HTTPS problems using Cinterion TC65i module | Telit Cinterion IoT Developer Community
February 12, 2018 - 1:42pm, 3505 views
Hi,
I have an application running on a Cinterion TC65i module (rev 1.100), that is sending requests to an HTTP server, and all is working fine.
Now we have to send the same requests to an HTTPS server, but in this case the same application is not working anymore.
I've prepared a reduced (simple) application that is basically performing GET requests on popular HTTPS servers, and it is not working either.
The error is not always the same, depending on the queried server; here is what I found:
Exception occurred during GET java.io.IOException: TLS: ServerChangeCipher error
Exception occurred during GET java.io.IOException: Alert (2,40)
Exception occurred during GET (7) javax.microedition.pki.CertificateException: Subject alternative name did not match site name
It seems to me from the last error that it could be related to certificate management. Could you please check this?
The code that I use to test is the following:
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.microedition.io.CommConnection;
import javax.microedition.io.Connector;
import javax.microedition.io.HttpConnection;
import javax.microedition.io.HttpsConnection;
import javax.microedition.io.SecurityInfo;
import javax.microedition.midlet.MIDlet;
import javax.microedition.midlet.MIDletStateChangeException;
import javax.microedition.pki.CertificateException;

public class HttpsDemo extends MIDlet {
    private OutputStream serialOut;

    public HttpsDemo() {
    }

    protected void destroyApp(boolean arg0) throws MIDletStateChangeException {
        notifyDestroyed();
    }

    protected void pauseApp() {
    }

    protected void startApp() throws MIDletStateChangeException {
        try {
            // Debug output is written to the module's serial port.
            String strCOM = "comm:com0;blocking=on;autocts=off;autorts=off;baudrate=115200";
            CommConnection commConn = (CommConnection) Connector.open(strCOM);
            serialOut = commConn.openOutputStream();
        } catch (Exception e) {
            // Without the serial port there is nowhere to log to; stop here
            // instead of continuing with a null serialOut.
            destroyApp(true);
            return;
        }
        debug("started HTTPS test app");
        openPage("https://www.google.it");
        openPage("https://www.microsoft.com/it-it");
        openPage("https://www.amazon.com");
        destroyApp(true);
    }

    void initGPRS() {
    }

    private void openPage(String url) {
        String data = getDataFromServer(url);
        if (data == null) data = "";
        debug("received " + data.length() + " bytes of data from server " + url);
        debug(data);
    }

    String getDataFromServer(String url) {
        HttpsConnection httpConn = null;
        InputStream is = null;
        String dataRead = "";
        debug("opening " + url);
        try {
            // Cinterion connection-string parameters: bearer and APN to use.
            url = url + ";bearer_type=GPRS;access_point=ibox.tim.it";
            httpConn = (HttpsConnection) Connector.open(url);
            //httpConn.setRequestProperty("User-Agent", "Profile/MIDP-2.0, Configuration/CLDC-1.1");
            debug("opened url " + url + ", port: " + httpConn.getPort());
            // Forces the TLS handshake and reports the negotiated cipher suite.
            SecurityInfo si = httpConn.getSecurityInfo();
            String cs = si.getCipherSuite();
            debug(cs);
            if (httpConn.getResponseCode() == HttpConnection.HTTP_OK) {
                debug("received HTTP_OK");
                int length = (int) httpConn.getLength();
                is = httpConn.openInputStream();
                if (length == -1) { // unknown length returned by server
                    int chunkSize = 1500;
                    byte[] data = new byte[chunkSize];
                    ByteArrayOutputStream baos = new ByteArrayOutputStream();
                    int dataSizeRead = 0; // size of data read from input stream
                    while ((dataSizeRead = is.read(data)) != -1) {
                        baos.write(data, 0, dataSizeRead);
                        debug("Data Size Read = " + dataSizeRead);
                    }
                    dataRead = new String(baos.toByteArray());
                    baos.close();
                } else { // known length
                    byte[] data = new byte[length];
                    DataInputStream dis = new DataInputStream(is);
                    // try to read all the bytes returned from the server
                    dis.readFully(data);
                    dataRead = new String(data);
                }
                //System.out.println("Data Read from server--\n"+dataRead);
            } else {
                debug("\nServer returned unhandled " +
                      "response code. " + httpConn.getResponseCode());
            }
        } catch (Throwable t) {
            if (t instanceof CertificateException) {
                // getReason() gives the CertificateException reason code (7 = SITENAME_MISMATCH).
                CertificateException ex = (CertificateException) t;
                debug("Exception occurred during GET (" + ex.getReason() + ") " + ex.toString());
            } else {
                debug("Exception occurred during GET " + t.toString());
            }
        } finally { // Networking done. Clean up the network objects.
            // Since only a limited number of network objects can be in open state
            // it is necessary to clean them up as soon as we are done with them.
            try {
                if (is != null)
                    is.close();
            } catch (Throwable t) {
                debug("Exception occurred while closing input " +
                      "stream.");
                // t.printStackTrace();
            }
            try {
                if (httpConn != null)
                    httpConn.close();
            } catch (Throwable t) {
                debug("Exception occurred " + t.toString());
                //t.printStackTrace();
            }
        }
        return dataRead;
    }

    private void debug(String text) {
        if (serialOut == null) return;
        try {
            serialOut.write((text + "\n").getBytes());
            serialOut.flush();
        } catch (IOException e) {
        }
    }
}
Hello,
This module is quite old and it is no longer developed. It is possible that now the sites have greater security requirements, some cipher suites might be needed that may not be supported by the firmware that you have or there may be some similar problem. The last exception could mean that the site name that you connect to does not match any of the alternative names listed in the certificate that the site is using.
I think that you should test this with the latest firmware available for this module.
As I understand you don't store any certificates on the module and just want to connect over a secure connection without server certificate verification.
Best regards,
Bartłomiej
Hello,
thank you for your answer.
I confirm that I just would like to connect to a site without server certificate verification.
About your suggestion to update the firmware of the module, what is the download procedure (and the new firmware binary)?
Thank you for your support,
Best regards
Marco
Hello,
Please paste the ATI1 command reply. The firmware is not available on the public site, I will send it to you.
Regards,
Bartłomiej
Hello,
here you are:
Cinterion
TC65i
REVISION 01.100
A-REVISION 03.002.04
Best Regards,
Marco
Please check your email.
Regards,
Bartłomiej
Hello,
still nothing in my email ...
Best regards,
Marco
Please check again now.
Hello,
I've tried the same program on a module with a new firmware, here is the result of the ATI1 command:
Cinterion
TC65i
REVISION 02.004
A-REVISION 03.000.20
The program is still not working, this time the response is the same on all tried sites, though:
Exception occurred during GET (7) javax.microedition.pki.CertificateException: Subject alternative name did not match site name
Do you have any other suggestions?
Best regards,
Marco
Hello,
So it seems that there still is a problem. And you have already tested the latest official firmware. This module is quite old and already discontinued. I think that it probably needs an SSL library update. In such case I think that you can try 2 more things:
- You could contact your local Gemalto office. Maybe there is some unofficial newer version created for some other customer or there will be a possibility to fix this.
- If these addresses are not the ones that you want to use in your application, it would be worth trying with some other public sites and the server that is going to be used in your application (if for some reason you haven't done this yet). Additionally, if you control this server you could try to change its configuration to possibly get it working with this module. You'd probably have to use some older TLS versions.
Best regards,
Bartłomiej
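An added example, not code from this thread or from Cinterion: a small Python helper, run from a workstation, that checks the two things discussed above before touching the module. san_matches() applies the usual dNSName matching rules (case-insensitive exact match, a left-most-label wildcard covering exactly one label) to a constructed SAN list, which is the check behind "Subject alternative name did not match site name"; inspect_server() connects with the local TLS stack and reports the negotiated version, cipher suite and the certificate's SAN entries, so you can compare what a current server offers with what an older embedded stack can handle. The hostnames and SAN list are constructed sample values.

```python
import socket
import ssl

# Constructed sample: dNSName SAN entries a server certificate might carry.
SAMPLE_SAN = ["www.example.com", "example.com", "*.cdn.example.com"]


def san_matches(hostname, san_dns_names):
    """Return True if hostname is covered by one of the certificate's
    dNSName SAN entries: exact match ignoring case and a trailing dot, or
    a '*.' wildcard in the left-most label that matches exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".cdn.example.com"
            # Same number of labels => the wildcard matched one label only.
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
    return False


def inspect_server(hostname, port=443, timeout=10):
    """Network-dependent: negotiate TLS with the local stack and report the
    version, cipher suite and SAN names, or the verification error raised
    (a SAN mismatch surfaces here as ssl.SSLCertVerificationError)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                sans = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
                return {
                    "version": tls.version(),
                    "cipher": tls.cipher()[0],
                    "san": sans,
                    "san_ok": san_matches(hostname, sans),
                }
    except ssl.SSLCertVerificationError as e:
        return {"error": str(e)}


if __name__ == "__main__":
    for host in ("www.google.it", "www.microsoft.com", "www.amazon.com"):
        print(host, inspect_server(host))
```

The module's SecurityInfo.getCipherSuite() value can then be compared against the suites and protocol version the server actually negotiates with a modern client.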