Device API Encryption Requirements
West Connectivity device APIs only supports secure communication with TLS encryption.
- Device API Encryption Requirements
- Supported TLS Version
- SNI
- Supported TLS Ciphers
- Root Server Certificates
Q. Why does West Connectivity not support plain TCP connections?
A. IoT-Devices communicate information which are expected to be true by users. Data communication over a public network, such as the Internet, has no guarantees of data integrity during the transport. In other words, data from and to your devices could easily be read and changed by anonymous 3rd party, making your product UN-TRUSTABLE.
Supported TLS Version
- TLSv1.2 (If enabled)
- TLSv1.3
By default only TLSv1.2 is supported as older versions have known security weaknesses allowing 3rd parties to impersonate your device and potentially access and compromise transmitted data.
To support legacy hardware, such legacy versions can be enabled per Connector while device maker is made fully aware of the risk.
You can check your TLS security settings robustness on https://www.ssllabs.com/ssltest/.
SNI
When making a secure TLS connection attempt to the API domain, it is required to specify the domain as the SNI field in the TLS connection request.
SNI stands for Server Name Indication, which is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which host-name it is attempting to connect to at the start of the handshaking process. This allows West Connectivity to present multiple certificates on the same IP address and provide a dedicated certificate to each of the IoT device products (aka Connectors) for high security. Most of the modern Web browsers and HTTP/MQTT clients have already supported the SNI feature behind the scenes during the TLS handshake process for secure HTTP/MQTT connections.
More technical details about SNI and TLS handshake can be found in the following references: * Server Name Indication from Wikipedia * Server Name Indication (SNI): Use Multiple SSL Certificates on One IP * What Happens in a TLS Handshake?
SNI is a standard widely supported by most implementation. See for example how to set SNI with OpenSSL
Supported TLS Ciphers
A cipher is an encryption algorithm that uses encryption keys to create a coded message. Protocols use several ciphers to encrypt data over the internet. During the connection negotiation process, the client and the server present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the server's list that matches any one of the client's ciphers is selected for the secure connection.
The following table describes the supported cipher suites for Device Connectivity.
| TLS Cipher Suites | Protocol-TLSv1 | Protocol-TLSv1.1 | Protocol-TLSv1.2 | Protocol-TLSv1.3 |
|---|---|---|---|---|
| AES128-GCM-SHA256 | * | * | * | * |
| AES128-SHA | * | * | * | * |
| AES128-SHA256 | * | * | * | * |
| AES256-GCM-SHA384 | * | * | * | * |
| AES256-SHA | * | * | * | * |
| AES256-SHA256 | * | * | * | * |
