Device and data security

Introduction

Nowadays the security is very important to secure personal or confidential data from unauthorized access and therefore it is important to secure the IoT devices to protect the business and the data.

In the IoT security, a weak point is a defect which is called a vulnerability and it may become a safety issue; IoT devices connects/links physical objects and so in IoT it is needed to secure of course data traffic and networks but also the network of “things” or physical objects (i.e. medical devices, infrastructure, utility meters, vehicles, etc.) must be secured.

Some definitions are needed to understand the foundations of security:

  • Integrity is about making sure that some pieces of data have not been altered from some “reference version”.

  • Authentication is about making sure that a given entity (with whom you are interacting) is who the user believes it to be.

  • Authenticity is a special case of integrity, where the “reference version” is defined as “whatever it was when it was under control of a specific entity”.

  • Confidentiality means no unauthorized access to data (i.e. encryption/cryptography).

The u-blox security solution lets secure the IoT devices from end-to-end:

  • Device security, the privacy of data is protected from the devices to the cloud (confidentiality, integrity and authenticity).

  • Data security, the devices are protected from attack, they can be trusted and controlled (identity, authenticity and firmware protection).

  • Access Management, it can be controlled who has access to data and products (device policies, data policies and feature authorization)

The pillars of the u-blox security are:

  • Unique device identity, an immutable chip ID and a robust Root-of-Trust (RoT) provides the foundational security.

  • Secure boot sequence and updates, only authenticated and authorized firmware and updates can run on the device.

  • Hardware-backed crypto functions, a Secure Client Library (SCL) generates keys and crypto functions to securely connect to the cloud.

The IoT device is secured through different steps:

  • Provision trust: insert Root-of-Trust at production. An immutable chip ID and hardware-based Root-of-Trust provide foundational security and a unique device identity.

  • Leverage trust: derive trusted keys. Secure libraries allow generation of hardware-backed crypto functions and keys that securely connect to the cloud.

  • Guarantee trust: use keys to secure any function. It ensures authenticity, integrity, and confidentiality to maintain control of device and data.

Device security

Introduction

These AT commands maintain device integrity over the entire lifecycle.

  • The +USECCHIP AT command queries the immutable chip ID.

Read the module chip ID +USECCHIP

+USECCHIP

Modules

LEXI-R10401D-00B LEXI-R10801D-00B

Attributes

Syntax

PIN required

Settings saved

Can be aborted

Response time

Error reference

full

No

No

No

-

+CME Error

Description

Queries the chip ID of the module and returns it.

Syntax

TypeSyntaxResponseExample

Action

AT+USECCHIP

+USECCHIP: <chip_id>

OK

+USECCHIP: "12345678"

OK

Defined values

Parameter

Type

Description

<chip_id>

String

Chip ID of the module.

Data security provided by secure connections (SSL/TLS/DTLS)

Introduction

SSL/TLS/DTLS (where supported) provides a secure connection between two entities using TCP/UDP socket for communication (i.e. HTTP/FTP server and HTTP/FTP client).

The SSL/TLS/DTLS with digital certificates support provides different connection security aspects:

  • Server authentication: use of the server certificate verification against a specific trusted certificate or a trusted certificates list;

  • Client authentication: use of the client certificate and the corresponding private key;

  • Data security and integrity: data encryption and Hash Message Authentication Code (HMAC) generation.

The security aspects used in the current connection depend on the SSL/TLS/DTLS configuration and features supported by the communicating entities.

u-blox cellular modules support all the described aspects of SSL/TLS/DTLS security protocol with these AT commands:

  • AT+USECMNG: import, removal, list and information retrieval of certificates or private keys;

  • AT+USECPRF: configuration of USECMNG (u-blox SECurity MaNaGement) profiles used for an SSL/TLS/DTLS connection.

The USECMNG provides a default SSL/TLS/DTLS profile which cannot be modified. The default USECMNG profile provides the following SSL/TLS/DTLS settings:

Setting

Value

Meaning

Certificates validation level

Level 0

The server certificate will not be checked or verified.

Minimum SSL/TLS/DTLS version

Any

The server can use any of the TLS1.0/TLS1.1/TLS1.2/DTLS1.2 versions for the connection.

Cipher suite

Automatic

The cipher suite will be negotiated in the handshake process.

Trusted root certificate internal name

“” (none)

No certificate will be used for the server authentication.

Expected server host-name

“” (none)

No server host-name is expected.

Client certificate internal name

“” (none)

No client certificate will be used.

Client private key internal name

“” (none)

No client private key will be used.

Client private key password

“” (none)

No client private key password will be used.

Pre-shared key

“” (none)

No pre-shared key will be used.

Server certificate pinning

“” (none)

No server certificate will be used.

Server certificate pinning level

Level 0

No server certificate will be used.

For the configuration of the settings listed above, see the +USECPRF AT command.

During the handshake an inactivity timer is started at every received or transmitted packet. The timeout of the inactivity timer is set to 60 s. At the timer expiration the secure connection is aborted, since the handshake has not been completed successfully.

SSL/TLS certificates and private keys manager +USECMNG

+USECMNG

Modules

LEXI-R10401D-00B LEXI-R10801D-00B

Attributes

Syntax

PIN required

Settings saved

Can be aborted

Response time

Error reference

full

No

No

No

-

+CME Error

Description

Manages the X.509 certificates and private keys with the following functionalities:

  • Import of certificates and private keys

  • List and information retrieval of imported certificates and private keys

  • Removal of certificates and private keys

  • MD5 calculation of imported certificate or private key

For more details on X.509 certificates and private keys see RFC 5280 [RFC5280].

The number and the format of the certificates and the private keys accepted depend on the module series:

  • certificates and private keys both in DER (Distinguished Encoding Rules) and in PEM (Privacy-Enhanced Mail) format are accepted. If the provided format is PEM, the imported certificate or private key will be automatically converted in DER format for the internal storage. It is also possible to validate certificates and private keys. Up to 10 certificates or private keys can be imported.

The certificates and private keys are kept in DER format and are not retrievable (i.e. cannot be downloaded from the module); for data validation purposes an MD5 hash string of the stored certificate or private key (stored in DER format) can be retrieved.

The SSL/(D)TLS connection with Server and/or Mutual Authentication can be successfully performed using the following key size:

  • for Rivest-Shamir-Adleman (RSA) keys at least 1024-bits.

  • for Elliptic Curve Digital Signature Algorithm (ECDSA) keys at least 192-bits.

The same limitation is applied also to the keys used for the certificates generation.

Data for certificate or private key import can be provided with a stream of byte similar to +FOPEN or from a file stored on the FS.

When using the stream of byte import functionality:

  • If the data transfer is stopped before its completion, a guard timer of 20 s will ensure the termination of the data transmission. In this case the prompt will switch back in AT command mode and an error result code will be returned.

  • If the module shuts down during the data transfer, all the bytes are discarded.

  • If any error occurs during the data transfer, all bytes are discarded.

All the imported certificates or private keys are listed if the type of the security data is omitted.

The imported certificates and private keys are:

  • PRESERVED after the module FW is upgraded using +UFWINSTALL or +NFWUPD AT commands.

  • NOT PRESERVED (deleted) after a factory reset using +UFACTORY AT command.

  • NOT PRESERVED after the module FW is upgraded using EasyFlash.

The USECMNG import command supports only X.509 certificate format.

The X.509 certificate DN (Distinguished Name) is composed of value fields which uniquely define an entity being authenticated. For security reasons some limitations (related to DN fields) described below are applied:

The USECMNG private key import command does not support private keys in PEM format with extension headers (i.e. “EC PARAMETERS”).

