EHS6 could not work with SSL | Telit Cinterion IoT Developer Community
September 14, 2015 - 10:17am, 17887 views
Hello
Today I was playing with SSL on EHS6 and I received the error below.
javax.microedition.pki.CertificateException: Certificate failed verification
- com.sun.midp.ssl.SSLStreamConnection.GenerateException(), bci=47
- com.sun.midp.ssl.SSLStreamConnection.<init>(), bci=264
- com.sun.midp.io.j2me.https.Protocol.connect(), bci=198
- com.sun.midp.io.j2me.http.Protocol.streamConnect(), bci=108
- com.sun.midp.io.j2me.http.Protocol.startRequest(), bci=7
- com.sun.midp.io.j2me.http.Protocol.sendRequest(), bci=33
- com.sun.midp.io.j2me.http.Protocol.sendRequest(), bci=3
- com.sun.midp.io.j2me.https.Protocol.getSecurityInfo(), bci=5
- posthtml.PostHtml.startApp(PostHtml.java:135)
First I downloaded the SSL info from the www.google.com page in .der format,
after that I used a tool to generate the certificate code.
1 >java -jar jseccmd.jar -cmd AddHttpsCertificateUntrusted -filename d:\-.google.der > AddHttpsCertificateUntrusted.bin
2 > On EHS6 I changed from http mode to https mode with the command below and installed the certificate
at^sjmsec="cmd",0B00310001000500020001
at^sjmsec="file",AddHttpsCertificateUntrusted.bin
3> Checked again, as I want to be sure it has been installed
at^sjmsec?
^SJMSEC: 1,1,1,0
4>This is my code:
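String connProfile = "bearer_type=gprs;access_point=****;";
// The connection profile parameters are appended to the URL after ';'
HttpsConnection http = (HttpsConnection) Connector.open("https://www.google.com:443;" + connProfile);
// getResponseCode() triggers the TLS handshake, so the CertificateException is thrown here
if (http != null && http.getResponseCode() == HttpsConnection.HTTP_OK) {
    // do something
}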
Version working on EHS6:
ATI1
Cinterion
EHS6
REVISION 03.001
A-REVISION 00.000.14
Can somebody help me?
Thanks so much and best regards
You are right about the HttpsVerifyOnUntrusted command.
Hi Bartłomiej
I am reading this and I have the same problem.
I am trying to connect a Terminal Gemalto EHS6 to a Broker Amazon (AWS IoT) using a Client Mqtt Paho for Java Micro Edition.
I install the certificates and activate the command HttpsVerifyOnUntrusted.
So after executing the Java Application MIDlet the output is as follows:
DeviceID:
Some URC
De ATEvent[event =
] +CTZV: +08,"16/06/02,17:26:03"
Some URC
De ATEvent[event =
] +CTZV: 1
OK
Current time is "16/06/02,17:26:03"
De ATEvent[event = ]
GSMHandler:RINGChanged()+
GSMHandler:RINGChanged()-
Enviando [AT+CCLK?]
this.gsmH.getTimestamp() = "16/06/02,17:26:03"
Connecting to MQTT brocker...
Connecting to: ssl://*******.iot.eu-west-1.amazonaws.com:8883
SSLMicroNetworkModule-start-->msg = Certificate failed verification
SSLMicroNetworkModule-start-->excep = java.io.IOException: Certificate failed verification
SSLMicroNetworkModule-start-->printStackTrace =
java.io.IOException: Certificate failed verification
I'm using the Gemalto Terminal with this revision:
Cinterion
EHS6
REVISION 03.001
A-REVISION 00.000.31
My question is: why do you think we cannot connect to an AWS IoT endpoint, or why am I getting this error?
I would very much appreciate any advice!
Thanks in advance,
Fer.
Hello,
As you have probably seen on the forum some users had problems with some certificates. And this was already reported. I've also done some tests by myself and I was also not able to successfully verify all the certificates.
But I was able for example to successfully connect with my EHS6 module with active certificate verification to the following addresses:
https://iot-developer.thalesgroup.com/threads/ehs6-could-not-work-ssl?pa...
https://www.identrust.com
https://www.symantec.com
https://aws.amazon.com
https://iot.eu-west-1.amazonaws.com
Generally you should store the root certificate from the certificate tree to a file (while using chrome browser use first option - DER encoded binary X.509 format) and generate bin file from it. Please check if the sites I was trying (especially amazonaws) are using the same root certificate as yours. If so you should also be able to connect.
Best regards,
Bartłomiej
Thanks so much Bartłomiej
I have some questions. The first: do you know how I can install more than one CA certificate in the Gemalto Terminal? I ask because I think that I have to install the complete certificate tree of the Amazon Broker on the Gemalto Terminal.
The second: do you know if it is completely necessary that the CA certificates be in ".der" format? I ask because all certificates from AWS are in ".pem" format.
Thanks, best regards,
Fer.
Hello,
It is possible to install more certificates in the same way you install the first one. But for the server certificate verification you need the root CA only (self-signed CA).
The certificate should be in binary encoded X.509 format (.der or .cer).
Regards,
Bartłomiej
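Added example, not part of the original posts or of the vendor tooling: the two points in the reply above in Python, decoding a .pem certificate (the format AWS hands out) to binary DER and checking that it is a root, meaning issuer equals subject. The function names and the sample certificate skeleton are constructed for this example.

```python
import base64

def pem_to_der(pem_text):
    """Decode the first PEM CERTIFICATE block to binary DER (.der/.cer)."""
    body = pem_text.partition("-----BEGIN CERTIFICATE-----")[2].partition("-----END CERTIFICATE-----")[0]
    if not body.strip():
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(body.split()))

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER of the issuer and subject Names from tbsCertificate."""
    tag, pos, _ = read_tlv(der, 0)           # outer Certificate SEQUENCE
    tag2, pos, tbs_end = read_tlv(der, pos)  # tbsCertificate SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER X.509 certificate")
    fields = []
    while pos < tbs_end and len(fields) < 5:
        ftag, _, end = read_tlv(der, pos)
        if ftag != 0xA0:                     # skip the optional [0] version wrapper
            fields.append(der[pos:end])
        pos = end
    if len(fields) < 5:
        raise ValueError("tbsCertificate too short")
    return fields[2], fields[4]              # serial, sigAlg, ISSUER, validity, SUBJECT

def is_self_issued(der):
    issuer, subject = issuer_and_subject(der)
    return issuer == subject                 # names only; the signature is not verified

# Constructed sample input: a certificate skeleton (no key, no signature), not a real cert.
def tlv(tag, body):
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(size)]) + size) + body

def sample_pem(issuer_cn, subject_cn):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, cn.encode()))))
    tbs = bytes.fromhex("a003020102" "020101" "3000") + name(issuer_cn) + b"\x30\x00" + name(subject_cn)
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(tlv(0x30, tlv(0x30, tbs))).decode() + "-----END CERTIFICATE-----\n"
```

With a real file, write the bytes returned by pem_to_der() to a .der file and pass that to jseccmd.jar only when is_self_issued() returns True; a False result means the file is a server or intermediate certificate, not the root.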
Hello,
Thanks so much for the information.
Another question: you said that you can successfully connect with your EHS6 module with active certificate verification to the following address:
https://iot.eu-west-1.amazonaws.com
Could I know what certificates were used for the connection? And how did you do it, I mean, with AT commands or using a Java Application MIDlet?
Thanks, regards,
Fer.
I opened this site in the chrome browser, after that I opened the site certificate and then the highest certificate from the certification path and stored it to the file using "DER encoded binary X.509 (.CER)" format. Next I generated the .bin file as it is described in this thread with jseccmd.jar tool and loaded it to the module with at^sjmsec command. Of course I also activated the https certificate verification untrusted mode. The reboot is needed.
I was using the MIDlet to connect to the site but it shouldn't matter whether you are using MIDlet or AT commands.
Regards,
Bartłomiej
I haven't been able to resolve the issue yet, however thanks so much for your help Bartłomiej.
Regards,
Fer.
Hope that you at least have been able to connect to https://iot.eu-west-1.amazonaws.com with certificate verification, but still have other issues (with other sites or client certificate verification for example).
Hi Bartłomiej,
I am working with EHS8 to https files from an AWS S3 bucket. I got the Amazon Root CA 1 from the browser and saved it as DER.
My question is what I issue command: "java -jar jseccmd.jar -cmd AddHttpsCertificate ..." to generate "AddHttpsCertificateTrusted_S3.bin".
After I load the BIN into mobile device, the error is "javax.microedition.pki.CertificateException: Certificate failed verification"
Could you please advise what I missed?
Thanks.