HTTPS TCP Connection - Migration to SSLV3 broke out System | Telit Cinterion IoT Developer Community
April 12, 2017 - 1:38pm, 9508 views
Hello.
I've developed an application that communicates with a web page via TCP. When passing the URL I'm using "https://..", and this has worked smoothly in SSLV2 without having to deal with certificates and such. The thing is, our hosting provider has updated the platform to SSLV3 and the system started to fail the communication, presenting the following messages:
java.io.IOException: Subject alternative name did not match site name
- com.sun.midp.io.j2me.https.Protocol.connect(), bci=642
- com.sun.midp.io.j2me.http.Protocol.streamConnect(), bci=108
- com.sun.midp.io.j2me.http.Protocol.startRequest(), bci=7
- com.sun.midp.io.j2me.http.Protocol.sendRequest(), bci=33
- com.sun.midp.io.j2me.http.Protocol.sendRequest(), bci=3
- com.sun.midp.io.j2me.http.Protocol.getResponseCode(), bci=5
For now, the hosting company has kept a port with SSLV2 open for us, but we need to work this out for the update.
So, what measures should I take to migrate my system to SSLV3?
Hi,
You should have received an email.
Regards,
Bartłomiej
Hello Bartlomiej.
What kind of command/Java method did you use to trace back to this address? I've been studying the issue, but using Java functions like .getHost, .getProtocol etc., and analysing the link with an SSL analyser like this (https://www.sslshopper.com/ssl-checker.html), it returns the correct certificate.
How can I replicate the scenario you got so I can report it to our hosting service provider?
I have downloaded Wireshark but I'm not really familiar with the tool. Is there a specific filter for extracting the certificate?
Thanks
Hello Luis,
I have grabbed the pcap trace directly from the module with our internal tools. You are not able to do that. If you'd like to reproduce it, you'd probably need to trace on the server side.
The online tool may get a different result than the module. The reason might be the SNI. When using a web browser I have also got the proper certificate.
There's no "export certificate" feature in Wireshark; to extract the certificate I found the TCP packet where the server sent the certificate, found the certificate in the packet data and exported it as bytes. Then I changed the extension to .der and the cert was readable by Windows tools.
Regards,
Bartłomiej
I have tried but I was unsuccessful via desktop.
The email you sent me with the .der got blocked due to security measures of my webmail server. Could you please send me the .der once again, but now in a .rar?
I really need the evidence to give to the provider so I can solve the issue at the side of the service.
They keep blaming the device and that it does not support the protocol, but I'm just not buying it.
Thank you so much once again.
I've sent it to you again.
To trace on the server you'd have to have access to the server, and you probably don't.
But you could try to connect with the web browser, catch it with Wireshark and then compare it with the module trace I have sent you.
Regards,
Bartłomiej
Hello Bartlomiej.
I've sent you the log that I got via web browser.
It seems that via browser the behaviour is different so that could explain why I'm getting this exception. Back in the browser everything appears to be normal.
Regards,
As there is a Server Name Indication extension in the Client Hello message in your log, I think this is the reason why the server knows at the moment of the TLS handshake which domain the browser is trying to connect to and can present the proper certificate.
In the case of the module, the server does not yet know at the moment of the TLS handshake which domain the module is trying to connect to. So it presents some certificate (maybe a default one, or just the first available), but it is not the appropriate one.
So the only solution for this situation would probably be in the server configuration.
Regards,
Bartłomiej
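The mechanism described in the reply above, as an added example that is not part of the original thread or of any Telit Cinterion code: a browser's Client Hello carries the Server Name Indication extension, so the server can pick the virtual host's certificate; a client that omits SNI gets whatever default certificate the server is configured with, and the client's Subject Alternative Name check then fails. The script builds a minimal TLS 1.2 Client Hello with and without SNI (constructed bytes, not a capture), extracts the server_name the way you would read it off a Wireshark trace, performs the SAN match that the module's HTTPS stack performs, and, when given a host on the command line, fetches the server's certificate once with SNI and once without and writes both as .der files so they can be compared with the same Windows tools mentioned in the thread. Host names, file names and the single cipher suite used are assumptions for the example.

```python
"""Added example: SNI presence in a Client Hello versus the certificate a server
presents, and the Subject Alternative Name match that produced the
"Subject alternative name did not match site name" error in the thread."""
import os
import socket
import ssl
import struct
import sys
from typing import List, Optional

EXT_SERVER_NAME = 0x0000  # RFC 6066 extension type for Server Name Indication


def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed TLS 1.2 ClientHello record (test input, not captured traffic)."""
    body = b"\x03\x03" + os.urandom(32)             # client_version + 32-byte random
    body += b"\x00"                                  # empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
    body += b"\x01\x00"                              # compression methods: null only
    exts = b""
    if sni is not None:                              # browser-style hello: add SNI
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    body += struct.pack("!H", len(exts)) + exts      # module-style hello: empty extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake(22)


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None if no SNI was sent."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 5 + 4 + 2 + 32                               # record hdr, handshake hdr, version, random
    p += 1 + record[p]                               # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher suites
    p += 1 + record[p]                               # compression methods
    if p + 2 > len(record):
        return None                                  # no extensions block at all (old clients)
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == EXT_SERVER_NAME:
            # server_name_list: 2-byte list length, name_type(1), name_len(2), name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode("ascii")
        p += elen
    return None


def hostname_matches_san(hostname: str, sans: List[str]) -> bool:
    """The check the client performs after the handshake: the site name must match
    one dNSName SAN. A leading "*." wildcard matches exactly one left-most label."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower()
        if san == host:
            return True
        if san.startswith("*."):
            h_labels, s_labels = host.split("."), san.split(".")
            if len(h_labels) == len(s_labels) and h_labels[1:] == s_labels[1:]:
                return True
    return False


def fetch_server_cert_der(host: str, port: int = 443, send_sni: bool = True) -> bytes:
    """Connect once with SNI (browser behaviour) or without it (the module's behaviour)
    and return the DER certificate the server chose. Verification is disabled on purpose
    so the mismatched default certificate can still be retrieved and inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if send_sni else None) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    print("SNI in browser-style hello:", extract_sni(build_client_hello("www.example.com")))
    print("SNI in module-style hello: ", extract_sni(build_client_hello(None)))
    if len(sys.argv) > 1:                            # e.g. python sni_check.py www.example.com
        target = sys.argv[1]
        with_sni = fetch_server_cert_der(target, send_sni=True)
        without_sni = fetch_server_cert_der(target, send_sni=False)
        open("with_sni.der", "wb").write(with_sni)       # assumed output file names
        open("without_sni.der", "wb").write(without_sni)
        print("same certificate with and without SNI:", with_sni == without_sni)
```

If the two .der files differ, the server is serving a default certificate to clients that send no SNI, which is what the module sees; the fix belongs in the server's virtual-host configuration (make the intended certificate the default for that IP/port), not in the device.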
Hello Bartlomiej,
Could you please trace the connection again? Is there any way that I can do this on my own?
The hosting service is making some arrangements and they're asking if the certificate returned is still the same.
Thanks!
Hello Luis,
You can't do it on the module. You'd need to trace on the server.
The certificate has changed but it's still not the correct one.
Regards,
Bartłomiej
Hello Bartlomiej,
The thing is that I need to know which certificate the module is receiving, and I can't get access to the server side.
I will pass the information to the hosting company
Thanks!