u-blox

Device and data security

Introduction

Nowadays the security is very important to secure personal or confidential data from unauthorized access and therefore it is important to secure the IoT devices to protect the business and the data.
In the IoT security, a weak point is a defect which is called a vulnerability and it may become a safety issue; IoT devices connects/links physical objects and so in IoT it is needed to secure of course data traffic and networks but also the network of "things" or physical objects (i.e. medical devices, infrastructure, utility meters, vehicles, etc.) must be secured.
Some definitions are needed to understand the foundations of security:
  • Integrity is about making sure that some pieces of data have not been altered from some "reference version".
  • Authentication is about making sure that a given entity (with whom you are interacting) is who the user believes it to be.
  • Authenticity is a special case of integrity, where the "reference version" is defined as "whatever it was when it was under control of a specific entity".
  • Confidentiality means no unauthorized access to data (i.e. encryption/cryptography).
The u-blox security solution lets secure the IoT devices from end-to-end:
  • Device security, the privacy of data is protected from the devices to the cloud (confidentiality, integrity and authenticity).
  • Data security, the devices are protected from attack, they can be trusted and controlled (identity, authenticity and firmware protection).
  • Access Management, it can be controlled who has access to data and products (device policies, data policies and feature authorization)
The pillars of the u-blox security are:
  • Unique device identity, an immutable chip ID and a robust Root-of-Trust (RoT) provides the foundational security.
  • Secure boot sequence and updates, only authenticated and authorized firmware and updates can run on the device.
  • Hardware-backed crypto functions, a Secure Client Library (SCL) generates keys and crypto functions to securely connect to the cloud.
The IoT device is secured through different steps:
  • Provision trust: insert Root-of-Trust at production. An immutable chip ID and hardware-based Root-of-Trust provide foundational security and a unique device identity.
  • Leverage trust: derive trusted keys. Secure libraries allow generation of hardware-backed crypto functions and keys that securely connect to the cloud.
  • Guarantee trust: use keys to secure any function. It ensures authenticity, integrity, and confidentiality to maintain control of device and data.

Device security

Introduction

These AT commands maintain device integrity over the entire lifecycle.
  • The +USECCHIP AT command queries the immutable chip ID.

Read the module chip ID +USECCHIP

+USECCHIP
Modules
All products
Attributes
Syntax
PIN required
Settings saved
Can be aborted
Response time
Error reference
full
No
No
No
-
+CME Error

Description

Queries the chip ID of the module and returns it.

Syntax

TypeSyntaxResponseExample
Action
AT+USECCHIP
+USECCHIP: <chip_id>
OK
+USECCHIP: "12345678"
OK

Defined values

ParameterTypeDescription
<chip_id>
String
Chip ID of the module.

Data security provided by secure connections (SSL/TLS/DTLS)

Introduction

SSL/TLS/DTLS (where supported) provides a secure connection between two entities using TCP/UDP socket for communication (i.e. HTTP/FTP server and HTTP/FTP client).
The SSL/TLS/DTLS with digital certificates support provides different connection security aspects:
  • Server authentication: use of the server certificate verification against a specific trusted certificate or a trusted certificates list;
  • Client authentication: use of the client certificate and the corresponding private key;
  • Data security and integrity: data encryption and Hash Message Authentication Code (HMAC) generation.
The security aspects used in the current connection depend on the SSL/TLS/DTLS configuration and features supported by the communicating entities.
u-blox cellular modules support all the described aspects of SSL/TLS/DTLS security protocol with these AT commands:
  • AT+USECMNG: import, removal, list and information retrieval of certificates or private keys;
  • AT+USECPRF: configuration of USECMNG (u-blox SECurity MaNaGement) profiles used for an SSL/TLS/DTLS connection.
The USECMNG provides a default SSL/TLS/DTLS profile which cannot be modified. The default USECMNG profile provides the following SSL/TLS/DTLS settings:
SettingValueMeaning
Certificates validation level
Level 0
The server certificate will not be checked or verified.
Minimum SSL/TLS/DTLS version
Any
The server can use any of the TLS1.0/TLS1.1/TLS1.2/DTLS1.2 versions for the connection.
Cipher suite
Automatic
The cipher suite will be negotiated in the handshake process.
Trusted root certificate internal name
"" (none)
No certificate will be used for the server authentication.
Expected server host-name
"" (none)
No server host-name is expected.
Client certificate internal name
"" (none)
No client certificate will be used.
Client private key internal name
"" (none)
No client private key will be used.
Client private key password
"" (none)
No client private key password will be used.
Pre-shared key
"" (none)
No pre-shared key will be used.
Server certificate pinning
"" (none)
No server certificate will be used.
Server certificate pinning level
Level 0
No server certificate will be used.
For the configuration of the settings listed above, see the +USECPRF AT command.
During the handshake an inactivity timer is started at every received or transmitted packet. The timeout of the inactivity timer is set to 60 s. At the timer expiration the secure connection is aborted, since the handshake has not been completed successfully.

SSL/TLS certificates and private keys manager +USECMNG

+USECMNG
Modules
All products
Attributes
Syntax
PIN required
Settings saved
Can be aborted
Response time
Error reference
full
No
No
No
-
+CME Error

Description

Manages the X.509 certificates and private keys with the following functionalities:
  • Import of certificates and private keys
  • List and information retrieval of imported certificates and private keys
  • Removal of certificates and private keys
  • MD5 calculation of imported certificate or private key
For more details on X.509 certificates and private keys see RFC 5280 [61].
The number and the format of the certificates and the private keys accepted depend on the module series:
  • certificates and private keys both in DER (Distinguished Encoding Rules) and in PEM (Privacy-Enhanced Mail) format are accepted. If the provided format is PEM, the imported certificate or private key will be automatically converted in DER format for the internal storage. It is also possible to validate certificates and private keys. Up to 10 certificates or private keys can be imported.
The certificates and private keys are kept in DER format and are not retrievable (i.e. cannot be downloaded from the module); for data validation purposes an MD5 hash string of the stored certificate or private key (stored in DER format) can be retrieved.
The SSL/(D)TLS connection with Server and/or Mutual Authentication can be successfully performed using the following key size:
  • for Rivest-Shamir-Adleman (RSA) keys at least 1024-bits.
  • for Elliptic Curve Digital Signature Algorithm (ECDSA) keys at least 192-bits.
The same limitation is applied also to the keys used for the certificates generation.
Data for certificate or private key import can be provided with a stream of byte similar to +FOPEN or from a file stored on the FS.
When using the stream of byte import functionality:
  • If the data transfer is stopped before its completion, a guard timer of 20 s will ensure the termination of the data transmission. In this case the prompt will switch back in AT command mode and an error result code will be returned.
  • If the module shuts down during the data transfer, all the bytes are discarded.
  • If any error occurs during the data transfer, all bytes are discarded.
All the imported certificates or private keys are listed if the type of the security data is omitted.
The imported certificates and private keys are:
  • PRESERVED after the module FW is upgraded using +UFWINSTALL or +NFWUPD AT commands.
  • NOT PRESERVED (deleted) after a factory reset using +UFACTORY AT command.
  • NOT PRESERVED after the module FW is upgraded using EasyFlash.
The USECMNG import command supports only X.509 certificate format.
The X.509 certificate DN (Distinguished Name) is composed of value fields which uniquely define an entity being authenticated. For security reasons some limitations (related to DN fields) described below are applied:
The USECMNG private key import command does not support private keys in PEM format with extension headers (i.e. "EC PARAMETERS").

