EHS6 difference between rel.2 and rel.3 when connect to google.com:443 | Telit Cinterion IoT Developer Community
June 28, 2016 - 4:45pm, 2843 views
^SJMSEC: 1,0,1,0
Cinterion v2:
ATI1
Cinterion
EHS6
REVISION 02.000
A-REVISION 00.000.15
OK
AT^SISS=0,"srvType","none"
OK
AT^SISS=0,"SrvType","Socket"
OK
AT^SISS=0,"conId",0
OK
AT^SISS=0,"address","socktcps://google.com:443;etx"
OK
AT^SISO=0
OK
AT^SICI=0
^SICI: 0,1,1,"0.0.0.0"
OK
^SISW: 0,1
AT^SICI=0
^SICI: 0,2,1,"188.197.10.206
OK
AT^SIST=0
CONNECT
Dumping 127 bytes from 0x20005DC0:
48 54 54 50 2F 31 2E 30 20 33 30 32 20 46 6F 75 | H T T P / 1 . 0 3 0 2 F o u |
6E 64 0D 0A 4C 6F 63 61 74 69 6F 6E 3A 20 68 74 | n d . . L o c a t i o n : h t |
74 70 73 3A 2F 2F 77 77 77 2E 67 6F 6F 67 6C 65 | t p s : / / w w w . g o o g l e |
2E 73 69 2F 3F 67 77 73 5F 72 64 3D 63 72 26 65 | . s i / ? g w s _ r d = c r & e |
69 3D 79 6B 56 78 56 2D 33 47 44 65 6D 65 36 41 | i = y k V x V - 3 G D e m e 6 A |
53 36 38 36 76 67 41 77 0D 0A 43 61 63 68 65 2D | S 6 8 6 v g A w . . C a c h e - |
43 6F 6E 74 72 6F 6C 3A 20 70 72 69 76 61 74 65 | C o n t r o l : p r i v a t e |
0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A | . . C o n t e n t - T y p e : |
Cinterion v2 TLS Handshake dump:
[root@srv311 ~]# openssl s_server -cert /etc/postfix/cert/cert.pem -accept 61500 -msg
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
<<< TLS 1.2 Handshake [length 0095], ClientHello
>>> TLS 1.2 Handshake [length 004a], ServerHello
>>> TLS 1.2 Handshake [length 0259], Certificate
>>> TLS 1.2 Handshake [length 00cd], ServerKeyExchange
>>> TLS 1.2 Handshake [length 0004], ServerHelloDone
<<< TLS 1.2 Handshake [length 0046], ClientKeyExchange
<<< TLS 1.2 ChangeCipherSpec [length 0001]
<<< TLS 1.2 Handshake [length 0010], Finished
>>> TLS 1.2 ChangeCipherSpec [length 0001]
>>> TLS 1.2 Handshake [length 0010], Finished
Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5:DES-CBC3-SHA
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS NOT supported
Connection is established OK.
Cinterion v3:
ATI1
Cinterion
EHS6
REVISION 03.001
A-REVISION 00.000.31
OK
AT^SISS=0,"srvType","none"
OK
AT^SISS=0,"SrvType","Socket"
OK
AT^SISS=0,"conId",0
OK
AT^SISS=0,"address","socktcps://google.com:443;etx"
OK
AT^SISO=0
OK
AT^SICI=0
^SICI: 0,1,1,"0.0.0.0"
OK
^SIS: 0,0,50,"Fatal: Service has detected an internal error"
AT^SICI=0
^SICI: 0,2,1,"188.199.255.202"
OK
AT^SISI=0
^SISI: 0,6,0,0,0,0
OK
Cinterion v3 TLS handshake dump:
[root@srv311 ~]# openssl s_server -cert /etc/postfix/cert/cert.pem -accept 61500 -msg
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
<<< SSL 3.0 Handshake [length 0095], ClientHello
>>> SSL 3.0 Handshake [length 004a], ServerHello
>>> SSL 3.0 Handshake [length 0259], Certificate
>>> SSL 3.0 Handshake [length 00cb], ServerKeyExchange
>>> SSL 3.0 Handshake [length 0004], ServerHelloDone
<<< SSL 3.0 Handshake [length 0046], ClientKeyExchange
<<< SSL 3.0 Alert [length 0002], warning close_notify
ERROR
shutting down SSL
CONNECTION CLOSED
Hello,
I have also checked with firmware version REVISION 03.001 A-REVISION 00.000.31 and also found this problem.
But while using http with the same address there is different and more precise information: "Certificate does not contain the correct site name". Although the certificate verification is not active and the certificate is not compared to the one stored in the module, there are still some checks done against the certificate and the site name.
This particular case might need some more investigation. But for now there is a workaround - after adding www. to the address the connection was successful. This was also working for "socktcps".
Best regards,
Bartłomiej
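The site-name check described in the reply above, as an added example that is not part of the original thread and is not the module's firmware logic: RFC 6125-style matching of the connect address against a certificate's subjectAltName entries, generalized to IP literals as well as DNS names. The SAN lists are constructed for illustration (they are not the names in Google's real certificate) and the function names are hypothetical.

```python
import ipaddress

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """Case-insensitive label match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never covers more or fewer labels
    if p[0] == "*":
        # require at least two fixed labels so a pattern like '*.com' is refused
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def reference_id_matches(host, subject_alt_names):
    """host: the name or IP the client was told to connect to.
    subject_alt_names: (type, value) pairs in the shape ssl.getpeercert() returns."""
    if _is_ip(host):
        want = ipaddress.ip_address(host)
        # an IP literal is compared only with iPAddress entries, never with DNS ones
        return any(t == "IP Address" and ipaddress.ip_address(v) == want
                   for t, v in subject_alt_names)
    return any(t == "DNS" and dns_name_matches(v, host)
               for t, v in subject_alt_names)

# Constructed SAN lists (assumptions for illustration only).
WWW_ONLY = [("DNS", "www.google.com")]
WILDCARD = [("DNS", "*.google.com")]
WITH_IP = [("DNS", "www.google.com"), ("IP Address", "74.125.203.105")]
TARGETS = ["google.com", "www.google.com", "74.125.203.105"]

def check_all():
    """Match result for each target address against each constructed SAN list."""
    cases = (("www_only", WWW_ONLY), ("wildcard", WILDCARD), ("with_ip", WITH_IP))
    return {name: [reference_id_matches(t, sans) for t in TARGETS]
            for name, sans in cases}

if __name__ == "__main__":
    for name, row in check_all().items():
        print(name, dict(zip(TARGETS, row)))
```

An IP literal matches only an iPAddress entry, so a client that checks the site name rejects a bare IP address unless the certificate lists that address.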
Hello Bartłomiej,
Thanks for your help, it is very helpful to us.
It works when we add "www." to the address.
But we have another question on the same issue: when we change the address from "www.google.com:443;etx" to "74.125.203.105:443;etx", the result is the same as before; the detailed log is below. Since we need to connect to the server via real IP addresses, would you please help us with it?
Note: (1) V2 works without a problem.
(2) V3 returns an error: 50,"Fatal: Service has detected an internal error"
(3) The IP "74.125.203.105" is a www.google.com address.
=====================================================================
Cinterion v2:
ati
Cinterion
EHS6
REVISION 02.000
OK
at+cpin?
+CPIN: READY
OK
at+csq
+CSQ: 19,99
OK
AT^SJMSEC?
^SJMSEC: 1,0,1,0
OK
AT^SICS=0,contype,gprs0
OK
AT^SICS=0,apn,internet
OK
AT^SISS=0,"srvType","none"
OK
AT^SISS=0,"SrvType","Socket"
OK
AT^SISS=0,"conId",0
OK
AT^SISS=0,"address","socktcps://74.125.203.105:443;etx"
OK
AT^SISO=0
OK
^SISW: 0,1
AT^SICI=0
^SICI: 0,2,1,"10.174.221.195"
OK
AT^SIST=0
CONNECT
=====================================================================
Cinterion v3:
ati
Cinterion
EHS6
REVISION 03.001
OK
at+cpin?
+CPIN: READY
OK
at+csq
+CSQ: 19,99
OK
AT^SJMSEC?
^SJMSEC: 1,0,1,0
OK
AT^SICS=0,contype,gprs0
OK
AT^SICS=0,apn,internet
OK
AT^SISS=0,"srvType","none"
OK
AT^SISS=0,"SrvType","Socket"
OK
AT^SISS=0,"conId",0
OK
AT^SISS=0,"address","socktcps://74.125.203.105:443;etx"
OK
AT^SISO=0
OK
^SIS: 0,0,50,"Fatal: Service has detected an internal error"
AT^SICI=0
^SICI: 0,2,1,"100.88.235.34"
OK
=====================================================================
Hello,
You have to use the domain name, unfortunately - that's how it works. Please do the test with a web browser for google.com, for example: open the address https://216.58.194.78 - there will be the same situation: you'll get the warning that the connection is not safe, and when you accept it the site will open.
In the Java API there's a method "HostbyAddr(String Hostaddr)" in the "NetExtension" class that can retrieve the DNS name from a host's IP. Maybe this would work for you. But for AT commands you'd probably need to implement the reverse DNS lookup with datagrams - that shouldn't be complicated.
Regards,
Bartłomiej
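The reverse DNS lookup "with datagrams" suggested above, as an added example (not from the thread and not Cinterion's API): it builds the PTR query datagram for an IPv4 address and parses the reply, including compressed names. The reply is constructed for the documentation address 192.0.2.10 with the name server.example.net; both, and all function names, are assumptions.

```python
import ipaddress
import struct

def ptr_qname(ipv4):  # '74.125.203.105' -> '105.203.125.74.in-addr.arpa'
    return ipaddress.IPv4Address(ipv4).reverse_pointer  # ValueError on bad input

def encode_name(name):  # length-prefixed labels, terminated by the root label
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_ptr_query(ipv4, txid):
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(ptr_qname(ipv4)) + struct.pack(">HH", 12, 1)  # PTR, IN

def read_name(msg, off, hops=0):  # returns (name, offset just past the name)
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # 2-byte compression pointer to an earlier name
            if hops > 8:
                raise ValueError("compression pointer loop")
            tail, _ = read_name(msg, ((n & 0x3F) << 8) | msg[off + 1], hops + 1)
            return ".".join(labels + [tail]), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def parse_ptr_response(msg, ipv4, txid):
    rid, flags, qd, an = struct.unpack(">HHHH", msg[:8])
    if rid != txid or not flags & 0x8000 or flags & 0x000F or qd != 1:
        raise ValueError("wrong id, not a response, or RCODE != 0")
    qname, off = read_name(msg, 12)
    if qname.lower() != ptr_qname(ipv4):  # the reply must echo our question
        raise ValueError("question mismatch")
    off, names = off + 4, []  # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 12:  # PTR record: RDATA is a domain name
            names.append(read_name(msg, off + 10)[0])
        off += 10 + rdlen
    return names

def sample_response(txid):  # constructed reply for documentation address 192.0.2.10
    rdata = encode_name("server.example.net")
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 12, 1, 300, len(rdata)) + rdata
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    return header + build_ptr_query("192.0.2.10", txid)[12:] + rr
```

The query bytes are what would be sent as a UDP datagram to a resolver on port 53. A PTR answer is set by whoever controls the address block and is not authenticated, so compare it against the name you expect rather than trusting it as the TLS site name.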