when using <legacy_cs>=100 configuration using a list of IANA enumeration. Allowed values for <operation>:
|
<root_cert_int_name> | String | Internal name identifying a trusted root certificate; the maximum length is 200 characters. The factory-programmed value is an empty string. |
<srv_hostname> | String | Hostname of the server, used when certificate validation level is set to Level 2; the maximum length is 256 characters. The factory-programmed value is an empty string. |
<cli_cert_int_name> | String | Internal name identifying a client certificate to be sent to the server; the maximum length is 200 characters. The factory-programmed value is an empty string. |
<cli_priv_key_int_name> | String | Internal name identifying a private key to be used; the maximum length is 200 characters. The factory-programmed value is an empty string. |
<cli_priv_key_pwd> | String | Password for the client private key if it is password protected; the maximum length is 128 characters. The factory-programmed value is an empty string. |
<preshared_key> | String | Pre-shared key used for connection; the factory-programmed value is an empty string. The accepted string type and length depends on the <preshared_key_str_type> value. |
<preshared_key_str_type> | Number | Defines the type and the maximum length of the <preshared_key> string. Allowed values:
|
<preshared_key_id> | String | Pre-shared key used for connection; the factory-programmed value is an empty string. The accepted string type and length depends on the <preshared_key_id_str_type> value. |
<preshared_key_id_str_type> | Number | Defines the type and the maximum length of the <preshared_key_id> string. Allowed values:
|
<SNI> | String | Value for the additional negotiation header SNI (Server Name Indication) used in SSL/TLS connection negotiation; the maximum length is 128 characters. The factory-programmed value is an empty string.. |
<PSK_val> | Number | PSK key and PSK key identity generated by RoT (Root of trust); allowed values:
|
<server_certificate> | String | Internal name identifying a certificate configured to be used for server certificate pinning; the maximum length is 200 characters. The factory-programmed value is an empty string. |
<pinning_level> | String | Certificate pinning information level. Allowed values:
|
<sess_tag> | Number | Configures the (D)TLS session resumption. Allowed values:
Allowed values:
|
<sess_status> | Number | (D)TLS session resumption status. Allowed values:
Allowed values:
|
<sess_type> | Number | (D)TLS session resumption type. Allowed values:
Allowed values:
|
<session_id_b64> | String | Base64 encoded session ID value. The maximum length is 44 characters. |
<master_secret_b64> | String | Base64 encoded session master key. The maximum length is 64 characters. |
<session_data_b64_size> | Number | Length of base64 encoded session data value. The maximum size is 8192. |
<session_data_b64> | String | Base64 encoded session data value. The string length is determined by <session_data_b64_size>. |
<enc_session_data_b64> | String | Base64 encoded session data value encrypted with local encryption. The string length is determined by <enc_session_data_b64_size> |
<enc_session_data_b64_size> | Number | Length of base64 encoded session data value encrypted with local encryption. The maximum size is 8192. |
<ZTP_tag> | Number | ZTP-provided credentials level. Allowed values for:
|
<ALPN_string_type> | String | value for the protocol name to be added in the Application Layer Protocol Negotiation Extension used in SSL/TLS connection negotiation; the maximum length is 255 characters. It is possible to set a protocol IDs listed at https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids or a custom string. The factory-programmed value is an empty string. |
<db_to_use> | Number | Database to use, from where to retrieve the certificates and keys to establish the secure connection. Allowed values for:
|
<param_val1> | String | Type and supported content depend on related <op_code> (details are given above). |
<param_val2> | String | Type and supported content depend on related <op_code> (details are given above). |
<param_val3> | String | Type and supported content depend on related <op_code> (details are given above). |
TLS v1.3 is not supported, therefore if <op_code>=1 (SSL/TLS version to use), <param_val1>=4 (TLS v1.3) is not supported.
If <op_code>=1 (SSL/TLS version) and <param_val1>=0 (default) the server can use only TLS v1.2 for the connection.
If <op_code>=2 (cipher suite) the <legacy_cs>=100 (cipher suite list configuration using IANA enumeration) is not supported.
If <op_code>=9 (pre-shared key identity) the <string_type> parameter is not supported. The <preshared_key_id> parameter is an ASCII string (maximum length 128 characters).