Syntax

TypeSyntaxResponseExample
Generic syntax:
Action
AT+USECMNG=<op_code>,[<type>[,<internal_name>[,<param1>[,<param2>]]]]
OK
-
Import a certificate or private key from serial I/O:
Action
AT+USECMNG=0,<type>,<internal_name>,<data_size>[,<password>]
>
Start transfer of data …​
+USECMNG: 0,<type>,<internal_name>,<md5_string>
OK
AT+USECMNG=0,0,"AddTrustCA",1327
>-----BEGIN CERTIFICATE-----
(…​other certificate data bytes…​)
+USECMNG: 0,0,"AddTrustCA","77107370ec4db40a08a6e36a64a1435b"
OK
Import a certificate or private key from a file stored on FS:
Action
AT+USECMNG=1,<type>,<internal_name>,<filename>[,<password>]
+USECMNG: 1,<type>,<internal_name>,<md5_string>
OK
AT+USECMNG=1,0,"AddTrustCA","addtrust.cert"
+USECMNG: 1,0,"AddTrustCA","77107370ec4db40a08a6e36a64a1435b"
OK
Remove an imported certificate or private key:
Action
AT+USECMNG=2,<type>,<internal_name>
OK
AT+USECMNG=2,0,"AddTrustCA"
OK
List imported certificates or private keys:
Read
AT+USECMNG=3[,<type>]
<cert_type>,<internal_name>[,<common_name>,<expiration_date>]
…​
OK
AT+USECMNG=3
"CA","AddTrustCA","AddTrust External CA Root","2020/05/30"
"CA","GlobalSignCA","GlobalSign","2029/03/18"
"CC","JohnDoeCC","GlobalSign","2010/01/01"
"PK","JohnDoePK"
OK
Retrieve the MD5 of an imported certificate or private key:
Read
AT+USECMNG=4,<type>,<internal_name>
+USECMNG: 4,<type>,<internal_name>,<md5_string>
OK
AT+USECMNG=4,0,"AddTrustCA"
+USECMNG: 4,0,"AddTrustCA","77107370ec4db40a08a6e36a64a1435b"
OK
Test
AT+USECMNG=?
+USECMNG: (list of supported <op_code>s),(list of supported <type>s)
OK
+USECMNG: (0-4),(0-2)
OK

Defined values

ParameterTypeDescription
<op_code>
Number
Type of operation:
  • 0: import a certificate or a private key (data provided by the stream of byte)
  • 1: import a certificate or a private key (data provided from a file on FS)
  • 2: remove an imported certificate or private key
  • 3: list imported certificates or private keys
  • 4: retrieve the MD5 of an imported certificate or private key
<type>
Number
Type of the security data:
  • 0: trusted root CA (certificate authority) certificate
  • 1: client certificate
  • 2: client private key
  • 3: server certificate
  • 4: signature verification certificate
  • 5: signature verification public key
Allowed values:
  • 0, 1, 2, 3
<cert_type>
String
Type of the security data in verbose format:
  • "CA": trusted root CA (certificate authority) certificate
  • "CC": client certificate
  • "PK": client private key
  • "SC": server certificate
  • "VC": signature verification certificate
  • "PU": signature verification public key
Allowed values:
  • "CA", "CC", "PK", "SC"
<internal_name>
String
Unique identifier of an imported certificate or private key. If an existing name is used the data will be overridden.
  • The maximum length for the imported certs/keys is 30 characters. The maximum length for the preinstalled certs/keys is 60 characters.
<data_size>
Number
Size in bytes of a certificate or private key being imported.
  • The maximum allowed size is 8192 bytes.
<password>
String
Decryption password; applicable only for PKCS8 encrypted client private keys. The maximum length is 128 characters.
<filename>
String
Name of the FS file containing the certificate or private key data to be imported.
  • The maximum allowed file size is 8192 bytes.
  • The maximum filename length is 63 characters.
<md5_string>
String
MD5 formatted string.
<common_name>
String
Certificate subject (issued to) common name; applicable only for trusted root and client certificates.
<expiration_date>
String
Certificate expiration (valid to date); applicable only for trusted root and client certificates.
<param1>
Number/String
Type and supported content depend on the related <op_code> parameter; see the <op_code> specification.
<param2>
Number/String
Type and supported content depend on the related <op_code> parameter; see the <op_code> specification.

Notes

  • The import of the following client private key formats is not supported:
    • PKCS1 RSA formatted not-encrypted private key
    • PKCS1 RSA formatted encrypted private key
    • PKCS8 not-encrypted private key
    • PKCS8 encrypted private key
  • The PKCS1 and PKCS8 encrypted private keys can be imported only in DER format.
  • The following certificates are pre-installed on the module and cannot be deleted/changed by the customer via AT commands:
    Internal nameCommon nameExpiration date
    ubx_digicert_global_root_ca
    DigiCert Global Root CA
    2031/11/10 00:00:00
    ubx_digicert_global_root_g2
    DigiCert Global Root G2
    2038/01/15 12:00:00
    ubx_digicert_trusted_root_g4
    DigiCert Trusted Root G4
    2038/01/15 12:00:00
    ubx_digicert_eccp384_root_g5
    DigiCert TLS ECC P384 Root G5
    2046/01/14 23:59:59
    ubx_digicert_rsa4096_root_g5
    DigiCert TLS RSA4096 Root G5
    2046/01/14 23:59:59
    ubx_baltimore_cybertrust_root
    Baltimore CyberTrust Root
    2025/05/12 23:59:00
    ubx_tmo_usa_enterprise_root_ca
    T-Mobile USA Enterprise Root CA
    2040/11/03 20:28:54
    ubx_starfield_service_root_ca_g2
    Starfield Services Root Certificate Authority - G2
    2034/06/28 17:39:16

+USECMNG AT command example

Below is an example with a PEM encoded trusted root certificate.
CommandResponseDescription
Step 1: Import a trusted root certificate using the stream of byte similar to +FOPEN
AT+USECMNG=0,0,"ThawteCA",1516
>
Start the data transfer using the stream of byte.
PEM encoded trusted root certificate data.
+USECMNG: 1,0,"ThawteCA","8ccadc0b22cef5be72ac411a11a8d812"
OK
Input PEM formatted trusted root certificate data bytes. Output MD5 hash string of the stored trusted root certificate DER.
Step 2: List all available certificates and private keys
AT+USECMNG=3
CA, "ThawteCA","thawte Primary Root CA","2036/07/17"
OK
List all available certificates and private keys.
Step 3: Set the security profile 2 validation level to trusted root
AT+USECPRF=2,0,1
OK
Security profile 2 has the validation level set to trusted root.
Step 4: Set the security profile 2 trusted root certificate to the CA certificate imported as "ThawteCA"
AT+USECPRF=2,3,"ThawteCA"
OK
Security profile 2 will use the CA certificate imported as "ThawteCA" for server certificate validation.
Step 5: Use the configured USECMNG profile 2 with the UHTTP application
AT+UHTTP=0,1,"www.ssl_tls_test_server.com"
OK
Configure the UHTTP server name.
AT+UHTTP=0,6,1,2
OK
Enable the SSL/TLS for the UHTTP profile #0 and specify the SSL/TLS security profile 2.
AT+UHTTPC=0,1,"/","https.resp"
OK
Execute the HTTP GET command.
+UUHTTPCR: 0,1,1
HTTP GET URC response.
In the above example the following PEM encoded trusted certificate is used:
 -----BEGIN CERTIFICATE-----
  MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB
  qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
  Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
  MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
  BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3MDAwMDAwWhcNMzYw
  NzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5j
  LjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYG
  A1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl
  IG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqG
  SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFs
  W0hoSVk3/AszGcJ3f8wQLZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta
  3RGNKJpchJAQeg29dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGcq/gcfomk
  6KHYcWUNo1F77rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6
  Sk/KaAcdHJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94J
  NqR32HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBA
  MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7W0XP
  r87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7ORtvzw6WfU
  DW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeEuzLlQRHAd9mz
  YJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQaEfZYGDm/Ac9IiAX
  xPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqdE8hhuvU5HIe6uL17In/2
  /qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/
  LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7
  jVaMaA==
  -----END CERTIFICATE-----

Notes

Due to significant memory fingerprint of an SSL/TLS connection, the number of concurrent SSL/TLS connections is limited. The USECMNG and the underlying SSL/TLS infrastructure allows 4 concurrent SSL/TLS connections (i.e. 4 HTTPS requests or 2 HTTPS and 2 FTPS request).

