AT Commands For SSL
No | Command | Description |
L1001 | AT+CCHSTART | Start SSL service |
L1002 | AT+CCHSTOP | Stop SSL service |
L1003 | AT+CCHOPEN | Connect to SSL server |
L1004 | AT+CCHCLOSE | Disconnect from SSL server |
L1005 | AT+CCHSEND | Send data to SSL server |
L1006 | AT+CCHRECV | Read the cached data received from the SSL server |
L1007 | AT+CCHADDR | Get the IPV4 address |
L1008 | AT+CCHCFG | Configure the client context |
L1009 | AT+CCHSSLCFG | Set the SSL context |
L1010 | AT+CCHSET | Configure the report mode of sending and receiving data |
L1011 | AT+CCHMODE | Configure the mode of sending and receiving data |
L1012 | AT+CSSLCFG | Configure the SSL context |
L1013 | AT+CCERTDOWN | Download certificate into the module |
L1014 | AT+CCERTLIST | List certificates |
L1015 | AT+CCERTDELE | Delete certificates |
L1001 AT+CCHSTART Start SSL Service
AT+CCHSTART is used to start SSL service by activating PDP context.
You must execute AT+CCHSTART before any other SSL related operations.
E) AT+CCHSTART |
a)If start SSL service successfully: OK +CCHSTART: 0 b) If start SSL service successfully: +CCHSTART: 0 OK c) If failed: ERROR d) If failed: OK +CCHSTART: <err> |
Maximum Response Time | 120000ms |
<err> | Integer type, which indicates the result code. |
Example |
AT+CCHSTART OK +CCHSTART: 0 |
NOTE
You must execute AT+CCHSTART before any other SSL related operations
L1002 AT+CCHSTOP Stop SSL Service
AT+CCHSTOP is used to stop SSL service.
E) AT+CCHSTOP |
a)If stop SSL service successfully: +CCHSTOP: 0 OK b)If stop SSL service successfully: OK +CCHSTOP: 0 c)If failed: ERROR |
<err> | Integer type, which indicates the result code. |
Example |
AT+CCHSTOP OK +CCHSTOP: 0 |
L1003 AT+CCHOPEN Connect To SSL Server
This command is used to connect to SSL server.
Note: If another service is working in transparent mode, setting up a transparent connection with AT+CCHOPEN is not allowed.
T) AT+CCHOPEN=? |
+CCHOPEN: (0-1),"ADDRESS",(1-65535)[,(1-2)[,(1-65535)]] OK |
R) AT+CCHOPEN? |
If connected to a server, the response shows the connection information. Otherwise, the connection information is empty. +CCHOPEN: 0,"<host>",<port>,<client_type>[,<bind_port>] +CCHOPEN: 1,"<host>",<port>,<client_type>[,<bind_port>] OK |
W) AT+CCHOPEN=<session_id>,"host",<port>[,<client_type>[,<bind_port>]] |
a) If connect successfully: +CCHOPEN: <session_id>,0 OK b) If connect successfully: OK +CCHOPEN: <session_id>,0 c) If connect successfully in transparent mode: CONNECT [<text>] d) If failed: OK +CCHOPEN: <session_id>,<err> [+CCHCLOSE: <session_id>,<err>] e) If failed: ERROR f) If failed in transparent mode: CONNECT FAIL |
<session_id> | The session index to operate. It’s from 0 to 1. |
<host> | The server address, length range is 1 to 256. |
<port> | The server port which to be connected, the range is from 1 to 65535. |
<client_type> |
The type of client: 1 TCP client. 2 SSL/TLS client. Default value is 2. |
<bind_port> | The local port for channel, the range is from 1 to 65535. |
<text> | CONNECT result code string; for the string formats, please refer to the ATX/AT\V/AT&E commands. |
<err> | Integer type, the result of operation. 0 is success, other value is failure. |
Example |
AT+CCHOPEN=0,"www.baidu.com",443,2 OK +CCHOPEN: 0,0 |
NOTE
If you don’t set the SSL context by AT+CCHSSLCFG before connecting to an SSL/TLS server by AT+CCHOPEN,
the connection will use the SSL context whose index is the same as <session_id> (the 1st parameter of AT+CCHOPEN).
L1004 AT+CCHCLOSE Disconnect From SSL Server
AT+CCHCLOSE is used to disconnect from the server.
W) AT+CCHCLOSE=<session_id> |
a)If successfully: +CCHCLOSE: <session_id>,0 OK b)If successfully: OK +CCHCLOSE: <session_id>,0 c)If successfully in transparent mode: OK CLOSED d)If failed: ERROR |
<session_id> | The session index to operate. It’s from 0 to 1. |
<err> | Integer type, the result of operation. 0 is success, other value is failure |
Example |
AT+CCHCLOSE=0 OK +CCHCLOSE: 0,0 |
L1005 AT+CCHSEND Send Data To SSL Server
AT+CCHSEND is used to send data to the SSL server.
T) AT+CCHSEND=? |
+CCHSEND: (0-1),(1-2048) OK |
R) AT+CCHSEND? |
+CCHSEND: 0,<unsent_len_0>,1,<unsent_len_1> OK |
W) AT+CCHSEND=<session_id>, <len> |
a)if parameter is right: > <input data here> When the total size of the inputted data reaches <len>, TA will report the following code. Otherwise, the serial port will be blocked. OK b)If parameter is wrong or other errors occur: ERROR |
<session_id> | The session index to operate. It’s from 0 to 1. |
<len> | The length of data to send. Its range is from 1 to 2048 bytes. |
<unsent_len_0> | The data of connection 0 cached in sending buffer which is waiting to be sent. |
<unsent_len_1> | The data of connection 1 cached in sending buffer which is waiting to be sent. |
Example |
AT+CCHSEND=0,125 > GET / HTTP/1.1 Host: www.google.com.hk User-Agent: MAUI htp User Agent Proxy-Connection: keep-alive Content-Length: 0 OK |
L1006 AT+CCHRECV Read The Cached Data Received From The Server
You can use AT+CCHRECV to read the cached data which was received from the server.
R) AT+CCHRECV? |
+CCHRECV: LEN,<cache_len_0>,<cache_len_1> OK |
W) AT+CCHRECV=<session_id> [,<max_recv_len>] |
a)if parameter is right and there are cached data: OK [+CCHRECV: DATA,<session_id>,<len> … +CCHRECV: DATA,<session_id>,<len> …] +CCHRECV: <session_id>,<err>
b) if parameter is not right or any other error occurs: +CCHRECV: <session_id>,<err> ERROR |
<session_id> | The session_id to operate. It’s from 0 to 1. |
<max_recv_len> |
Maximum bytes of data to receive in the current AT+CCHRECV call. It will read all the received data when the value is greater than the length of RX data cached for session <session_id>. 0 means the maximum bytes to receive is 2048 bytes. (But, when 2048 is greater than the length of RX data cached for session <session_id>, 0 means the length of RX data cached for session <session_id>). The default value is the length of RX data cached for session <session_id>. The command is not allowed when there is no data in the cache. |
<cache_len_0> | The length of RX data cached for connection 0. |
<cache_len_1> | The length of RX data cached for connection 1. |
<len> | The length of data followed. |
<err> | String type, displays the cause of occurring error, please refer to Chapter 10.3 for details. |
Example |
AT+CCHRECV=1 OK +CCHRECV: DATA,1,249 HTTP/1.1 200 OK Content-Type: text/html Content-Language: zh-CN Content-Length: 57 Date: Tue, 31 Mar 2009 01:56:05 GMT Connection: Close Proxy-Connection: Close
<html> <header>test</header> <body> Test body </body>
+CCHRECV: 1,0 |
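A length-framed reader for the AT+CCHRECV response described above, as an added example that is not part of the original manual. It assumes CR LF after each header line and after each data block (the page does not show line endings), treats 2048 as a per-block sanity cap, and uses a constructed payload; `parse_cchrecv` and `naive_payload` are hypothetical names.

```python
import re

DATA_HDR = re.compile(rb"\+CCHRECV: DATA,(\d+),(\d+)\r\n")
RESULT = re.compile(rb"\+CCHRECV: (\d+),(\d+)\r\n")
MAX_LEN = 2048  # assumed sanity cap, taken from the documented read limit

# Constructed server payload that happens to contain text shaped like the
# module's own final result line.
BODY = b"line one\r\n+CCHRECV: 1,0\r\nline two"
SAMPLE = (b"\r\nOK\r\n\r\n+CCHRECV: DATA,1,%d\r\n" % len(BODY)
          + BODY + b"\r\n+CCHRECV: 1,0\r\n")


def parse_cchrecv(buf, session_id):
    """Return (payload, err) from the bytes that follow AT+CCHRECV=<session_id>."""
    pos = buf.find(b"+CCHRECV:")
    if pos < 0:
        raise ValueError("no +CCHRECV response in buffer")
    payload = bytearray()
    while True:
        hdr = DATA_HDR.match(buf, pos)
        if hdr is None:
            break
        sid, length = int(hdr.group(1)), int(hdr.group(2))
        if sid != session_id:
            raise ValueError("data for unexpected session %d" % sid)
        if not 0 < length <= MAX_LEN:
            raise ValueError("implausible <len> %d" % length)
        end = hdr.end() + length
        if end > len(buf):
            raise ValueError("buffer ends before <len> bytes arrived")
        # Copy exactly <len> bytes; their content is never interpreted.
        payload += buf[hdr.end():end]
        pos = end + 2 if buf.startswith(b"\r\n", end) else end
    res = RESULT.match(buf, pos)
    if res is None or int(res.group(1)) != session_id:
        raise ValueError("missing final +CCHRECV: <session_id>,<err>")
    return bytes(payload), int(res.group(2))


def naive_payload(buf):
    """Line-oriented parsing, for contrast: stops at the first result-shaped line."""
    out = []
    for line in buf.split(b"\r\n"):
        if RESULT.match(line + b"\r\n"):
            break
        if line and line != b"OK" and not line.startswith(b"+CCHRECV: DATA"):
            out.append(line)
    return b"\r\n".join(out)
```

On the constructed sample the length-framed reader returns the whole body, while the line-oriented one stops at the result-shaped text inside the payload.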
L1007 AT+CCHADDR Get IPV4 Address
AT+CCHADDR is used to inquire socket PDP address.
E) AT+CCHADDR |
+CCHADDR: <ip_address> OK |
<ip_address> | A string parameter that identifies the IPV4 address after PDP activated. |
Example |
AT+CCHADDR +CCHADDR: 10.71.155.118 OK |
L1008 AT+CCHCFG Configure The Client Context
AT+CCHCFG is used to set the client session context. It must be called before AT+CCHOPEN and after AT+CCHSTART.
The setting will be cleared after AT+CCHOPEN failed or AT+CCHCLOSE.
T) AT+CCHCFG=? |
+CCHCFG: "sendtimeout",(0-1),(60-150) +CCHCFG: "sslctx",(0-1),(0-9) OK |
R) AT+CCHCFG? |
+CCHCFG: 0,<sendtimeout_val>,<sslctx_index> +CCHCFG: 1,<sendtimeout_val>,<sslctx_index> OK |
Configure the timeout value of the specified client when sending data. W) AT+CCHCFG="sendtimeout",<session_id>,<sendtimeout_val> |
If successfully: OK If failed: ERROR |
Configure the SSL context index; it is the same as in AT+CSSLCFG. W) AT+CCHCFG="sslctx",<session_id>,<sslctx_index> |
If successfully: OK If failed: ERROR |
<session_id> | The session_id to operate. It’s from 0 to 1. |
<sendtimeout_val> |
The timeout value used in sending data stage. The range is 60-150 seconds. The default value is 150. |
<sslctx_index> |
The SSL context ID which will be used in the SSL connection. Refer to the <ssl_ctx_index> of AT+CSSLCFG. |
Example |
AT+CCHCFG="sendtimeout",0,60 OK |
NOTE
This command must be called before AT+CCHOPEN and after AT+CCHSTART.
The setting will be cleared after AT+CCHOPEN failed or AT+CCHCLOSE.
L1009 AT+CCHSSLCFG Set The SSL Context
AT+CCHSSLCFG is used to set the SSL context which to be used in the SSL connection.
It must be called before AT+CCHOPEN and after AT+CCHSTART.
The setting will be cleared after AT+CCHOPEN failed or AT+CCHCLOSE.
Note: If you don’t set the SSL context by this command before connecting to an SSL/TLS server by AT+CCHOPEN,
the CCHOPEN operation will use the SSL context whose index is the same as <session_id> (the 1st parameter of AT+CCHOPEN) when connecting to the server.
T) AT+CCHSSLCFG=? |
+CCHSSLCFG: (0-1),(0-9) OK |
R) AT+CCHSSLCFG? |
+CCHSSLCFG: <session_id>,[ssl_ctx_index] +CCHSSLCFG: <session_id>,[ssl_ctx_index] OK |
W) AT+CCHSSLCFG=<session_id>, <ssl_ctx_index> |
a) If successfully: OK b) If failed: ERROR |
<session_id> | The session_id to operate. It’s from 0 to 1. |
<ssl_ctx_index> |
The SSL context ID which will be used in the SSL connection. Refer to the <ssl_ctx_index> of AT+CSSLCFG. |
Example |
AT+CCHSSLCFG=? +CCHSSLCFG: (0-1),(0-9) OK AT+CCHSSLCFG=1,1 OK |
NOTE
This command must be called before AT+CCHOPEN and after AT+CCHSTART.
The setting will be cleared after AT+CCHOPEN failed or AT+CCHCLOSE.
If you don’t set the SSL context by this command before connecting to an SSL/TLS server by AT+CCHOPEN,
the CCHOPEN operation will use the SSL context whose index is the same as <session_id> (the 1st parameter of AT+CCHOPEN) when connecting to the server.
L1010 AT+CCHMODE Configure The Mode Of Sending And Receiving Data
AT+CCHMODE is used to select transparent mode (data mode) or non-transparent mode (command mode).
The default mode is non-transparent mode. This AT command must be called before calling AT+CCHSTART.
Note: There is only one session in the transparent mode, it’s the first session
T) AT+CCHMODE=? |
+CCHMODE: (0-1) OK |
R) AT+CCHMODE? |
+CCHMODE: <mode> OK |
W) AT+CCHMODE=<mode> |
a) If successfully: OK b) If failed: ERROR |
<mode> |
The mode value: (The default value is 0) 0 Normal 1 Transparent mode |
Example |
AT+CCHMODE=? +CCHMODE: (0-1) OK AT+CCHMODE=1 OK |
NOTE
This command must be called before AT+CCHSTART.
There is only one session in the transparent mode, it’s the first session.
L1011 AT+CCHSET Configure The Report Mode Of Sending And Receiving Data
AT+CCHSET is used to configure the report mode of sending and receiving data.
This AT command must be called before calling AT+CCHSTART.
Note: There is only one session in the transparent mode, it’s the first session
T) AT+CCHSET=? |
+CCHSET: (0-1),(0,1) OK |
R) AT+CCHSET? |
+CCHSET: <report_send_result>,<recv_mode> OK |
W) AT+CCHSET= <report_send_result>[,<recv_mode>] |
a) If successfully: OK b) If failed: ERROR |
<report_send_result> |
Whether to report result of CCHSEND, the default value is 0: 0 No. 1 Yes. Module will report +CCHSEND: <session_id>,<err> to MCU when complete sending data. |
<recv_mode> |
The receiving mode: 0 Output the data to MCU whenever received data. 1 Module caches the received data and notifies MCU with +CCHEVENT: <session_id>, RECV EVENT. MCU can use AT+CCHRECV to receive the cached data (only in manual receiving mode). |
Example |
AT+CCHSET=? +CCHSET: (0-1),(0,1) OK AT+CCHSET=1,1 OK |
NOTE
This command must be called before AT+CCHSTART.
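The ordering rules stated in the AT+CCHCFG, AT+CCHSSLCFG, AT+CCHMODE and AT+CCHSET sections can be checked mechanically before a command script reaches the module. The following is an added example, not code from the manual: `lint_sequence` is a hypothetical helper, the command list and host name are constructed, and every AT+CCHOPEN is assumed to succeed.

```python
def _args(text):
    """Split the parameter list of a write command, dropping surrounding quotes."""
    return [a.strip().strip('"') for a in text.split(",")]


# Constructed command script; line 2 and line 6 break rules from this page.
BAD_SEQUENCE = [
    'AT+CCHSTART',
    'AT+CCHSET=1,1',
    'AT+CCHSSLCFG=0,1',
    'AT+CCHOPEN=0,"example.com",443,2',
    'AT+CCHCLOSE=0',
    'AT+CCHOPEN=0,"example.com",443,2',
]


def lint_sequence(commands):
    """Return (line_number, message) findings for a list of AT command strings."""
    started = False
    bound = {}  # session_id -> SSL context index chosen since the last close
    findings = []
    for n, raw in enumerate(commands, 1):
        name, sep, rest = raw.strip().partition("=")
        name = name.upper()
        if name.endswith("?") or rest == "?":
            continue  # read and test forms change nothing
        argv = _args(rest) if sep else []
        if name == "AT+CCHSTART":
            started = True
        elif name == "AT+CCHSTOP":
            started = False
        elif name in ("AT+CCHMODE", "AT+CCHSET"):
            if started:
                findings.append((n, name + " must be called before AT+CCHSTART"))
        elif name in ("AT+CCHSSLCFG", "AT+CCHCFG"):
            if not started:
                findings.append((n, name + " must be called after AT+CCHSTART"))
            elif name == "AT+CCHSSLCFG" or argv[0].lower() == "sslctx":
                bound[int(argv[-2])] = int(argv[-1])
        elif name == "AT+CCHOPEN":
            sid = int(argv[0])
            client_type = int(argv[3]) if len(argv) > 3 else 2  # default is 2
            if not started:
                findings.append((n, "AT+CCHOPEN before AT+CCHSTART"))
            if client_type == 2 and sid not in bound:
                # No context selected: the module uses context <session_id>.
                findings.append((n, "session %d falls back to SSL context %d"
                                    % (sid, sid)))
        elif name == "AT+CCHCLOSE":
            bound.pop(int(argv[0]), None)  # settings are cleared on close
    return findings
```

The second finding is the one to watch for on reconnect: after AT+CCHCLOSE the context selection is gone, so the next AT+CCHOPEN uses whatever is configured in the context numbered like the session.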
L1012 AT+CSSLCFG Configure The SSL Context
AT+CSSLCFG is used to configure the SSL context.
T) AT+CSSLCFG=? |
+CSSLCFG: "sslversion",(0-9),(0-4) +CSSLCFG: "authmode",(0-9),(0-3) +CSSLCFG: "ignorelocaltime",(0-9),(0,1) +CSSLCFG: "negotiatetime",(0-9),(10-300) +CSSLCFG: "cacert",(0-9),(5-128) +CSSLCFG: "clientcert",(0-9),(5-128) +CSSLCFG: "clientkey",(0-9),(5-128) +CSSLCFG: "enableSNI",(0-9),(0,1) +CSSLCFG: "keypwd",(0-9),(0-128) +CSSLCFG: "ciphersuites",(0-9),(0x002F,0xFFFF) OK |
R) AT+CSSLCFG? |
+CSSLCFG: 0,<sslversion>,<authmode>,<ignoreltime>,<negotiatetime>,<ca_file>,<clientcert_file>,<clientkey_file>,<enableSNI_flag>,<keypwd>,<ciphersuites> +CSSLCFG: 1,<sslversion>,<authmode>,<ignoreltime>,<negotiatetime>,<ca_file>,<clientcert_file>,<clientkey_file>,<enableSNI_flag>,<keypwd>,<ciphersuites> +CSSLCFG: 2,<sslversion>,<authmode>,<ignoreltime>,<negotiatetime>,<ca_file>,<clientcert_file>,<clientkey_file>,<enableSNI_flag>,<keypwd>,<ciphersuites> +CSSLCFG: 3,<sslversion>,<authmode>,<ignoreltime>,<negotiatetime>,<ca_file>,<clientcert_file>,<clientkey_file>,<enableSNI_flag>,<keypwd>,<ciphersuites> +CSSLCFG: 4,<sslversion>,<authmode>,<ignoreltime>,<negotiatetime>,<ca_file>,<clientcert_file>,<clientkey_file>,<enableSNI_flag>,<keypwd>,<ciphersuites> +CSSLCFG: 5,<sslversion>,<authmode>,<ignoreltime>,<negotiatetime>,<ca_file>,<clientcert_file>,<clientkey_file>,<enableSNI_flag>,<keypwd>,<ciphersuites> +CSSLCFG: 6,<sslversion>,<authmode>,<ignoreltime>,<negotiatetime>,<ca_file>,<clientcert_file>,<clientkey_file>,<enableSNI_flag>,<keypwd>,<ciphersuites> +CSSLCFG: 7,<sslversion>,<authmode>,<ignoreltime>,<negotiatetime>,<ca_file>,<clientcert_file>,<clientkey_file>,<enableSNI_flag>,<keypwd>,<ciphersuites> +CSSLCFG: 8,<sslversion>,<authmode>,<ignoreltime>,<negotiatetime>,<ca_file>,<clientcert_file>,<clientkey_file>,<enableSNI_flag>,<keypwd>,<ciphersuites> +CSSLCFG: 9,<sslversion>,<authmode>,<ignoreltime>,<negotiatetime>,<ca_file>,<clientcert_file>,<clientkey_file>,<enableSNI_flag>,<keypwd>,<ciphersuites> OK |
Query the configuration of the specified SSL context. W) AT+CSSLCFG=<ssl_ctx_index> |
+CSSLCFG: <ssl_ctx_index>,<sslversion>,<authmode>,<ignoreltime>,<negotiatetime>,<ca_file>,<clientcert_file>,<clientkey_file>,<enableSNI_flag>,<keypwd>,<ciphersuites> OK |
Configure the version of the specified SSL context. W) AT+CSSLCFG="sslversion",<ssl_ctx_index>,<sslversion> |
a) If successfully: OK b) If failed: ERROR |
Configure the authentication of the specified SSL context. W) AT+CSSLCFG="authmode",<ssl_ctx_index>,<authmode> |
a) If successfully: OK b) If failed: ERROR |
Configure the ignore local time flag of the specified SSL context. W) AT+CSSLCFG="ignorelocaltime",<ssl_ctx_index>,<ignoreltime> |
a) If successfully: OK b) If failed: ERROR |
Configure the negotiate timeout value of the specified SSL context. W) AT+CSSLCFG="negotiatetime",<ssl_ctx_index>,<negotiatetime> |
a) If successfully: OK b) If failed: ERROR |
Configure the server root CA of the specified SSL context. W) AT+CSSLCFG="cacert",<ssl_ctx_index>,<ca_file> |
a) If successfully: OK b) If failed: ERROR |
Configure the client certificate of the specified SSL context. W) AT+CSSLCFG="clientcert",<ssl_ctx_index>,<clientcert_file> |
a) If successfully: OK b) If failed: ERROR |
Configure the client key of the specified SSL context. W) AT+CSSLCFG="clientkey",<ssl_ctx_index>,<clientkey_file> |
a) If successfully: OK b) If failed: ERROR |
Configure the enableSNI flag of the specified SSL context. W) AT+CSSLCFG="enableSNI",<ssl_ctx_index>,<enableSNI_flag> |
a) If successfully: OK b) If failed: ERROR |
Configure the password of the specified SSL context. W) AT+CSSLCFG="keypwd",<ssl_ctx_index>,<keypwd> |
a) If successfully: OK b) If failed: ERROR |
Configure the ciphersuite of the specified SSL context. W) AT+CSSLCFG="ciphersuites",<ssl_ctx_index>,<ciphersuites> |
a)If successfully: OK b)If failed: ERROR |
<ssl_ctx_index> | The SSL context ID. The range is 0-9. |
<sslversion> |
The SSL version, the default value is 4. 0 SSL3.0 1 TLS1.0 2 TLS1.1 3 TLS1.2 4 All. The configured version should be supported by the server, so you should use the default value if you can’t confirm which version the server supports. |
<authmode> |
The authentication mode, the default value is 0. 0 no authentication. 1 server authentication. It needs the root CA of the server. 2 server and client authentication. It needs the root CA of the server, the cert and key of the client. 3 client authentication and no server authentication. It needs the cert and key of the client. |
<ignoreltime> |
The flag to indicate how to deal with an expired certificate, the default value is 1. 0 care about time check for certification. 1 ignore time check for certification. When the value is set to 0, the correct current date and time must be set by AT+CCLK whenever SSL certification is needed. |
<negotiatetime> |
The timeout value which is used in SSL negotiating stage. The range is 10-300 seconds. The default value is 300. |
<ca_file> |
The root CA file name of SSL context. The file name must have type like “.pem” or “.der”. The length of filename is from 5 to 128 bytes. If the filename contains non-ASCII characters, the file path parameter should contain a prefix of {non-ascii} and the quotation mark (The string in the quotation mark should be hexadecimal of the filename’s UTF8 code).
There are two ways to download certificate files to module: 1. By AT+CCERTDOWN. 2. By FTPS or HTTPS commands. Please refer to chapter 12 and 13. |
<clientcert_file> |
The client cert file name of SSL context. The file name must have type like “.pem” or “.der”. The length of filename is from 5 to 128 bytes. If the filename contains non-ASCII characters, the file path parameter should contain a prefix of {non-ascii} and the quotation mark (The string in the quotation mark should be hexadecimal of the filename’s UTF8 code).
There are two ways to download certificate files to module: 1. By AT+CCERTDOWN. 2. By FTPS or HTTPS commands. Please refer to chapter 12 and 13. |
<clientkey_file> |
The client key file name of SSL context. The file name must have type like “.pem” or “.der”. The length of filename is from 5 to 128 bytes. If the filename contains non-ASCII characters, the file path parameter should contain a prefix of {non-ascii} and the quotation mark (The string in the quotation mark should be hexadecimal of the filename’s UTF8 code).
There are two ways to download certificate files to module: 1. By AT+CCERTDOWN. 2. By FTPS or HTTPS commands. Please refer to chapter 12 and 13. |
<enableSNI_flag> |
The flag to indicate that enable the SNI flag or not, the default value is 0. 0 not enable SNI. 1 enable SNI. |
<keypwd> |
The password of the client key file of SSL context. When the client needs to be authorized, the client key file is needed. Because the client key file may be encrypted, the <keypwd> is needed to decrypt it. The length of <keypwd> is from 0 to 128 bytes. |
<ciphersuites> |
Numeric type, SSL ciphersuites 0x002F TLS_RSA_WITH_AES_128_CBC_SHA 0xFFFF Support all |
Example |
AT+CSSLCFG="sslversion",1,1 OK |
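The documented defaults (<sslversion> 4, <authmode> 0, <ignoreltime> 1) leave the server unauthenticated, so a context is worth auditing before it is used. The following added example, which is not part of the manual, parses a response to AT+CSSLCFG=<ssl_ctx_index>, reports the weak fields and builds the write commands that correct them; the sample responses are constructed, string fields are assumed to be double-quoted, and the function names are hypothetical.

```python
import csv

PREFIX = "+CSSLCFG: "
FIELDS = ("ssl_ctx_index", "sslversion", "authmode", "ignoreltime",
          "negotiatetime", "ca_file", "clientcert_file", "clientkey_file",
          "enableSNI_flag", "keypwd", "ciphersuites")
INT_FIELDS = FIELDS[:5] + ("enableSNI_flag",)
SSLVERSION = {0: "SSL3.0", 1: "TLS1.0", 2: "TLS1.1", 3: "TLS1.2", 4: "All"}

# Constructed sample responses; string fields are assumed to be double-quoted.
DEFAULT_CTX = '+CSSLCFG: 0,4,0,1,300,"","","",0,"",0xFFFF'
HARDENED_CTX = '+CSSLCFG: 1,3,1,0,300,"ca_cert.der","","",1,"",0xFFFF'


def parse_csslcfg(line):
    """Turn one '+CSSLCFG: ...' query response into a dict keyed by field name."""
    if not line.startswith(PREFIX):
        raise ValueError("not a +CSSLCFG response: %r" % line)
    values = next(csv.reader([line[len(PREFIX):].strip()], skipinitialspace=True))
    if len(values) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(values)))
    cfg = dict(zip(FIELDS, values))
    for name in INT_FIELDS:
        cfg[name] = int(cfg[name])
    return cfg


def audit(cfg):
    """Return a list of findings for settings that weaken server verification."""
    findings = []
    if cfg["authmode"] in (0, 3):
        findings.append("authmode=%d: server certificate is not authenticated"
                        % cfg["authmode"])
    elif not cfg["ca_file"]:
        findings.append("authmode=%d needs a server root CA, none configured"
                        % cfg["authmode"])
    if cfg["sslversion"] != 3:
        findings.append("sslversion=%d (%s): versions below TLS1.2 are permitted"
                        % (cfg["sslversion"], SSLVERSION.get(cfg["sslversion"], "?")))
    if cfg["ignoreltime"] == 1:
        findings.append("ignoreltime=1: certificate validity dates are not checked")
    return findings


def hardening_commands(cfg, ca_file):
    """Build the AT+CSSLCFG writes that clear the findings for this context."""
    if (not 5 <= len(ca_file) <= 128 or '"' in ca_file
            or not ca_file.endswith((".pem", ".der"))):
        raise ValueError("ca_file must be 5-128 bytes and end in .pem or .der")
    idx, cmds = cfg["ssl_ctx_index"], []
    if cfg["sslversion"] != 3:
        cmds.append('AT+CSSLCFG="sslversion",%d,3' % idx)
    if cfg["authmode"] in (0, 3):
        # 0 -> 1 adds server authentication; 3 -> 2 keeps client authentication.
        cmds.append('AT+CSSLCFG="authmode",%d,%d'
                    % (idx, 1 if cfg["authmode"] == 0 else 2))
    if cfg["ca_file"] != ca_file:
        cmds.append('AT+CSSLCFG="cacert",%d,"%s"' % (idx, ca_file))
    if cfg["ignoreltime"] == 1:
        # Needs the module clock set with AT+CCLK, as the <ignoreltime> row says.
        cmds.append('AT+CSSLCFG="ignorelocaltime",%d,0' % idx)
    return cmds
```

Pinning <sslversion> to 3 only works when the server supports TLS1.2, which is the caveat the <sslversion> description already gives.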
L1013 AT+CCERTDOWN Download Certificate Into The Module
AT+CCERTDOWN is used to download certificate files into the module.
T) AT+CCERTDOWN=? |
+CCERTDOWN: (5-128),(1-10240) OK |
W) AT+CCERTDOWN=<filename>, <len> |
a) If it can be downloaded: > <input data here> OK b) If failed: ERROR |
<filename> |
The name of the certificate/key file. The file name must have type like “.pem” or “.der”. The length of filename is from 5 to 128 bytes. If the filename contains non-ASCII characters, the file path parameter should contain a prefix of {non-ascii} and the quotation mark (The string in the quotation mark should be hexadecimal of the filename’s UTF8 code).
For example: If you want to download a file with name “中华.pem”, you should convert the “中华.pem” to UTF8 coding (&#x4E2D;&#x534E;.pem), then input the hexadecimal (262378344532443B262378353334453B2E70656D) of UTF8 coding. |
<len> | The length of the file data to send. The range is from 1 to 10240 bytes. |
Example |
AT+CCERTDOWN="client_key.der",611 > file content…… OK |
L1014 AT+CCERTLIST List Certificates
AT+CCERTLIST is used to list certificate files of the module.
E) AT+CCERTLIST |
[+CCERTLIST: <file_name> [+CCERTLIST: <file_name>] … <CR><LF>] OK |
<file_name> |
The certificate/key files which have been downloaded to the module. If the filename contains non-ASCII characters, it will show the non-ASCII characters as UTF8 code. |
Example |
AT+CCERTLIST +CCERTLIST: "ca_cert.der" +CCERTLIST: "client_key.pem" OK |
L1015 AT+CCERTDELE Delete Certificates
AT+CCERTDELE is used to remove certificate files from the module.
W) AT+CCERTDELE=<filename> |
a)If delete successfully: OK b)If failed: ERROR |
<filename> |
The name of the certificate/key file. The file name must have type like “.pem” or “.der”. The length of filename is from 5 to 128 bytes. If the filename contains non-ASCII characters, the file path parameter should contain a prefix of {non-ascii} and the quotation mark (The string in the quotation mark should be hexadecimal of the filename’s UTF8 code).
For example: If you want to download a file with name “中华.pem”, you should convert the “中华.pem” to UTF8 coding (&#x4E2D;&#x534E;.pem), then input the hexadecimal (262378344532443B262378353334453B2E70656D) of UTF8 coding. |
Example |
AT+CCERTDELE="server_ca.der" OK |