Syntax

TypeSyntaxResponseExample

Generic syntax:

Action

AT+USECMNG=<op_code>,[<type>[,<internal_name>[,<param1>[,<param2>]]]]

OK

-

Import a certificate or private key from serial I/O:

Action

AT+USECMNG=0,<type>,<internal_name>,<data_size>[,<password>]

>

Start transfer of data …​

+USECMNG: 0,<type>,<internal_name>,<md5_string>

OK

AT+USECMNG=0,0,"AddTrustCA",1327

>-----BEGIN CERTIFICATE-----

(…​other certificate data bytes…​)

+USECMNG: 0,0,"AddTrustCA","77107370ec4db40a08a6e36a64a1435b"

OK

Import a certificate or private key from a file stored on FS:

Action

AT+USECMNG=1,<type>,<internal_name>,<filename>[,<password>]

+USECMNG: 1,<type>,<internal_name>,<md5_string>

OK

AT+USECMNG=1,0,"AddTrustCA","addtrust.cert"

+USECMNG: 1,0,"AddTrustCA","77107370ec4db40a08a6e36a64a1435b"

OK

Remove an imported certificate or private key:

Action

AT+USECMNG=2,<type>,<internal_name>

OK

AT+USECMNG=2,0,"AddTrustCA"

OK

List imported certificates or private keys:

Read

AT+USECMNG=3[,<type>]

<cert_type>,<internal_name>[,<common_name>,<expiration_date>]

…​

OK

AT+USECMNG=3

"CA","AddTrustCA","AddTrust External CA Root","2020/05/30"

"CA","GlobalSignCA","GlobalSign","2029/03/18"

"CC","JohnDoeCC","GlobalSign","2010/01/01"

"PK","JohnDoePK"

OK

Retrieve the MD5 of an imported certificate or private key:

Read

AT+USECMNG=4,<type>,<internal_name>

+USECMNG: 4,<type>,<internal_name>,<md5_string>

OK

AT+USECMNG=4,0,"AddTrustCA"

+USECMNG: 4,0,"AddTrustCA","77107370ec4db40a08a6e36a64a1435b"

OK

Test

AT+USECMNG=?

+USECMNG: (list of supported <op_code>s),(list of supported <type>s)

OK

+USECMNG: (0-4),(0-2)

OK

Defined values

ParameterTypeDescription

<op_code>

Number

Type of operation:

  • 0: import a certificate or a private key (data provided by the stream of byte)

  • 1: import a certificate or a private key (data provided from a file on FS)

  • 2: remove an imported certificate or private key

  • 3: list imported certificates or private keys

  • 4: retrieve the MD5 of an imported certificate or private key

<type>

Number

Type of the security data:

  • 0: trusted root CA (certificate authority) certificate

  • 1: client certificate

  • 2: client private key

  • 3: server certificate

  • 4: signature verification certificate

  • 5: signature verification public key

Allowed values:

  • 0, 1, 2, 3

<cert_type>

String

Type of the security data in verbose format:

  • "CA": trusted root CA (certificate authority) certificate

  • "CC": client certificate

  • "PK": client private key

  • "SC": server certificate

  • "VC": signature verification certificate

  • "PU": signature verification public key

Allowed values:

  • "CA", "CC", "PK", "SC"

<internal_name>

String

Unique identifier of an imported certificate or private key. If an existing name is used the data will be overridden.

  • The maximum length for the imported certs/keys is 30 characters. The maximum length for the preinstalled certs/keys is 60 characters.

<data_size>

Number

Size in bytes of a certificate or private key being imported.

  • The maximum allowed size is 8192 bytes.

<password>

String

Decryption password; applicable only for PKCS8 encrypted client private keys. The maximum length is 128 characters.

<filename>

String

Name of the FS file containing the certificate or private key data to be imported.

  • The maximum allowed file size is 8192 bytes.

  • The maximum filename length is 63 characters.

<md5_string>

String

MD5 formatted string.

<common_name>

String

Certificate subject (issued to) common name; applicable only for trusted root and client certificates.

<expiration_date>

String

Certificate expiration (valid to date); applicable only for trusted root and client certificates.

<param1>

Number/String

Type and supported content depend on the related <op_code> parameter; see the <op_code> specification.

<param2>

Number/String

Type and supported content depend on the related <op_code> parameter; see the <op_code> specification.

Notes

  • The import of the following client private key formats is not supported:

    • PKCS1 RSA formatted not-encrypted private key

    • PKCS1 RSA formatted encrypted private key

    • PKCS8 not-encrypted private key

    • PKCS8 encrypted private key

  • The PKCS1 and PKCS8 encrypted private keys can be imported only in DER format.

  • The following certificates are pre-installed on the module and cannot be deleted/changed by the customer via AT commands:

    Internal name

    Common name

    Expiration date

    ubx_digicert_global_root_ca

    DigiCert Global Root CA

    2031/11/10 00:00:00

    ubx_digicert_global_root_g2

    DigiCert Global Root G2

    2038/01/15 12:00:00

    ubx_digicert_trusted_root_g4

    DigiCert Trusted Root G4

    2038/01/15 12:00:00

    ubx_digicert_eccp384_root_g5

    DigiCert TLS ECC P384 Root G5

    2046/01/14 23:59:59

    ubx_digicert_rsa4096_root_g5

    DigiCert TLS RSA4096 Root G5

    2046/01/14 23:59:59

    ubx_baltimore_cybertrust_root

    Baltimore CyberTrust Root

    2025/05/12 23:59:00

    ubx_tmo_usa_enterprise_root_ca

    T-Mobile USA Enterprise Root CA

    2040/11/03 20:28:54

    ubx_starfield_service_root_ca_g2

    Starfield Services Root Certificate Authority - G2

    2034/06/28 17:39:16

+USECMNG AT command example

Below is an example with a PEM encoded trusted root certificate.

CommandResponseDescription

Step 1: Import a trusted root certificate using the stream of byte similar to +FOPEN

AT+USECMNG=0,0,"ThawteCA",1516

>

Start the data transfer using the stream of byte.

PEM encoded trusted root certificate data.

+USECMNG: 1,0,"ThawteCA","8ccadc0b22cef5be72ac411a11a8d812"

OK

Input PEM formatted trusted root certificate data bytes. Output MD5 hash string of the stored trusted root certificate DER.

Step 2: List all available certificates and private keys

AT+USECMNG=3

CA, "ThawteCA","thawte Primary Root CA","2036/07/17"

OK

List all available certificates and private keys.

Step 3: Set the security profile 2 validation level to trusted root

AT+USECPRF=2,0,1

OK

Security profile 2 has the validation level set to trusted root.

Step 4: Set the security profile 2 trusted root certificate to the CA certificate imported as "ThawteCA"

AT+USECPRF=2,3,"ThawteCA"

OK

Security profile 2 will use the CA certificate imported as "ThawteCA" for server certificate validation.

Step 5: Use the configured USECMNG profile 2 with the UHTTP application

AT+UHTTP=0,1,"www.ssl_tls_test_server.com"

OK

Configure the UHTTP server name.

AT+UHTTP=0,6,1,2

OK

Enable the SSL/TLS for the UHTTP profile #0 and specify the SSL/TLS security profile 2.

AT+UHTTPC=0,1,"/","https.resp"

OK

Execute the HTTP GET command.

+UUHTTPCR: 0,1,1

HTTP GET URC response.

In the above example the following PEM encoded trusted certificate is used:

 -----BEGIN CERTIFICATE-----
  MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB
  qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
  Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
  MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
  BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3MDAwMDAwWhcNMzYw
  NzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5j
  LjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYG
  A1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl
  IG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqG
  SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFs
  W0hoSVk3/AszGcJ3f8wQLZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta
  3RGNKJpchJAQeg29dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGcq/gcfomk
  6KHYcWUNo1F77rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6
  Sk/KaAcdHJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94J
  NqR32HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBA
  MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7W0XP
  r87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7ORtvzw6WfU
  DW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeEuzLlQRHAd9mz
  YJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQaEfZYGDm/Ac9IiAX
  xPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqdE8hhuvU5HIe6uL17In/2
  /qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/
  LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7
  jVaMaA==
  -----END CERTIFICATE-----

Notes

Due to significant memory fingerprint of an SSL/TLS connection, the number of concurrent SSL/TLS connections is limited. The USECMNG and the underlying SSL/TLS infrastructure allows 4 concurrent SSL/TLS connections (i.e. 4 HTTPS requests or 2 HTTPS and 2 FTPS request).

