TLS

The NL200/201 supports transport layer security (TLS) for proxy functions including HTTPS. TLS versions 1.0, and 1.1 are supported. The TLS implementation supports symmetric algorithms AES-256, AES-128, and RC4 and RSA keys up to 4096 bits. For any TLS connection, the unit will preferentially use AES-256, then AES-128, and finally RC4. Certificates should be PEM (privacy-enhanced mail) format. Up to 10 certificates can be chained. 20 kB of space is provided for certificate storage. The private key should also be in PEM format and, if encrypted, use AES-256 or AES-128 (SHA).

The implementation of TLS in the NL200/201 is provided so that secure, encrypted communications can be established between a TLS client and the NL200/201. With the TLS proxy server enabled, the NL200/201 can act as a TLS proxy server for a data logger. The NL200/201TLS proxy server maintains a secure TLS connection with a remote TLS client and forwards data onto a data logger using a standard TCP connection thus enabling communications with TLS clients. The TLS client can be a web browser using HTTPS or another user-supplied TLS client. This offloads from the data logger the intensive computations that are necessary for a TLS server to perform.

Also, with the NL200/201 configured for TLS, it can establish a secure TLS configuration session with Device Configuration Utility.

In order to use TLS, the user must configure the NL200/201 with a user-supplied TLS private key and TLS certificate. The key and certificate are loaded using Device Configuration Utility.

  1. Connect to the NL200/201 in Device Configuration Utility (see Configuring the NL200/201).

  2. Navigate to the Settings Editor tab and then to the TLS tab.

  3. Load the user-supplied, PEM-formatted TLS private key using the Set TLS Key button. A file dialog will open. Navigate to the key file and click Open.

  4. Load the user-supplied, PEM-formatted TLS certificate using the Set TLS Certificate button. A file dialog will open. Navigate to the certificate file and click Open.

  5. Enter the TLS Private Key Password if the TLS private key is encrypted. Otherwise, leave the setting blank.

  6. After loading the key and certificate, click Apply. The NL200/201 will reboot. Connect with Device Configuration Utility again and navigate to the Settings Editor tab and then to the TLS tab. The TLS Status should say Initialized.

NOTE:

The TLS Settings described above cannot be edited over a standard TCP Device Configuration Utility link. The TLS Private Key, TLS Private Key Password, and TLS Certificate can only be edited/transmitted over a secure Device Configuration Utility link (USB or TLS).

NOTE:

If the status of the TLS stack is Initialized, the NL200/201 will automatically negotiate a secure TLS connection with Device Configuration Utility as long as the Use IP Connection option is selected.