Difference between revisions of "SSL Services"
Revision as of 16:25, 11 July 2017
SSL service "ssl:C"
Command Header | Available since system-version | Available from service-sessions | Description |
---|---|---|---|
0x00010002 | 1.0.0-0 | Basically main-only | Initialize |
0x000200C2 | 1.0.0-0 | | CreateContext |
0x00030000 | 1.0.0-0 | | CreateRootCertChain |
0x00040040 | 1.0.0-0 | | DestroyRootCertChain |
0x00050082 | 1.0.0-0 | Main-only | AddTrustedRootCA |
0x00060080 | 1.0.0-0 | Main-only | RootCertChainAddDefaultCert |
0x00070080 | 1.0.0-0 | Main-only | RootCertChainRemoveCert |
0x00080000 | 1.0.0-0 | | This writes an output u32 to cmdreply[2] (the created context handle). |
0x00090040 | 1.0.0-0 | | (u32 handle for a context) This is used for destroying a context created by command 0x00080000. |
0x000A0082 | 1.0.0-0 | Main-only | (u32 contexthandle, u32 size, ((Size<<4) \| 10), inbufptr) Writes the output cert-context-handle to cmdreply[2]. This uses a context created by command 0x00080000. This adds the specified cert to this context. |
0x000B0080 | 1.0.0-0 | Main-only | (u32 contexthandle, u8 inval2) Writes an output cert-context-handle to cmdreply[2]. This uses a context created by command 0x00080000. This just returns error 0xD8A0B83D eventually. |
0x000C0080 | 1.0.0-0 | Main-only | (u32 contexthandle, u32 certcontexthandle) This uses a context created by command 0x00080000. This removes the specified cert from the context. |
0x000D0084 | 1.0.0-0 | Main-only | OpenClientCertContext |
0x000E0040 | 1.0.0-0 | Main-only | OpenDefaultClientCertContext |
0x000F0040 | 1.0.0-0 | Main-only | CloseClientCertContext |
0x00100000 | 1.0.0-0 | All | SeedRNG |
0x00110042 | 1.0.0-0 | All | GenerateRandomData |
0x00120042 | 1.0.0-0 | | InitializeConnectionSession |
0x00130040 | 1.0.0-0 | Context-only | StartConnection |
0x00140040 | 1.0.0-0 | Context-only | StartConnectionGetOut |
0x00150082 | 1.0.0-0 | Context-only | Read |
0x00160082 | 1.0.0-0 | Context-only | ReadPeek |
0x00170082 | 1.0.0-0 | | Write |
0x00180080 | 1.0.0-0 | | ContextSetRootCertChain |
0x00190080 | 1.0.0-0 | Context-only | ContextSetClientCert |
0x001A0080 | 1.0.0-0 | Context-only | (u32 contexthandle, u32 handle) This writes a context handle created by command 0x00080000 into the session context. |
0x001B0080 | 1.0.0-0 | Context-only | ContextClearOpt |
0x001C00C4 | 1.0.0-0 | Context-only | ContextGetProtocolCipher |
0x001D0040 | 1.0.0-0 | Context-only | (u32 contexthandle) Writes an output u32 from the context state to cmdreply[2]. |
0x001E0040 | 1.0.0-0 | All | DestroyContext |
0x001F0082 | 1.0.0-0 | Context-only | ContextInitSharedmem |
0x00200082 | 1.0.0-0 | Context-only | (contexthandle, u32 size, ((Size<<4) \| 10), inbufptr) This loads the input cert; it's unknown what format the cert is in. The input buffer is handled as a string. It's unknown what the cert is used for once this command is finished. |
Going by strings in the SSL sysmodule, it appears the sysmodule uses RSA BSAFE (like certain other 3DS software); this is also likely where the "ssl:C" name comes from (RSA BSAFE "SSL-C").
Similar to HTTPC, each SSL context is used with a dedicated service session, which is opened after creating that context. After creating the context and opening the service session, SSLC:InitializeConnectionSession is called from that service session for that context. Afterwards, all commands which require a handle for this context are issued through this dedicated service session.
Internally there's a separate object vtable used with the above SSLC commands for the main session (where SSLC:InitializeConnectionSession wasn't used) and for context sessions (where SSLC:InitializeConnectionSession was used). Error 0xD960BBF4 will be returned if a command was used with the wrong session type.
Like some other commands, 0x001F0082 and 0x00200082 are not used by HTTP-sysmodule.
Among commands 0x00180080..0x001B0080 none is strictly mandatory. However, with the default settings a RootCertChain needs to be selected at bare minimum, otherwise an untrusted-RootCA error will trigger eventually.
It's unknown whether TLS server->client connections are supported.
The highest supported TLS protocol version is v1.1 (this is the version used by default).
Commands 0x00080000..0x000C0080
These appear to be basically the same as the RootCertChain 0x00030000..0x00070080 commands, except with a different context. The equivalent of RootCertChainAddDefaultCert in this set (0x000B0080) is not usable, however.
It's unknown what this context is actually used for. Trying to use it seems to have no effect on the TLS connection at all; it seems the cert isn't even parsed.
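As an added example (not code from 3DBrew or the sysmodule), the following decodes the command headers in the table above and the ((Size<<4) | 10) buffer word used by the cert-loading commands. The field layout it assumes is the general 3DS IPC header convention (command id in bits 16..31, normal-word count in bits 6..11, translate-word count in bits 0..5), which this page does not itself state.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example. The 3DS IPC header layout used here is the general 3DS
 * convention, not stated on this page: bits 16..31 = command id,
 * bits 6..11 = number of normal u32 words, bits 0..5 = number of translate
 * words (handles, buffer descriptors and their pointers). */
typedef struct {
    uint32_t cmd_id;
    uint32_t normal_words;
    uint32_t translate_words;
} ipc_header_t;

ipc_header_t ipc_decode_header(uint32_t header) {
    ipc_header_t h;
    h.cmd_id = header >> 16;
    h.normal_words = (header >> 6) & 0x3F;
    h.translate_words = header & 0x3F;
    return h;
}

/* The ((Size<<4) | 10) word in the argument lists above is a mapped-buffer
 * descriptor: bit 3 marks a mapped buffer, bits 1..2 hold the rights
 * (1 = read-only for the service), bits 4.. the byte size. The pointer word
 * follows it, so one buffer consumes two translate words. */
uint32_t ipc_buffer_desc_make(uint32_t size) { return (size << 4) | 10; }
uint32_t ipc_buffer_desc_size(uint32_t desc) { return desc >> 4; }
bool ipc_buffer_desc_readonly(uint32_t desc) {
    return (desc & 0x8) != 0 && ((desc >> 1) & 0x3) == 1;
}

/* Cross-check a header against the layout the page gives for the cert-loading
 * commands (0x000A0082, 0x00200082): two u32 normal words (contexthandle,
 * size) followed by one buffer (descriptor + pointer). */
bool sslc_header_fits_cert_buffer_cmd(uint32_t header) {
    ipc_header_t h = ipc_decode_header(header);
    return h.normal_words == 2 && h.translate_words == 2;
}

int main(void) {
    uint32_t hdr = 0x000A0082;
    ipc_header_t h = ipc_decode_header(hdr);
    printf("%#010x: cmd %#x, %u normal, %u translate words, fits=%d\n",
           hdr, h.cmd_id, h.normal_words, h.translate_words,
           sslc_header_fits_cert_buffer_cmd(hdr));
    uint32_t desc = ipc_buffer_desc_make(0x400); /* constructed sample size */
    printf("desc %#x: size %u read-only %d\n", desc,
           ipc_buffer_desc_size(desc), ipc_buffer_desc_readonly(desc));
    return 0;
}
```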
Cert verification
The server TLS cert not-before/not-after timestamps are not validated against the system date which can be set via System Settings (it's possible these timestamps are not validated at all).
SSLOpt
Flag (BIT) | Description |
---|---|
0x000 (??) | Don't verify certificate at all |
0x001 (00) | Verify Common Name (CN) |
0x002 (01) | Verify RootCA |
0x004 (02) | Verify date |
0x008 (03) | Verify cert chain |
0x010 (04) | Verify "subject alt name" (required for multi-address certificates) |
0x020 (05) | Verify cert EV |
0x200 (09) | Makes certification validation always succeed |
0x800 (11) | Disable use of TLSv1.1 (hence fallback to TLSv1.0) |
This is the options field initialized during SSLC:CreateContext and cleared via SSLC:ContextClearOpt. When the context is created, the options field has bitmask 0x1B set, in addition to any bits specified via SSLC:CreateContext.
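As an added example (not code from 3DBrew or the sysmodule), this decodes an SSLOpt word using the bit values from the table above and the 0x1B default, and reports which verification checks a context is missing and whether the option word leaves the server certificate effectively unchecked. Note that 0x1B is 0x001|0x002|0x008|0x010, so "Verify date" (0x004) is not among the defaults.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example. Bit values are the SSLOpt table on this page; the 0x1B
 * default is from the paragraph above it. */
enum {
    SSLOPT_VERIFY_CN      = 0x001,
    SSLOPT_VERIFY_ROOTCA  = 0x002,
    SSLOPT_VERIFY_DATE    = 0x004,
    SSLOPT_VERIFY_CHAIN   = 0x008,
    SSLOPT_VERIFY_SAN     = 0x010,
    SSLOPT_VERIFY_EV      = 0x020,
    SSLOPT_ALWAYS_SUCCEED = 0x200,
    SSLOPT_DISABLE_TLS11  = 0x800,
};
#define SSLOPT_DEFAULT_MASK 0x1Bu
#define SSLOPT_VERIFY_ALL (SSLOPT_VERIFY_CN | SSLOPT_VERIFY_ROOTCA | SSLOPT_VERIFY_DATE | \
                           SSLOPT_VERIFY_CHAIN | SSLOPT_VERIFY_SAN | SSLOPT_VERIFY_EV)

/* Options a fresh context ends up with: the default mask plus the extra bits
 * passed to SSLC:CreateContext. */
uint32_t sslopt_effective(uint32_t create_context_bits) {
    return SSLOPT_DEFAULT_MASK | create_context_bits;
}

/* Verify bits the option word does not enable. For the default 0x1B this is
 * 0x024: neither "Verify date" (0x004) nor "Verify cert EV" (0x020) is set,
 * consistent with the note under "Cert verification" about cert dates. */
uint32_t sslopt_missing_checks(uint32_t opt) {
    return SSLOPT_VERIFY_ALL & ~opt;
}

/* True when the word leaves the server cert effectively unchecked: 0x200
 * forces validation to succeed, and with no verify bit nothing is checked. */
bool sslopt_cert_unverified(uint32_t opt) {
    return (opt & SSLOPT_ALWAYS_SUCCEED) != 0 || (opt & SSLOPT_VERIFY_ALL) == 0;
}

int main(void) {
    /* Constructed sample values: a default context, and one where the caller
     * passed 0x200 to CreateContext. */
    uint32_t samples[] = { sslopt_effective(0), sslopt_effective(SSLOPT_ALWAYS_SUCCEED) };
    for (int i = 0; i < 2; i++) {
        uint32_t opt = samples[i];
        printf("opt %#05x: missing checks %#05x, cert unverified: %s, TLSv1.1 disabled: %s\n",
               opt, sslopt_missing_checks(opt), sslopt_cert_unverified(opt) ? "yes" : "no",
               (opt & SSLOPT_DISABLE_TLS11) ? "yes" : "no");
    }
    return 0;
}
```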
Error codes
Error code | Description |
---|---|
0xD8A0B814 | Server cert verification failed since the RootCA isn't trusted. |
0xD8A0B836 | The specified RootCertChain handle was not found in the linked-list. |