SSL/TLS/DTLS security layer profile manager +USECPRF

+USECPRF
Modules
All products
Attributes
Syntax
PIN required
Settings saved
Can be aborted
Response time
Error reference
partial
No
No
No
-
+CME Error

Description

Manages security profiles for the configuration of the following SSL/TLS/DTLS connections properties:
  • Certificate validation level:
    • Level 0: no certificate validation; the server certificate will not be checked or verified. No additional certificates are needed.
    • Level 1: certificate validation against a specific or a list of imported trusted root certificates.
    • Level 2: certificate validation with an additional URL integrity check (the server certificate common name must match the server hostname).
    • Level 3: certificate validation with an additional check on the certificate validity date.
    CA certificates should be imported with the +USECMNG AT command
  • SSL/TLS version to be used:
    • Any of the TLS versions supported by the module
    • TLS 1.0
    • TLS 1.1
    • TLS 1.2
    • TLS 1.3
  • DTLS version to be used:
    • DTLS 1.2
  • Cipher suite to be configured using the following methods:
    • Legacy cipher suite to be used. See Syntax description and Table 26 for the supported cipher suites.
    • Additional cipher suite to be used with Internet Assigned Numbers Authority (IANA) enumeration set command. See Syntax description and Table 26 for the supported cipher suites.
    • List of cipher suites to be used is configured with add / remove commands and using IANA enumeration. See Syntax description and Table 26 for the supported cipher suites.
    For the applicability of cipher suite depending on the series module, see Cipher suites applicability.
    Cipher suite configuration methods are exclusive and the last configured method is used.
    The cipher suite configuration read command response is related to the selected cipher suite type, see Syntax description for more details.
  • Certificate to be used for server and mutual authentication:
    • The trusted root certificate. The CA certificate should be imported with the +USECMNG AT command.
    • The client certificate that should be imported with the +USECMNG AT command.
    • The client private key that should be imported with the +USECMNG AT command.
    • The server certificate that should be imported with the +USECMNG AT command.
  • Database selection. Accordingly to the +USECMNG AT command the certificates and keys can be imported in the user database, or can be already present in the pre-installed database. The security profile can be configured to use certificates and clients from all available databases or from a specific database.
  • Expected server hostname, when using certificate validation level 2 or 3.
  • Password for the client private key, if it is password protected.
  • Pre-shared key used for connection. Defines a pre-shared key and key-name (PSK), when a TLS_PSK_* cipher suite is used.
  • SNI (Server Name Indication). SNI is a feature of SSL/TLS which uses an additional SSL/TLS extension header to specify the server name to which the client is connecting to. The extension was introduced to support the certificate handling used with virtual hosting provided by the various SSL/TLS enabled servers mostly in cloud based infrastructures. With the SNI a server has the opportunity to present a different server certificate (or/and whole SSL/TLS configuration) based on the host indicated by the SNI extension. When SNI is not used the modules might receive a non host specific SSL/TLS configuration (version/cipher suites/certificate) when used with virtual hosts.
  • (D)TLS session resumption. The session resumption feature allows to reuse the secure session data to reestablish a SSL/(D)TLS secure session. Since the secure session data are available, the full SSL/(D)TLS handshake is not performed during the session resumption. Once the session resumption feature is enabled, the session resumption type and the secure session data (negotiated during the SSL/(D)TLS handshake) are displayed via +UUSECPRF URC message. The session resumption feature configuration and secure session data are not stored in the NVM, hence the session resumption may be performed until power cycle. Once the session data related to the session resumption via session ticket (<sess_type>=1 or <sess_type>=11) or via the session resumption via PSK-based session ticket (<sess_type>=3 or <sess_type>=13) are properly retrieved from the server, they are directly configured in the USECPRF profile and a +UUSECPRF URC message reporting the session resumption status is issued. Conversely, once the session data related to the session resumption via session ID (<sess_type>=0 or <sess_type>=10) are properly retrieved from the server, an +UUSECPRF URC message reporting the session resumption type and an +UUSECPRF URC message reporting the session resumption data are issued, furthermore the session resumption data are not stored in the USECPRF profile.
  • ZTP-provided credentials. The credentials to establish the secure connection will be provided by Zero Touch Provisioning (ZTP). In the specific case the credentials provided by the ZTP will be the CA certificate, or/and the client certificates and client private key. The CA certificate, and if applicable, the client certificate, are sent to the server during the handshake. The CA certificate and the client certificate are concatenated in a certificate chain.
  • Application Layer Protocol Name (ALPN). With ALPN the client sends the list of supported application protocols as part of the TLS ClientHello message. The server can select one protocol and send it as part of the TLS ServerHello message. The application protocol negotiation can thus be accomplished within the TLS handshake, without adding network round-trips, and allows the server to associate a different certificate according to the indicated application protocol, if desired. For more details on ALPN, Extension protocol see RFC 7301 [62].
When ZTP-provided credentials feature is enabled (<op_code>=14) for a certain USECPRF profile, the client certificate and client key set by the <op_code>=5 (client certificate internal name) and <op_code>=6 (client private key internal name) are ignored, and the underlying SSL/TLS uses the ZTP provided ones.
To set all the parameters in security profile, a set command for each <op_code> needs to be issued (e.g. certificate validation level, minimum SSL/TLS/DTLS version, …​).
To reset (set to factory-programmed value) all the parameters of a specific security profile, issue the AT+USECPRF=<profile_id> command.

