Authenticate with TLS 1.2 server | Telit Cinterion IoT Developer Community
May 24, 2016 - 4:45am, 11925 views
Hello,
I am working on an EHS6 project that requires access to AWS IoT, which uses TLS 1.2 mutual authentication. In order to authenticate with the AWS server, we need the VeriSign root CA certificate, which uses the sha1rsa signing algorithm. However, when I try to use this root CA, the SecureConnection throws an Exception that X509Certificate.getAlg() could not parse the algorithm ID. I would like to ask if EHS6 supports sha1rsa, as I know from the specification (Java user guide) that EHS6 supports rsa-sha or sha256/384, etc. Is there a difference between SHA and SHA-1? This confuses me.
Thanks, and I look forward to your help.
Regards,
Thanh
Hello,
The situation is that we want to connect to AWS IoT using the MQTT protocol. AWS requires TLS 1.2 server authentication, which needs the VeriSign root CA and our client certificate + key. We use "jseccmd.jar" to generate the .bin file and use at^sjmsec to activate HTTPS/SSL verification and add the root CA and client certificate. The AWS endpoint uses port 8883, so we use socktcps to connect from the EHS6. However, when the connection is opened (using AT commands), EHS6 prompts the URC code: ^SIS: 1,0,50,"Fatal: Service has detected an internal error".
Hello,
I think that this scenario is quite complicated. We should start with checking what firmware version you are using with the ATI1 command.
Then flash the module if needed and try to check the simple scenario first: connecting to a site that is using the same or a similar certificate as your AWS IoT endpoint but does not require client authentication. If that succeeds, the next step would be to add the server certificate verification. And after that succeeds, you connect to the server that requires client authentication.
You might also see this tutorial https://iot-developer.thalesgroup.com/tutorial/internet-services-ssltls which demonstrates how to prepare the module and test server for the connection with mutual authentication with your own certificates.
Regards,
Bartłomiej
Thanks, Bartlomiej,
My device is EHS6:
ati1
Cinterion
EHS6
REVISION 03.001
A-REVISION 00.000.14
I tried to connect to https://google.com using the Google Internet Authority G2 certificate to test the HTTPS connection, but without success; the returned URC is always "Certificate failed verification". In this example, I only add the HTTPS certificate without any client certificate.
Could you help me by instructing which certificate to use to connect to https://google.com? Does it need any client certificate, as I only need to test the connection? Meanwhile, I will read your tutorial on SSL/TLS. Thanks.
Regards,
Thanh
Hi,
In order to get the root CA to access https://google.com, I used "openssl s_client -connect google.com:443 -showcerts" to show the certificate chain. Then I tried each of them (3 in total: *.google.com, Google Internet Authority G2, GeoTrust Global CA) as a root CA and installed it on the EHS6 (without a client certificate installed). But all attempts failed. Have you tried to connect to https://google.com?
Regards,
Thanh
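As an added example (not code from this thread or from Telit/Cinterion), the following walks the outer DER structure of each certificate in an `openssl s_client -showcerts` chain and reports its signatureAlgorithm OID, the field the module's X509Certificate.getAlg() reports it cannot parse. The OID is the unambiguous identity of the algorithm: 1.2.840.113549.1.1.5 is what Windows labels "sha1RSA", Java "SHA1withRSA" and OpenSSL "sha1WithRSAEncryption", so "SHA" and "SHA-1" in those names refer to the same thing. The sample chain is constructed in the block (placeholder tbsCertificate, realistic signatureAlgorithm fields) and is not a real CA certificate.

```python
import base64
import re

# Signature OIDs a TLS stack is commonly asked to recognise (RSA family).
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.113549.1.1.12": "sha384WithRSAEncryption"}

def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """OID content bytes -> dotted string (first byte packs two arcs, rest base-128)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return (oid, name) from the outer Certificate.signatureAlgorithm field."""
    _, cert, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)   # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    dotted = decode_oid(oid)
    return dotted, SIG_OIDS.get(dotted, "unknown")

def pem_chain_algorithms(pem_text):
    """Apply signature_algorithm() to every PEM block, e.g. s_client -showcerts output."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [signature_algorithm(base64.b64decode("".join(b.split()))) for b in blocks]

# Constructed sample: placeholder tbsCertificate, sha256WithRSA leaf then sha1WithRSA root.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body
def _fake_cert(oid_hex):
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return _tlv(0x30, _tlv(0x30, b"\x02\x01\x01") + alg + b"\x03\x02\x00\xaa")
SAMPLE_PEM = "".join("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                     % base64.b64encode(_fake_cert(h)).decode()
                     for h in ("2a864886f70d01010b", "2a864886f70d010105"))
```

Running `pem_chain_algorithms()` over the saved `-showcerts` output shows which certificate in the chain is the sha1WithRSA one before it is loaded onto the module.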
Hello,
I've sent you the latest firmware. Please try. To test the connection you don't need to load any certificate to the module. You just establish the connection. You load the root certificate to the module only if you need to verify the server certificate.
The "Certificate failed verification" problem was already reported on this forum here: https://iot-developer.thalesgroup.com/threads/ehs6-could-not-work-ssl
and I have also reproduced it and reported for further analysis.
Could you please send me the address that you have used to get java.io.IOException: Algorithm Id parsing failed - I'd also like to test it. Thanks.
Regards,
Bartłomiej
Please check your email address; I've received the reply that the user wasn't found on the server.
Hello,
Could you send it to my office email: thanh@smove.sg? Thanks, I will send you the address for the Algorithm Id failed issue.
Regards,
Thanh
OK, I've sent to the new address. Please check.
Hi Thanh (vutu0001),
About your problem trying to connect to AWS IoT, I have the same issue. I am trying with a Gemalto Terminal connecting to the AWS broker using certificates, and the output after executing my Java application MIDlet is as follows:
This is with firmware 31:
ati1
Cinterion
EHS6
REVISION 03.001
A-REVISION 00.000.31
Connecting to MQTT brocker...
Connecting to: ssl://*******.iot.eu-west-1.amazonaws.com:8883
SSLMicroNetworkModule-start-->printStackTrace =
java.io.IOException: Algorithm Id parsing failed
- com.sun.midp.io.j2me.ssl.Protocol.openPrim(), bci=363
- javax.microedition.io.Connector.open(), bci=47
This is with firmware 14:
ati1
Cinterion
EHS6
REVISION 03.001
A-REVISION 00.000.14
Connecting to MQTT brocker...
Connecting to: ssl://*******.iot.eu-west-1.amazonaws.com:8883
SSLMicroNetworkModule-start-->printStackTrace =
java.io.IOException: Algorithm Id parsing failed
- com.sun.midp.pki.X509Certificate.getAlg(), bci=130
- com.sun.midp.pki.X509Certificate.generateCertificate(), bci=348
- com.sun.midp.ssl.SSLStreamConnection.<init>(), bci=330
- com.sun.midp.io.j2me.ssl.Protocol.openPrim(), bci=267
- javax.microedition.io.Connector.open(), bci=47
So, my question is whether you finally could resolve the problem connecting to AWS. If so, could you tell me how you did it?
I would very much appreciate any advice!
Thanks in advance,
Fer.
Is it possible that the certificates on the module are wrong? I mean the format is wrong, so maybe they were converted in a wrong way or something similar.
BR,
Bartłomiej