Infineon/mtb-example-psoc-edge-wifi-secure-tcp-server

PSOC™ Edge MCU: Wi-Fi secure TCP server

This code example demonstrates the implementation of a secure TCP server with Infineon's PSOC™ Edge E84 MCU and AIROC™ CYW55513 Wi-Fi & Bluetooth® combo chip.

In this example, the TCP server establishes a secure connection with a TCP client through an SSL handshake. Once the SSL handshake completes successfully, the server lets you send LED on/off commands to the TCP client. The client responds by sending an acknowledgement message to the server. The Wi-Fi device can be brought up in either STA (station) interface or softAP (access point) interface mode. This example can be configured to work with IPv4 or link-local IPv6 addressing mode.

This example uses the Wi-Fi Core FreeRTOS lwIP Mbed TLS library of the SDK. This library enables application development based on Wi-Fi, by pulling wifi-connection-manager, FreeRTOS, lwIP, Mbed TLS, secure sockets, and other dependent modules. The secure sockets library provides an easy-to-use API by abstracting the network stack (lwIP) and the security stack (Mbed TLS).

This code example has a three-project structure: CM33 secure, CM33 non-secure, and CM55 projects. All three projects are programmed to the external QSPI flash and executed in Execute in Place (XIP) mode. Extended boot launches the CM33 secure project from a fixed location in the external flash, which then configures the protection settings and launches the CM33 non-secure application. Additionally, the CM33 non-secure application enables the CM55 CPU and launches the CM55 application.

See the Design and implementation for the functional description of this code example.

Requirements

  • ModusToolbox™ v3.6 or later (tested with v3.6)
  • Board support package (BSP) minimum required version: 1.0.0
  • Programming language: C
  • Associated parts: All PSOC™ Edge MCU parts

Supported toolchains (make variable 'TOOLCHAIN')

  • GNU Arm® Embedded Compiler v14.2.1 (GCC_ARM) – Default value of TOOLCHAIN
  • Arm® Compiler v6.22 (ARM)
  • IAR C/C++ Compiler v9.50.2 (IAR)
  • LLVM Embedded Toolchain for Arm® v19.1.5 (LLVM_ARM)

Supported kits (make variable 'TARGET')

Hardware setup

This example uses the board's default configuration. See the kit user guide to ensure that the board is configured correctly.

Ensure the following jumper and pin configuration on board.

  • BOOT SW must be in the HIGH/ON position
  • J20 and J21 must be in the tristate/not connected (NC) position

Note: This hardware setup is not required for KIT_PSE84_AI.

Software setup

See the ModusToolbox™ tools package installation guide for information about installing and configuring the tools package.

Python: Download Python v3.8-3.12 from the official Python website. After installation, add the Python directory to your system path environment variables. This lets you easily run Python commands from anywhere in your terminal.

Install a terminal emulator if you do not have one. Instructions in this document use Tera Term.

This example requires no additional software or tools.

Operation

See Using the code example for instructions on creating a project, opening it in various supported IDEs, and performing tasks, such as building, programming, and debugging the application within the respective IDEs.

  1. Connect the board to your PC using the provided USB cable through the KitProg3 USB connector

  2. Configure the kit to run either in Wi-Fi STA or AP interface mode using the USE_AP_INTERFACE macro defined in the network_credentials.h file. Follow the steps for the desired interface mode:

    • STA mode (default interface):

      1. Set the USE_AP_INTERFACE macro to 0; this is the default mode

      2. Modify the WIFI_SSID, WIFI_PASSWORD, and WIFI_SECURITY_TYPE macros to match the credentials of the Wi-Fi network that you want to connect to. These macros are defined in the network_credentials.h file. Ensure the Wi-Fi network that you are connecting to is configured as a private network for the proper functioning of this example

    • AP mode:

      1. Set the USE_AP_INTERFACE macro to 1

      2. Update SOFTAP_SSID, SOFTAP_PASSWORD, and SOFTAP_SECURITY_TYPE as desired. This step is optional

  3. Configure the IP addressing mode. By default, IPv4-based addressing is used. To use IPv6 addressing mode, set the USE_IPV6_ADDRESS macro defined in the secure_tcp_server.h file as follows:

    #define USE_IPV6_ADDRESS    (1)
    
  4. Open a terminal program and select the KitProg3 COM port. Set the serial port parameters to 8N1 and 115200 baud

  5. After programming, the application starts automatically. Confirm that the text shown in any of the following figures is displayed on the UART terminal. Note that the assigned Wi-Fi SSID and IP address will be different based on the network that you have connected to; in AP mode, the AP credentials will be different based on your configuration in Step 2.

    Figure 1 shows the Wi-Fi connection status in STA mode using IPv4 address.

    Figure 1. UART terminal showing the Wi-Fi connection status (IPv4 address and STA mode)


    Figure 2 shows Wi-Fi connection status in STA mode using IPv6 address.

    Figure 2. UART terminal showing the Wi-Fi connection status (IPv6 address and STA mode)


    Figure 3 shows Wi-Fi connection status in AP mode using IPv4 address.

    Figure 3. UART terminal showing the Wi-Fi connection status (IPv4 address and AP mode)

    Similarly, when the CE is configured for IPv6 and AP mode, the IPv4 address displayed in Figure 3 will be replaced by the IPv6 address.

  6. Connect your PC to the Wi-Fi AP that you have configured in Step 2:

    • In STA mode: Connect the computer to the same AP to which the kit is connected

    • In AP mode: Connect the computer to the kit's AP

    Make a note of the IP address assigned to the kit. Note that the type of IP address (IPv4 or IPv6) assigned is based on the IP addressing mode configured in Step 3

  7. From the project directory ({project directory}/proj_cm33_ns/python-tcp-secure-client folder), open a command shell and run the Python TCP secure client (tcp_secure_client.py). In the command shell opened in the project directory, type in one of these commands based on the IP addressing mode configuration:

    • For IPv4-based addressing:

      python tcp_secure_client.py ipv4 <IPv4 address of the kit>
      
    • For IPv6-based addressing:

      python tcp_secure_client.py ipv6 <IPv6 address of the kit>
      

      Note: Ensure that the firewall settings of your computer allow Python access to communicate with the TCP server. For more details on enabling Python access, see this community thread

  8. Once the connection has been established, press the user button (USER_BTN1) to send an LED on or off command to the Python TCP client

    Each user button press will issue the LED on or off commands alternately. The client in turn sends an acknowledgement message back to the server.

    Figure 4 shows the TCP server output in IPv4 addressing mode, when the CE is configured in STA mode.

    Figure 4. TCP server output - STA mode (IPv4 addressing mode)


    Figure 5 shows the TCP server output in IPv4 addressing mode, when the CE is configured in AP mode.

    Figure 5. TCP server output - AP mode (IPv4 addressing mode)


    Figure 6 shows the TCP client output using the Python script in IPv4 addressing mode for both AP and STA modes.

    Figure 6. TCP client output (IPv4 addressing mode)


    Figure 7 shows the TCP server output in IPv6 addressing mode, when the CE is configured in STA mode.

    Figure 7. TCP server output - STA mode (IPv6 addressing mode)


    Figure 8 shows the TCP client output using the Python script in IPv6 addressing mode for both AP and STA modes.

    Figure 8. TCP client output (IPv6 addressing mode) - using Python script


    Similarly, when the CE is configured in AP and IPv6 mode, the only difference from Figure 5 is the IPv6 address being displayed instead of IPv4.

    Note: Instead of using the Python TCP client (tcp_secure_client.py), you can alternatively use the 'mtb-example-psoc-edge-wifi-secure-tcp-client' example to run as the TCP client on the second kit. See the code example documentation to learn how to use the example. When using two devices, they will be assigned the same MAC address by default, preventing them from connecting to the same Wi-Fi network. To resolve this, update the NVRAM_GENERATED_MAC_ADDRESS value in the generated_mac_address.txt file located in WHD to assign a unique MAC address to each device.

Wi-Fi throughput

This code example is configured to run on the CM33 core at a frequency of 200 MHz, out of the external flash memory. However, this setup may result in lower throughput compared to running the code in internal memory (SRAM).

For optimal performance, it is recommended to run the code example on the CM55 core at 400 MHz, leveraging the internal memory (i.e., System SRAM/SoCMEM). For guidance on achieving better throughput, see the README file of the Wi-Fi Bluetooth tester (mtb-psoc-edge-wifi-bluetooth-tester) application.

Creating a self-signed SSL certificate

The TCP server demonstrated in this example uses a self-signed SSL certificate. Generating it requires OpenSSL, which is already preloaded with the ModusToolbox™ installation. A self-signed SSL certificate means that no third-party certificate-issuing authority (CA) is involved in server authentication. Clients connecting to the server must have an exact copy of the SSL certificate to verify the server's identity.

Perform the following to generate a self-signed SSL certificate:

Generate SSL certificate and private key

  1. Run the following command within a CLI (on Windows, use the command line "modus-shell" program provided in the ModusToolbox™ installation instead of a standard Windows command line application) to generate the CA certificate. Follow the instructions in the command window to provide the details required

    openssl ecparam -name prime256v1 -genkey -noout -out root_ca.key
    openssl req -new -x509 -sha256 -key root_ca.key -out root_ca.crt
    
  2. Generate the server key pair and server certificate (signed using the CA certificate from Step 1). Follow the instructions in the command window to provide the details required

    openssl ecparam -name prime256v1 -genkey -noout -out server.key
    openssl req -new -sha256 -key server.key -out server.csr
    openssl x509 -req -in server.csr -CA root_ca.crt -CAkey root_ca.key -CAcreateserial -out server.crt -days 1000 -sha256
    
  3. Follow the instructions in the command window to provide the details required for creating the SSL certificate and private key

    The server.crt file is your server's certificate and server.key is your server's private key

Note: Make sure that the host name in the Python script (tcp_secure_client.py) matches the common name (CN) used while creating the server key pair and server certificate using these commands.
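
The checks below are an added example, not part of the Infineon repository: they confirm that the files produced in Steps 1 and 2 form a usable set (chain to the CA, matching key pair, host name as required by the note above, and expiry). The `-subj` values, the host name `psoc-server.example`, and the function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the Infineon repository. Subject names are constructed.

# Steps 1-2 run non-interactively: same commands, with -subj replacing the prompts.
make_constructed_pki() {   # args: <dir> <server common name>
    local dir="$1" cn="$2"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/root_ca.key" &&
    openssl req -new -x509 -sha256 -key "$dir/root_ca.key" -out "$dir/root_ca.crt" \
        -subj "/CN=Constructed Root CA" &&
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server.key" &&
    openssl req -new -sha256 -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$cn" &&
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/root_ca.crt" \
        -CAkey "$dir/root_ca.key" -CAcreateserial -out "$dir/server.crt" \
        -days 1000 -sha256 2>/dev/null
}

# Returns 0 only if every check passes; prints the first failing check.
check_server_cert() {      # args: <dir> <host name the client will verify>
    local dir="$1" host="$2" cert_pub key_pub f

    # 1. server.crt must chain to root_ca.crt.
    openssl verify -CAfile "$dir/root_ca.crt" "$dir/server.crt" >/dev/null 2>&1 ||
        { echo "FAIL: server.crt is not signed by root_ca.crt"; return 1; }

    # 2. server.key must be the private half of the key certified in server.crt.
    cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: server.key does not match server.crt"; return 1; }

    # 3. The host name the client verifies must match the certificate.
    openssl x509 -in "$dir/server.crt" -noout -checkhost "$host" |
        grep -q "does match" ||
        { echo "FAIL: '$host' does not match the certificate"; return 1; }

    # 4. Neither certificate may expire within the next 24 hours. Step 1 passes
    #    no -days, so root_ca.crt gets OpenSSL's default 30-day validity.
    for f in root_ca.crt server.crt; do
        openssl x509 -in "$dir/$f" -noout -checkend 86400 >/dev/null ||
            { echo "FAIL: $f is expired or expires within a day"; return 1; }
    done
    echo "OK"
}

demo_dir=$(mktemp -d)
make_constructed_pki "$demo_dir" "psoc-server.example" &&
    check_server_cert "$demo_dir" "psoc-server.example"
```

To check your own files, call `check_server_cert` with the directory that holds root_ca.crt, server.crt, and server.key and the host name set in tcp_secure_client.py.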

Related resources

| Resources | Links |
|---|---|
| Application notes | AN235935 – Getting started with PSOC™ Edge E8 MCU on ModusToolbox™ software |
| | AN236697 – Getting started with PSOC™ MCU and AIROC™ Connectivity devices |
| Code examples | Using ModusToolbox™ on GitHub |
| Device documentation | PSOC™ Edge MCU datasheets |
| | PSOC™ Edge MCU reference manuals |
| Development kits | Select your kits from the Evaluation board finder |
| Libraries | mtb-dsl-pse8xxgp – Device support library for PSE8XXGP |
| | retarget-io – Utility library to retarget STDIO messages to a UART port |
| | wifi-core-freertos-lwip-mbedtls – This repo includes core components needed for Wi-Fi connectivity support. The library bundles FreeRTOS, lwIP TCP/IP stack, Mbed TLS for security, Wi-Fi host driver (WHD), Wi-Fi Connection Manager (WCM), secure sockets, connectivity utilities, and configuration files |
| Tools | ModusToolbox™ – ModusToolbox™ software is a collection of easy-to-use libraries and tools enabling rapid development with Infineon MCUs for applications ranging from wireless and cloud-connected systems, edge AI/ML, embedded sense and control, to wired USB connectivity using PSOC™ Industrial/IoT MCUs, AIROC™ Wi-Fi and Bluetooth® connectivity devices, XMC™ Industrial MCUs, and EZ-USB™/EZ-PD™ wired connectivity controllers. ModusToolbox™ incorporates a comprehensive set of BSPs, HAL, libraries, configuration tools, and provides support for industry-standard IDEs to fast-track your embedded application development |

Other resources

Infineon provides a wealth of data at www.infineon.com to help you select the right device, and quickly and effectively integrate it into your design.

Document history

Document title: CE239497 – PSOC™ Edge MCU: Wi-Fi secure TCP server

| Version | Description of change |
|---|---|
| 1.x.0 | New code example<br>Early access release |
| 2.0.0 | GitHub release |

All referenced product or service names and trademarks are the property of their respective owners.

The Bluetooth® word mark and logos are registered trademarks owned by Bluetooth SIG, Inc., and any use of such marks by Infineon is under license.

PSOC™, formerly known as PSoC™, is a trademark of Infineon Technologies. Any references to PSoC™ in this document or others shall be deemed to refer to PSOC™.


© Cypress Semiconductor Corporation, 2023-2025. This document is the property of Cypress Semiconductor Corporation, an Infineon Technologies company, and its affiliates ("Cypress"). This document, including any software or firmware included or referenced in this document ("Software"), is owned by Cypress under the intellectual property laws and treaties of the United States and other countries worldwide. Cypress reserves all rights under such laws and treaties and does not, except as specifically stated in this paragraph, grant any license under its patents, copyrights, trademarks, or other intellectual property rights. If the Software is not accompanied by a license agreement and you do not otherwise have a written agreement with Cypress governing the use of the Software, then Cypress hereby grants you a personal, non-exclusive, nontransferable license (without the right to sublicense) (1) under its copyright rights in the Software (a) for Software provided in source code form, to modify and reproduce the Software solely for use with Cypress hardware products, only internally within your organization, and (b) to distribute the Software in binary code form externally to end users (either directly or indirectly through resellers and distributors), solely for use on Cypress hardware product units, and (2) under those claims of Cypress's patents that are infringed by the Software (as provided by Cypress, unmodified) to make, use, distribute, and import the Software solely for use with Cypress hardware products. Any other use, reproduction, modification, translation, or compilation of the Software is prohibited.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CYPRESS MAKES NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THIS DOCUMENT OR ANY SOFTWARE OR ACCOMPANYING HARDWARE, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. No computing device can be absolutely secure. Therefore, despite security measures implemented in Cypress hardware or software products, Cypress shall have no liability arising out of any security breach, such as unauthorized access to or use of a Cypress product. CYPRESS DOES NOT REPRESENT, WARRANT, OR GUARANTEE THAT CYPRESS PRODUCTS, OR SYSTEMS CREATED USING CYPRESS PRODUCTS, WILL BE FREE FROM CORRUPTION, ATTACK, VIRUSES, INTERFERENCE, HACKING, DATA LOSS OR THEFT, OR OTHER SECURITY INTRUSION (collectively, "Security Breach"). Cypress disclaims any liability relating to any Security Breach, and you shall and hereby do release Cypress from any claim, damage, or other liability arising from any Security Breach. In addition, the products described in these materials may contain design defects or errors known as errata which may cause the product to deviate from published specifications. To the extent permitted by applicable law, Cypress reserves the right to make changes to this document without further notice. Cypress does not assume any liability arising out of the application or use of any product or circuit described in this document. Any information provided in this document, including any sample design information or programming code, is provided only for reference purposes. It is the responsibility of the user of this document to properly design, program, and test the functionality and safety of any application made of this information and any resulting product. "High-Risk Device" means any device or system whose failure could cause personal injury, death, or property damage. 
Examples of High-Risk Devices are weapons, nuclear installations, surgical implants, and other medical devices. "Critical Component" means any component of a High-Risk Device whose failure to perform can be reasonably expected to cause, directly or indirectly, the failure of the High-Risk Device, or to affect its safety or effectiveness. Cypress is not liable, in whole or in part, and you shall and hereby do release Cypress from any claim, damage, or other liability arising from any use of a Cypress product as a Critical Component in a High-Risk Device. You shall indemnify and hold Cypress, including its affiliates, and its directors, officers, employees, agents, distributors, and assigns harmless from and against all claims, costs, damages, and expenses, arising out of any claim, including claims for product liability, personal injury or death, or property damage arising from any use of a Cypress product as a Critical Component in a High-Risk Device. Cypress products are not intended or authorized for use as a Critical Component in any High-Risk Device except to the limited extent that (i) Cypress's published data sheet for the product explicitly states Cypress has qualified the product for use in a specific High-Risk Device, or (ii) Cypress has given you advance written authorization to use the product as a Critical Component in the specific High-Risk Device and you have signed a separate indemnification agreement.
Cypress, the Cypress logo, and combinations thereof, ModusToolbox, PSoC, CAPSENSE, EZ-USB, F-RAM, and TRAVEO are trademarks or registered trademarks of Cypress or a subsidiary of Cypress in the United States or in other countries. For a more complete list of Cypress trademarks, visit www.infineon.com. Other names and brands may be claimed as property of their respective owners.
