How to generate the HTTPS certificates for a site with basic authentication? | Telit Cinterion IoT Developer Community
July 20, 2015 - 1:27pm, 14299 views
I am trying to connect to a REST service on an HTTPS server. I do have the certificate chain in PEM, but am still not able to make a successful connection.
Here is how I proceeded:
I added the certificates, the jad and the jar to flash:
Then go over to add the AT commands:
at^sjmsec?
^SJMSEC: 1,0,1,0
OK
Everything is disabled, so far so good. Enable HTTPS unsecured mode and add the certificates:
at^sjmsec="cmd",0B00310001000500020001
OK
at^sjmsec="file",AddHttpsCertificate.bin
OK
at^sjmsec="file",AddHttpsClientCertificateUntrusted.bin
OK
at^sjmsec?
^SJMSEC: 1,1,1,1
OK
Now HTTPS is on for untrusted mode and the certificates are added.
But after starting the midlet I still get that error and have no idea where exactly the problem is (I guess it's the certificate):
System out:
Open page: https://... .com/...
Connection state: UP
-213 SSL-Error: revcd alert fatal error IOE is trown
java.io.IOException: -213 SSL-Error: revcd alert fatal error
- com.sun.midp.ssl.SSLStreamConnection.GenerateException(), bci=82
- com.sun.midp.ssl.SSLStreamConnection.<init>(), bci=264
- com.sun.midp.io.j2me.https.Protocol.connect(), bci=198
- com.sun.midp.io.j2me.http.Protocol.streamConnect(), bci=108
- com.sun.midp.io.j2me.http.Protocol.startRequest(), bci=7
- com.sun.midp.io.j2me.http.Protocol.sendRequest(), bci=33
- com.sun.midp.io.j2me.http.Protocol.sendRequest(), bci=3
- com.sun.midp.io.j2me.http.Protocol.openInputStream(), bci=6
- com.sun.midp.io.ConnectionBaseAdapter.openDataInputStream(), bci=5
- com.fastprk.FastPrk.getViaHttpsConnection(FastPrk.java:374)
- com.fastprk.FastPrk.startApp(FastPrk.java:330)
- javax.microedition.midlet.MIDletTunnelImpl.callStartApp(), bci=1
- com.sun.midp.midlet.MIDletPeer.startApp(), bci=5
- com.sun.midp.midlet.MIDletStateHandler.startSuite(), bci=261
- com.sun.midp.main.AbstractMIDletSuiteLoader.startSuite(), bci=38
- com.sun.midp.main.CldcMIDletSuiteLoader.startSuite(), bci=5
- com.sun.midp.main.AbstractMIDletSuiteLoader.runMIDletSuite(), bci=134
- com.sun.midp.main.AppIsolateMIDletSuiteLoader.main(), bci=26
Is there a straight way to generate the right certificates?
E.g. starting with downloading it from the browser:
Maybe a basic example with e.g. facebook.com would be interesting.
BTW that is the code:
import java.io.IOException;
import java.io.InputStream;
import javax.microedition.io.Connector;
import javax.microedition.io.HttpConnection;
import javax.microedition.io.HttpsConnection;
import javax.microedition.pki.CertificateException;

protected void startApp() {
    System.out.println("startApp begin");
    initGsm();
    // ...
    System.out.println("Open page: " + httpsUrl);
    try {
        getViaHttpsConnection(httpsUrl);
        if (!followUrl.equalsIgnoreCase(""))
            getViaHttpsConnection(followUrl);
    } catch (CertificateException ce) {
        // Thrown by the MIDP stack when the server certificate fails validation
        System.out.println(ce.getMessage() + " CE is trown");
        ce.printStackTrace();
    } catch (IOException ioe) {
        // Other transport/TLS failures (e.g. the -213 SSL alert) arrive here
        System.out.println(ioe.getMessage() + " IOE is trown");
        ioe.printStackTrace();
    }
}

void getViaHttpsConnection(String url) throws CertificateException, IOException {
    HttpsConnection c = null;
    InputStream is = null;
    try {
        c = (HttpsConnection) Connector.open(url);
        c.setRequestProperty("Accept", "application/json");
        // HTTP Basic authentication: base64("user:password") prepared elsewhere
        c.setRequestProperty("Authorization", "Basic " + nameAndPwdBase64);
        is = c.openDataInputStream();
        if (c.getResponseCode() == HttpConnection.HTTP_OK) {
            // Get the length and process the data
            int len = (int) c.getLength();
            if (len > 0) {
                byte[] data = new byte[len];
                // read() may return fewer bytes than requested; loop until the
                // whole body has arrived or the stream ends
                int off = 0;
                while (off < len) {
                    int n = is.read(data, off, len - off);
                    if (n < 0) break;
                    off += n;
                }
            } else {
                System.out.println("Data: ");
                int ch;
                // ..
            }
            System.out.println("Message: " + c.getResponseMessage()
                    + " Type: " + c.getType());
        } else {
            System.out.println("Error code: " + c.getResponseCode()
                    + " Message: " + c.getResponseMessage()
                    + " Type: " + c.getType());
        }
    } finally {
        if (is != null) {
            is.close();
        }
        if (c != null) {
            c.close();
        }
    }
}
Hello,
So there's both server and client authentication activated.
Generally in case of certificate errors CertificateException should be thrown.
Maybe it would be good to test the application with some other server or try some tracing on server side or check connections with server authentication and client authentication separately.
What module are you using, can you check ATI1 reply?
Regards,
Bartłomiej
Hello,
we're using EHS5-Terminals:
ati1
Cinterion
EHS5-E
REVISION 02.000
A-REVISION 00.000.15
Hello,
could it be a TLS/SSL version problem?
An HTTPS-experienced developer told me that SSL 3.0 has been obsolete since the beginning of 2015. Can this be our problem?
If yes, should we do an update of the firmware?
best regards
André
Hello again,
The provider wrote us the following: "From our side we do not use a client certificate, so it wouldn't be a problem."
What does this mean?
Best regards
André
Hello,
In the AT commands manual I find: "For HTTP only simple authentication is supported"
Does it mean the same as "Basic Auth"? (which is what we need)
Thx and best regards
André
Hello,
I tried out with xca tool:
- AddHttpsCertificateUntrusted.bin (here I used the server certificate, converted to the DER format)
- AddHttpsClientCertificateUntrusted.bin (a self-generated certificate with the private key file converted to PEM format)
with untrusted mode --> It doesn't work. (I mean the https connection)
Maybe I have to use trusted mode. For this I have to prepare the same as above but with the trusted commands. For it to work with jseccmd.jar it seems that I have to build a keystore - I don't understand why. I use the xca GUI tool proposed by you.
Can you help in that point: How to setup a keystore if needed?
Hello,
There's quite a fresh update for your firmware. But I don't think that this is a problem here.
According to the documentation SSL 3.0 is supported.
What do you mean by "provider" - is it the https REST service provider? If so, my understanding is that they do not validate the client's certificate - so this might be the source of the problem, because you have activated the client's certificate to be validated by the server (in that case you should have also provided the public key to the server administrators). So I'd deactivate this on the module.
Simple authentication for HTTP has nothing to do with certificates - it's just a login and password that must be provided by the user.
You don't need to generate your own keystore and certificate if you only need to connect to the server which already has its own certificate and doesn't require to validate yours.
Best regards,
Bartłomiej
Hello,
thanks a lot.
I agree, it seems not to be a problem with the certificate (I learned a lot during the last few days from specialists and by trial). But yesterday we found out that the https sites with sha1 (signature algorithm) like facebook.com work, but those with sha256 like our cloud service and google, microsoft (azure) don't.
Maybe a firmware update will support this?
Where can I get the latest firmware? (For us in Switzerland Celphone is responsible, but the person is on holiday, maybe you can send it to me by email)
Best regards
André
Hello Andre,
I can send you the latest firmware version. Please try with your server.
I've also reproduced this problem. And I found out that it's been already reported to support line.
I've updated my module and after that there is no problem with google.
Regards,
Bartłomiej
Hello Bartlomiej,
I meet the same problem when I try to authenticate with AWS IoT, which uses a Verisign root CA (SHA1RSA). The SSL socket threw an exception that it could not parse the algorithm id. Could you send me the latest firmware for EHS6 to test? We are Clean Mobility Pte Ltd in Singapore, which is a key partner with Gemalto in Singapore. Or I can contact Gemalto Singapore for this help.
Thanks,
Thanh
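The thread ends with the finding that the module's old firmware accepts chains signed with sha1 but rejects sha256-signed ones, and the last post reports an "could not parse algorithm id" error on another chain. Before loading a PEM chain onto a module it is useful to see which signature algorithm each certificate actually carries. The following is an added example (not code from the thread, nor from Telit/Cinterion or the jseccmd tool): a standard-library Python script that splits a PEM bundle into DER certificates, walks the outer Certificate SEQUENCE to the signatureAlgorithm field and names the OID. The sample chain at the bottom is a constructed skeleton with the real Certificate layout and real algorithm OIDs, not a genuine certificate, so that the script runs offline; the OID table and the names `signature_algorithms`, `sample_pem` are this example's own.

```python
"""Report the signature algorithm of every certificate in a PEM bundle.

Added example: a minimal DER walker that reads the outer
signatureAlgorithm of each X.509 certificate, so a chain can be checked
for sha256 signatures before it is loaded onto a module whose firmware
only handles sha1-signed chains (the symptom reported in the thread).
Standard library only.
"""
import base64
import re

# OIDs a practitioner is most likely to meet; anything else is reported as unknown.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_bytes):
    """Split a PEM bundle into DER blobs, one per certificate."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem_bytes)]


def _read_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(value):
    """Turn OID content bytes into dotted-decimal text."""
    arcs = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def signature_algorithm(der):
    """Return the dotted OID of a DER certificate's outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    """
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, _, tbs_end = _read_tlv(der, start)      # skip tbsCertificate
    alg_tag, alg_start, _ = _read_tlv(der, tbs_end)  # AlgorithmIdentifier
    if tbs_tag != 0x30 or alg_tag != 0x30:
        raise ValueError("unexpected certificate structure")
    oid_tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])


def signature_algorithms(pem_bytes):
    """Return [(index, oid, name)] for every certificate in the bundle."""
    result = []
    for i, der in enumerate(pem_to_der_list(pem_bytes)):
        oid = signature_algorithm(der)
        result.append((i, oid, SIG_ALG_NAMES.get(oid, "unknown")))
    return result


# --- constructed sample input (NOT a real certificate) --------------------
def _der(tag, content):
    assert len(content) < 0x80  # short-form length suffices for the sample
    return bytes([tag, len(content)]) + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(chunk)
    return _der(0x06, body)


def sample_pem(oid):
    """Skeleton Certificate: empty tbsCertificate, given AlgorithmIdentifier, empty signature."""
    cert = _der(0x30, _der(0x30, b"") + _der(0x30, _encode_oid(oid) + _der(0x05, b"")) + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


SAMPLE_CHAIN = sample_pem("1.2.840.113549.1.1.11") + sample_pem("1.2.840.113549.1.1.5")

if __name__ == "__main__":
    for idx, oid, name in signature_algorithms(SAMPLE_CHAIN):
        print(f"cert[{idx}]: {oid} ({name})")
```

Run it against the real chain by replacing `SAMPLE_CHAIN` with the bytes of the PEM file; any entry reported as sha256WithRSAEncryption (or another non-sha1 algorithm) is a chain the pre-update firmware in this thread would have refused, and an OID reported as unknown is the kind of value behind a "could not parse algorithm id" failure.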