HTTPS Issues

  • Hello,


    I’m using module GL865-DUAL-V3 (FW revision 16.00.152) and I’m
    facing the following issues:


    [Direct SSL Socket Connection]
    I’m using an HTTP/TCP connection under SSL where the server exposes
    web services via HTTPS with a self-signed certificate.
    I did the following steps:

    • loaded the server certificate in the module (AT#SSLSECDATA=1,1,..)
    • configured the module to manage the server certificate (AT#SSLSECCFG=1,0,1)

    When I try to establish an SSL socket connection (through the command
    AT#SSLD) I always get the error “SSL error during handshake”.


    On the other hand, everything works well if I configure the module
    to disable SSL certificate management: AT#SSLSECCFG=1,0,0


    Question: does the module support self-signed certificates?


    On the other hand, I get the same error even when I use a globally
    “recognized” certificate:

    • I got the google.co.uk CA certificate (following the procedure
      described in Telit_SSL_TLS_User_Guide_r10)
    • I loaded the above certificate in the module
    • I configured the module to manage the server certificate (AT#SSLSECCFG=1,1,1)

    When I try to establish an SSL socket connection (AT#SSLD=1,443,"google.co.uk",0,0)
    I always get the error “SSL error during handshake”.


    [HTTP SSL Socket Connection]
    In addition, I tried to use the HTTP set of commands but without luck;
    here is a piece of the log:


    AT#HTTPCFG=0,"google.co.uk",443,0,,,1,30,1
    OK
    AT#HTTPQRY=0,0,"/"
    OK
    #HTTPRING: 0,0,"",0
    #HTTPRING: 0,0,"",0


    As you can see, I always get an empty response from google.co.uk.


    NOTE: It works well if I send the same request through software
    acting as an HTTP REST client (like Postman).



    Thanks in advance for your help.
    Ivan

  • Hello Ivan,


    Answer from our Telit-Support:


    AT#CPUMODE=4 may solve the issue.
    The SSL negotiation must be performed in a certain amount of time,
    otherwise it fails. The certificate validation is a mathematically
    complex operation and it takes time, therefore a higher CPU clock helps.


    However, the negotiation speed was improved in newer SW versions, so we
    also suggest upgrading the module to a newer SW version
    (the latest is 16.01.151).


    It should work with self-signed certificates; they are no different
    from other certificates, but the correct CA certificate must be imported
    into the module, and its length is limited to 2047 bytes.
    The key length and the hashing algorithm may be the issue.
    SW version 16.00.152 supports only 1024-bit RSA keys and only the SHA-1
    hashing algorithm.
    SW version 16.01.151 supports up to 2048-bit RSA keys, and SHA-256
    was added.



    Let us know if you need more info.




    Kind Regards,

    Hüseyin
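The support reply above lists three things the module checks before it will use a stored CA certificate: the PEM text must fit in 2047 bytes, the RSA modulus must be at most 1024 bits on 16.00.152 (2048 on 16.01.151), and the signature hash must be SHA-1 (SHA-256 only from 16.01.151). The script below is an added example, not Telit or Round Solutions code, that checks a PEM file against those limits before you waste a flash cycle on AT#SSLSECDATA. It walks the DER structure with the standard library only (no `cryptography` package), so it runs anywhere Python does. The firmware table, the reading of "supports only 1024 bit" as "at most 1024 bits", and the `build_sample_cert` helper (which produces a constructed, unsigned, X.509-shaped blob so the check can run offline) are this example's assumptions; point it at a real CA file with `python check_ca.py ca.pem`.

```python
import base64

RSA_OID = "1.2.840.113549.1.1.1"
SIG_OIDS = {                                   # PKCS#1 v1.5 signature algorithm OIDs
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
MAX_PEM_BYTES = 2047                           # AT#SSLSECDATA limit quoted by support above
FW_LIMITS = {                                  # assumed: firmware -> (max RSA bits, accepted signatures)
    "16.00.152": (1024, {"sha1WithRSAEncryption"}),
    "16.01.151": (2048, {"sha1WithRSAEncryption", "sha256WithRSAEncryption"}),
}

# ---- minimal DER reader, just enough to walk an X.509 certificate ----
def der_read(buf, pos=0):
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = der_read(content, pos)
        out.append((tag, value))
    return out

def decode_oid(content):
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:                      # base-128 arcs, high bit marks continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    lines = [l.strip() for l in pem.splitlines()]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))

def inspect_certificate(pem):
    """Return the fields the module constrains: PEM size, key type/bits, signature algorithm."""
    tbs, sig_alg, _sig = der_children(der_read(pem_to_der(pem))[1])
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                   # explicit [0] version tag present (v2/v3)
        fields = fields[1:]
    spki = der_children(fields[5][1])          # serial, sigAlg, issuer, validity, subject, SPKI
    key_oid = decode_oid(der_children(spki[0][1])[0][1])
    info = {"pem_bytes": len(pem.encode()), "key_alg": key_oid, "key_bits": None,
            "sig_alg": SIG_OIDS.get(decode_oid(der_children(sig_alg[1])[0][1]), "unknown")}
    if key_oid == RSA_OID:
        rsa_key = der_read(spki[1][1][1:])[1]  # BIT STRING: skip the unused-bits byte
        modulus = der_children(rsa_key)[0][1]  # RSAPublicKey ::= SEQUENCE { n, e }
        info["key_alg"], info["key_bits"] = "rsa", int.from_bytes(modulus, "big").bit_length()
    return info

def check_for_firmware(info, fw):
    """List everything that would make this certificate unusable on the given firmware."""
    max_bits, accepted = FW_LIMITS[fw]
    problems = []
    if info["pem_bytes"] > MAX_PEM_BYTES:
        problems.append("PEM is %d bytes, limit is %d" % (info["pem_bytes"], MAX_PEM_BYTES))
    if info["key_alg"] != "rsa":
        problems.append("key is not RSA (%s)" % info["key_alg"])
    elif info["key_bits"] > max_bits:
        problems.append("RSA key is %d bits, %s accepts at most %d" % (info["key_bits"], fw, max_bits))
    if info["sig_alg"] not in accepted:
        problems.append("signature %s not accepted on %s" % (info["sig_alg"], fw))
    return problems

# ---- DER writer, used only to construct a sample "certificate" for offline runs ----
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        group = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            group.append(0x80 | (arc & 0x7F))
        out.extend(reversed(group))
    return bytes(out)

def der_int(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return der_tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)

def build_sample_cert(key_bits, sig_oid):
    """Constructed X.509-shaped blob: empty names, zero signature, fake modulus of the
    requested size. Not a valid certificate; it only exercises the walk above."""
    alg = der_tlv(0x30, der_tlv(0x06, encode_oid(sig_oid)) + der_tlv(0x05, b""))
    rsa_key = der_tlv(0x30, der_int((1 << (key_bits - 1)) | 1) + der_int(65537))
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, encode_oid(RSA_OID)) + der_tlv(0x05, b""))
                   + der_tlv(0x03, b"\x00" + rsa_key))
    empty = der_tlv(0x30, b"")                 # stands in for issuer, validity and subject
    tbs = der_tlv(0x30, der_tlv(0xA0, der_int(2)) + der_int(1) + alg + empty * 3 + spki)
    der = der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 33))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_cert(2048, "1.2.840.113549.1.1.11")
    for fw in FW_LIMITS:
        print(fw, check_for_firmware(inspect_certificate(pem), fw) or "OK")
```

A root that passes on 16.01.151 but not on 16.00.152 is exactly the situation the thread describes: a 2048-bit, SHA-256-signed CA (which is what most public roots have been for years) fails the handshake on the older firmware with no more detail than "SSL error during handshake", so running this check first tells you whether to look at the certificate or at the module.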

  • Hi Huseyin,
    thanks for answering.


    First of all I would like to know what's the right (I suppose the latest in order of time) firmware version for GL865-DUAL-V3.
    I got the most recent (in terms of date) directly from the (private) Telit Download Zone, precisely the 16.00.xx2:

    SW 16.00.xx2
    Telit GL865-DUAL V3
    28-01-2015

    SW 16.01.xx1
    Telit GL865-DUAL V3
    05-12-2014


    Are you sure that xx1 is the newest firmware?



    Also, AT#CPUMODE=4 doesn't help:

    • AT#HTTPQRY always times out
    • AT#SSLD always gives the same error: +CME ERROR: SSL error during handshake


    Thanks
    Ivan

  • Hi Ivan,


    xx1 is the newest/latest version because in 16.01.xx1 there is a one before the last dot.
    You are right, there is a mistake with the date in the Telit Download Zone, but here is the right version history:


    newest
    16.01.xx1
    16.01.xx0
    16.00.xx3
    16.00.xx2
    oldest


    so please first try version 16.01.xx1 and let me know if your issue still exists.


    Kind regards,


    Hüseyin

  • Hi Huseyin,
    you're right, I downloaded and flashed the xx1.
    Anyway, I still have some unexpected behavior.


    [AT#HTTPQRY]
    The AT#HTTPQRY command now works BUT only if I set anonymous SSL handling (AT#SSLSECCFG=1,0,0).
    If I try to manage server authentication (AT#SSLSECCFG=1,0,1) I receive the error "+CME ERROR: connection failed" (before I got a timeout).


    [AT#SSLD]
    AT#SSLD behaves the same as before; I always get "+CME ERROR: SSL error during handshake".
    I tried with a self-signed server and with a server using a "recognized" certificate, no difference.


    It seems there's no way to work with the server authentication mode.


    Thanks for your help.


    Ivan

  • Hi Ivan,


    Have you set AT#CPUMODE to 4?
    Maybe you are not using the correct certificate.
    Can you share with us the CA certificate that you are using
    and the server that you are trying to connect to?
    An AT log should be just fine, if the certificate import is also visible in it.


    Please send the requested information to ts(at)roundsolutions.com


    Thank you.


    Hüseyin

  • Hi,
    I am using the below model and software version.



    Model: UL865-EUD


    SW version: 12.00.618


    Can we use the [HTTP SSL Socket Connection] implementation?

    Is HTTP SSL Socket Connection supported for the above model and firmware version?


    Regards,
    John

  • Hi Hüseyin,


    Thank you so much for the reply. I am trying to connect to an SSL server but it shows an error.


    I am using the below commands:

    AT#SCFG=1,1,1000,90,100,50
    AT#SSLEN=1,0
    AT#SSLEN=1,1
    AT#SSLSECCFG=1,0,1
    AT#SSLCFG=1,1,1000,90,100,50
    AT#SSLSECDATA=1,1,1,1143
    AT#SSLD=1,443,"www.google.co.uk",0,0


    All commands show OK, and the certificate is stored successfully, but the SSLD command always gives an error.


    I tried the AT#CPUMODE=4 command; this also gives an error. I am using the below module and software version.
    Model: UL865-EUD
    SW version: 12.00.618


    Can you please help to solve this issue.


    Regards,
    John

  • Hi John,


    Try sending AT+CMEE=2 to check whether you get a verbose error response that could explain what the problem is when the connection fails. It could be an error during the handshake, or the module may not be able to connect at all.
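The advice above (turn on verbose errors, then see which command fails and why) is easier to act on when the whole sequence is driven by a script that stops at the first non-OK result instead of a terminal where every command "shows OK". The following is an added example written for this thread, not code from Telit, Round Solutions or the posters. It replays John's command list with AT+CMEE=2 sent first, answers the AT#SSLSECDATA data prompt with the certificate text, and reports the failing command together with the verbose +CME ERROR text. The serial port is replaced by a constructed fake whose canned replies are taken from the messages quoted in the thread; the assumption that AT#SSLSECDATA answers with a `>` prompt and then expects exactly `<Size>` bytes of PEM follows the Telit SSL/TLS User Guide and is this example's, as is the placeholder certificate string. On real hardware, replace `FakeModem` with a pyserial port whose `write`/`readline` use CR-LF framing.

```python
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"  # constructed, not a real cert

class FakeModem:
    """Constructed stand-in for the serial port: every line written is looked up in a
    script of canned replies, so the whole session runs offline."""
    def __init__(self, script):
        self.script, self.sent, self._pending = script, [], []
    def write(self, text):
        self.sent.append(text)
        self._pending = list(self.script.get(text, ["ERROR"]))
    def readline(self):
        return self._pending.pop(0) if self._pending else ""

def parse_final(line):
    """Classify a response line: ('ok', None), ('error', <text>), or (None, None) for info/URC lines."""
    if line == "OK":
        return "ok", None
    if line == "ERROR":
        return "error", "ERROR"              # plain form; AT+CMEE=2 is what turns this into text
    if line.startswith("+CME ERROR:"):
        return "error", line.split(":", 1)[1].strip()
    return None, None

def send_command(modem, cmd, payload=None, max_lines=50):
    """Send one command; if the module answers '>' and a payload is given, send the payload
    (assumed AT#SSLSECDATA behaviour). Returns (status, error_text, intermediate_lines)."""
    modem.write(cmd)
    info = []
    for _ in range(max_lines):
        line = modem.readline()
        if line == ">" and payload is not None:
            modem.write(payload)
            payload = None
            continue
        status, err = parse_final(line)
        if status:
            return status, err, info
        if line:
            info.append(line)                # e.g. #HTTPRING or other URCs
    return "error", "no final result within %d lines" % max_lines, info

def run_sequence(modem, steps):
    """Run (command, payload) steps in order and stop at the first failure.
    Returns (all_ok, failed_command, error_text)."""
    for cmd, payload in steps:
        status, err, _ = send_command(modem, cmd, payload)
        if status != "ok":
            return False, cmd, err
    return True, None, None

STEPS = [
    ("AT+CMEE=2", None),                                    # verbose errors before anything else
    ("AT#SSLEN=1,1", None),
    ("AT#SSLSECCFG=1,0,1", None),                           # server authentication on
    ("AT#SSLSECDATA=1,1,1,%d" % len(SAMPLE_CA), SAMPLE_CA), # store CA cert, <Size> in bytes
    ('AT#SSLD=1,443,"www.google.co.uk",0,0', None),
]
# Canned replies constructed from the messages quoted in this thread.
SCRIPT = {
    "AT+CMEE=2": ["OK"], "AT#SSLEN=1,1": ["OK"], "AT#SSLSECCFG=1,0,1": ["OK"],
    STEPS[3][0]: [">"], SAMPLE_CA: ["OK"],
    STEPS[4][0]: ["+CME ERROR: SSL error during handshake"],
}

def demo():
    return run_sequence(FakeModem(SCRIPT), STEPS)

if __name__ == "__main__":
    ok, cmd, err = demo()
    print("all OK" if ok else "%s failed: %s" % (cmd, err))
```

The run stops at AT#SSLD with "SSL error during handshake" rather than a bare ERROR, which is the distinction the reply above is after: "connection failed" means the TCP side never came up, while a handshake error means the socket opened and the certificate check or cipher negotiation is what rejected it.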