HTTPS TCP Connection - Migration to SSLV3 broke out System | Telit Cinterion IoT Developer Community
April 12, 2017 - 1:38pm, 9511 views
Hello.
I've developed an application that communicates with a web page via TCP. Passing the url, I'm using "https://.." and this has worked smoothly in SSLV2 without having to deal with certificates and such. Thing is, our hosting provider has updated the platform to SSLV3 and the system started to fail the communication, presenting the following messages:
java.io.IOException: Subject alternative name did not match site name
- com.sun.midp.io.j2me.https.Protocol.connect(), bci=642
- com.sun.midp.io.j2me.http.Protocol.streamConnect(), bci=108
- com.sun.midp.io.j2me.http.Protocol.startRequest(), bci=7
- com.sun.midp.io.j2me.http.Protocol.sendRequest(), bci=33
- com.sun.midp.io.j2me.http.Protocol.sendRequest(), bci=3
- com.sun.midp.io.j2me.http.Protocol.getResponseCode(), bci=5
For now, the hosting company kept us a port with SSLV2 but we need to work this out for the update.
So, what measures should I take migrate my system into SSLV3?
Hello,
Please provide the ATI1 reply to verify the module type and firmware.
Regards,
Bartłomiej
Hey, Bartlomiej.
ATI1ATI1
Cinterion
BGS5
REVISION 01.100
A-REVISION 00.000.21
OK
Hello,
Generally the module supports SSL3.
Could you write some more details? As I understand you don't upload any certificates to the module and don't need certificate verification but only connect to https site. Are you using the domain name or IP?
The exception is about that the address you are connecting to does not match any of the addresses in the certificate of the site.
Is it a public address, can you share it?
Regards,
Bartłomiej
I'm using the domain name.
Im passing the address like this "https://aplication.company.com"
Our domain holds some sub-domains. Still, this hasn't been an issue in the former SSL and I don't get any sort of problem using http type of connection
Yes, the address is public.
Regards!
The intention of my last question was to ask if you could paste the address (if it's not any secret) so I could also try to connect there, see what happens and read the certificate.
Thanks,
Bartłomiej
Is there any private contact that I can use to send you?
Thanks.
I've sent you an email.
Thanks
Hello Luis,
Thank you for the address - it was very helpful.
I've tested the communication with your address and my BGS5, AREV21 (currently the latest official revision) and gathered the pcap traces from the module.
There are two issues:
1.
I have tried to connect to the exact address and port that you have sent me. In this case the serves was sending the wrong certificate (for completely different site) and the connection was failing with the same exception as in your case.
I have tried to connect to standard port 443 where the server sent the proper certificate and the connection was established without any exception.
This problem is probably connected with SNI which our modules do not support yet. You can see more here: https://en.wikipedia.org/wiki/Server_Name_Indication
The solution for this could be to change the sever configuration if possible.
2.
If the certificate verification is not activated in the module and it still verifies one of the certificate parameter - the domain name - we might consider this as an incorrect behavior as there's no way to react on that. But it would be debatable. It increases the security even if we don't want to verify the correctness and authenticity of the certificate. There might be a different behavior on EHS5/6 modules but I didn't try.
I hope that it will be possible to solve this problem on the server side.
Best regards,
Bartłomiej
Hey Bartlomiej.
First of all, many thanks for your efforts.
I would really need to know for which site the certificate was being sent. Could you provide me the address once again for my email?
I will try to solve the issue on the side of the server, as soon as I get any news I'll post it here.
Thanks.
Pages