EHS6 could not work with SSL | Telit Cinterion IoT Developer Community
September 14, 2015 - 10:17am, 18278 views
Hello
Today I was playing with SSL on the EHS6 and I received the error below.
javax.microedition.pki.CertificateException: Certificate failed verification
- com.sun.midp.ssl.SSLStreamConnection.GenerateException(), bci=47
- com.sun.midp.ssl.SSLStreamConnection.<init>(), bci=264
- com.sun.midp.io.j2me.https.Protocol.connect(), bci=198
- com.sun.midp.io.j2me.http.Protocol.streamConnect(), bci=108
- com.sun.midp.io.j2me.http.Protocol.startRequest(), bci=7
- com.sun.midp.io.j2me.http.Protocol.sendRequest(), bci=33
- com.sun.midp.io.j2me.http.Protocol.sendRequest(), bci=3
- com.sun.midp.io.j2me.https.Protocol.getSecurityInfo(), bci=5
- posthtml.PostHtml.startApp(PostHtml.java:135)
First, I downloaded the SSL info from the www.google.com page in .der format.
After that, I used a tool to generate the certificate code.
1> java -jar jseccmd.jar -cmd AddHttpsCertificateUntrusted -filename d:\-.google.der > AddHttpsCertificateUntrusted.bin
2> On the EHS6 I changed from HTTP mode to HTTPS mode with the command below and installed the certificate:
at^sjmsec="cmd",0B00310001000500020001
at^sjmsec="file",AddHttpsCertificateUntrusted.bin
3> I checked again, as I wanted to be sure it was installed:
at^sjmsec?
^SJMSEC: 1,1,1,0
4> This is my code:
// Connection profile appended to the URL (APN masked by the poster)
String connProfile = "bearer_type=gprs;access_point=****;";
HttpsConnection http = (HttpsConnection) Connector.open( "https://www.google.com:443;" + connProfile);
if (http != null && http.getResponseCode() == HttpsConnection.HTTP_OK) {
//do something
}
Version working on EHS6:
ATI1
Cinterion
EHS6
REVISION 03.001
A-REVISION 00.000.14
Can somebody help me?
Thanks so much and best regards
Hello,
This is an interesting scenario. I have also tried to reproduce this but in my case it didn't work. Is that reproducible in your case? Are you sure that you have activated the certificate verification and rebooted the module before this test (changes that are made with SJMSEC are effective after restart)? Have you tested in the same way with the same websites and certificates?
I can't think of anything that the FOTA MIDlet could have in common with this problem except that it updates the firmware. But it is quite a mystery how a firmware update could fix the certificate validation problem. So if you were able to reproduce it again, that would be stronger proof that there is something in it.
Regards,
Bartłomiej
You are right. I did not restart the modem after the security setting was changed. So I do not think firmware update can fix the problem.
Now, I restarted the modem after the security option was changed to validate the certificate. However, my modem failed with a different error. This time, no response is returned. Any idea? Does the feature, "Https with certificate validation", work on the modem firmware?
Hello,
Is this "no response" case reproducible or was it just once? Maybe there was some other problem with the connection.
If you would like to test the certificate validation feature please see the link with the tutorial: https://iot-developer.thalesgroup.com/tutorial/internet-services-ssltls
This example should be working. There is a problem with some certificates which you have experienced but this example should work.
Regards,
Bartłomiej
I followed the "tutorial"; but "https with certification validation" failed with "Certificate failed verification" on both EHS5 and EHS6. Any idea?
Here is what I have tried:
1. downloaded openssl http://slproweb.com/products/Win32OpenSSL.html
https://www.tbs-certificates.co.uk/FAQ/en/openssl-windows.html
2. ran the following commands in ~/https_demo_devzone\https_demo\Certs>
openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 -keyout rootCA.key -out rootCA.crt -subj "/C=DE/ST=Berlin/L=Berlin/O=Demo Organization Ltd./OU=Demo AE Department/CN=rootCA admin/emailAddress=rootCA@ae.c-wm.net"
java -jar jseccmd.jar -cmd AddHttpsCertificateUntrusted -filename ./rootCA.der > AddHttpsCertificateUntrusted.bin
3. put AddHttpsCertificateUntrusted.bin to the modem flash
4. ran the following commands on the modem:
at^sjmsec="cmd",0B00310001000500020001
at^sjmsec="file",AddHttpsCertificateUntrusted.bin
5. power cycle the modem.
6. ran the following commands:
AT^SICS=0,conType,GPRS0
AT^SICS=0,dns1,"8.8.8.8"
AT^SICS=0,apn,"telargo.t-mobile.com"
AT^SISS=4,srvType,"Http"
AT^SISS=4,conId,"0"
AT^SISS=4,address,"https://ae.c-wm.net/ssltest/?format=plaintext"
AT^SISS=4,cmd,"get"
AT^SISO=4
Hello,
This is a complete example of how to establish a connection with both server and client authentication, but it requires you to generate your own certificates and place them on both the server and the module. You need to have your own server and adapt the attached script, i.e. the paths and login credentials.
The introduction promises that it could be tested with the Application Engineering’s test server and I also thought that it could be done like that. But the server and client certificates would need to be published in order to do that because you don't have access to the server to put your own certificates.
It turned out that the introduction is misleading and you can't test it with this server but need your own one. I'm sorry for misleading you. The example must be working because it has been prepared and tested by a Gemalto engineer.
Regards,
Bartłomiej
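An added example, not part of any post in this thread: a host-side check that the DER file handed to jseccmd really is the issuer of the certificate the server presents, which is the condition the answer above describes (your own certificates on both the server and the module). The helper names, the server.* files and the host name are constructed; the root CA command follows the one posted in the thread, and the PEM-to-DER conversion is included because openssl req writes PEM while jseccmd is given a .der file.

```shell
#!/bin/sh
# Added example: pre-flight check on the PC before loading a root CA onto the module.
# Function names, file names and subjects are constructed for illustration.

# make_ca DIR NAME: self-signed root CA, same form as the openssl req command in the thread
make_ca() {
    openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
        -keyout "$1/$2.key" -out "$1/$2.crt" \
        -subj "/C=DE/O=Demo Organization Ltd./CN=$2 admin" 2>/dev/null
    # openssl req writes PEM; produce the .der file that jseccmd is pointed at
    openssl x509 -in "$1/$2.crt" -outform der -out "$1/$2.der"
}

# issue_server DIR CA HOST: server key plus a certificate signed by CA
issue_server() {
    openssl req -new -nodes -newkey rsa:2048 -keyout "$1/server.key" \
        -out "$1/server.csr" -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 365 -out "$1/server.crt" 2>/dev/null
}

# chains_to ANCHOR_DER SERVER_CERT: status 0 only if SERVER_CERT verifies with
# ANCHOR_DER as the sole trust anchor (-trusted keeps the system CA store out of it)
chains_to() {
    anchor_pem=$(mktemp) || return 2
    rc=1
    if openssl x509 -inform der -in "$1" -out "$anchor_pem" 2>/dev/null &&
       openssl verify -trusted "$anchor_pem" "$2" >/dev/null 2>&1; then
        rc=0
    fi
    rm -f "$anchor_pem"
    return "$rc"
}

# preflight ANCHOR_DER SERVER_CERT: prints "ok" or "mismatch"
preflight() {
    if chains_to "$1" "$2"; then echo ok; else echo mismatch; fi
}

# Constructed demo in a throwaway directory: the right root and an unrelated one
demo_dir=$(mktemp -d)
make_ca "$demo_dir" rootCA && make_ca "$demo_dir" otherCA &&
    issue_server "$demo_dir" rootCA server.example.test
echo "rootCA.der  -> $(preflight "$demo_dir/rootCA.der" "$demo_dir/server.crt")"
echo "otherCA.der -> $(preflight "$demo_dir/otherCA.der" "$demo_dir/server.crt")"
rm -rf "$demo_dir"
```

A "mismatch" here means the file about to be loaded with at^sjmsec="file" is not the issuer of the server's certificate, so it is worth resolving on the PC before touching the module.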
Cool! We are able to load the signed-certificate to the modem; and it works!
Thanks!