If <op_code>=2 (cipher suite) the <legacy_cs>=10,11,12,15,16 are not supported.
Cipher suite IANA code | Cipher suite name | Legacy cipher suite configuration | IANA enumeration cipher suite configuration | |
---|---|---|---|---|
<legacy_cs> | <iana_b1> | <iana_b2> | ||
0x0000 | TLS_NULL_WITH_NULL_NULL | “00” | “00” | |
0x000A | TLS_RSA_WITH_3DES_EDE_CBC_SHA | 5 | “00” | “0A” |
0x0013 | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | “00” | “13” | |
0x0015 | TLS_DHE_RSA_WITH_DES_CBC_SHA | “00” | “15” | |
0x0016 | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | “00” | “16” | |
0x001A | TLS_DH_anon_WITH_DES_CBC_SHA | “00” | “1A” | |
0x001B | TLS_DH_anon_WITH_3DES_EDE_CBC_SHA | “00” | “1B” | |
0x002F | TLS_RSA_WITH_AES_128_CBC_SHA | 1 | “00” | “2F” |
0x0032 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA | “00” | “32” | |
0x0033 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | “00” | “33” | |
0x0034 | TLS_DH_anon_WITH_AES_128_CBC_SHA | “00” | “34” | |
0x0035 | TLS_RSA_WITH_AES_256_CBC_SHA | 3 | “00” | “35” |
0x0039 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | “00” | “39” | |
0x003A | TLS_DH_anon_WITH_AES_256_CBC_SHA | “00” | “3A” | |
0x003C | TLS_RSA_WITH_AES_128_CBC_SHA256 | 2 | “00” | “3C” |
0x003D | TLS_RSA_WITH_AES_256_CBC_SHA256 | 4 | “00” | “3D” |
0x0040 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | “00” | “40” | |
0x0041 | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA | “00” | “41” | |
0x0045 | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA | “00” | “45” | |
0x0067 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | “00” | “67” | |
0x006B | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | “00” | “6B” | |
0x006C | TLS_DH_anon_WITH_AES_128_CBC_SHA256 | “00” | “6C” | |
0x006D | TLS_DH_anon_WITH_AES_256_CBC_SHA256 | “00” | “6D” | |
0x0084 | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA | “00” | “84” | |
0x0088 | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA | “00” | “88” | |
0x008A | TLS_PSK_WITH_RC4_128_SHA | “00” | “8A” | |
0x008B | TLS_PSK_WITH_3DES_EDE_CBC_SHA | 8 | “00” | “8B” |
0x008C | TLS_PSK_WITH_AES_128_CBC_SHA | 6 | “00” | “8C” |
0x008D | TLS_PSK_WITH_AES_256_CBC_SHA | 7 | “00” | “8D” |
0x008E | TLS_DHE_PSK_WITH_RC4_128_SHA | “00” | “8E” | |
0x008F | TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA | “00” | “8F” | |
0x0090 | TLS_DHE_PSK_WITH_AES_128_CBC_SHA | “00” | “90” | |
0x0091 | TLS_DHE_PSK_WITH_AES_256_CBC_SHA | “00” | “91” | |
0x0092 | TLS_RSA_PSK_WITH_RC4_128_SHA | “00” | “92” | |
0x0093 | TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA | 11 | “00” | “93” |
0x0094 | TLS_RSA_PSK_WITH_AES_128_CBC_SHA | 9 | “00” | “94” |
0x0095 | TLS_RSA_PSK_WITH_AES_256_CBC_SHA | 10 | “00” | “95” |
0x009C | TLS_RSA_WITH_AES_128_GCM_SHA256 | “00” | “9C” | |
0x009D | TLS_RSA_WITH_AES_256_GCM_SHA384 | “00” | “9D” | |
0x009E | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | “00” | “9E” | |
0x009F | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | “00” | “9F” | |
0x00A8 | TLS_PSK_WITH_AES_128_GCM_SHA256 | 16 | “00” | “A8” |
0x00A9 | TLS_PSK_WITH_AES_256_GCM_SHA384 | 17 | “00” | “A9” |
0x00AA | TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 | “00” | “AA” | |
0x00AB | TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 | “00” | “AB” | |
0x00AC | TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 | 18 | “00” | “AC” |
0x00AD | TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 | 19 | “00” | “AD” |
0x00AE | TLS_PSK_WITH_AES_128_CBC_SHA256 | 12 | “00” | “AE” |
0x00AF | TLS_PSK_WITH_AES_256_CBC_SHA384 | 13 | “00” | “AF” |
0x00B2 | TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 | “00” | “B2” | |
0x00B3 | TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 | “00” | “B3” | |
0x00B6 | TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 | 14 | “00” | “B6” |
0x00B7 | TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 | 15 | “00” | “B7” |
0x00BA | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 | “00” | “BA” | |
0x00BE | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 | “00” | “BE” | |
0x00C0 | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 | “00” | “C0” | |
