ELS61 ER2 with PAHO MQTT: 112 SSL-Error: mp_exptmod error state | Telit Cinterion IoT Developer Community
September 23, 2021 - 8:21am, 1962 views
Good morning,
we are a proud user of a new module based on ELS61ER2.
We are using the Eclipse PAHO Mqtt library shared in this forum for connecting to MQTT. We have managed to use TLS encryption for different modules now (EHS5 ARev >42, ELS61 ER1). We created our own CA and certificates for our servers.
With new module ELS61ER2 we received two different errors (depending on configuration):
- Unable to connect to server (32103) - java.io.IOException: -112 SSL-Error: mp_exptmod error state
- Unable to connect to server (32103) - java.io.IOException: TLS/SSL: SNI extension used without domain
The second error occurs if we try to connect with an IP (e.g. ssl://111.222.0.241:30005). The IP is inside the certificate's SAN. This worked with older devices.
The first error occurs if we connect via DNS name (e.g. ssl://my.domain.com:30005).
We followed the code until this fragment in com.cwm.net.SSLMicroNetworkModule.java
At this place the exception is thrown but I have no clue why.
On our server side I see the connection but it breaks before payload is transmitted. So I'm going to prepare everything again for dumping the network traffic. But maybe someone already has a better idea or can say something about the error message?
Best regards
Kris Budde
Hello,
As for the SNI extension - it was introduced in ELS61ER2 new firmware. The older modules that you mentioned did not support this.
SNI is enabled by default. If IP is used instead of the domain SNI must be disabled. So you probably get this 'TLS/SSL: SNI extension used without domain' because SNI is enabled and there is no domain name available to place into SNI extension in Client Hello message which the module sends to start the TLS handshake.
In a Java MIDlet it can be done by adding ;sni=off to the connection string passed to the Connector.open() method. It can be also enabled with sni=on but as it is the default setting it can be skipped.
As for '-112 SSL-Error: mp_exptmod error state' I've probably never encountered this. It must be something related to TLS. Maybe it is related to the key length. Maybe the network trace would help at least to see when the connection breaks during the TLS handshake.
Best regards,
Bartłomiej
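The `;sni=off` rule from the reply above, as an added example that is not code from the thread or from Telit: a helper that appends the option only when the host is an IP literal. The class and method names are hypothetical, and treating bracketed IPv6 literals the same way goes beyond what the thread covers.

```java
// Added example (hypothetical names). Uses only CLDC-friendly String calls.
public class SniUrl {

    // True for a dotted-quad IPv4 literal or a bracketed IPv6 literal.
    static boolean isIpLiteral(String host) {
        if (host.startsWith("[")) return true;        // e.g. [2001:db8::1] (assumption)
        int parts = 0, start = 0;
        while (start <= host.length()) {
            int dot = host.indexOf('.', start);
            if (dot < 0) dot = host.length();
            if (dot == start || dot - start > 3) return false;   // empty or too long
            for (int i = start; i < dot; i++) {
                char c = host.charAt(i);
                if (c < '0' || c > '9') return false;            // not numeric: a name
            }
            if (Integer.parseInt(host.substring(start, dot)) > 255) return false;
            parts++;
            start = dot + 1;
        }
        return parts == 4;
    }

    // Appends ";sni=off" when the host is an IP literal and no sni option is present.
    static String withSni(String url) {
        int scheme = url.indexOf("://");
        if (scheme < 0) return url;                   // not a URL we understand
        int hostStart = scheme + 3;
        int params = url.indexOf(';', hostStart);
        String authority = params < 0 ? url.substring(hostStart)
                                      : url.substring(hostStart, params);
        int colon = authority.lastIndexOf(':');
        int bracket = authority.lastIndexOf(']');
        String host = colon > bracket ? authority.substring(0, colon) : authority;
        boolean hasSni = params >= 0 && url.indexOf(";sni=", params) >= 0;
        return (isIpLiteral(host) && !hasSni) ? url + ";sni=off" : url;
    }

    public static void main(String[] args) {
        // The two URLs quoted in the question; in a MIDlet the result would be
        // the string passed to Connector.open().
        System.out.println(withSni("ssl://111.222.0.241:30005"));
        System.out.println(withSni("ssl://my.domain.com:30005"));
    }
}
```

Disabling SNI only changes what the Client Hello carries; the certificate still has to list the IP in its SAN, as it does in the setup described in the question.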
Hi Bartłomiej,
thanks again. We recreated our server certificate with 2048 bit instead of 4096 and it works.
Nevertheless it feels wrong that the newer device supports only less secure certificates.
Do you know where to file a bug?
Best regards
Kris Budde
Hello,
Good to read that you were able to get things working.
I did some research. It is not a bug actually. The problem that you encountered is most probably related to the Fast Math feature of the WolfSSL library. There was a library update and in the new version the Fast Math feature is enabled. The purpose of it is to speed up handling of public key operations. But as a side effect the keys need to be shorter.
There may be some improvement for this but I don't know any details yet.
BR,
Bartłomiej