EHS6 SSL Certificate failed verification | Telit Cinterion IoT Developer Community
June 2, 2017 - 8:32am, 4755 views
Hi,
My application uses an mqtt client library to establish a connection to the aws server. The application will re-establish the aws connection every time the connection is lost (due to unstable cellular network). I have noticed that after about 11 or 12 ***** of disconnection, a new attempt to reconnect will give the exception "IOException Certificate failed verification".
I also stopped the java program, then used AT commands to make connection to aws server. Error was returned as "^SIS: 1,0,200,"error in sendRequest Certificate failed verification"
So far the only way to recover from this error is to restart the module. May I ask what might be the reason for the failure here?
This is the version of my module:
Cinterion
EHS6
REVISION 03.001
A-REVISION 00.000.49
Thank you.
Regards
Thu Hang
Hello,
Could you provide some more information about the application? How frequent are the connections? Do you reconnect each time the connection is lost and keep it open or do periodic connections with some interval?
First thing I can think of here would be that maybe your application does not release the resources correctly after the connection. Then there could be no free resources after some time. But I'd rather expect a different exception here in such a situation. But please verify this. So for now it is quite strange. You could also check if it is possible to establish some other connection when this happens, also an insecure one.
Other thing is that the firmware version that you are using is not the latest official release (it is A-REVISION 00.000.51). But here I wouldn't expect much, I'd rather start from investigating your app.
Regards,
Bartłomiej
Hi
Thank you for the prompt reply.
My application uses ATCommandlistener to check for +CREG URC and update an isRegistered flag accordingly. The app uses a thread to continuously monitor the aws connection: if MqttClient.isConnected() returns false, it will check the isRegistered flag and re-establish a connection if isRegistered==true. Once established, the connection is kept open.
Due to the way aws connection is currently being monitored and the Certificate failed verification exception, the app keeps trying to reconnect, resulting in a huge data consumption. I am looking for a way to handle this error. I will reproduce the issue and try establishing some other connection.
Regards
Thu Hang
Hello,
I think that you should make sure that the application releases all the connection resources in case of detection of connection loss. For now this seems to be the most reasonable potential cause of this problem.
BTW how is it verified if the connection is still active?
If the connection is never closed it probably takes a lot of time to reproduce this in real life without any help like disconnecting the network for example.
Have you also tried to connect and disconnect in a loop to check if this also happens?
Regards,
Bartłomiej
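An added example, not part of the thread and not code from the forum's MQTT library: one way to combine the two points raised so far, releasing the previous connection before every attempt and stopping a failed TLS verification from turning into a tight, data-consuming retry loop. `MqttLink`, the class name and all timing constants are hypothetical; the error strings matched are the ones quoted in this thread.

```java
// Added example: MqttLink is a hypothetical wrapper around the app's MQTT/TLS client.
interface MqttLink {
    void connect() throws java.io.IOException; // socket + TLS handshake + MQTT CONNECT
    void release();                            // close streams and sockets; must not throw
}
public class ReconnectSupervisor {
    static final long BASE_MS = 5000L;                      // first retry delay (assumed)
    static final long MAX_MS = 15L * 60L * 1000L;           // cap for network failures (assumed)
    static final long TLS_COOLDOWN_MS = 60L * 60L * 1000L;  // wait after a TLS failure (assumed)
    static final int TLS_LIMIT = 3;                         // TLS failures before giving up (assumed)
    private int failures = 0, tlsFailures = 0;

    /** True if the message matches the TLS errors quoted in the thread. */
    static boolean isTlsVerificationError(String msg) {
        return msg != null && (msg.indexOf("Certificate failed verification") >= 0
                || msg.indexOf("SSL-Error") >= 0);
    }

    /** One attempt. Returns 0 when connected, a delay in ms before the next
     *  attempt, or -1 when retrying should stop and a recovery path take over. */
    public long attempt(MqttLink link) {
        link.release();                 // drop whatever the previous session still holds
        try {
            link.connect();
            failures = 0;
            tlsFailures = 0;
            return 0L;
        } catch (java.io.IOException e) {
            link.release();             // free the half-open connection too
            if (isTlsVerificationError(e.getMessage())) {
                tlsFailures++;
                return tlsFailures >= TLS_LIMIT ? -1L : TLS_COOLDOWN_MS;
            }
            failures++;                 // ordinary network error: exponential backoff
            return Math.min(BASE_MS << Math.min(failures - 1, 10), MAX_MS);
        }
    }

    public static void main(String[] args) {
        MqttLink failing = new MqttLink() {   // constructed stub: every handshake fails
            public void connect() throws java.io.IOException {
                throw new java.io.IOException("Certificate failed verification");
            }
            public void release() { }
        };
        ReconnectSupervisor s = new ReconnectSupervisor();
        for (int i = 0; i < 3; i++) System.out.println(s.attempt(failing));
    }
}
```

The `-1` result is where an application would hand over to a recovery step; in this thread the only recovery reported so far is restarting the module.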
Hi
The app checks for connection status by using the api provided by mqtt client library:
The check is done on device side, I am not sure how the server checks for connection. One more thing is the app currently sets the keep-alive-interval to be 20 minutes to reduce the data consumption incurred from pings.
Unfortunately, our deployment environment has unstable network connection which results in multiple disconnections and the error seen. I will look into how the connection resources are being handled. Thank you for the suggestion.
Regards
Thu Hang
Hi
I tried to connect and disconnect in a loop:
while (true)
{
    connect
    sleep(1min)
    disconnect
    sleep(1min)
}
After 10 iterations, I got the following exceptions when the app tries to reconnect:
IOException Certificate failed verification
IOException -140 SSL-Error: ASN parsing error, invalid input
Regards
Thu Hang
Hello,
So it seems that this also happens in case of normal disconnection... Do you have the stack trace?
And where have you got the mqtt library - there's probably no compatible j2me version - have you adopted something or used the one from our demonstrator?
Regards,
Bartłomiej
Hi,
This is stack trace I got:
IOException Certificate failed verification ssl
reason 0
org.eclipse.paho.client.mqttv3.MqttException
- org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
- org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:652)
- java.lang.Thread.run(), bci=5
I am using the mqtt library from the forum.
Currently I am also testing with a longer reconnection interval, in case it's a resource issue.
Regards
Thu Hang
Hello,
The library from the Knowledge Base has been adapted from Java SE for the purpose of a demonstration project. Some classes have been changed, some removed. I wouldn't treat it as the final product that you can 100% rely on.
So you need to analyze and debug it to check if all the resources are released correctly after each connection.
On the other hand you could check if the certificate that you receive while getting this exception is really the same as before or try to connect and disconnect without using the library.
Regards,
Bartłomiej
Hi
Thanks a lot for your help!
Regards
Thu Hang