0x00C4 | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 | “00” | “C4” | |
0xC002 | TLS_ECDH_ECDSA_WITH_RC4_128_SHA | “C0” | “02” | |
0xC003 | TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | “C0” | “03” | |
0xC004 | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | “C0” | “04” | |
0xC005 | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | “C0” | “05” | |
0xC007 | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | “C0” | “07” | |
0xC008 | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | 20 | “C0” | “08” |
0xC009 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | 21 | “C0” | “09” |
0xC00A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | 22 | “C0” | “0A” |
0xC00C | TLS_ECDH_RSA_WITH_RC4_128_SHA | “C0” | “0C” | |
0xC00D | TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | “C0” | “0D” | |
0xC00E | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | “C0” | “0E” | |
0xC00F | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | “C0” | “0F” | |
0xC010 | TLS_ECDHE_RSA_WITH_NULL_SHA | “C0” | “10” | |
0xC011 | TLS_ECDHE_RSA_WITH_RC4_128_SHA | “C0” | “11” | |
0xC012 | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | 23 | “C0” | “12” |
0xC013 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 24 | “C0” | “13” |
0xC014 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 25 | “C0” | “14” |
0xC017 | TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | “C0” | “17” | |
0xC018 | TLS_ECDH_anon_WITH_AES_128_CBC_SHA | “C0” | “18” | |
0xC019 | TLS_ECDH_anon_WITH_AES_256_CBC_SHA | “C0” | “19” | |
0xC023 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | 26 | “C0” | “23” |
0xC024 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 27 | “C0” | “24” |
0xC025 | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | “C0” | “25” | |
0xC026 | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | “C0” | “26” | |
0xC027 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 28 | “C0” | “27” |
0xC028 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 29 | “C0” | “28” |
0xC029 | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | “C0” | “29” | |
0xC02A | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | “C0” | “2A” | |
0xC02B | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 30 | “C0” | “2B” |
0xC02C | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 31 | “C0” | “2C” |
0xC02D | TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | “C0” | “2D” | |
0xC02E | TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 | “C0” | “2E” | |
0xC02F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 32 | “C0” | “2F” |
0xC030 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 33 | “C0” | “30” |
0xC031 | TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | “C0” | “31” | |
0xC032 | TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | “C0” | “32” | |
0xC033 | TLS_ECDHE_PSK_WITH_RC4_128_SHA | “C0” | “33” | |
0xC034 | TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA | “C0” | “34” | |
0xC035 | TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA | “C0” | “35” | |
0xC036 | TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA | “C0” | “36” | |
0xC037 | TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 | “C0” | “37” | |
0xC038 | TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 | “C0” | “38” | |
0xC072 | TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 | “C0” | “72” | |
0xC073 | TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 | “C0” | “73” | |
0xC074 | TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 | “C0” | “74” | |
0xC075 | TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 | “C0” | “75” | |
0xC076 | TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 | “C0” | “76” | |
0xC077 | TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 | “C0” | “77” | |
0xC078 | TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 | “C0” | “78” | |
0xC079 | TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 | “C0” | “79” | |
0xC07A | TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 | “C0” | “7A” | |
0xC07B | TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 | “C0” | “7B” | |
0xC07C | TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 | “C0” | “7C” | |
