EHS6 SSL Certificate failed verification | Telit Cinterion IoT Developer Community
June 2, 2017 - 8:32am
My application uses an MQTT client library to establish a connection to an AWS server. The application will re-establish the AWS connection every time the connection is lost (due to an unstable cellular network). I have noticed that after about 11 or 12 ***** of disconnection, a new attempt to reconnect will give the exception "IOException Certificate failed verification".
I also stopped the Java program, then used AT commands to make a connection to the AWS server. The error was returned as ^SIS: 1,0,200,"error in sendRequest Certificate failed verification"
So far the only way to recover from this error is to restart the module. May I ask what might be the reason for the failure here?
This is the version of my module:
Could you provide some more information about the application? How frequent are the connections? Do you reconnect each time the connection is lost and keep it open or do periodic connections with some interval?
First thing I can think of here would be that maybe your application does not release the resources correctly after the connection. Then there could be no free resources after some time. But I'd rather expect a different exception here in such a situation. But please verify this. So for now it is quite strange. You could also check if it is possible to establish some other connection when this happens, also an insecure one.
Other thing is that the firmware version that you are using is not the latest official release (it is A-REVISION 00.000.51). But here I wouldn't expect much, I'd rather start from investigating your app.
Thank you for the prompt reply.
My application uses ATCommandlistener to check for +CREG URC and update an isRegistered flag accordingly. The app uses a thread to continuously monitor the AWS connection: if MqttClient.isConnected() returns false, it will check the isRegistered flag and re-establish a connection if isRegistered==true. Once established, the connection is kept open.
Due to the way aws connection is currently being monitored and the Certificate failed verification exception, the app keeps trying to reconnect, resulting in a huge data consumption. I am looking for a way to handle this error. I will reproduce the issue and try establishing some other connection.
I think that you should make sure that the application releases all the connection resources in case of detection of connection loss. For now this seems to be the most reasonable potential cause of this problem.
BTW how is it verified if the connection is still active?
If the connection is never closed it probably takes a lot of time to reproduce this in real life without any help like disconnecting the network for example.
Have you also tried to connect and disconnect in a loop to check if this also happens?
The app checks for connection status by using the api provided by mqtt client library:
The check is done on device side, I am not sure how the server checks for connection. One more thing is the app currently sets the keep-alive-interval to be 20 minutes to reduce the data consumption incurred from pings.
Unfortunately, our deployment environment has unstable network connection which results in multiple disconnections and the error seen. I will look into how the connection resources are being handled. Thank you for the suggestion.
I tried to connect and disconnect in a loop:
After 10 iterations, I got the following exceptions when the app tries to reconnect:
IOException Certificate failed verification
IOException -140 SSL-Error: ASN parsing error, invalid input
So it seems that this also happens in case of normal disconnection... Do you have the stack trace?
And where have you got the mqtt library - there's probably no compatible j2me version - have you adopted something or used the one from our demonstrator?
This is stack trace I got:
IOException Certificate failed verification ssl
- java.lang.Thread.run(), bci=5
I am using the mqtt library from the forum.
Currently I am also testing with a longer reconnection interval, in case it's a resource issue.
The library from the Knowledge Base has been adopted from Java SE for the purpose of a demonstration project. Some classes have been changed, some removed. I wouldn't treat it as the final product that you can 100% rely on.
So you need to analyze and debug it to check if all the resources are released correctly after each connection.
On the other hand you could check if the certificate that you receive while getting this exception is really the same as before or try to connect and disconnect without using the library.
Thanks a lot for your help!
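The two points raised in the thread (release the connection's resources on every disconnect or failed attempt, and keep a failing reconnect loop from consuming data), shown as an added Java example that is not part of the thread or of the forum's MQTT library. `Link`, `LinkFactory`, `ReconnectSupervisor` and the delay and threshold values are assumptions made for illustration.

```java
import java.io.IOException;

// Hypothetical stand-in for the MQTT client; not the forum library's API.
interface Link {
    void connect() throws IOException; // opens the socket and TLS session
    void close();                      // frees socket/TLS resources, never throws
}

interface LinkFactory { Link create(); }

public class ReconnectSupervisor {
    // Assumed values; tune to the data budget of the deployment.
    static final long MIN_DELAY_MS = 5000L;
    static final long MAX_DELAY_MS = 15L * 60L * 1000L;
    static final int MAX_CERT_FAILURES = 3;

    private final LinkFactory factory;
    private long delayMs = MIN_DELAY_MS;
    private int certFailures = 0;

    public ReconnectSupervisor(LinkFactory factory) { this.factory = factory; }

    // Closes the dead link first, then makes exactly one new attempt.
    // Returns the connected link, or null after releasing the failed one.
    public Link reconnect(Link old) {
        if (old != null) old.close();
        Link link = factory.create();
        try {
            link.connect();
            delayMs = MIN_DELAY_MS;
            certFailures = 0;
            return link;
        } catch (IOException e) {
            link.close(); // release on the failure path too
            String msg = e.getMessage();
            if (msg != null && msg.indexOf("Certificate failed verification") >= 0) {
                certFailures++;
            }
            delayMs = Math.min(delayMs * 2, MAX_DELAY_MS); // exponential backoff
            return null;
        }
    }

    // How long the monitor thread should sleep before calling reconnect again.
    public long nextDelayMs() { return delayMs; }

    // True once repeated certificate failures mean retrying only burns data.
    public boolean shouldStopRetrying() { return certFailures >= MAX_CERT_FAILURES; }
}
```

The monitor thread would sleep for `nextDelayMs()` between calls and, once `shouldStopRetrying()` returns true, stop reconnecting and report the fault to the application.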