6.2.3.12 setsockopt
The setsockopt
function may be used to set socket options to control the
socket behavior.
The options supported are as follows:
SO_SET_UDP_SEND_CALLBACK
– enables or disables thesend
/sendto
event callbacks. The user may want to disable thesendto
event callback for UDP sockets to enhance the socket connection throughput.IP_ADD_MEMBERSHIP
– enables subscribe to an IP Multicast address.IP_DROP_MEMBERSHIP
– enables unsubscribe to an IP Multicast address.SOL_SSL_SOCKET
– sets SSL Socket. The following are the options supported for SSL socket:SO_SSL_BYPASS_X509_VERIF
command allows opening of the SSL socket to bypass the X509 certification verification process.Example:struct sockaddr_in addr_in; int optVal =1; addr_in.sin_family = AF_INET; addr_in.sin_port = _htons(MAIN_HOST_PORT); addr_in.sin_addr.s_addr = gu32HostIp; /* Create secure socket */ if (tcp_client_socket < 0) { tcp_client_socket = socket(AF_INET, SOCK_STREAM, SOCKET_FLAGS_SSL); } /* Check if socket was created successfully */ if (tcp_client_socket == -1) { printf("socket error.\r\n"); close(tcp_client_socket); return -1; } /* Enable X509 bypass verification */ setsockopt(tcp_client_socket, SOL_SSL_SOCKET,SO_SSL_BYPASS_X509_VERIF,&optVal,sizeof(optVal)); /* If success, connect to socket */ if (connect(tcp_client_socket, (struct sockaddr *)&addr_in, sizeof(struct sockaddr_in)) != SOCK_ERR_NO_ERROR) { printf("connect error.\r\n"); return SOCK_ERR_INVALID; }
SO_SSL_SNI
command sets the Server Name Indicator (SNI). During TLS handshake process, client can indicate which hostname it is trying to connect by setting Server Name in (extended) client hello. SNI allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure websites to be served by the same IP address without requiring all of the websites to use the same certificate.SO_SSL_ENABLE_SNI_VALIDATION
enables SNI validation functionality in case SNI is set. The server name validation is disabled by default. To enable server name validation, bothSO_SSL_SNI
andSO_SSL_ENABLE_SNI_VALIDATION
must be set by the application throughsetsockopt()
as shown in the example code snippet. When the SNI validation is enabled, the SNI is compared with the common name (CN) in the received server certificate. If the supplied SNI does not match the CN, the SSL connection will be forcibly closed by the ATWINC15x0 firmware.Example:#define MAIN_HOST_NAME "www.google.com" struct sockaddr_in addr_in; int optVal =1; addr_in.sin_family = AF_INET; addr_in.sin_port = _htons(MAIN_HOST_PORT); addr_in.sin_addr.s_addr = gu32HostIp; /* Create secure socket */ if (tcp_client_socket < 0) { tcp_client_socket = socket(AF_INET, SOCK_STREAM, SOCKET_FLAGS_SSL); } /* Check if socket was created successfully */ if (tcp_client_socket == -1) { printf("socket error.\r\n"); close(tcp_client_socket); return -1; } /* set SNI on SSL Socket */ setsockopt(tcp_client_socket, SOL_SSL_SOCKET,SO_SSL_SNI, MAIN_HOST_NAME,sizeof(MAIN_HOST_NAME)); /* Enable SSL SNI validation */ setsockopt(tcp_client_socket, SOL_SSL_SOCKET, SO_SSL_ENABLE_SNI_VALIDATION,&optVal,sizeof(optVal)); /* If success, connect to socket */ if (connect(tcp_client_socket, (struct sockaddr *)&addr_in, sizeof( struct sockaddr_in)) != SOCK_ERR_NO_ERROR) { printf("connect error.\r\n"); return SOCK_ERR_INVALID; }
SO_SSL_ENABLE_SESSION_CACHING
command allows the TLS to cache the session information to speed up the future TLS session establishment.Example:struct sockaddr_in addr_in; int optVal =1; addr_in.sin_family = AF_INET; addr_in.sin_port = _htons(MAIN_HOST_PORT); addr_in.sin_addr.s_addr = gu32HostIp; /* Create secure socket */ if (tcp_client_socket < 0) { tcp_client_socket = socket(AF_INET, SOCK_STREAM, SOCKET_FLAGS_SSL); } /* Check if socket was created successfully */ if (tcp_client_socket == -1) { printf("socket error.\r\n"); close(tcp_client_socket); return -1; } /* Enable SSL Session cache */ setsockopt(tcp_client_socket, SOL_SSL_SOCKET,SO_SSL_ENABLE_SESSION_CACHING,&optVal,sizeof(optVal)); /* If success, connect to socket */ if (connect(tcp_client_socket, (struct sockaddr *)&addr_in, sizeof(struct sockaddr_in)) != SOCK_ERR_NO_ERROR) { printf("connect error.\r\n"); return SOCK_ERR_INVALID; }
Warning:
SO_SSL_BYPASS_X509_VERIF
is only provided for debugging and
testing purposes. It is NOT recommended to use this socket option in production
software applications.