SSL/TLS/DTLS security layer profile manager +USECPRF

+USECPRF

Modules

LEXI-R10401D-00B LEXI-R10801D-00B

Attributes

Syntax

PIN required

Settings saved

Can be aborted

Response time

Error reference

partial

No

No

No

-

+CME Error

Description

Manages security profiles for the configuration of the following SSL/TLS/DTLS connections properties:

  • Certificate validation level:

    • Level 0: no certificate validation; the server certificate will not be checked or verified. No additional certificates are needed.

    • Level 1: certificate validation against a specific or a list of imported trusted root certificates.

    • Level 2: certificate validation with an additional URL integrity check (the server certificate common name must match the server hostname).

    • Level 3: certificate validation with an additional check on the certificate validity date.

    CA certificates should be imported with the +USECMNG AT command

  • SSL/TLS version to be used:

    • Any of the TLS versions supported by the module

    • TLS 1.0

    • TLS 1.1

    • TLS 1.2

    • TLS 1.3

  • DTLS version to be used:

    • DTLS 1.2

  • Cipher suite to be configured using the following methods:

    • Legacy cipher suite to be used. See Syntax description and table_title for the supported cipher suites.

    • Additional cipher suite to be used with Internet Assigned Numbers Authority (IANA) enumeration set command. See Syntax description and table_title for the supported cipher suites.

    • List of cipher suites to be used is configured with add / remove commands and using IANA enumeration. See Syntax description and table_title for the supported cipher suites.

    For the applicability of cipher suite depending on the series module, see Cipher suites applicability.

    Cipher suite configuration methods are exclusive and the last configured method is used.

    The cipher suite configuration read command response is related to the selected cipher suite type, see Syntax description for more details.

  • Certificate to be used for server and mutual authentication:

    • The trusted root certificate. The CA certificate should be imported with the +USECMNG AT command.

    • The client certificate that should be imported with the +USECMNG AT command.

    • The client private key that should be imported with the +USECMNG AT command.

    • The server certificate that should be imported with the +USECMNG AT command.

  • Database selection. Accordingly to the +USECMNG AT command the certificates and keys can be imported in the user database, or can be already present in the pre-installed database. The security profile can be configured to use certificates and clients from all available databases or from a specific database.

  • Expected server hostname, when using certificate validation level 2 or 3.

  • Password for the client private key, if it is password protected.

  • Pre-shared key used for connection. Defines a pre-shared key and key-name (PSK), when a TLS_PSK_* cipher suite is used.

  • SNI (Server Name Indication). SNI is a feature of SSL/TLS which uses an additional SSL/TLS extension header to specify the server name to which the client is connecting to. The extension was introduced to support the certificate handling used with virtual hosting provided by the various SSL/TLS enabled servers mostly in cloud based infrastructures. With the SNI a server has the opportunity to present a different server certificate (or/and whole SSL/TLS configuration) based on the host indicated by the SNI extension. When SNI is not used the modules might receive a non host specific SSL/TLS configuration (version/cipher suites/certificate) when used with virtual hosts.

  • (D)TLS session resumption. The session resumption feature allows to reuse the secure session data to reestablish a SSL/(D)TLS secure session. Since the secure session data are available, the full SSL/(D)TLS handshake is not performed during the session resumption. Once the session resumption feature is enabled, the session resumption type and the secure session data (negotiated during the SSL/(D)TLS handshake) are displayed via +UUSECPRF URC message. The session resumption feature configuration and secure session data are not stored in the NVM, hence the session resumption may be performed until power cycle. Once the session data related to the session resumption via session ticket (<sess_type>=1 or <sess_type>=11) or via the session resumption via PSK-based session ticket (<sess_type>=3 or <sess_type>=13) are properly retrieved from the server, they are directly configured in the USECPRF profile and a +UUSECPRF URC message reporting the session resumption status is issued. Conversely, once the session data related to the session resumption via session ID (<sess_type>=0 or <sess_type>=10) are properly retrieved from the server, an +UUSECPRF URC message reporting the session resumption type and an +UUSECPRF URC message reporting the session resumption data are issued, furthermore the session resumption data are not stored in the USECPRF profile.

  • ZTP-provided credentials. The credentials to establish the secure connection will be provided by Zero Touch Provisioning (ZTP). In the specific case the credentials provided by the ZTP will be the CA certificate, or/and the client certificates and client private key. The CA certificate, and if applicable, the client certificate, are sent to the server during the handshake. The CA certificate and the client certificate are concatenated in a certificate chain.

  • Application Layer Protocol Name (ALPN). With ALPN the client sends the list of supported application protocols as part of the TLS ClientHello message. The server can select one protocol and send it as part of the TLS ServerHello message. The application protocol negotiation can thus be accomplished within the TLS handshake, without adding network round-trips, and allows the server to associate a different certificate according to the indicated application protocol, if desired. For more details on ALPN, Extension protocol see RFC 7301 [RFC7301].

When ZTP-provided credentials feature is enabled (<op_code>=14) for a certain USECPRF profile, the client certificate and client key set by the <op_code>=5 (client certificate internal name) and <op_code>=6 (client private key internal name) are ignored, and the underlying SSL/TLS uses the ZTP provided ones.

To set all the parameters in security profile, a set command for each <op_code> needs to be issued (e.g. certificate validation level, minimum SSL/TLS/DTLS version, …​).

To reset (set to factory-programmed value) all the parameters of a specific security profile, issue the AT+USECPRF=<profile_id> command.

Syntax

TypeSyntaxResponseExample

Generic syntax

Set

AT+USECPRF=<profile_id>[,<op_code>[,<param_val1>[,<param_val2>[,<param_val3>]]]]

OK

AT+USECPRF=0,0,0

OK

Read

AT+USECPRF=<profile_id>,<op_code>

+USECPRF: <profile_id>,<op_code>,<param_val1>

OK

AT+USECPRF=0,0

+USECPRF: 0,0,0

OK

URC

+UUSECPRF: <profile_id>,<op_code>[,<param_val1>[,<param_val2>[,<param_val3>]]]

OK

+UUSECPRF: 0,13,1,0

OK

Certificate validation level

Set

AT+USECPRF=<profile_id>,0,<validation_lvl>

OK

AT+USECPRF=0,0,2

OK

SSL/TLS version

Set

AT+USECPRF=<profile_id>,1,<tls_ver>

OK

AT+USECPRF=0,1,4

OK

Legacy cipher suite selection

Set

AT+USECPRF=<profile_id>,2,<legacy_cs>

OK

AT+USECPRF=0,2,2

OK

Cipher suite selection using IANA enumeration

Set

AT+USECPRF=<profile_id>,2,99,<iana_b1>,<iana_b2>

OK

AT+USECPRF=0,2,99,"C0","2B"

OK

Read

AT+USECPRF=<profile_id>,2

+USECPRF: <profile_id>,2,99,<iana_b1>,<iana_b2>

OK

AT+USECPRF=0,2

+USECPRF: 0,2,99,"C0","2B"