0xC07D | TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 | “C0” | “7D” | |
0xC086 | TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 | “C0” | “86” | |
0xC087 | TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 | “C0” | “87” | |
0xC088 | TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 | “C0” | “88” | |
0xC089 | TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 | “C0” | “89” | |
0xC08A | TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 | “C0” | “8A” | |
0xC08B | TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 | “C0” | “8B” | |
0xC08C | TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 | “C0” | “8C” | |
0xC08D | TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 | “C0” | “8D” | |
0xC08E | TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 | “C0” | “8E” | |
0xC08F | TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 | “C0” | “8F” | |
0xC090 | TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 | “C0” | “90” | |
0xC091 | TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 | “C0” | “91” | |
0xC092 | TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 | “C0” | “92” | |
0xC093 | TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 | “C0” | “93” | |
0xC094 | TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 | “C0” | “94” | |
0xC095 | TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 | “C0” | “95” | |
0xC096 | TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 | “C0” | “96” | |
0xC097 | TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 | “C0” | “97” | |
0xC098 | TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 | “C0” | “98” | |
0xC099 | TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 | “C0” | “99” | |
0xC09A | TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 | “C0” | “9A” | |
0xC09B | TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 | “C0” | “9B” | |
0xC09C | TLS_RSA_WITH_AES_128_CCM | “C0” | “9C” | |
0xC09D | TLS_RSA_WITH_AES_256_CCM | “C0” | “9D” | |
0xC09E | TLS_DHE_RSA_WITH_AES_128_CCM | “C0” | “9E” | |
0xC09F | TLS_DHE_RSA_WITH_AES_256_CCM | “C0” | “9F” | |
0xC0A0 | TLS_RSA_WITH_AES_128_CCM_8 | “C0” | “A0” | |
0xC0A1 | TLS_RSA_WITH_AES_256_CCM_8 | “C0” | “A1” | |
0xC0A2 | TLS_DHE_RSA_WITH_AES_128_CCM_8 | “C0” | “A2” | |
0xC0A3 | TLS_DHE_RSA_WITH_AES_256_CCM_8 | “C0” | “A3” | |
0xC0A4 | TLS_PSK_WITH_AES_128_CCM | “C0” | “A4” | |
0xC0A5 | TLS_PSK_WITH_AES_256_CCM | “C0” | “A5” | |
0xC0A6 | TLS_DHE_PSK_WITH_AES_128_CCM | “C0” | “A6” | |
0xC0A7 | TLS_DHE_PSK_WITH_AES_256_CCM | “C0” | “A7” | |
0xC0A8 | TLS_PSK_WITH_AES_128_CCM_8 | “C0” | “A8” | |
0xC0A9 | TLS_PSK_WITH_AES_256_CCM_8 | “C0” | “A9” | |
0xC0AA | TLS_PSK_DHE_WITH_AES_128_CCM_8 | “C0” | “AA” | |
0xC0AB | TLS_PSK_DHE_WITH_AES_256_CCM_8 | “C0” | “AB” | |
0xC0AC | TLS_ECDHE_ECDSA_WITH_AES_128_CCM | “C0” | “AC” | |
0xC0AD | TLS_ECDHE_ECDSA_WITH_AES_256_CCM | “C0” | “AD” | |
0xC0AE | TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 | “C0” | “AE” | |
0xC0AF | TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 | “C0” | “AF” | |
0xCCA8 | TLS_ECDHE_RSA_WITH_CHACHA20_POL1305_SHA256 | “CC” | “A8” | |
0xCCA9 | TLS_ECDHE_ECDSA_WITH_CHACHA20_POL1305_SHA256 | “CC” | “A9” | |
0xCCAA | TLS_DHE_RSA_WITH_CHACHA20_POL1305_SHA256 | “CC” | “AA” | |
0xCCAB | TLS_PSK_WITH_CHACHA20_POL1305_SHA256 | “CC” | “AB” | |
0xCCAC | TLS_ECDHE_PSK_WITH_CHACHA20_POL1305_SHA256 | “CC” | “AC” | |
0xCCAD | TLS_DHE_PSK_WITH_CHACHA20_POL1305_SHA256 | “CC” | “AD” | |
0xCCAE | TLS_RSA_PSK_WITH_CHACHA20_POL1305_SHA256 | “CC” | “AE” | |
0x1301 | TLS_AES_128_GCM_SHA256 | “13” | “01” | |
0x1302 | TLS_AES_256_GCM_SHA384 | “13” | “02” | |
0x1303 | TLS_CHACHA20_POLY1305_SHA256 | “13” | “03” | |
0x1304 | TLS_AES_128_CCM_SHA256 | “13” | “04” | |
0x1305 | TLS_AES_128_CCM_8_SHA256 | “13” | “05” |
Supported cipher suite
This section provides a list of cipher suites that are available on the series modules. The allowed cipher suites can be selected when <op_code>=2 (cipher suite) with:
The <legacy_cs> parameter
The <legacy_cs>=99 specifying <iana_b1> and <iana_b2> parameters
The <legacy_cs>=100 specifying <iana_b1> and <iana_b2> parameters
For proper <legacy_cs> value, see the +USECPRF AT command.
