error in bgs2 communication with tls | Telit Cinterion IoT Developer Community
July 12, 2018 - 2:36pm, 4798 views
I have created 4 certificates.
I try to establish a secure communication with TLS, and when sending the command AT^SISO=1 I get
OK
^SIS: 1,0,62,"Unknown internal TLS error"
Can we know the reason?
The complete log:
ATE0
OK
AT^SBNR=IS_CERT
^SBNR: 0, size: "654", issuer: "/C=ES/ST=Madrid/L=Alcala de Henares/O=Modemsys/OU=Modemsys/CN=Modemsys S.L.", serial number: "4334ECD1", subject: "/C=ES/ST=Madrid/L=Alcala de Henares/O=Modemsys/OU=Modemsys/CN=Modemsys S.L.", signature: "sha1RSA", thumbprint algorithm: "sha1", thumbprint: "34D8696A0BE7AC58B9C4772B5F0CA4D7F3FDB72E"
^SBNR: 1, size: "1939", issuer: "/C=US/O=Google Trust Services/CN=Google Internet Authority G3", serial number: "26BCA5446030C32B", subject: "/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com", signature: "Unknown", thumbprint algorithm: "sha1", thumbprint: "EF4AE5F84F63E12F26D94B12AB346A4E2C13465F"
^SBNR: 2, size: "1623", issuer: "/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3", serial number: "03A0C5DC7F02830CAF561D6DA840B448D67A", subject: "/CN=inventario.modemsys.com", signature: "Unknown", thumbprint algorithm: "sha1", thumbprint: "DCCCF5F9C56696650CE6283E41A4BCC60FED6893"
^SBNR: 3, size: "529", issuer: "/CN=ModemsysCA", serial number: "ECAA89E5E8C8038C4FD783CCF5702968", subject: "/CN=test.modemsys.com", signature: "Unknown", thumbprint algorithm: "sha1", thumbprint: "ECC5B02381D824E57C4979A432686C98BFB5C51D"
^SBNR: 4, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: ""
^SBNR: 5, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: ""
^SBNR: 6, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: ""
^SBNR: 7, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: ""
^SBNR: 8, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: ""
^SBNR: 9, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: ""
^SBNR: 10, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: ""
OK
at+cmee=2
OK
AT^SIND=IS_CERT,1
^SIND: is_cert,1
OK
AT+CMER=3,0,0,2
OK
AT^SICS=0,conType,"GPRS0"
OK
at^sics=0,apn,internetmas
OK
at^siss=1,srvType,"Transparent"
OK
AT^SISS=1,conId,0
OK
AT^SISS=1,address,"test.modemsys.com:442"
OK
AT^SISS=1,secOpt,3
OK
AT^SISO=1
OK
^SIS: 1,0,62,"Unknown internal TLS error"
Hello,
Does this happen each time or occasionally?
I can see that you have more certificates loaded. Have you tried with other sites also?
Generally you should be using server root certificate (from the top of certification path hierarchy) for validation of the server certificate during the TLS handshake.
The error message 'Unknown internal TLS error' is unfortunately not very helpful.
Can you check the firmware version with ATI1 command?
Best regards,
Bartłomiej
Hello
ATI1
Cinterion
BGS2-W
REVISION 04.030
A-REVISION 01.000.15
OK
The error persists in all attempts. I do not have any valid link.
With all certificates it returns the same error.
Thanks
Hello
I tried with root certificate.
Returns the same error
attached log:
AT^SBNR=IS_CERT
^SBNR: 0, size: "654", issuer: "/C=ES/ST=Madrid/L=Alcala de Henares/O=Modemsys/OU=Modemsys/CN=Modemsys S.L.", serial number: "4334ECD1", subject: "/C=ES/ST=Madrid/L=Alcala de Henares/O=Modemsys/OU=Modemsys/CN=Modemsys S.L.", signature: "sha1RSA", thumbprint algorithm: "sha1", thumbprint: "34D8696A0BE7AC58B9C4772B5F0CA4D7F3FDB72E"
^SBNR: 1, size: "1939", issuer: "/C=US/O=Google Trust Services/CN=Google Internet Authority G3", serial number: "26BCA5446030C32B", subject: "/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com", signature: "Unknown", thumbprint algorithm: "sha1", thumbprint: "EF4AE5F84F63E12F26D94B12AB346A4E2C13465F"
^SBNR: 2, size: "1623", issuer: "/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3", serial number: "03A0C5DC7F02830CAF561D6DA840B448D67A", subject: "/CN=inventario.modemsys.com", signature: "Unknown", thumbprint algorithm: "sha1", thumbprint: "DCCCF5F9C56696650CE6283E41A4BCC60FED6893"
^SBNR: 3, size: "529", issuer: "/CN=ModemsysCA", serial number: "ECAA89E5E8C8038C4FD783CCF5702968", subject: "/CN=test.modemsys.com", signature: "Unknown", thumbprint algorithm: "sha1", thumbprint: "ECC5B02381D824E57C4979A432686C98BFB5C51D"
^SBNR: 4, size: "529", issuer: "/CN=ModemsysCA", serial number: "ECAA89E5E8C8038C4FD783CCF5702968", subject: "/CN=test.modemsys.com", signature: "Unknown", thumbprint algorithm: "sha1", thumbprint: "ECC5B02381D824E57C4979A432686C98BFB5C51D"
^SBNR: 5, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: ""
^SBNR: 6, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: ""
^SBNR: 7, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: ""
^SBNR: 8, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: ""
^SBNR: 9, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: ""
^SBNR: 10, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: ""
OK
at+cmee=2
OK
AT^SIND=IS_CERT,1
^SIND: is_cert,1
OK
AT+CMER=3,0,0,2
OK
+CIEV: battchg,5
+CIEV: signal,99
+CIEV: service,1
+CIEV: sounder,0
+CIEV: message,1
+CIEV: call,0
+CIEV: roam,0
+CIEV: smsfull,0
+CIEV: rssi,3
+CIEV: is_cert
AT^SICS=0,conType,"GPRS0"
OK
at^sics=0,apn,internetmas
OK
at^siss=1,srvType,"Transparent"
OK
AT^SISS=1,conId,0
OK
AT^SISS=1,address,"test.modemsys.com:442"
OK
AT^SISS=1,secOpt,4
OK
AT^SISO=1
OK
^SIS: 1,0,62,"Unknown internal TLS error"
Hello
Do you have a URL and a test certificate?
Can you send it?
Hello
In the certificates that I am using, the signature appears as "Unknown".
Is it important?
^SBNR: 4, size: "529", issuer: "/CN=ModemsysCA", serial number: "ECAA89E5E8C8038C4FD783CCF5702968", subject: "/CN=test.modemsys.com", signature: "Unknown", thumbprint algorithm: "sha1", thumbprint: "ECC5B02381D824E57C4979A432686C98BFB5C51D"
Hello
We have tested with a self-signed certificate and it works:
AT^SISO=1
OK
+CIEV: is_cert,1,/C=ES/ST=Madrid/L=Alcala de Henares/O=Modemsys S.L./OU=IoT/CN=test.modemsys.com/emailAddress=modemsys@modemsys.com,AE1BA68C422B697A,/C=ES/ST=Madrid/L=Alcala de Henares/O=Modemsys S.L./OU=IoT/CN=test.modemsys.com/emailAddress=modemsys@modemsys.com,sha1RSA,sha1,A0BC8457891F45B5FFF69AE98FEB4159EAD60FFB
^SISW: 1,1
AT^SIST=1
CONNECT
why?
Hello,
I think that you could start from the most basic scenario: delete all the certificates from the module, load the root certificate for developer.gemalto.com and then try to connect to the site first without and then with server certificate validation. I believe that this will work. Then try the same with your site.
If this succeeds add both certificates and check again or try another one.
In your previous test you might not have set the root certificate. Currently I can see the self-signed certificate on port 442. Please also try to connect to your server on the standard port with the DST Root CA X3 certificate loaded to the module.
This 'signature: "Unknown"' should not mean any problem here.
Regards,
Bartłomiej
Hello
Where can I get the certificate to connect to developer.gemalto.com?
Hello
I have loaded GemaltoRootCA.der in position one.
The result has been:
AT^SISO=1
OK
^SIS: 1,0,18,"For TCP/IP sockets, the socket is not connected"
I attach the log:
AT^SBNR=IS_CERT
^SBNR: 0, size: "654", issuer: "/C=ES/ST=Madrid/L=Alcala de Henares/O=Modemsys/OU=Modemsys/CN=Modemsys S.L.", serial number: "4334ECD1", subject: "/C=ES/ST=Madrid/L=Alcala de Henares/O=Modemsys/OU=Modemsys/CN=Modemsys S.L.", signature: "sha1RSA", thumbprint algorithm: "sha1", thumbprint: "34D8696A0BE7AC58B9C4772B5F0CA4D7F3FDB72E"
^SBNR: 1, size: "961", issuer: "/C=FR/L=Croissy/O=Gemalto/emailAddress=admin.pki@gemalto.com/CN=Gemalto Root CA", serial number: "2A8EE69C9DF60DA04CD10913CA3B795B", subject: "/C=FR/L=Croissy/O=Gemalto/emailAddress=admin.pki@gemalto.com/CN=Gemalto Root CA", signature: "sha1RSA", thumbprint algorithm: "sha1", thumbprint: "A3D998268EA4D48D9709488DD3F96FABE1FA5113"
^SBNR: 2, size: "1623", issuer: "/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3", serial number: "03A0C5DC7F02830CAF561D6DA840B448D67A", subject: "/CN=inventario.modemsys.com", signature: "Unknown", thumbprint algorithm: "sha1", thumbprint: "DCCCF5F9C56696650CE6283E41A4BCC60FED6893"
^SBNR: 3, size: "529", issuer: "/CN=ModemsysCA", serial number: "ECAA89E5E8C8038C4FD783CCF5702968", subject: "/CN=test.modemsys.com", signature: "Unknown", thumbprint algorithm: "sha1", thumbprint: "ECC5B02381D824E57C4979A432686C98BFB5C51D"
^SBNR: 4, size: "707", issuer: "/C=ES/ST=Madrid/L=Alcala de Henares/O=Modemsys S.L./OU=IoT/CN=test.modemsys.com/emailAddress=modemsys@modemsys.com", serial number: "AE1BA68C422B697A", subject: "/C=ES/ST=Madrid/L=Alcala de Henares/O=Modemsys S.L./OU=IoT/CN=test.modemsys.com/emailAddress=modemsys@modemsys.com", signature: "sha1RSA", thumbprint algorithm: "sha1", thumbprint: "A0BC8457891F45B5FFF69AE98FEB4159EAD60FFB"
^SBNR: 5, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: ""
^SBNR: 6, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: ""
^SBNR: 7, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: ""
^SBNR: 8, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: ""
^SBNR: 9, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: ""
^SBNR: 10, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: ""
OK
at+cmee=2
OK
AT^SIND=IS_CERT,1
^SIND: is_cert,1
OK
AT+CMER=3,0,0,2
OK
AT^SICS=0,conType,"GPRS0"
OK
at^sics=0,apn,internetmas
OK
at^siss=1,srvType,"Transparent"
OK
AT^SISS=1,conId,0
OK
AT^SISS=1,address,"developer.gemalto.com:442"
OK
AT^SISS=1,secOpt,1
OK
AT^SISO=1
OK
^SIS: 1,0,18,"For TCP/IP sockets, the socket is not connected"
Hello,
I can see 3 issues here:
- you connect to port 442 - please try an https connection to the default https port
- when I connect to https://iot-developer.thalesgroup.com/ I can see the following certificate chain: DST Root CA X3, Let's Encrypt Authority X3, developer.gemalto.com. You can use the web browser to download the root certificate.
- please test step by step, delete all other certificates for the first test
Regards,
Bartłomiej
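The advice in this thread boils down to one check: the module's certificate store must hold a self-signed root (issuer equal to subject) for the top of the server's chain, not only leaf certificates. The script below is an added example, not code from the thread or from Telit; it parses the `^SBNR` listing as printed by this modem and reports whether a trust anchor for a given issuer DN is loaded. The three `^SBNR` lines embedded as sample input are copied from the log above; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample AT^SBNR=IS_CERT output: three slots copied from the log in this thread
# (slot 0: a self-signed Modemsys cert; slot 3: the test.modemsys.com leaf; slot 4: empty).
SBNR_LOG = """\
^SBNR: 0, size: "654", issuer: "/C=ES/ST=Madrid/L=Alcala de Henares/O=Modemsys/OU=Modemsys/CN=Modemsys S.L.", serial number: "4334ECD1", subject: "/C=ES/ST=Madrid/L=Alcala de Henares/O=Modemsys/OU=Modemsys/CN=Modemsys S.L.", signature: "sha1RSA", thumbprint algorithm: "sha1", thumbprint: "34D8696A0BE7AC58B9C4772B5F0CA4D7F3FDB72E"
^SBNR: 3, size: "529", issuer: "/CN=ModemsysCA", serial number: "ECAA89E5E8C8038C4FD783CCF5702968", subject: "/CN=test.modemsys.com", signature: "Unknown", thumbprint algorithm: "sha1", thumbprint: "ECC5B02381D824E57C4979A432686C98BFB5C51D"
^SBNR: 4, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: ""
"""

# Only the fields needed for the trust-anchor check; DNs never contain a double quote.
_SBNR_RE = re.compile(
    r'^\^SBNR: (?P<slot>\d+), size: "(?P<size>\d*)", issuer: "(?P<issuer>[^"]*)", '
    r'serial number: "[^"]*", subject: "(?P<subject>[^"]*)"'
)


@dataclass
class CertSlot:
    slot: int
    size: int
    issuer: str
    subject: str

    @property
    def empty(self) -> bool:
        return self.size == 0

    @property
    def self_signed(self) -> bool:
        # issuer == subject is the shape of a root CA; that is what the module needs
        # as a trust anchor when secOpt asks for server certificate validation.
        return not self.empty and self.issuer == self.subject


def parse_sbnr(text: str) -> list[CertSlot]:
    """Parse every ^SBNR line of an AT^SBNR=IS_CERT listing into CertSlot objects."""
    slots = []
    for line in text.splitlines():
        m = _SBNR_RE.match(line.strip())
        if m:
            slots.append(CertSlot(int(m["slot"]), int(m["size"] or 0), m["issuer"], m["subject"]))
    return slots


def find_anchor(slots: list[CertSlot], chain_root_issuer: str) -> Optional[CertSlot]:
    """Return the slot holding a self-signed cert whose subject is the server chain's top issuer,
    or None when no usable trust anchor for that chain is loaded."""
    return next((s for s in slots if s.self_signed and s.subject == chain_root_issuer), None)
```

With the thread's store, `find_anchor(slots, "/CN=ModemsysCA")` returns None: the leaf for test.modemsys.com is loaded but its issuer is not, which matches the suspicion that the root certificate was never set.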