BGS5T SSL Issue | Telit Cinterion IoT Developer Community
February 22, 2023 - 9:07am, 337 views
Hi,
We are using a BGS5T modem in one of our products that interfaces our hardware to one of our customers' servers via REST (HTTPS).
The modem operated faultlessly, however, the customer modified their SSL certificate authority and now the modem generates the following errors when initiating a GET (HTTPS) to an endpoint on the customers' server:
INT:-213 SSL-Error: revcd alert fatal error
or
^SIS: 1,0,210,"INT:;IOError -123 during socket:: write \0a"
The endpoint is generally accessible via other means, e.g. Postman, but the BGS5T falls over.
A trace of the AT commands used and associated responses is shown below.
Is there anything that can be understood from the errors that might help indicate what the issue is on the CA side?
Thanks in advance.
Jim.
******************************************
AT+CREG?
+CREG: 0,5
AT^SICS=0,conType,"GPRS0"
OK
AT^SICS=0,"inactTO", "240"
OK
AT^SICS=0,user,"USER"
OK
AT^SICS=0,passwd,*******
OK
AT^SICS=0,apn,"iot.1nce.net"
OK
AT^SISS=1,"srvType","HTTP"
OK
AT^SISS=1,conId,0
OK
at^SISS=1,"hcProp","x-token: ********************************"
OK
at^siss=1,hcRedir,0
OK
AT^SISS=1,cmd,"get"
OK
at^siss=1,"address",https://*********************************"
OK
AT^SISO=1
OK
^SIS: 1,0,2200,"Http polysync.water.kisters.cloud:443"
^SIS: 1,0,210,"INT:-213 SSL-Error: revcd alert fatal error"
or alternatively--->
^SIS: 1,0,2200,"Http polysync.water.kisters.cloud:443"
^SIS: 1,0,210,"INT:;IOError -123 during socket:: write \0a"
Hello,
The error suggests some error on TLS layer probably during TLS handshake, probably the module received an alert message from the server and the connection was terminated. If you were able to get the pcap trace for this connection from the server side more details would be visible there and the particular certificates sent by the server.
If your suspicion is correct maybe the server send a certificate which is not supported by the module. In that case the module would most probably initiate the connection termination. You should find the supported cipher suites in the Java User's Guide document for the module (even if your solution does not use the module's JVM). And you could check them against the ones sent by the server, please especially take a closer look at the last one on the list in the pcap file.
For simple test you could also disable the server certificate check on the module side and see if it helps.
Could you explain more about the server, is it fully controlled by the customer or based on some cloud? Please also check the module's firmware version (ATI1 reply).
Best regards,
Bartłomiej
Hello Bartłomiej
Thanks for the quick response.
The server is fully controlled by the customer so we do not have access, they also control the SSL CA etc.
I have sent them the list of supported SSL standards and ciphers from the Java guide for them to check against what is being used on their side.
The module isn't accessible at the moment so I cannot check the firmware version or try to disable the disable the certificate check, but these are options once TLS / cipher compatibility has been confirmed.
Thanks again.
Jim.