Syntax

TypeSyntaxResponseExample
Generic syntax
Set
AT+USECPRF=<profile_id>[,<op_code>[,<param_val1>[,<param_val2>[,<param_val3>]]]]
OK
AT+USECPRF=0,0,0
OK
Read
AT+USECPRF=<profile_id>,<op_code>
+USECPRF: <profile_id>,<op_code>,<param_val1>
OK
AT+USECPRF=0,0
+USECPRF: 0,0,0
OK
URC
+UUSECPRF: <profile_id>,<op_code>[,<param_val1>[,<param_val2>[,<param_val3>]]]
OK
+UUSECPRF: 0,13,1,0
OK
Certificate validation level
Set
AT+USECPRF=<profile_id>,0,<validation_lvl>
OK
AT+USECPRF=0,0,2
OK
SSL/TLS version
Set
AT+USECPRF=<profile_id>,1,<tls_ver>
OK
AT+USECPRF=0,1,4
OK
Legacy cipher suite selection
Set
AT+USECPRF=<profile_id>,2,<legacy_cs>
OK
AT+USECPRF=0,2,2
OK
Cipher suite selection using IANA enumeration
Set
AT+USECPRF=<profile_id>,2,99,<iana_b1>,<iana_b2>
OK
AT+USECPRF=0,2,99,"C0","2B"
OK
Read
AT+USECPRF=<profile_id>,2
+USECPRF: <profile_id>,2,99,<iana_b1>,<iana_b2>
OK
AT+USECPRF=0,2
+USECPRF: 0,2,99,"C0","2B"
OK
Add/remove of IANA cipher suite to the configured cipher suites list
Set
AT+USECPRF=<profile_id>,2,100,<iana_b1>,<iana_b2>,<operation>
OK
AT+USECPRF=0,2,100,"C0","2A",0
OK
Add an IANA cipher suite to the configured cipher suites list
Set
AT+USECPRF=<profile_id>,2,100,<iana_b1>,<iana_b2>,0
OK
AT+USECPRF=0,2,100,"C0","2A",0
OK
Remove an IANA cipher suite from the configured cipher suites list
Set
AT+USECPRF=<profile_id>,2,100,<iana_b1>,<iana_b2>,1
OK
AT+USECPRF=0,2,100,"C0","2B",1
OK
Read the list of configured cipher suites
Read
AT+USECPRF=<profile_id>,2
+USECPRF: <profile_id>,2,100,<list of configured cipher suites separated by ";">
OK
AT+USECPRF=0,2
+USECPRF: 0,2,100,"C02A;C02C"
OK
Trusted root certificate internal name
Set
AT+USECPRF=<profile_id>,3,<root_cert_int_name>
OK
AT+USECPRF=0,3,"ca_iname"
OK
Expected server hostname
Set
AT+USECPRF=<profile_id>,4,<srv_hostname>
OK
AT+USECPRF=0,4,"server_hostname"
OK
Client certificate internal name
Set
AT+USECPRF=<profile_id>,5,<cli_cert_int_name>
OK
AT+USECPRF=0,5,"cc_iname"
OK
Client private key internal name
Set
AT+USECPRF=<profile_id>,6,<cli_priv_key_int_name>
OK
AT+USECPRF=0,6,"pk_iname"
OK
Client private key password
Set
AT+USECPRF=<profile_id>,7,<cli_priv_key_pwd>
OK
AT+USECPRF=0,7,"xxxxx"
OK
Pre-shared key configuration
Set
AT+USECPRF=<profile_id>,8,<preshared_key>[,<preshared_key_str_type>]
OK
AT+USECPRF=0,8,"0sFpZ0AZqE0N6Ti9s0qt40ZP5Eqx"
OK
Pre-shared key identity configuration
Set
AT+USECPRF=<profile_id>,9,<preshared_key_id>[,<preshared_key_id_str_type>]
OK
AT+USECPRF=0,9,"0ceEZ0AZqP0K60i9o04xz0ZP8zyu0Eqx"
OK
SNI Server Name Indication
Set
AT+USECPRF=<profile_id>,10,<SNI>
OK
AT+USECPRF=0,10,"server_sni"
OK
PSK and PSK key identity generated by RoT (Root of trust)
Set
AT+USECPRF=<profile_id>,11,<PSK_val>
OK
AT+USECPRF=0,11,0
OK
Server certificate pinning
Set
AT+USECPRF=<profile_id>,12,<server_certificate>,<pinning_level>
OK
AT+USECPRF=0,12,"my_srv_cert",0
OK
(D)TLS session resumption generic syntax
Set
AT+USECPRF=<profile_id>,13,<sess_tag>,<param_val1>[,<param_val2>]
OK
AT+USECPRF=0,13,0,1
OK
Read
AT+USECPRF=<profile_id>,13,<sess_tag>
+USECPRF: <profile_id>,13,<sess_tag>,<param_val1>[,<param_val2>]
OK
AT+USECPRF=0,13,0
+USECPRF: 0,13,0,1
OK
URC
+UUSECPRF: <profile_id>,13,<sess_tag>,<param_val1>[,<param_val2>]
OK
+UUSECPRF: 0,13,1,0
OK
(D)TLS session resumption status
Set
AT+USECPRF=<profile_id>,13,0,<sess_status>
OK
AT+USECPRF=0,13,0,1
OK
Read
AT+USECPRF=<profile_id>,13,0
+USECPRF: <profile_id>,13,0,<sess_status>
OK
AT+USECPRF=0,13,0
+USECPRF: 0,13,0,1
OK
URC
+UUSECPRF: <profile_id>,13,0,<sess_status>
+UUSECPRF: 0,13,0,2
(D)TLS session resumption session type
Set
AT+USECPRF=<profile_id>,13,1,<sess_type>
OK
AT+USECPRF=0,13,1,0
OK
Read
AT+USECPRF=<profile_id>,13,1
+USECPRF: <profile_id>,13,1,<sess_type>
OK
AT+USECPRF=0,13,1
+USECPRF: 0,13,1,0
OK
URC
+UUSECPRF: <profile_id>,13,1,<sess_type>
+UUSECPRF: 0,13,1,0
(D)TLS session resumption session data having session ID as session resumption type
Set
AT+USECPRF=<profile_id>,13,2,<session_id_b64>,<master_secret_b64>
OK
AT+USECPRF=0,13,2,"VWY5UENs0Hh3VWR1MjB2WTVMYVZ5TTdE0WpMeWZWeHo=","SHVSODByUit0My9OMEtIT2ZsVVFRcUsyTkdvaz0nWVFhRzdQZUpndG9IMzN4ZTBo"
OK
Read
AT+USECPRF=<profile_id>,13,2
+USECPRF: <profile_id>,13,2,<session_id_b64>,<master_secret_b64>
OK
AT+USECPRF=0,13,2