OK

Add/remove of IANA cipher suite to the configured cipher suites list

Set

AT+USECPRF=<profile_id>,2,100,<iana_b1>,<iana_b2>,<operation>

OK

AT+USECPRF=0,2,100,"C0","2A",0

OK

Add an IANA cipher suite to the configured cipher suites list

Set

AT+USECPRF=<profile_id>,2,100,<iana_b1>,<iana_b2>,0

OK

AT+USECPRF=0,2,100,"C0","2A",0

OK

Remove an IANA cipher suite from the configured cipher suites list

Set

AT+USECPRF=<profile_id>,2,100,<iana_b1>,<iana_b2>,1

OK

AT+USECPRF=0,2,100,"C0","2B",1

OK

Read the list of configured cipher suites

Read

AT+USECPRF=<profile_id>,2

+USECPRF: <profile_id>,2,100,<list of configured cipher suites separated by ";">

OK

AT+USECPRF=0,2

+USECPRF: 0,2,100,"C02A;C02C"

OK

Trusted root certificate internal name

Set

AT+USECPRF=<profile_id>,3,<root_cert_int_name>

OK

AT+USECPRF=0,3,"ca_iname"

OK

Expected server hostname

Set

AT+USECPRF=<profile_id>,4,<srv_hostname>

OK

AT+USECPRF=0,4,"server_hostname"

OK

Client certificate internal name

Set

AT+USECPRF=<profile_id>,5,<cli_cert_int_name>

OK

AT+USECPRF=0,5,"cc_iname"

OK

Client private key internal name

Set

AT+USECPRF=<profile_id>,6,<cli_priv_key_int_name>

OK

AT+USECPRF=0,6,"pk_iname"

OK

Client private key password

Set

AT+USECPRF=<profile_id>,7,<cli_priv_key_pwd>

OK

AT+USECPRF=0,7,"xxxxx"

OK

Pre-shared key configuration

Set

AT+USECPRF=<profile_id>,8,<preshared_key>[,<preshared_key_str_type>]

OK

AT+USECPRF=0,8,"0sFpZ0AZqE0N6Ti9s0qt40ZP5Eqx"

OK

Pre-shared key identity configuration

Set

AT+USECPRF=<profile_id>,9,<preshared_key_id>[,<preshared_key_id_str_type>]

OK

AT+USECPRF=0,9,"0ceEZ0AZqP0K60i9o04xz0ZP8zyu0Eqx"

OK

SNI Server Name Indication

Set

AT+USECPRF=<profile_id>,10,<SNI>

OK

AT+USECPRF=0,10,"server_sni"

OK

PSK and PSK key identity generated by RoT (Root of trust)

Set

AT+USECPRF=<profile_id>,11,<PSK_val>

OK

AT+USECPRF=0,11,0

OK

Server certificate pinning

Set

AT+USECPRF=<profile_id>,12,<server_certificate>,<pinning_level>

OK

AT+USECPRF=0,12,"my_srv_cert",0

OK

(D)TLS session resumption generic syntax

Set

AT+USECPRF=<profile_id>,13,<sess_tag>,<param_val1>[,<param_val2>]

OK

AT+USECPRF=0,13,0,1

OK

Read

AT+USECPRF=<profile_id>,13,<sess_tag>

+USECPRF: <profile_id>,13,<sess_tag>,<param_val1>[,<param_val2>]

OK

AT+USECPRF=0,13,0

+USECPRF: 0,13,0,1

OK

URC

+UUSECPRF: <profile_id>,13,<sess_tag>,<param_val1>[,<param_val2>]

OK

+UUSECPRF: 0,13,1,0

OK

(D)TLS session resumption status

Set

AT+USECPRF=<profile_id>,13,0,<sess_status>

OK

AT+USECPRF=0,13,0,1

OK

Read

AT+USECPRF=<profile_id>,13,0

+USECPRF: <profile_id>,13,0,<sess_status>

OK

AT+USECPRF=0,13,0

+USECPRF: 0,13,0,1

OK

URC

+UUSECPRF: <profile_id>,13,0,<sess_status>

+UUSECPRF: 0,13,0,2

(D)TLS session resumption session type

Set

AT+USECPRF=<profile_id>,13,1,<sess_type>

OK

AT+USECPRF=0,13,1,0

OK

Read

AT+USECPRF=<profile_id>,13,1

+USECPRF: <profile_id>,13,1,<sess_type>

OK

AT+USECPRF=0,13,1

+USECPRF: 0,13,1,0

OK

URC

+UUSECPRF: <profile_id>,13,1,<sess_type>

+UUSECPRF: 0,13,1,0

(D)TLS session resumption session data having session ID as session resumption type

Set

AT+USECPRF=<profile_id>,13,2,<session_id_b64>,<master_secret_b64>

OK

AT+USECPRF=0,13,2,"VWY5UENs0Hh3VWR1MjB2WTVMYVZ5TTdE0WpMeWZWeHo=","SHVSODByUit0My9OMEtIT2ZsVVFRcUsyTkdvaz0nWVFhRzdQZUpndG9IMzN4ZTBo"

OK

Read

AT+USECPRF=<profile_id>,13,2

+USECPRF: <profile_id>,13,2,<session_id_b64>,<master_secret_b64>

OK

AT+USECPRF=0,13,2

+USECPRF: 0,13,2,"VWY5UENs0Hh3VWR1MjB2WTVMYVZ5TTdE0WpMeWZWeHo=","SHVSODByUit0My9OMEtIT2ZsVVFRcUsyTkdvaz0nWVFhRzdQZUpndG9IMzN4ZTBo"

OK

URC

+UUSECPRF: <profile_id>,13,2,<session_id_b64>,<master_secret_b64>

+UUSECPRF: 0,13,2,"VWY5UENs0Hh3VWR1MjB2WTVMYVZ5TTdE0WpMeWZWeHo=","SHVSODByUit0My9OMEtIT2ZsVVFRcUsyTkdvaz0nWVFhRzdQZUpndG9IMzN4ZTBo"

(D)TLS session resumption session data having session ticket as session resumption type

Set

AT+USECPRF=<profile_id>,13,3,<session_data_b64>,<session_data_b64_size>

OK

AT+USECPRF=0,13,3,"MIHOAgECAgMAzKgEMDZV

[…​]

NuPf3pFw4tJjU2gjKg2ipCBW0rTrfTyQ==",332

OK

Read

AT+USECPRF=<profile_id>,13,3

+USECPRF: <profile_id>,13,3,<session_data_b64>,<session_data_b64_size>

OK

AT+USECPRF=0,13,3

+USECPRF: 0,13,3,"MIHOAgECAgMAzKgEMDZV

[…​]

NuPf3pFw4tJjU2gjKg2ipCBW0rTrfTyQ==",332

OK

(D)TLS session resumption session data having PSK-based session ticket as session resumption type

Set

AT+USECPRF=<profile_id>,13,5,<session_data_b64_size>

>

<session_data_b64>

OK

AT+USECPRF=0,13,5,2320

>

NjQwM0IwMDEzMDgyMDFB0QzAyMDEwMTAyMDEwMDAy0MDEwMTAyMDIxQzIwMDIw

[…​]

MDAwMDAwMDAwMDAwMDAw0MDAwMDAwMDAwMDAwMDAw0MDAwMDAwMDAyMDIxMzAy

OK

Read

AT+USECPRF=<profile_id>,13,5

+USECPRF: <profile_id>,13,5,<session_data_b64>,<session_data_b64_size>

OK

AT+USECPRF=0,13,5

+USECPRF: 0,13,5,"Nj0QwM0IwMDEzMDgyMDFBQz0AyMDEwMTAyMDEwMDAyMD

[…​]

AwMDAwMDAwMDAwMDAwMD0AwMDAwMDAwMDAwMDAwMD0AwMDAyMDIxMzAy",2320

OK

(D)TLS session resumption session data having encrypted session ID with local encryption as session resumption type