| DES-CBC-SHA | * | * | * | * |
| DES-CBC3-SHA | * | * | * | * |
| DHE-DSS-AES128-CBC-SHA | * | * | * | * |
| DHE-DSS-AES128-CBC-SHA256 | * | * | ||
| DHE-DSS-AES128-GCM-SHA256 | * | * | ||
| DHE-DSS-AES256-CBC-SHA | * | * | * | * |
| DHE-DSS-AES256-CBC-SHA256 | * | * | ||
| DHE-DSS-AES256-GCM-SHA384 | * | * | ||
| DHE-DSS-DES-CBC3-SHA | * | * | * | * |
| DHE-RSA-AES128-GCM-SHA256 | * | * | ||
| DHE-RSA-AES128-SHA | * | * | * | * |
| DHE-RSA-AES128-SHA256 | * | * | ||
| DHE-RSA-AES256-GCM-SHA384 | * | * | ||
| DHE-RSA-AES256-SHA | * | * | * | * |
| DHE-RSA-AES256-SHA256 | * | * | ||
| DHE-RSA-CHACHA20-POLY1305 | * | * | * | * |
| DHE-RSA-DES-CBC-SHA | * | * | * | * |
| DHE-RSA-DES-CBC3-SHA | * | * | * | * |
| ECDH-ECDSA-AES128-CBC-SHA | * | * | * | * |
| ECDH-ECDSA-AES128-CBC-SHA256 | * | * | ||
| ECDH-ECDSA-AES128-GCM-SHA256 | * | * | ||
| ECDH-ECDSA-AES256-CBC-SHA | * | * | * | * |
| ECDH-ECDSA-AES256-CBC-SHA384 | * | * | ||
| ECDH-ECDSA-AES256-GCM-SHA384 | * | * | ||
| ECDH-ECDSA-DES-CBC3-SHA | * | * | * | * |
| ECDH-ECDSA-RC4-SHA | * | * | * | * |
| ECDH-RSA-AES128-CBC-SHA | * | * | * | * |
| ECDH-RSA-AES128-CBC-SHA256 | * | * | ||
| ECDH-RSA-AES128-GCM-SHA256 | * | * | ||
| ECDH-RSA-AES256-CBC-SHA | * | * | * | * |
| ECDH-RSA-AES256-CBC-SHA384 | * | * | ||
| ECDH-RSA-AES256-GCM-SHA384 | * | * | ||
| ECDH-RSA-DES-CBC3-SHA | * | * | * | * |
| ECDH-RSA-RC4-SHA | * | * | * | * |
| ECDHE-ECDSA-AES128-GCM-SHA256 | * | * | ||
| ECDHE-ECDSA-AES128-SHA | * | * | * | * |
| ECDHE-ECDSA-AES128-SHA256 | * | * | ||
| ECDHE-ECDSA-AES256-GCM-SHA384 | * | * | ||
| ECDHE-ECDSA-AES256-SHA | * | * | * | * |
| ECDHE-ECDSA-AES256-SHA384 | * | * | ||
| ECDHE-ECDSA-CHACHA20-POLY1305 | * | * | * | * |
| ECDHE-ECDSA-DES-CBC3-SHA | * | * | * | * |
| ECDHE-ECDSA-RC4-SHA | * | * | * | * |
| ECDHE-RSA-AES128-GCM-SHA256 | * | * | ||
| ECDHE-RSA-AES128-SHA | * | * | * | * |
| ECDHE-RSA-AES128-SHA256 | * | * | ||
| ECDHE-RSA-AES256-GCM-SHA384 | * | * | ||
| ECDHE-RSA-AES256-SHA | * | * | * | * |
| ECDHE-RSA-AES256-SHA384 | * | * | ||
| ECDHE-RSA-CHACHA20-POLY1305 | * | * | * | * |
| ECDHE-RSA-DES-CBC3-SHA | * | * | * | * |
| ECDHE-RSA-RC4-SHA | * | * | * | * |
| RC4-MD5 | * | * | * | * |
| RC4-SHA | * | * | * | * |
| RSA-PSK-AES128-CBC-SHA | * | * | * | * |
| RSA-PSK-AES128-CBC-SHA256 | * | * | ||
| RSA-PSK-AES128-GCM-SHA256 | * | * | ||
| RSA-PSK-AES256-CBC-SHA | * | * | * | * |
| RSA-PSK-AES256-CBC-SHA384 | * | * | ||
| RSA-PSK-AES256-GCM-SHA384 | * | * | ||
| RSA-PSK-DES-CBC3-SHA | * | * | * | * |
| RSA-PSK-RC4-SHA | * | * | * | * |
| SRP-DSS-AES128-CBC-SHA | * | * | * | * |
| SRP-DSS-AES256-CBC-SHA | * | * | * | * |
| SRP-DSS-DES-CBC3-SHA | * | * | * | * |
| SRP-RSA-AES-128-CBC-SHA | * | * | * | * |
| SRP-RSA-AES-256-CBC-SHA | * | * | * | * |
| SRP-RSA-DES-CBC3-SHA | * | * | * | * |
Root Server Certificates
The root server certificates are following the ISRG Root X1
You can download the root certificate by below link,
ISRG Root X1 : .pem (Exp: 2035-06-04)