The cipher suites marked with (D) are the default cipher suites that are proposed to the server when <op_code>=2 (cipher suite) and <legacy_cs>=0. The secure connection will be established if the server supports at least one of the proposed cipher suites.
The available cipher suites are presented in the following list:
(0x000A) TLS_RSA_WITH_3DES_EDE_CBC_SHA
(0x002F) TLS_RSA_WITH_AES_128_CBC_SHA
(0x0035) TLS_RSA_WITH_AES_256_CBC_SHA
(0x003C) TLS_RSA_WITH_AES_128_CBC_SHA256
(0x003D) TLS_RSA_WITH_AES_256_CBC_SHA256
(0x008B) TLS_PSK_WITH_3DES_EDE_CBC_SHA
(0x008C) TLS_PSK_WITH_AES_128_CBC_SHA
(0x008D) TLS_PSK_WITH_AES_256_CBC_SHA
(0x009C) TLS_RSA_WITH_AES_128_GCM_SHA256 (D)
(0x009D) TLS_RSA_WITH_AES_256_GCM_SHA384 (D)
(0x009E) TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (D)
(0x009F) TLS_RSA_WITH_AES_256_GCM_SHA384 (D)
(0x00A8) TLS_PSK_WITH_AES_128_GCM_SHA256 (D)
(0x00A9) TLS_PSK_WITH_AES_256_GCM_SHA384 (D)
(0x00AA) TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 (D)
(0x00AB) TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 (D)
(0x00AC) TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 (D)
(0x00AD) TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 (D)
(0x00AE) TLS_PSK_WITH_AES_128_CBC_SHA256 (D)
(0x00AF) TLS_PSK_WITH_AES_256_CBC_SHA384 (D)
(0xC003) TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
(0xC004) TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
(0xC005) TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
(0xC008) TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
(0xC009) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
(0xC00A) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
(0xC00D) TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
(0xC00E) TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
(0xC00F) TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
(0xC012) TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
(0xC013) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
(0xC014) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
(0xC023) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (D)
(0xC024) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
(0xC025) TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
(0xC026) TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
(0xC027) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
(0xC028) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
(0xC029) TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
(0xC02A) TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
(0xC02B) TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (D)
(0xC02C) TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (D)
(0xC02D) TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (D)
(0xC02F) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (D)
(0xC030) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (D)
(0xC031) TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
(0xC032) TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
(0xC037) TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 (D)
(0xC038) TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 (D)
(0xC09C) TLS_RSA_WITH_AES_128_CCM (D)
(0xC0A1) TLS_RSA_WITH_AES_256_CCM_8 (D)
(0xC0A4) TLS_PSK_WITH_AES_128_CCM (D)
(0xC0A5) TLS_PSK_WITH_AES_256_CCM (D)
(0xC0A6) TLS_DHE_PSK_WITH_AES_128_CCM (D)
(0xC0A7) TLS_DHE_PSK_WITH_AES_256_CCM (D)
(0xC0A8) TLS_PSK_WITH_AES_128_CCM_8 (D)
(0xC0A9) TLS_PSK_WITH_AES_256_CCM_8 (D)
(0xC0AA) TLS_PSK_DHE_WITH_AES_128_CCM_8 (D)
(0xC0AB) TLS_PSK_DHE_WITH_AES_256_CCM_8 (D)
(0xC0AC) TLS_ECDHE_ECDSA_WITH_AES_128_CCM (D)
(0xC0AD) TLS_ECDHE_ECDSA_WITH_AES_256_CCM (D)
(0xC0AE) TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (D)
(0xC0AF) TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (D)