Set

AT+USECPRF=<profile_id>,13,12,<enc_session_data_b64>,<enc_session_data_b64_size>

OK

AT+USECPRF=0,13,12,"AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh/Ljgstf1cLaEO2D8IMbxHcQlGfhVxC0in6aGVlSJGBWCAAKJo6Qw5Q+ugXaRZFquG0O69WeHnPRBkcwY2SN4bwnDbyR+709i0pt2nlaYMSCL77MAA=",156

OK

Read

AT+USECPRF=<profile_id>,13,12

+USECPRF: <profile_id>,13,12,<enc_session_data_b64>,<enc_session_data_b64_size>

OK

AT+USECPRF=0,13,12

+USECPRF: 0,13,12,"AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh/Ljgstf1cLaEO2D8IMbxHcQlGfhVxC0in6aGVlSJGBWCAAKJo6Qw5Q+ugXaRZFquG0O69WeHnPRBkcwY2SN4bwnDbyR+709i0pt2nlaYMSCL77MAA=",156

OK

URC

+UUSECPRF: <profile_id>,13,12,<enc_session_data_b64>,<enc_session_data_b64_size>

+UUSECPRF: 0,13,12,"AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh/Ljgstf1cLaEO2D8IMbxHcQlGfhVxC0in6aGVlSJGBWCAAKJo6Qw5Q+ugXaRZFquG0O69WeHnPRBkcwY2SN4bwnDbyR+709i0pt2nlaYMSCL77MAA=",156

(D)TLS session resumption session data having encrypted session ticket with local encryption as session resumption type

Set

AT+USECPRF=<profile_id>,13,13,<enc_session_data_b64>,<enc_session_data_b64_size>

OK

AT+USECPRF=0,13,13,"MIHOAgECAgMAzKwsa64L

[…​]

dQE2VcxYvD0VcrR2jKg2ipCBW0rTrfTyQ==",364

OK

Read

AT+USECPRF=<profile_id>,13,13

+USECPRF: <profile_id>,13,13,<enc_session_data_b64>,<enc_session_data_b64_size>

OK

AT+USECPRF=0,13,13

+USECPRF: 0,13,13,"MIHOAgECAgMAzKwsa64L

[…​]

QE2VcxYvD0VcrR2jKg2ipCBW0rTrfTyQ==",364

OK

(D)TLS session resumption session data having PSK-based session ticket with local encryption as session resumption type

Set

AT+USECPRF=<profile_id>,13,15,<enc_session_data_b64_size>

>

<enc_session_data_b64>

OK

AT+USECPRF=0,13,15,2408

>

MDBGMDRCREYwODYwREYw0RDFDNjk1NUU5OUY5NjAw0MDA1QjlCN0QxMUYzM0Qy

[…​]

Njg4MkEzQzJCRjA5NEFF0QzJFQUFFOTNBNjY2RkNE0QzM3RDJERTYyRDIxNQ==

OK

Read

AT+USECPRF=<profile_id>,13,15

+USECPRF: <profile_id>,13,15,<enc_session_data_b64>,<enc_session_data_b64_size>

OK

AT+USECPRF=0,13,15

+USECPRF: 0,13,15,"M0DBGMDRCREYwODYwREYwR0DFDNjk1NUU5OUY5NjAwM

[…​]

EzQzJCRjA5NEFFQzJFQU0FFOTNBNjY2RkNEQzM3RD0JERTYyRDIxNQ==",2408

OK

ZTP-provided credentials

Set

AT+USECPRF=<profile_id>,14,<ZTP_tag>

OK

AT+USECPRF=0,14,0

OK

Read

AT+USECPRF=<profile_id>,14

+USECPRF: <profile_id>,14,<ZTP_tag>

OK

AT+USECPRF=0,14

+USECPRF: 0,14,2

OK

ALPN extension protocol

Set

AT+USECPRF=<profile_id>,15,<ALPN_string_type>

OK

AT+USECPRF=0,15,"FTP"

OK

Read

AT+USECPRF=<profile_id>,15

+USECPRF: <profile_id>,15,<ALPN_string_type>

OK

AT+USECPRF=0,15

+USECPRF: 0,15,"FTP"

OK

Database selection

Set

AT+USECPRF=<profile_id>,16,<db_to_use>

OK

AT+USECPRF=0,16,1

OK

Read

AT+USECPRF=<profile_id>,16

+USECPRF: <profile_id>,16,<db_to_use>

OK

AT+USECPRF=0,16

+USECPRF: 0,16,2

OK

Test

AT+USECPRF=?

+USECPRF: (list of supported <profile_id>s),(list of supported <op_code>s)

OK

+USECPRF: (0-4),(0-16)

OK

Defined values

ParameterTypeDescription

<profile_id>

Number

USECMNG security profile identifier, in range 0-4; if it is not followed by other parameters the profile settings will be reset (set to factory-programmed value).

<op_code>

Number

  • 0: certificate validation level

  • 1: SSL/TLS version to use

  • 2: cipher suite

  • 3: trusted root certificate internal name

  • 4: expected server hostname

  • 5: client certificate internal name

  • 6: client private key internal name

  • 7: client private key password

  • 8: pre-shared key

  • 9: pre-shared key identity

  • 10: SNI (Server Name Indication)

  • 11: PSK key and PSK key identity generated by RoT (Root of trust)

  • 12: server certificate pinning

  • 13: (D)TLS session resumption;

  • 14: ZTP-provided credentials

  • 15: Application-Layer Protocol Negotiation (ALPN)

  • 16: database selection

Allowed values:

  • 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 15, 16

<validation_lvl>

Number

certificate validation level:

  • 0: level 0 - No validation; the server certificate will not be checked or verified. The server in this case is not authenticated.

  • 1: level 1 - Root certificate validation without URL integrity check. The server certificate will be verified with a specific trusted certificates or with each of the imported trusted root certificates.

  • 2: level 2 - Root certificate validation with URL integrity check. Level 1 validation with an additional URL integrity check.

  • 3: level 3 - Root certificate validation with check of certificate validity date. Level 2 validation with an additional check of certificate validity date.

The factory-programmed value is:

  • 1

<tls_ver>

Number

SSL/TLS version to use; allowed values:

  • 0: any; the server can use any TLS version, which is supported by the module, for the connection. For more details on the supported TLS versions, see Notes.

  • 1: TLS v1.0; connection allowed only to TLS/SSL servers which support TLS v1.0

  • 2: TLS v1.1; connection allowed only to TLS/SSL servers which support TLS v1.1

  • 3: TLS v1.2; connection allowed only to TLS/SSL servers which support TLS v1.2

  • 4: TLS v1.3; connection allowed only to TLS/SSL servers which support TLS v1.3

The factory-programmed value is:

  • 0

<legacy_cs>

Number

Legacy cipher suite enumeration. legacy cipher suites are listed in table_title. The factory-programmed value is 0. For <legacy_cs>=0 a list of default cipher suites is proposed at the beginning of handshake process, and a cipher suite will be negotiated among the cipher suites proposed in the list. For <legacy_cs>=99 the cipher suite selection is performed with IANA enumeration, <iana_b1> and <iana_b2> are strings containing the 2 bytes that compose the IANA enumeration, see table_title. For <legacy_cs>=100 the list of cipher suites is configured using IANA enumeration, <iana_b1> and <iana_b2> are strings containing the 2 bytes that compose the IANA enumeration, see table_title.

The cipher suite configuration read command response is related to the selected cipher suite type. In the case of <legacy_cs>=99 the configured <byte_1> and <byte_2> are reported in the information text response to the read command. In the case of <legacy_cs>=100 a ";" separated list with configured cipher suites is reported in the information text response to the read command.

For <legacy_cs>=100, when all added cipher suites are removed the cipher suite is automatically set to 0 (factory-programmed value).

For the applicability of default cipher suite lists depending on the series module, see Cipher suites applicability.

