SSL Services

Revision as of 05:13, 30 March 2016 by Yellows8 (talk | contribs)

SSL service "ssl:C"

Command Header Available since system-version Available from service-sessions Description
0x00010002 1.0.0-0 Basically main-only Initialize
0x000200C2 1.0.0-0 CreateContext
0x00030000 1.0.0-0 CreateRootCertChain
0x00040040 1.0.0-0 DestroyRootCertChain
0x00050082 1.0.0-0 Main-only AddTrustedRootCA
0x00060080 1.0.0-0 Main-only RootCertChainAddDefaultCert
0x00070080 1.0.0-0 Main-only RootCertChainRemoveCert
0x00080000 1.0.0-0 This writes an output u32 to cmdreply[2](created context handle).
0x00090040 1.0.0-0 (u32 handle for a context) This is used for destroying a context created by command 0x00080000.
0x000A0082 1.0.0-0 Main-only (u32 contexthandle, u32 size, ((Size<<4) | 10), inbufptr) Writes the output cert-context-handle to cmdreply[2]. This uses a context created by command 0x00080000. This adds the specified cert to this context.
0x000B0080 1.0.0-0 Main-only (u32 contexthandle, u8 inval2) Writes an output cert-context-handle to cmdreply[2]. This uses a context created by command 0x00080000. This just returns error 0xD8A0B83D eventually.
0x000C0080 1.0.0-0 Main-only (u32 contexthandle, u32 certcontexthandle) This uses a context created by command 0x00080000. This removes the specified cert from the context.
0x000D0084 1.0.0-0 Main-only OpenClientCertContext
0x000E0040 1.0.0-0 Main-only OpenDefaultClientCertContext
0x000F0040 1.0.0-0 Main-only CloseClientCertContext
0x00100000 1.0.0-0 All GatherEntropy
0x00110042 1.0.0-0 All GenerateRandomData
0x00120042 1.0.0-0 InitializeConnectionSession
0x00130040 1.0.0-0 Context-only StartConnection
0x00140040 1.0.0-0 Context-only StartConnectionGetOut
0x00150082 1.0.0-0 Context-only Read
0x00160082 1.0.0-0 Context-only (u32 contexthandle, u32 size, ((Size<<4) | 12), outbufptr) Writes an output u32 to cmdreply[2].
0x00170082 1.0.0-0 Write
0x00180080 1.0.0-0 ContextSetRootCertChain
0x00190080 1.0.0-0 Context-only ContextSetClientCert
0x001A0080 1.0.0-0 Context-only (u32 contexthandle, u32 handle) This writes a context handle created by command 0x00080000 into the session context.
0x001B0080 1.0.0-0 Context-only ContextClearOpt
0x001C00C4 1.0.0-0 Context-only (u32 contexthandle, u32 size0, u32 size1, ((Size0<<4) | 12), outbufptr0, ((Size1<<4) | 12), outbufptr1) This copies two strings to the specified output buffers, each string is only copied if it was successfully loaded. The out sizes include the nul-terminator.
0x001D0040 1.0.0-0 Context-only (u32 contexthandle) Writes an output u32 from the context state to cmdreply[2].
0x001E0040 1.0.0-0 All DestroyContext
0x001F0082 1.0.0-0 Context-only ContextInitSharedmem
0x00200082 1.0.0-0 Context-only (contexthandle, u32 size, ((Size<<4) | 10), inbufptr) Inbuf seems to be a cert?

Going by strings in the SSL sysmodule it appears the sysmodule uses RSA BSAFE(like certain other 3DS software), this is also likely where the "ssl:C" name comes from(RSA BSAFE "SSL-C").

Similar to HTTPC, each SSL context is used with a dedicated service session which gets opened after creating that context. Following creating the context + opening the service session, SSLC:InitializeConnectionSession is used from that service session for that context. Afterwards, all commands which require a handle for this context are done with this dedicated service session.

Internally there's a separate object vtable used with the above SSLC commands, for the main session(where SSLC:InitializeConnectionSession wasn't used), and context sessions where SSLC:InitializeConnectionSession was used. Error 0xD960BBF4 will be returned if a command was used with the wrong session type.

Like some other commands, 0x001F0082 and 0x00200082 are not used by HTTP-sysmodule.

Among commands 0x00180080..0x001B0080 none of them are completely mandatory. However, with the default settings at bare minimum a RootCertChain needs selected otherwise an untrusted-RootCA error will trigger eventually.

It's unknown whether TLS server->client connections are supported.

The highest supported TLS protocol version is v1.1.

Commands 0x00080000..0x000C0080

These appear to be basically the same as the RootCertChain 0x00030000..0x00070080 commands, except with a different context. The equivalent of RootCertChainAddDefaultCert in this set(0x000B0080) is not usable however.

It's unknown what this context is actually used for.

SSLOpt

Bit(s) Description
8 ?
9 Disables server cert verification when set.
11 Use TLSv1.0.

This is the options field initialized during SSLC:CreateContext, and cleared via SSLC:ContextClearOpt. When the context is initially created, the options field initially has bitmask 0x1B set(besides the additional bits specified via SSLC:CreateContext).

Error codes

Error code Description
0xD8A0B814 Server cert verification failed since the RootCA isn't trusted.
0xD8A0B836 The specified RootCertChain handle was not found in the linked-list.