+USECPRF: 0,13,2,"VWY5UENs0Hh3VWR1MjB2WTVMYVZ5TTdE0WpMeWZWeHo=","SHVSODByUit0My9OMEtIT2ZsVVFRcUsyTkdvaz0nWVFhRzdQZUpndG9IMzN4ZTBo"
OK
URC
+UUSECPRF: <profile_id>,13,2,<session_id_b64>,<master_secret_b64>
+UUSECPRF: 0,13,2,"VWY5UENs0Hh3VWR1MjB2WTVMYVZ5TTdE0WpMeWZWeHo=","SHVSODByUit0My9OMEtIT2ZsVVFRcUsyTkdvaz0nWVFhRzdQZUpndG9IMzN4ZTBo"
(D)TLS session resumption session data having session ticket as session resumption type
Set
AT+USECPRF=<profile_id>,13,3,<session_data_b64>,<session_data_b64_size>
OK
AT+USECPRF=0,13,3,"MIHOAgECAgMAzKgEMDZV
[…​]
NuPf3pFw4tJjU2gjKg2ipCBW0rTrfTyQ==",332
OK
Read
AT+USECPRF=<profile_id>,13,3
+USECPRF: <profile_id>,13,3,<session_data_b64>,<session_data_b64_size>
OK
AT+USECPRF=0,13,3
+USECPRF: 0,13,3,"MIHOAgECAgMAzKgEMDZV
[…​]
NuPf3pFw4tJjU2gjKg2ipCBW0rTrfTyQ==",332
OK
(D)TLS session resumption session data having PSK-based session ticket as session resumption type
Set
AT+USECPRF=<profile_id>,13,5,<session_data_b64_size>
>
<session_data_b64>
OK
AT+USECPRF=0,13,5,2320
>
NjQwM0IwMDEzMDgyMDFB0QzAyMDEwMTAyMDEwMDAy0MDEwMTAyMDIxQzIwMDIw
[…​]
MDAwMDAwMDAwMDAwMDAw0MDAwMDAwMDAwMDAwMDAw0MDAwMDAwMDAyMDIxMzAy
OK
Read
AT+USECPRF=<profile_id>,13,5
+USECPRF: <profile_id>,13,5,<session_data_b64>,<session_data_b64_size>
OK
AT+USECPRF=0,13,5
+USECPRF: 0,13,5,"Nj0QwM0IwMDEzMDgyMDFBQz0AyMDEwMTAyMDEwMDAyMD
[…​]
AwMDAwMDAwMDAwMDAwMD0AwMDAwMDAwMDAwMDAwMD0AwMDAyMDIxMzAy",2320
OK
(D)TLS session resumption session data having encrypted session ID with local encryption as session resumption type
Set
AT+USECPRF=<profile_id>,13,12,<enc_session_data_b64>,<enc_session_data_b64_size>
OK
AT+USECPRF=0,13,12,"AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh/Ljgstf1cLaEO2D8IMbxHcQlGfhVxC0in6aGVlSJGBWCAAKJo6Qw5Q+ugXaRZFquG0O69WeHnPRBkcwY2SN4bwnDbyR+709i0pt2nlaYMSCL77MAA=",156
OK
Read
AT+USECPRF=<profile_id>,13,12
+USECPRF: <profile_id>,13,12,<enc_session_data_b64>,<enc_session_data_b64_size>
OK
AT+USECPRF=0,13,12
+USECPRF: 0,13,12,"AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh/Ljgstf1cLaEO2D8IMbxHcQlGfhVxC0in6aGVlSJGBWCAAKJo6Qw5Q+ugXaRZFquG0O69WeHnPRBkcwY2SN4bwnDbyR+709i0pt2nlaYMSCL77MAA=",156
OK
URC
+UUSECPRF: <profile_id>,13,12,<enc_session_data_b64>,<enc_session_data_b64_size>
+UUSECPRF: 0,13,12,"AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh/Ljgstf1cLaEO2D8IMbxHcQlGfhVxC0in6aGVlSJGBWCAAKJo6Qw5Q+ugXaRZFquG0O69WeHnPRBkcwY2SN4bwnDbyR+709i0pt2nlaYMSCL77MAA=",156
(D)TLS session resumption session data having encrypted session ticket with local encryption as session resumption type
Set
AT+USECPRF=<profile_id>,13,13,<enc_session_data_b64>,<enc_session_data_b64_size>
OK
AT+USECPRF=0,13,13,"MIHOAgECAgMAzKwsa64L
[…​]
dQE2VcxYvD0VcrR2jKg2ipCBW0rTrfTyQ==",364
OK
Read
AT+USECPRF=<profile_id>,13,13
+USECPRF: <profile_id>,13,13,<enc_session_data_b64>,<enc_session_data_b64_size>
OK
AT+USECPRF=0,13,13
+USECPRF: 0,13,13,"MIHOAgECAgMAzKwsa64L
[…​]
QE2VcxYvD0VcrR2jKg2ipCBW0rTrfTyQ==",364
OK
(D)TLS session resumption session data having PSK-based session ticket with local encryption as session resumption type
Set
AT+USECPRF=<profile_id>,13,15,<enc_session_data_b64_size>
>
<enc_session_data_b64>
OK
AT+USECPRF=0,13,15,2408
>
MDBGMDRCREYwODYwREYw0RDFDNjk1NUU5OUY5NjAw0MDA1QjlCN0QxMUYzM0Qy
[…​]
Njg4MkEzQzJCRjA5NEFF0QzJFQUFFOTNBNjY2RkNE0QzM3RDJERTYyRDIxNQ==
OK
Read
AT+USECPRF=<profile_id>,13,15
+USECPRF: <profile_id>,13,15,<enc_session_data_b64>,<enc_session_data_b64_size>
OK
AT+USECPRF=0,13,15
+USECPRF: 0,13,15,"M0DBGMDRCREYwODYwREYwR0DFDNjk1NUU5OUY5NjAwM
[…​]
EzQzJCRjA5NEFFQzJFQU0FFOTNBNjY2RkNEQzM3RD0JERTYyRDIxNQ==",2408
OK
ZTP-provided credentials
Set
AT+USECPRF=<profile_id>,14,<ZTP_tag>
OK
AT+USECPRF=0,14,0
OK
Read
AT+USECPRF=<profile_id>,14
+USECPRF: <profile_id>,14,<ZTP_tag>
OK
AT+USECPRF=0,14
+USECPRF: 0,14,2
OK
ALPN extension protocol
Set
AT+USECPRF=<profile_id>,15,<ALPN_string_type>
OK
AT+USECPRF=0,15,"FTP"
OK
Read
AT+USECPRF=<profile_id>,15
+USECPRF: <profile_id>,15,<ALPN_string_type>
OK
AT+USECPRF=0,15
+USECPRF: 0,15,"FTP"
OK
Database selection
Set
AT+USECPRF=<profile_id>,16,<db_to_use>
OK
AT+USECPRF=0,16,1
OK
Read
AT+USECPRF=<profile_id>,16
+USECPRF: <profile_id>,16,<db_to_use>
OK
AT+USECPRF=0,16
+USECPRF: 0,16,2
OK
Test
AT+USECPRF=?
+USECPRF: (list of supported <profile_id>s),(list of supported <op_code>s)
OK
+USECPRF: (0-4),(0-16)
OK