<iana_b1>

String

First byte of IANA cipher suite enumeration

<iana_b2>

String

Second byte of IANA cipher suite enumeration

<operation>

Number

Operation to execute when using <legacy_cs>=100 configuration using a list of IANA enumeration. Allowed values for <operation>:

  • 0: add cipher suite defined by <iana_b1> and <iana_b2> to the list

  • 1: remove cipher suite defined by <iana_b1> and <iana_b2> from the list

<root_cert_int_name>

String

Internal name identifying a trusted root certificate; the maximum length is 200 characters. The factory-programmed value is an empty string.

<srv_hostname>

String

Hostname of the server, used when certificate validation level is set to Level 2; the maximum length is 256 characters. The factory-programmed value is an empty string.

<cli_cert_int_name>

String

Internal name identifying a client certificate to be sent to the server; the maximum length is 200 characters. The factory-programmed value is an empty string.

<cli_priv_key_int_name>

String

Internal name identifying a private key to be used; the maximum length is 200 characters. The factory-programmed value is an empty string.

<cli_priv_key_pwd>

String

Password for the client private key if it is password protected; the maximum length is 128 characters. The factory-programmed value is an empty string.

<preshared_key>

String

Pre-shared key used for connection; the factory-programmed value is an empty string. The accepted string type and length depends on the <preshared_key_str_type> value.

<preshared_key_str_type>

Number

Defines the type and the maximum length of the <preshared_key> string. Allowed values:

  • 0 (default value): <preshared_key> is an ASCII string and its maximum length is 64 characters

  • 1: <preshared_key> is an hexadecimal string and its maximum length is 128 characters

<preshared_key_id>

String

Pre-shared key used for connection; the factory-programmed value is an empty string. The accepted string type and length depends on the <preshared_key_id_str_type> value.

<preshared_key_id_str_type>

Number

Defines the type and the maximum length of the <preshared_key_id> string. Allowed values:

  • 0 (default value): <preshared_key_id> is an ASCII string and its maximum length is 128 characters

  • 1: <preshared_key_id> is an hexadecimal string and its maximum length is 256 characters

<SNI>

String

Value for the additional negotiation header SNI (Server Name Indication) used in SSL/TLS connection negotiation; the maximum length is 128 characters. The factory-programmed value is an empty string..

<PSK_val>

Number

PSK key and PSK key identity generated by RoT (Root of trust); allowed values:

  • 0 (factory-programmed value): OFF - The PSK and PSK key ID are NOT generated by RoT

  • 1: ON - The PSK and PSK key ID are generated by RoT in the process of SSL/TLS connection negotiation

<server_certificate>

String

Internal name identifying a certificate configured to be used for server certificate pinning; the maximum length is 200 characters. The factory-programmed value is an empty string.

<pinning_level>

String

Certificate pinning information level. Allowed values:

  • 0: pinning based on information comparison of received and configured certificate public key

  • 1: pinning based on binary comparison of received and configured certificate public key

  • 2: pinning based on binary comparison of received and configured certificate

<sess_tag>

Number

Configures the (D)TLS session resumption. Allowed values:

  • 0: session resumption status

  • 1: session resumption type

  • 2: session resumption data when the session resumption type is session ID

  • 3: session resumption data when the session resumption type is session ticket.

  • 5: session resumption data when the session resumption type is PSK-based session ticket. TLS v1.3 must be enabled (+USECPRF: <profile_id>,1,4).

  • 12: session resumption data when the session resumption type is encrypted session ID with local encryption

  • 13: session resumption data when the session resumption type is encrypted session ticket with local encryption

  • 15: session resumption data when the session resumption type is encrypted PSK-based session ticket with local encryption. TLS v1.3 must be enabled (+USECPRF: <profile_id>,1,4).

Allowed values:

  • 0, 1, 3

<sess_status>

Number

(D)TLS session resumption status. Allowed values:

  • 0 (factory-programmed value): disabled

  • 1: enabled

  • 2: session data configured

Allowed values:

  • 0, 1, 2

<sess_type>

Number

(D)TLS session resumption type. Allowed values:

  • 0: session ID

  • 1: session ticket

  • 3: PSK-based session ticket. TLS v1.3 must be enabled (+USECPRF: <profile_id>,1,4)

  • 10: encrypted session ID with local encryption

  • 11: encrypted session ticket with local encryption

  • 13: encrypted PSK-based session ticket with local encryption. TLS v1.3 must be enabled (+USECPRF: <profile_id>,1,4)

Allowed values:

  • 1

<session_id_b64>

String

Base64 encoded session ID value. The maximum length is 44 characters.

<master_secret_b64>

String

Base64 encoded session master key. The maximum length is 64 characters.

<session_data_b64_size>

Number

Length of base64 encoded session data value. The maximum size is 8192.

<session_data_b64>

String

Base64 encoded session data value. The string length is determined by <session_data_b64_size>.

<enc_session_data_b64>

String

Base64 encoded session data value encrypted with local encryption. The string length is determined by <enc_session_data_b64_size>

<enc_session_data_b64_size>

Number

Length of base64 encoded session data value encrypted with local encryption. The maximum size is 8192.

<ZTP_tag>

Number

ZTP-provided credentials level. Allowed values for:

  • 0: no credentials are obtained via ZTP

  • 1: CA certificate and client certificate/key are obtained via ZTP. The CA certificate and client certificate will be concatenated together in a certificate chain and provided to the server

  • 2: client certificate/key are provided via ZTP. The client certificate will be provided to the server

<ALPN_string_type>

String

value for the protocol name to be added in the Application Layer Protocol Negotiation Extension used in SSL/TLS connection negotiation; the maximum length is 255 characters. It is possible to set a protocol IDs listed at https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids or a custom string. The factory-programmed value is an empty string.

<db_to_use>

Number

Database to use, from where to retrieve the certificates and keys to establish the secure connection. Allowed values for:

  • 0 (factory-programmed value): all available databases are used

  • 1: only user database is used

  • 2: only pre-installed database is used

<param_val1>

String

Type and supported content depend on related <op_code> (details are given above).

<param_val2>

String

Type and supported content depend on related <op_code> (details are given above).

<param_val3>

String

Type and supported content depend on related <op_code> (details are given above).

Notes

  • TLS v1.3 is not supported, therefore if <op_code>=1 (SSL/TLS version to use), <param_val1>=4 (TLS v1.3) is not supported.

  • If <op_code>=1 (SSL/TLS version) and <param_val1>=0 (default) the server can use only TLS v1.2 for the connection.

  • If <op_code>=2 (cipher suite) the <legacy_cs>=100 (cipher suite list configuration using IANA enumeration) is not supported.

  • If <op_code>=9 (pre-shared key identity) the <string_type> parameter is not supported. The <preshared_key_id> parameter is an ASCII string (maximum length 128 characters).

  • If <op_code>=2 (cipher suite) the <legacy_cs>=10,11,12,15,16 are not supported.

