EHS5-E TLS mutual authentication problem - Remote peer has closed the connection | Telit Cinterion IoT Developer Community
August 31, 2021 - 10:59pm
Hi,
I'm running EHS5-E and trying to establish TLS communication to AWS IoT mutual communication without success. The error code is:
AT^SISO=0
^SIS: 0,0,48,"Remote peer has closed the connection"
I then tried to connect to test.mosquitto.org server instead, and there they have 2 ports:
test.mosquitto.org:8883 server authentication
test.mosquitto.org:8884 mutual authentication (client cert required)
and for port 8883, the connection is successful, while for 8884, it got the same message "remote peer has closed the connection", similar to AWS IoT.
Here is the link to the mosquitto client private key, cert and mosquitto CA cert that I used.
Please note that I do the same connection tests using ELS61-E R2, using the same set of certificates to AWS and mosquitto.org correspondingly, and all TLS communication works as expected. This got me to believe that something in the EHS5-E TLS stack is not right, specifically the client authentication part, causing the server to close the communication immediately. Unfortunately I have not managed to set up an internet server to capture the TLS handshake yet.
My HW version:
It would be great if someone can do the same test (quite easy to do towards mosquitto server) and confirm the problem with the modem. Otherwise, any help would be appreciated. Thanks!
Hello,
I tried a socket connection to mosquitto on 8884 with EHS6, the same firmware. And the connection was established. Looks like the TLS part was successful. Didn't try any MQTT data exchange.
BR,
Bartłomiej
Hi, can you test with EHS5-E instead? I don't have EHS6 to test myself. I have ELS61-E R2 and that works without any problem.
BR,
James
Hello,
It's the same firmware (REVISION 03.001 A-REVISION 00.000.55) so there shouldn't be any difference. Are you sure that you installed the same certificates and configured the modules in the same way? Please also try to remove the client certificate and all server certificates, reboot the module and try again (also reboot after certificates installation).
BTW do you use Java or AT commands for the connection? When exactly does the error come? Could you paste any log?
BR,
Bartłomiej
Hi,
I'm pretty sure that I use the same certificates and configured the modules in the same way, because I have hardcoded the certificates, private key, ca chain into source code (for testing only) and built the code to automatically send AT commands to delete all existing certificates and install new ones. And as I mentioned above, ELS61-E works perfectly fine while EHS5-E failed, but only when client certificate is required. This failure happens on both AWS IoT and mosquitto port 8884.
PS I used AT commands from the MCU to establish the connection. The error occurs after AT^SISO command is sent.
Here is the log: connection to 8884, mutual authentication
Connection to port 8883, only server auth
Hello,
I did the test again to make sure (I even found EHS5-E module). The connection is established and after more than 30 seconds of inactivity or dummy activity the server closes it. Here's my log:
[2021-09-06 10:58:59.668] ATI1
[2021-09-06 10:58:59.688] Cinterion
[2021-09-06 10:58:59.688] EHS5-E
[2021-09-06 10:58:59.688] REVISION 03.001
[2021-09-06 10:58:59.688] A-REVISION 00.000.55
[2021-09-06 10:58:59.694]
[2021-09-06 10:58:59.694] OK
[2021-09-06 10:58:59.706] AT^SICS=1,conType,NONE
[2021-09-06 10:58:59.744] OK
[2021-09-06 10:58:59.775] AT^SICS=1,conType,GPRS0
[2021-09-06 10:58:59.789] OK
[2021-09-06 10:58:59.798] AT^SICS=1,apn,"internet"
[2021-09-06 10:58:59.829] OK
[2021-09-06 10:58:59.845] AT^SICS=1,"dns1","8.8.8.8"
[2021-09-06 10:58:59.863] OK
[2021-09-06 10:58:59.878] AT+CGCONTRDP
[2021-09-06 10:58:59.899] ERROR
[2021-09-06 10:58:59.907] AT^SISS=4,srvType,"none"
[2021-09-06 10:58:59.941] OK
[2021-09-06 10:58:59.957] AT^SISS=4,srvType,"socket"
[2021-09-06 10:59:00.116] OK
[2021-09-06 10:59:00.126] AT^SISS=4,conId,"1"
[2021-09-06 10:59:00.168] OK
[2021-09-06 10:59:00.174] AT^SISS=4,address,"socktcps://test.mosquitto.org:8884"
[2021-09-06 10:59:00.254] OK
[2021-09-06 10:59:00.270] AT^SISO=4
[2021-09-06 10:59:00.384] OK
[2021-09-06 10:59:07.906]
[2021-09-06 10:59:07.906] ^SISW: 4,1
[2021-09-06 10:59:13.921] at^sisw=4,10
[2021-09-06 10:59:19.998] ^SISW: 4,10,0
[2021-09-06 10:59:28.179]
[2021-09-06 10:59:28.179] OK
[2021-09-06 10:59:28.236]
[2021-09-06 10:59:28.236] ^SISW: 4,1
[2021-09-06 10:59:40.866] at^sisc=4
[2021-09-06 10:59:43.756] OK
[2021-09-06 10:59:43.796]
[2021-09-06 10:59:43.796] ^SIS: 4,0,48,"Remote peer has closed the connection"
[2021-09-06 10:59:43.808]
[2021-09-06 10:59:43.808] ^SISR: 4,2
[2021-09-06 11:13:42.149] at^siso=4
[2021-09-06 11:13:45.197] OK
[2021-09-06 11:13:51.736]
[2021-09-06 11:13:51.736] ^SISW: 4,1
[2021-09-06 11:13:58.314] at^siso?
[2021-09-06 11:14:00.112] ^SISO: 0,""
[2021-09-06 11:14:00.118] ^SISO: 1,""
[2021-09-06 11:14:00.120] ^SISO: 2,""
[2021-09-06 11:14:00.120] ^SISO: 3,""
[2021-09-06 11:14:00.122] ^SISO: 4,"socket",4,2,0,0,"31.2.6.69:4102","5.196.95.208:8884"
[2021-09-06 11:14:00.124] ^SISO: 5,""
[2021-09-06 11:14:00.126] ^SISO: 6,""
[2021-09-06 11:14:00.128] ^SISO: 7,""
[2021-09-06 11:14:00.136] ^SISO: 8,""
[2021-09-06 11:14:00.139] ^SISO: 9,""
[2021-09-06 11:14:00.146]
[2021-09-06 11:14:00.146] OK
[2021-09-06 11:14:29.380]
[2021-09-06 11:14:29.380] ^SIS: 4,0,48,"Remote peer has closed the connection"
[2021-09-06 11:14:29.387]
[2021-09-06 11:14:29.387] ^SISR: 4,2
[2021-09-06 11:14:31.517] at^sisc=4
[2021-09-06 11:14:34.561] OK
If the server authentication works in your case and the mutual authentication does not, it looks like there is something wrong with the client cert on your side.
BR,
Bartłomiej
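The two situations described in this thread (error 48 right after `AT^SISO`, versus a close after the connection had been up for over 30 seconds) can be told apart mechanically from a timestamped AT log. The following is an added example, not code from either poster or from the vendor; it assumes the log format shown above and treats `^SISW: n,1` as the point where the socket became writable, and the sample log lines are constructed.

```python
import re
from datetime import datetime

# Constructed sample in the thread's log format: profile 0 is closed before
# it ever becomes writable, profile 4 is closed well after it became writable.
SAMPLE_LOG = """\
[2021-09-06 10:00:00.000] AT^SISO=0
[2021-09-06 10:00:00.100] OK
[2021-09-06 10:00:03.500] ^SIS: 0,0,48,"Remote peer has closed the connection"
[2021-09-06 10:05:00.000] at^siso=4
[2021-09-06 10:05:03.000] OK
[2021-09-06 10:05:09.500] ^SISW: 4,1
[2021-09-06 10:05:47.000] ^SIS: 4,0,48,"Remote peer has closed the connection"
"""

LINE = re.compile(r"\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\]\s*(.*)")
OPEN = re.compile(r"AT\^SISO=(\d+)$", re.IGNORECASE)   # open command, not the "?" query
READY = re.compile(r"\^SISW: (\d+),1$")                # URC: profile ready for data
CLOSED = re.compile(r"\^SIS: (\d+),0,48,")             # URC: info id 48, peer closed

def classify_closures(log_text):
    """Return one dict per '^SIS: n,0,48' URC, saying when in the session it arrived."""
    sessions, results = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        text = m.group(2).strip()
        if (o := OPEN.match(text)):
            sessions[o.group(1)] = {"opened": ts, "ready": None}
        elif (r := READY.match(text)):
            s = sessions.get(r.group(1))
            if s and s["ready"] is None:
                s["ready"] = ts          # keep the first ready URC of the session
        elif (c := CLOSED.match(text)):
            s = sessions.pop(c.group(1), None)
            if s is None:
                continue                 # close URC for a session not seen opening
            phase = "after_ready" if s["ready"] else "before_ready"
            since = (ts - (s["ready"] or s["opened"])).total_seconds()
            results.append({"profile": int(c.group(1)), "phase": phase, "seconds": since})
    return results

if __name__ == "__main__":
    for r in classify_closures(SAMPLE_LOG):
        print(r)
```

A `before_ready` result points at connection setup, including the TLS handshake and the client certificate; an `after_ready` result with a delay of tens of seconds points at the server dropping an idle or non-MQTT session.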
Thank you for trying it out to prove that EHS5-E works. I will double check and come back.