Defined values

ParameterTypeDescription
<profile_id>
Number
USECMNG security profile identifier, in range 0-4; if it is not followed by other parameters the profile settings will be reset (set to factory-programmed value).
<op_code>
Number
  • 0: certificate validation level
  • 1: SSL/TLS version to use
  • 2: cipher suite
  • 3: trusted root certificate internal name
  • 4: expected server hostname
  • 5: client certificate internal name
  • 6: client private key internal name
  • 7: client private key password
  • 8: pre-shared key
  • 9: pre-shared key identity
  • 10: SNI (Server Name Indication)
  • 11: PSK key and PSK key identity generated by RoT (Root of trust)
  • 12: server certificate pinning
  • 13: (D)TLS session resumption;
  • 14: ZTP-provided credentials
  • 15: Application-Layer Protocol Negotiation (ALPN)
  • 16: database selection
Allowed values:
  • 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 15, 16
<validation_lvl>
Number
certificate validation level:
  • 0: level 0 - No validation; the server certificate will not be checked or verified. The server in this case is not authenticated.
  • 1: level 1 - Root certificate validation without URL integrity check. The server certificate will be verified with a specific trusted certificates or with each of the imported trusted root certificates.
  • 2: level 2 - Root certificate validation with URL integrity check. Level 1 validation with an additional URL integrity check.
  • 3: level 3 - Root certificate validation with check of certificate validity date. Level 2 validation with an additional check of certificate validity date.
The factory-programmed value is:
  • 1
<tls_ver>
Number
SSL/TLS version to use; allowed values:
  • 0: any; the server can use any TLS version, which is supported by the module, for the connection. For more details on the supported TLS versions, see Notes.
  • 1: TLS v1.0; connection allowed only to TLS/SSL servers which support TLS v1.0
  • 2: TLS v1.1; connection allowed only to TLS/SSL servers which support TLS v1.1
  • 3: TLS v1.2; connection allowed only to TLS/SSL servers which support TLS v1.2
  • 4: TLS v1.3; connection allowed only to TLS/SSL servers which support TLS v1.3
The factory-programmed value is:
  • 0
<legacy_cs>
Number
Legacy cipher suite enumeration. legacy cipher suites are listed in Table 26. The factory-programmed value is 0. For <legacy_cs>=0 a list of default cipher suites is proposed at the beginning of handshake process, and a cipher suite will be negotiated among the cipher suites proposed in the list. For <legacy_cs>=99 the cipher suite selection is performed with IANA enumeration, <iana_b1> and <iana_b2> are strings containing the 2 bytes that compose the IANA enumeration, see Table 26. For <legacy_cs>=100 the list of cipher suites is configured using IANA enumeration, <iana_b1> and <iana_b2> are strings containing the 2 bytes that compose the IANA enumeration, see Table 26.
The cipher suite configuration read command response is related to the selected cipher suite type. In the case of <legacy_cs>=99 the configured <byte_1> and <byte_2> are reported in the information text response to the read command. In the case of <legacy_cs>=100 a ";" separated list with configured cipher suites is reported in the information text response to the read command.
For <legacy_cs>=100, when all added cipher suites are removed the cipher suite is automatically set to 0 (factory-programmed value).
For the applicability of default cipher suite lists depending on the series module, see Cipher suites applicability.
<iana_b1>
String
First byte of IANA cipher suite enumeration
<iana_b2>
String
Second byte of IANA cipher suite enumeration
<operation>
Number
Operation to execute when using <legacy_cs>=100 configuration using a list of IANA enumeration. Allowed values for <operation>:
  • 0: add cipher suite defined by <iana_b1> and <iana_b2> to the list
  • 1: remove cipher suite defined by <iana_b1> and <iana_b2> from the list
<root_cert_int_name>
String
Internal name identifying a trusted root certificate; the maximum length is 200 characters. The factory-programmed value is an empty string.
<srv_hostname>
String
Hostname of the server, used when certificate validation level is set to Level 2; the maximum length is 256 characters. The factory-programmed value is an empty string.
<cli_cert_int_name>
String
Internal name identifying a client certificate to be sent to the server; the maximum length is 200 characters. The factory-programmed value is an empty string.
<cli_priv_key_int_name>
String
Internal name identifying a private key to be used; the maximum length is 200 characters. The factory-programmed value is an empty string.
<cli_priv_key_pwd>
String
Password for the client private key if it is password protected; the maximum length is 128 characters. The factory-programmed value is an empty string.
<preshared_key>
String
Pre-shared key used for connection; the factory-programmed value is an empty string. The accepted string type and length depends on the <preshared_key_str_type> value.
<preshared_key_str_type>
Number
Defines the type and the maximum length of the <preshared_key> string. Allowed values:
  • 0 (default value): <preshared_key> is an ASCII string and its maximum length is 64 characters
  • 1: <preshared_key> is an hexadecimal string and its maximum length is 128 characters
<preshared_key_id>
String
Pre-shared key used for connection; the factory-programmed value is an empty string. The accepted string type and length depends on the <preshared_key_id_str_type> value.
<preshared_key_id_str_type>
Number
Defines the type and the maximum length of the <preshared_key_id> string. Allowed values:
  • 0 (default value): <preshared_key_id> is an ASCII string and its maximum length is 128 characters
  • 1: <preshared_key_id> is an hexadecimal string and its maximum length is 256 characters
<SNI>
String
Value for the additional negotiation header SNI (Server Name Indication) used in SSL/TLS connection negotiation; the maximum length is 128 characters. The factory-programmed value is an empty string..
<PSK_val>
Number
PSK key and PSK key identity generated by RoT (Root of trust); allowed values:
  • 0 (factory-programmed value): OFF - The PSK and PSK key ID are NOT generated by RoT
  • 1: ON - The PSK and PSK key ID are generated by RoT in the process of SSL/TLS connection negotiation
<server_certificate>
String
Internal name identifying a certificate configured to be used for server certificate pinning; the maximum length is 200 characters. The factory-programmed value is an empty string.
<pinning_level>
String
Certificate pinning information level. Allowed values:
  • 0: pinning based on information comparison of received and configured certificate public key
  • 1: pinning based on binary comparison of received and configured certificate public key
  • 2: pinning based on binary comparison of received and configured certificate
<sess_tag>
Number
Configures the (D)TLS session resumption. Allowed values:
  • 0: session resumption status
  • 1: session resumption type
  • 2: session resumption data when the session resumption type is session ID
  • 3: session resumption data when the session resumption type is session ticket.
  • 5: session resumption data when the session resumption type is PSK-based session ticket. TLS v1.3 must be enabled (+USECPRF: <profile_id>,1,4).
  • 12: session resumption data when the session resumption type is encrypted session ID with local encryption
  • 13: session resumption data when the session resumption type is encrypted session ticket with local encryption
  • 15: session resumption data when the session resumption type is encrypted PSK-based session ticket with local encryption. TLS v1.3 must be enabled (+USECPRF: <profile_id>,1,4).
Allowed values:
  • 0, 1, 3
<sess_status>
Number
(D)TLS session resumption status. Allowed values:
  • 0 (factory-programmed value): disabled
  • 1: enabled
  • 2: session data configured
Allowed values:
  • 0, 1, 2
<sess_type>
Number
(D)TLS session resumption type. Allowed values:
  • 0: session ID
  • 1: session ticket
  • 3: PSK-based session ticket. TLS v1.3 must be enabled (+USECPRF: <profile_id>,1,4)
  • 10: encrypted session ID with local encryption
  • 11: encrypted session ticket with local encryption
  • 13: encrypted PSK-based session ticket with local encryption. TLS v1.3 must be enabled (+USECPRF: <profile_id>,1,4)
Allowed values:
  • 1
<session_id_b64>
String
Base64 encoded session ID value. The maximum length is 44 characters.
<master_secret_b64>
String
Base64 encoded session master key. The maximum length is 64 characters.
<session_data_b64_size>
Number
Length of base64 encoded session data value. The maximum size is 8192.
<session_data_b64>
String
Base64 encoded session data value. The string length is determined by <session_data_b64_size>.
<enc_session_data_b64>
String
Base64 encoded session data value encrypted with local encryption. The string length is determined by <enc_session_data_b64_size>
<enc_session_data_b64_size>
Number
Length of base64 encoded session data value encrypted with local encryption. The maximum size is 8192.
<ZTP_tag>
Number
ZTP-provided credentials level. Allowed values for:
  • 0: no credentials are obtained via ZTP
  • 1: CA certificate and client certificate/key are obtained via ZTP. The CA certificate and client certificate will be concatenated together in a certificate chain and provided to the server
  • 2: client certificate/key are provided via ZTP. The client certificate will be provided to the server
<ALPN_string_type>
String
value for the protocol name to be added in the Application Layer Protocol Negotiation Extension used in SSL/TLS connection negotiation; the maximum length is 255 characters. It is possible to set a protocol IDs listed at https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids or a custom string. The factory-programmed value is an empty string.
<db_to_use>
Number
Database to use, from where to retrieve the certificates and keys to establish the secure connection. Allowed values for:
  • 0 (factory-programmed value): all available databases are used
  • 1: only user database is used
  • 2: only pre-installed database is used
<param_val1>
String
Type and supported content depend on related <op_code> (details are given above).
<param_val2>
String
Type and supported content depend on related <op_code> (details are given above).
<param_val3>
String
Type and supported content depend on related <op_code> (details are given above).

Notes

  • TLS v1.3 is not supported, therefore if <op_code>=1 (SSL/TLS version to use), <param_val1>=4 (TLS v1.3) is not supported.
  • If <op_code>=1 (SSL/TLS version) and <param_val1>=0 (default) the server can use only TLS v1.2 for the connection.
  • If <op_code>=2 (cipher suite) the <legacy_cs>=100 (cipher suite list configuration using IANA enumeration) is not supported.
  • If <op_code>=9 (pre-shared key identity) the <string_type> parameter is not supported. The <preshared_key_id> parameter is an ASCII string (maximum length 128 characters).
  • If <op_code>=2 (cipher suite) the <legacy_cs>=10,11,12,15,16 are not supported.