List of the supported cipher suites

Cipher suite IANA code

Cipher suite name

Legacy cipher suite configuration

IANA enumeration cipher suite configuration

<legacy_cs>

<iana_b1>

<iana_b2>

0x0000

TLS_NULL_WITH_NULL_NULL

“00”

“00”

0x000A

TLS_RSA_WITH_3DES_EDE_CBC_SHA

5

“00”

“0A”

0x0013

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

“00”

“13”

0x0015

TLS_DHE_RSA_WITH_DES_CBC_SHA

“00”

“15”

0x0016

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

“00”

“16”

0x001A

TLS_DH_anon_WITH_DES_CBC_SHA

“00”

“1A”

0x001B

TLS_DH_anon_WITH_3DES_EDE_CBC_SHA

“00”

“1B”

0x002F

TLS_RSA_WITH_AES_128_CBC_SHA

1

“00”

“2F”

0x0032

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

“00”

“32”

0x0033

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

“00”

“33”

0x0034

TLS_DH_anon_WITH_AES_128_CBC_SHA

“00”

“34”

0x0035

TLS_RSA_WITH_AES_256_CBC_SHA

3

“00”

“35”

0x0039

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

“00”

“39”

0x003A

TLS_DH_anon_WITH_AES_256_CBC_SHA

“00”

“3A”

0x003C

TLS_RSA_WITH_AES_128_CBC_SHA256

2

“00”

“3C”

0x003D

TLS_RSA_WITH_AES_256_CBC_SHA256

4

“00”

“3D”

0x0040

TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

“00”

“40”

0x0041

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

“00”

“41”

0x0045

TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA

“00”

“45”

0x0067

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

“00”

“67”

0x006B

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

“00”

“6B”

0x006C

TLS_DH_anon_WITH_AES_128_CBC_SHA256

“00”

“6C”

0x006D

TLS_DH_anon_WITH_AES_256_CBC_SHA256

“00”

“6D”

0x0084

TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

“00”

“84”

0x0088

TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA

“00”

“88”

0x008A

TLS_PSK_WITH_RC4_128_SHA

“00”

“8A”

0x008B

TLS_PSK_WITH_3DES_EDE_CBC_SHA

8

“00”

“8B”

0x008C

TLS_PSK_WITH_AES_128_CBC_SHA

6

“00”

“8C”

0x008D

TLS_PSK_WITH_AES_256_CBC_SHA

7

“00”

“8D”

0x008E

TLS_DHE_PSK_WITH_RC4_128_SHA

“00”

“8E”

0x008F

TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA

“00”

“8F”

0x0090

TLS_DHE_PSK_WITH_AES_128_CBC_SHA

“00”

“90”

0x0091

TLS_DHE_PSK_WITH_AES_256_CBC_SHA

“00”

“91”

0x0092

TLS_RSA_PSK_WITH_RC4_128_SHA

“00”

“92”

0x0093

TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA

11

“00”

“93”

0x0094

TLS_RSA_PSK_WITH_AES_128_CBC_SHA

9

“00”

“94”

0x0095

TLS_RSA_PSK_WITH_AES_256_CBC_SHA

10

“00”

“95”

0x009C

TLS_RSA_WITH_AES_128_GCM_SHA256

“00”

“9C”

0x009D

TLS_RSA_WITH_AES_256_GCM_SHA384

“00”

“9D”

0x009E

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

“00”

“9E”

0x009F

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

“00”

“9F”

0x00A8

TLS_PSK_WITH_AES_128_GCM_SHA256

16

“00”

“A8”

0x00A9

TLS_PSK_WITH_AES_256_GCM_SHA384

17

“00”

“A9”

0x00AA

TLS_DHE_PSK_WITH_AES_128_GCM_SHA256

“00”

“AA”

0x00AB

TLS_DHE_PSK_WITH_AES_256_GCM_SHA384

“00”

“AB”

0x00AC

TLS_RSA_PSK_WITH_AES_128_GCM_SHA256

18

“00”

“AC”

0x00AD

TLS_RSA_PSK_WITH_AES_256_GCM_SHA384

19

“00”

“AD”

0x00AE

TLS_PSK_WITH_AES_128_CBC_SHA256

12

“00”

“AE”

0x00AF

TLS_PSK_WITH_AES_256_CBC_SHA384

13

“00”

“AF”

0x00B2

TLS_DHE_PSK_WITH_AES_128_CBC_SHA256

“00”

“B2”

0x00B3

TLS_DHE_PSK_WITH_AES_256_CBC_SHA384

“00”

“B3”

0x00B6

TLS_RSA_PSK_WITH_AES_128_CBC_SHA256

14

“00”

“B6”

0x00B7

TLS_RSA_PSK_WITH_AES_256_CBC_SHA384

15

“00”

“B7”

0x00BA

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256

“00”

“BA”

0x00BE

TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256

“00”

“BE”

0x00C0

TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256

“00”

“C0”

0x00C4

TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256

“00”

“C4”

0xC002

TLS_ECDH_ECDSA_WITH_RC4_128_SHA

“C0”

“02”

0xC003

TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA

“C0”

“03”

0xC004

TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA

“C0”

“04”

0xC005

TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

“C0”

“05”

0xC007

TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

“C0”

“07”

0xC008

TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

20

“C0”

“08”

0xC009

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

21

“C0”

“09”

0xC00A

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

22

“C0”

“0A”

0xC00C

TLS_ECDH_RSA_WITH_RC4_128_SHA

“C0”

“0C”

0xC00D

TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA

“C0”

“0D”

0xC00E

TLS_ECDH_RSA_WITH_AES_128_CBC_SHA

“C0”

“0E”

0xC00F

TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

“C0”

“0F”

0xC010

TLS_ECDHE_RSA_WITH_NULL_SHA

“C0”

“10”

0xC011

TLS_ECDHE_RSA_WITH_RC4_128_SHA

“C0”

“11”

0xC012

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

23

“C0”

“12”

0xC013

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

24

“C0”

“13”

0xC014

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

25

“C0”

“14”

0xC017

TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA

“C0”

“17”

0xC018

TLS_ECDH_anon_WITH_AES_128_CBC_SHA

“C0”

“18”

0xC019

TLS_ECDH_anon_WITH_AES_256_CBC_SHA

“C0”

“19”

0xC023

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

26

“C0”

“23”

0xC024

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

27

“C0”

“24”

0xC025

TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256

“C0”

“25”

0xC026

TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

“C0”

“26”

0xC027

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

28

“C0”

“27”

0xC028

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

29

“C0”

“28”

0xC029

TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256

“C0”

“29”

0xC02A

TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

“C0”

“2A”

0xC02B

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

30

“C0”

“2B”

0xC02C

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

31

“C0”

“2C”

0xC02D

TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256

“C0”

“2D”

0xC02E

TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384

“C0”

“2E”

0xC02F

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

32

“C0”

“2F”

0xC030

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

33

“C0”

“30”

0xC031

TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256

“C0”

“31”

0xC032

TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384

“C0”

“32”

0xC033

TLS_ECDHE_PSK_WITH_RC4_128_SHA

“C0”

“33”

0xC034

TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA

“C0”

“34”

0xC035

TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA

“C0”

“35”

0xC036

TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA

“C0”

“36”

0xC037

TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256

“C0”

“37”

0xC038

TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384

“C0”

“38”

0xC072

TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256

“C0”

“72”

0xC073

TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384

“C0”

“73”

0xC074

TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256

“C0”

“74”

0xC075

TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384

“C0”

“75”

0xC076

TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256

“C0”

“76”

0xC077

TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384

“C0”

“77”

0xC078

TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256

“C0”

“78”

0xC079

TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384

“C0”

“79”

0xC07A

TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256

“C0”

“7A”

0xC07B

TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384

“C0”

“7B”

0xC07C

TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256

“C0”

“7C”

0xC07D

TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384

“C0”

“7D”

0xC086

TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256

“C0”

“86”

0xC087

TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384

“C0”

“87”

0xC088

TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256

“C0”

“88”

0xC089

TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384

“C0”

“89”

0xC08A

TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256

“C0”

“8A”

0xC08B

TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384

“C0”

“8B”

0xC08C

TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256

“C0”

“8C”

0xC08D

TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384

“C0”

“8D”

0xC08E

TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256

“C0”

“8E”

0xC08F

TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384

“C0”

“8F”

0xC090

TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256

“C0”

“90”

0xC091

TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384

“C0”

“91”

0xC092

TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256

“C0”

“92”

0xC093

TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384

“C0”

“93”

0xC094

TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256

“C0”

“94”

0xC095

TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384

“C0”

“95”

0xC096

TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256

“C0”

“96”

0xC097

TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384

“C0”

“97”

0xC098

TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256

“C0”

“98”

0xC099

TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384

“C0”

“99”

0xC09A

TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256

“C0”

“9A”

0xC09B

TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384

“C0”

“9B”

0xC09C

TLS_RSA_WITH_AES_128_CCM

“C0”

“9C”

0xC09D

TLS_RSA_WITH_AES_256_CCM

“C0”

“9D”

0xC09E

TLS_DHE_RSA_WITH_AES_128_CCM

“C0”

“9E”

0xC09F

TLS_DHE_RSA_WITH_AES_256_CCM

“C0”

“9F”

0xC0A0

TLS_RSA_WITH_AES_128_CCM_8

“C0”

“A0”

0xC0A1

TLS_RSA_WITH_AES_256_CCM_8

“C0”

“A1”

0xC0A2

TLS_DHE_RSA_WITH_AES_128_CCM_8

“C0”

“A2”

0xC0A3

TLS_DHE_RSA_WITH_AES_256_CCM_8

“C0”

“A3”

0xC0A4

TLS_PSK_WITH_AES_128_CCM

“C0”

“A4”

0xC0A5

TLS_PSK_WITH_AES_256_CCM

“C0”

“A5”

0xC0A6

TLS_DHE_PSK_WITH_AES_128_CCM

“C0”

“A6”

0xC0A7

TLS_DHE_PSK_WITH_AES_256_CCM

“C0”

“A7”

0xC0A8

TLS_PSK_WITH_AES_128_CCM_8

“C0”

“A8”

0xC0A9

TLS_PSK_WITH_AES_256_CCM_8

“C0”

“A9”

0xC0AA

TLS_PSK_DHE_WITH_AES_128_CCM_8

“C0”

“AA”

0xC0AB

TLS_PSK_DHE_WITH_AES_256_CCM_8

“C0”

“AB”

0xC0AC

TLS_ECDHE_ECDSA_WITH_AES_128_CCM

“C0”

“AC”

0xC0AD

TLS_ECDHE_ECDSA_WITH_AES_256_CCM

“C0”

“AD”

0xC0AE

TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8

“C0”

“AE”

0xC0AF

TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8

“C0”

“AF”

0xCCA8

TLS_ECDHE_RSA_WITH_CHACHA20_POL1305_SHA256

“CC”

“A8”

0xCCA9

TLS_ECDHE_ECDSA_WITH_CHACHA20_POL1305_SHA256

“CC”

“A9”

0xCCAA

TLS_DHE_RSA_WITH_CHACHA20_POL1305_SHA256

“CC”

“AA”

0xCCAB

TLS_PSK_WITH_CHACHA20_POL1305_SHA256

“CC”

“AB”

0xCCAC

TLS_ECDHE_PSK_WITH_CHACHA20_POL1305_SHA256

“CC”

“AC”

0xCCAD

TLS_DHE_PSK_WITH_CHACHA20_POL1305_SHA256

“CC”

“AD”

0xCCAE

TLS_RSA_PSK_WITH_CHACHA20_POL1305_SHA256

“CC”

“AE”

0x1301

TLS_AES_128_GCM_SHA256

“13”

“01”

0x1302

TLS_AES_256_GCM_SHA384

“13”

“02”

0x1303

TLS_CHACHA20_POLY1305_SHA256

“13”

“03”

0x1304

TLS_AES_128_CCM_SHA256

“13”

“04”

0x1305

TLS_AES_128_CCM_8_SHA256

“13”

“05”

Supported cipher suite

Cipher suite applicability

Cipher suite applicability accordingly to the modules

This section provides a list of cipher suites that are available on the series modules. The allowed cipher suites can be selected when <op_code>=2 (cipher suite) with:

  • The <legacy_cs> parameter

  • The <legacy_cs>=99 specifying <iana_b1> and <iana_b2> parameters

  • The <legacy_cs>=100 specifying <iana_b1> and <iana_b2> parameters

For proper <legacy_cs> value, see the +USECPRF AT command.

The cipher suites marked with (D) are the default cipher suites that are proposed to the server when <op_code>=2 (cipher suite) and <legacy_cs>=0. The secure connection will be established if the server supports at least one of the proposed cipher suites.

The available cipher suites are presented in the following list:

  • (0x000A) TLS_RSA_WITH_3DES_EDE_CBC_SHA

  • (0x002F) TLS_RSA_WITH_AES_128_CBC_SHA

  • (0x0035) TLS_RSA_WITH_AES_256_CBC_SHA

  • (0x003C) TLS_RSA_WITH_AES_128_CBC_SHA256

  • (0x003D) TLS_RSA_WITH_AES_256_CBC_SHA256

  • (0x008B) TLS_PSK_WITH_3DES_EDE_CBC_SHA

  • (0x008C) TLS_PSK_WITH_AES_128_CBC_SHA

  • (0x008D) TLS_PSK_WITH_AES_256_CBC_SHA

  • (0x009C) TLS_RSA_WITH_AES_128_GCM_SHA256 (D)

  • (0x009D) TLS_RSA_WITH_AES_256_GCM_SHA384 (D)

  • (0x009E) TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (D)

  • (0x009F) TLS_RSA_WITH_AES_256_GCM_SHA384 (D)

  • (0x00A8) TLS_PSK_WITH_AES_128_GCM_SHA256 (D)

  • (0x00A9) TLS_PSK_WITH_AES_256_GCM_SHA384 (D)

  • (0x00AA) TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 (D)

  • (0x00AB) TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 (D)

  • (0x00AC) TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 (D)

  • (0x00AD) TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 (D)

  • (0x00AE) TLS_PSK_WITH_AES_128_CBC_SHA256 (D)

  • (0x00AF) TLS_PSK_WITH_AES_256_CBC_SHA384 (D)

  • (0xC003) TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA

  • (0xC004) TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA

  • (0xC005) TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

  • (0xC008) TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

  • (0xC009) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • (0xC00A) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • (0xC00D) TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA

  • (0xC00E) TLS_ECDH_RSA_WITH_AES_128_CBC_SHA

  • (0xC00F) TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

  • (0xC012) TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

  • (0xC013) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • (0xC014) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • (0xC023) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (D)

  • (0xC024) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • (0xC025) TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256

  • (0xC026) TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

  • (0xC027) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • (0xC028) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • (0xC029) TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256

  • (0xC02A) TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

  • (0xC02B) TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (D)

  • (0xC02C) TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (D)

  • (0xC02D) TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (D)

  • (0xC02F) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (D)

  • (0xC030) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (D)

  • (0xC031) TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256

  • (0xC032) TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384

  • (0xC037) TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 (D)

  • (0xC038) TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 (D)

  • (0xC09C) TLS_RSA_WITH_AES_128_CCM (D)

  • (0xC0A1) TLS_RSA_WITH_AES_256_CCM_8 (D)

  • (0xC0A4) TLS_PSK_WITH_AES_128_CCM (D)

  • (0xC0A5) TLS_PSK_WITH_AES_256_CCM (D)

  • (0xC0A6) TLS_DHE_PSK_WITH_AES_128_CCM (D)

  • (0xC0A7) TLS_DHE_PSK_WITH_AES_256_CCM (D)

  • (0xC0A8) TLS_PSK_WITH_AES_128_CCM_8 (D)

  • (0xC0A9) TLS_PSK_WITH_AES_256_CCM_8 (D)

  • (0xC0AA) TLS_PSK_DHE_WITH_AES_128_CCM_8 (D)

  • (0xC0AB) TLS_PSK_DHE_WITH_AES_256_CCM_8 (D)

  • (0xC0AC) TLS_ECDHE_ECDSA_WITH_AES_128_CCM (D)

  • (0xC0AD) TLS_ECDHE_ECDSA_WITH_AES_256_CCM (D)

  • (0xC0AE) TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (D)

  • (0xC0AF) TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (D)