List of the supported cipher suites

Table 26. Supported cipher suite
Cipher suite IANA codeCipher suite nameLegacy cipher suite configurationIANA enumeration cipher suite configuration
<legacy_cs>
<iana_b1>
<iana_b2>
0x0000
TLS_NULL_WITH_NULL_NULL
"00"
"00"
0x000A
TLS_RSA_WITH_3DES_EDE_CBC_SHA
5
"00"
"0A"
0x0013
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
"00"
"13"
0x0015
TLS_DHE_RSA_WITH_DES_CBC_SHA
"00"
"15"
0x0016
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
"00"
"16"
0x001A
TLS_DH_anon_WITH_DES_CBC_SHA
"00"
"1A"
0x001B
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
"00"
"1B"
0x002F
TLS_RSA_WITH_AES_128_CBC_SHA
1
"00"
"2F"
0x0032
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
"00"
"32"
0x0033
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
"00"
"33"
0x0034
TLS_DH_anon_WITH_AES_128_CBC_SHA
"00"
"34"
0x0035
TLS_RSA_WITH_AES_256_CBC_SHA
3
"00"
"35"
0x0039
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
"00"
"39"
0x003A
TLS_DH_anon_WITH_AES_256_CBC_SHA
"00"
"3A"
0x003C
TLS_RSA_WITH_AES_128_CBC_SHA256
2
"00"
"3C"
0x003D
TLS_RSA_WITH_AES_256_CBC_SHA256
4
"00"
"3D"
0x0040
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
"00"
"40"
0x0041
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
"00"
"41"
0x0045
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
"00"
"45"
0x0067
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
"00"
"67"
0x006B
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
"00"
"6B"
0x006C
TLS_DH_anon_WITH_AES_128_CBC_SHA256
"00"
"6C"
0x006D
TLS_DH_anon_WITH_AES_256_CBC_SHA256
"00"
"6D"
0x0084
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
"00"
"84"
0x0088
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
"00"
"88"
0x008A
TLS_PSK_WITH_RC4_128_SHA
"00"
"8A"
0x008B
TLS_PSK_WITH_3DES_EDE_CBC_SHA
8
"00"
"8B"
0x008C
TLS_PSK_WITH_AES_128_CBC_SHA
6
"00"
"8C"
0x008D
TLS_PSK_WITH_AES_256_CBC_SHA
7
"00"
"8D"
0x008E
TLS_DHE_PSK_WITH_RC4_128_SHA
"00"
"8E"
0x008F
TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
"00"
"8F"
0x0090
TLS_DHE_PSK_WITH_AES_128_CBC_SHA
"00"
"90"
0x0091
TLS_DHE_PSK_WITH_AES_256_CBC_SHA
"00"
"91"
0x0092
TLS_RSA_PSK_WITH_RC4_128_SHA
"00"
"92"
0x0093
TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
11
"00"
"93"
0x0094
TLS_RSA_PSK_WITH_AES_128_CBC_SHA
9
"00"
"94"
0x0095
TLS_RSA_PSK_WITH_AES_256_CBC_SHA
10
"00"
"95"
0x009C
TLS_RSA_WITH_AES_128_GCM_SHA256
"00"
"9C"
0x009D
TLS_RSA_WITH_AES_256_GCM_SHA384
"00"
"9D"
0x009E
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
"00"
"9E"
0x009F
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
"00"
"9F"
0x00A8
TLS_PSK_WITH_AES_128_GCM_SHA256
16
"00"
"A8"
0x00A9
TLS_PSK_WITH_AES_256_GCM_SHA384
17
"00"
"A9"
0x00AA
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
"00"
"AA"
0x00AB
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
"00"
"AB"
0x00AC
TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
18
"00"
"AC"
0x00AD
TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
19
"00"
"AD"
0x00AE
TLS_PSK_WITH_AES_128_CBC_SHA256
12
"00"
"AE"
0x00AF
TLS_PSK_WITH_AES_256_CBC_SHA384
13
"00"
"AF"
0x00B2
TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
"00"
"B2"
0x00B3
TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
"00"
"B3"
0x00B6
TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
14
"00"
"B6"
0x00B7
TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
15
"00"
"B7"
0x00BA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
"00"
"BA"
0x00BE
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
"00"
"BE"
0x00C0
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
"00"
"C0"
0x00C4
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
"00"
"C4"
0xC002
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
"C0"
"02"
0xC003
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
"C0"
"03"
0xC004
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
"C0"
"04"
0xC005
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
"C0"
"05"
0xC007
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
"C0"
"07"
0xC008
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
20
"C0"
"08"
0xC009
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
21
"C0"
"09"
0xC00A
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
22
"C0"
"0A"
0xC00C
TLS_ECDH_RSA_WITH_RC4_128_SHA
"C0"
"0C"
0xC00D
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
"C0"
"0D"
0xC00E
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
"C0"
"0E"
0xC00F
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
"C0"
"0F"
0xC010
TLS_ECDHE_RSA_WITH_NULL_SHA
"C0"
"10"
0xC011
TLS_ECDHE_RSA_WITH_RC4_128_SHA
"C0"
"11"
0xC012
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
23
"C0"
"12"
0xC013
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
24
"C0"
"13"
0xC014
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
25
"C0"
"14"
0xC017
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
"C0"
"17"
0xC018
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
"C0"
"18"
0xC019
TLS_ECDH_anon_WITH_AES_256_CBC_SHA
"C0"
"19"
0xC023
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
26
"C0"
"23"
0xC024
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
27
"C0"
"24"
0xC025
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
"C0"
"25"
0xC026
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
"C0"
"26"
0xC027
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
28
"C0"
"27"
0xC028
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
29
"C0"
"28"
0xC029
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
"C0"
"29"
0xC02A
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
"C0"
"2A"
0xC02B
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
30
"C0"
"2B"
0xC02C
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
31
"C0"
"2C"
0xC02D
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
"C0"
"2D"
0xC02E
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
"C0"
"2E"
0xC02F
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
32
"C0"
"2F"
0xC030
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
33
"C0"
"30"
0xC031
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
"C0"
"31"
0xC032
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
"C0"
"32"
0xC033
TLS_ECDHE_PSK_WITH_RC4_128_SHA
"C0"
"33"
0xC034
TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
"C0"
"34"
0xC035
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
"C0"
"35"
0xC036
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
"C0"
"36"
0xC037
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
"C0"
"37"
0xC038
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
"C0"
"38"
0xC072
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
"C0"
"72"
0xC073
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
"C0"
"73"
0xC074
TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
"C0"
"74"
0xC075
TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
"C0"
"75"
0xC076
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
"C0"
"76"
0xC077
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
"C0"
"77"
0xC078
TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
"C0"
"78"
0xC079
TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
"C0"
"79"
0xC07A
TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
"C0"
"7A"
0xC07B
TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
"C0"
"7B"
0xC07C
TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
"C0"
"7C"
0xC07D
TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
"C0"
"7D"
0xC086
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
"C0"
"86"
0xC087
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
"C0"
"87"
0xC088
TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
"C0"
"88"
0xC089
TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
"C0"
"89"
0xC08A
TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
"C0"
"8A"
0xC08B
TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
"C0"
"8B"
0xC08C
TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
"C0"
"8C"
0xC08D
TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
"C0"
"8D"
0xC08E
TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
"C0"
"8E"
0xC08F
TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
"C0"
"8F"
0xC090
TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
"C0"
"90"
0xC091
TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
"C0"
"91"
0xC092
TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
"C0"
"92"
0xC093
TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
"C0"
"93"
0xC094
TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
"C0"
"94"
0xC095
TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
"C0"
"95"
0xC096
TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
"C0"
"96"
0xC097
TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
"C0"
"97"
0xC098
TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
"C0"
"98"
0xC099
TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
"C0"
"99"
0xC09A
TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
"C0"
"9A"
0xC09B
TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
"C0"
"9B"
0xC09C
TLS_RSA_WITH_AES_128_CCM
"C0"
"9C"
0xC09D
TLS_RSA_WITH_AES_256_CCM
"C0"
"9D"
0xC09E
TLS_DHE_RSA_WITH_AES_128_CCM
"C0"
"9E"
0xC09F
TLS_DHE_RSA_WITH_AES_256_CCM
"C0"
"9F"
0xC0A0
TLS_RSA_WITH_AES_128_CCM_8
"C0"
"A0"
0xC0A1
TLS_RSA_WITH_AES_256_CCM_8
"C0"
"A1"
0xC0A2
TLS_DHE_RSA_WITH_AES_128_CCM_8
"C0"
"A2"
0xC0A3
TLS_DHE_RSA_WITH_AES_256_CCM_8
"C0"
"A3"
0xC0A4
TLS_PSK_WITH_AES_128_CCM
"C0"
"A4"
0xC0A5
TLS_PSK_WITH_AES_256_CCM
"C0"
"A5"
0xC0A6
TLS_DHE_PSK_WITH_AES_128_CCM
"C0"
"A6"
0xC0A7
TLS_DHE_PSK_WITH_AES_256_CCM
"C0"
"A7"
0xC0A8
TLS_PSK_WITH_AES_128_CCM_8
"C0"
"A8"
0xC0A9
TLS_PSK_WITH_AES_256_CCM_8
"C0"
"A9"
0xC0AA
TLS_PSK_DHE_WITH_AES_128_CCM_8
"C0"
"AA"
0xC0AB
TLS_PSK_DHE_WITH_AES_256_CCM_8
"C0"
"AB"
0xC0AC
TLS_ECDHE_ECDSA_WITH_AES_128_CCM
"C0"
"AC"
0xC0AD
TLS_ECDHE_ECDSA_WITH_AES_256_CCM
"C0"
"AD"
0xC0AE
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
"C0"
"AE"
0xC0AF
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
"C0"
"AF"
0xCCA8
TLS_ECDHE_RSA_WITH_CHACHA20_POL1305_SHA256
"CC"
"A8"
0xCCA9
TLS_ECDHE_ECDSA_WITH_CHACHA20_POL1305_SHA256
"CC"
"A9"
0xCCAA
TLS_DHE_RSA_WITH_CHACHA20_POL1305_SHA256
"CC"
"AA"
0xCCAB
TLS_PSK_WITH_CHACHA20_POL1305_SHA256
"CC"
"AB"
0xCCAC
TLS_ECDHE_PSK_WITH_CHACHA20_POL1305_SHA256
"CC"
"AC"
0xCCAD
TLS_DHE_PSK_WITH_CHACHA20_POL1305_SHA256
"CC"
"AD"
0xCCAE
TLS_RSA_PSK_WITH_CHACHA20_POL1305_SHA256
"CC"
"AE"
0x1301
TLS_AES_128_GCM_SHA256
"13"
"01"
0x1302
TLS_AES_256_GCM_SHA384
"13"
"02"
0x1303
TLS_CHACHA20_POLY1305_SHA256
"13"
"03"
0x1304
TLS_AES_128_CCM_SHA256
"13"
"04"
0x1305
TLS_AES_128_CCM_8_SHA256
"13"
"05"

Cipher suite applicability

Cipher suite applicability accordingly to the modules

This section provides a list of cipher suites that are available on the series modules. The allowed cipher suites can be selected when <op_code>=2 (cipher suite) with:
  • The <legacy_cs> parameter
  • The <legacy_cs>=99 specifying <iana_b1> and <iana_b2> parameters
  • The <legacy_cs>=100 specifying <iana_b1> and <iana_b2> parameters
For proper <legacy_cs> value, see the +USECPRF AT command.
The cipher suites marked with (D) are the default cipher suites that are proposed to the server when <op_code>=2 (cipher suite) and <legacy_cs>=0. The secure connection will be established if the server supports at least one of the proposed cipher suites.
The available cipher suites are presented in the following list:
  • (0x000A) TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • (0x002F) TLS_RSA_WITH_AES_128_CBC_SHA
  • (0x0035) TLS_RSA_WITH_AES_256_CBC_SHA
  • (0x003C) TLS_RSA_WITH_AES_128_CBC_SHA256
  • (0x003D) TLS_RSA_WITH_AES_256_CBC_SHA256
  • (0x008B) TLS_PSK_WITH_3DES_EDE_CBC_SHA
  • (0x008C) TLS_PSK_WITH_AES_128_CBC_SHA
  • (0x008D) TLS_PSK_WITH_AES_256_CBC_SHA
  • (0x009C) TLS_RSA_WITH_AES_128_GCM_SHA256 (D)
  • (0x009D) TLS_RSA_WITH_AES_256_GCM_SHA384 (D)
  • (0x009E) TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (D)
  • (0x009F) TLS_RSA_WITH_AES_256_GCM_SHA384 (D)
  • (0x00A8) TLS_PSK_WITH_AES_128_GCM_SHA256 (D)
  • (0x00A9) TLS_PSK_WITH_AES_256_GCM_SHA384 (D)
  • (0x00AA) TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 (D)
  • (0x00AB) TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 (D)
  • (0x00AC) TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 (D)
  • (0x00AD) TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 (D)
  • (0x00AE) TLS_PSK_WITH_AES_128_CBC_SHA256 (D)
  • (0x00AF) TLS_PSK_WITH_AES_256_CBC_SHA384 (D)
  • (0xC003) TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  • (0xC004) TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • (0xC005) TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • (0xC008) TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  • (0xC009) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • (0xC00A) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • (0xC00D) TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
  • (0xC00E) TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  • (0xC00F) TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  • (0xC012) TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • (0xC013) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • (0xC014) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • (0xC023) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (D)
  • (0xC024) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • (0xC025) TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • (0xC026) TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • (0xC027) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • (0xC028) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • (0xC029) TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
  • (0xC02A) TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  • (0xC02B) TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (D)
  • (0xC02C) TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (D)
  • (0xC02D) TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (D)
  • (0xC02F) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (D)
  • (0xC030) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (D)
  • (0xC031) TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  • (0xC032) TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
  • (0xC037) TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 (D)
  • (0xC038) TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 (D)
  • (0xC09C) TLS_RSA_WITH_AES_128_CCM (D)
  • (0xC0A1) TLS_RSA_WITH_AES_256_CCM_8 (D)
  • (0xC0A4) TLS_PSK_WITH_AES_128_CCM (D)
  • (0xC0A5) TLS_PSK_WITH_AES_256_CCM (D)
  • (0xC0A6) TLS_DHE_PSK_WITH_AES_128_CCM (D)
  • (0xC0A7) TLS_DHE_PSK_WITH_AES_256_CCM (D)
  • (0xC0A8) TLS_PSK_WITH_AES_128_CCM_8 (D)
  • (0xC0A9) TLS_PSK_WITH_AES_256_CCM_8 (D)
  • (0xC0AA) TLS_PSK_DHE_WITH_AES_128_CCM_8 (D)
  • (0xC0AB) TLS_PSK_DHE_WITH_AES_256_CCM_8 (D)
  • (0xC0AC) TLS_ECDHE_ECDSA_WITH_AES_128_CCM (D)
  • (0xC0AD) TLS_ECDHE_ECDSA_WITH_AES_256_CCM (D)
  • (0xC0AE) TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (D)
  • (0xC0AF) TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (D)
Last updated: 13 January 2025
Need help?Contact Support
Questions?Contact us