HTTPS test failed on HL8548 - here is my log


#1

Hi, I’m using a HL8548 module and I’m trying to have https connection with coursera.org/ following the example in the at command interface guide(page 757-759). I have no idea what’s going wrong. This is what I’m doing:

First I entered the certificate - my browser is chorme. I entered to coursera.com, clicked on the lock icon, clicked on details, clicked on View certificate, moved to Details tab and clicked on “Copy to File”. Then I clicked “Next”, chose "Base-64 encoded X. 509 (.CER) and clicked Next and then saved the file.

I opened the file with Notepad++, and send the HL8548 the command “AT+KCERTSTORE=1,1874” because according to notepadd++ there are 1874 bytes in this file. I got a “CONNECT” message from the module and send the certificate. The module sent OK so it seems that the certifacate stored successfully.

Then I tried to connect coursera, here is my log:
at+kcnxcfg=1,“GPRS”,“MYAPN”;+KCNXTIMER=1,30,1,30;+KCNXPROFILE=1;+CGATT=1 (works well)
AT+CCLK=“16/06/19,14:30:54+03” (works well)
AT+KHTTPSCFG=1,"www.coursera.org ",2 (works well)
AT+KHTTPSHEADER=1
The module send CONNECT, and the I send:
Accept : text/html
If-Modified-Since : Saturday, 15-January-2000 14:37:11 GMT
–EOF–Pattern-- (the module return OK, mean it works well…)

and then I send :
AT+KHTTPSGET=1, “/”

It takes about 2-4 seconds but the module send:
NO CARRIER

+KHTTPS_ERROR: 1,4

What am I doing wrong?

Regards,
Matan


#2

Matan,

From some testing I can see that internally the unit is producing handshake SSL_ERROR_SSL(1) 0X14094410, I am waiting for some feedback on this to see what the actual problem is, might be down to wanting to use SSLv3 rather than v1.

Regards

Matt


#3

Thanks Matt,

Since we’ll be communicating with our own servers over HTTPS, if there’s a specific protocol we need to use, it should not be a problem.
If you could provide us with a fully functional HTTPS example, we’ll probably take it from there.

Regards


#4

Matanfly,

This is an example that should work, the issue with your server is in the system and will be looked at in due course.

AT+CCLK=“15/12/10,18:26:16+32”
AT+KCNXTIMER=1,30,1,30,10
AT+KCNXCFG=1,“GPRS”,“uninet” //Manage server authentication and encrypt data
AT+khttpscfg=1,“posttestserver.com”,443,2 //“at+KHTTPSCFG=,<http_server>,<https_port>,<http_version>,<cipher_suite>,<sec_level>,,, Paramters translate to , 443: https port, 0: version, HTTP1.1, 0: cipher_suite, TLS_RSA_CHOOSE_BY_SERVER, 1: sec_level, No authentication, only encrypt data”
AT+KCERTSTORE=0
PostServer_Trust_BASE.cer (zipped up version attached)
+++ //Without /r/n
AT+KCERTSTORE?
AT+KHTTPSGET=1,"/"
AT+KHTTPSHEADER?
AT+KHTTPSHEADER=1
Content-Length: 20 //With /r/n
–EOF–Pattern-- //Without /r/n
AT+KHTTPSPOST=1,"/post.php"
AAAAAAAAAAAAAAAAAA //20 bytes including /r/n
AT+KCGPADDR
AT+KHTTPSCLOSE=1
AT+KHTTPSDEL=1
AT+KCNXDOWN=1,1

Regards

Matt
PostServer_Trust_BASE.zip (1.2 KB)


#5

Hi Matt,
Thanks, but this still doesn’t work.
When trying to insert the attached certificate PostServer_Trust_BASE.cer, we receive an ERROR response.
We’re using RealTerm and dumping the file (after unzipping of course) to the teminal, after the “+++” we receive ERROR. let me know if we should be doing something else.
We’ve also tried downloading the base64 certificate of the CA of posttestserver.com, this time AT+KCERTSTORE returns OK after the +++, but we then receive the regular “+KHTTPS_ERROR: 1,13” response upon trying to preform AT+KHTTPSGET=1,"/"
Please advise.
Thanks,
Matan.


#6

See attached for how the downloaded certificate looks in Notepad++
Again - we have used RealTerm to dump the file directly to the module.



#7

Matan,

Can you tell me why you are specifically using HTTPS?

Regards

Matt


#8

We need a secure, authenticated and encrypted connection to our servers . Https is a standard protocol and the HL8548 supports it.

Do you have any other suggestions how to do it?


#9

Matan,

We have tried using openssl on Linux to check this issue and met the same problem:
openssl s_client -connect coursera.org:443
139703702972064:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:734:

but when we add the servername :
openssl s_client -connect coursera.org:443 -servername coursera.org
connection successful.

Reason we have determined from the web:
“With Server Name Indication (SNI), a web server can have multiple SSL certificates installed on the same IP address. SNI-capable browsers will specify the hostname of the server they’re trying to reach during the initial handshake process. This allows the web server to determine the correct SSL certificate to use for the connection.”

It seems “coursera.org” has different SSL certificates on the same IP address which leads to the handshake failure. Can you tell me why you are using this specific website? We think the issue is only here, if you try a different one it will work.

Regards

Matt


#10

Did this resolve your problem?

Regards

Matt


#11

Sorry to interject here, but I have been considering using Sierra modules (I was thinking the HL8548) for use on a project I am starting. The project requires SNI support. Am I correct in interpreting this thread to mean that the TLS implementation on the HL8548 does not support SNI? If so, would Sierra consider implementing this feature? Are there other modules from Sierra that support this?

Thanks.

  • Steven

#12

Hello, we are using HL8548-G and have the same problem with SSL connection.
If send the command:
AT+KHTTPSCFG=1,“posttestserver.com”,443,2 - SSL does’t work
Error:
AT+KHTTPSGET=1,"/"
NO CARRIER
+KHTTPS_ERROR: 1,13

but if send:
AT+KHTTPSCFG=1,“posttestserver.com”,443,0 without server authentificate- Working fine.


#13

Hello Matt.
I doubt that your example in post #38865 has really worked, since according to the documentation (doc. 4114680, rev. 14.1, page 570) user should provide the certificate in DER format (which is binary) whereas the certificate you provided (in the attached .zip archive) is in PEM format.
I’d like to know what is wrong, if it’s your example or the module documentation, because my company has absolute need to use the HTTPS with server authentication and we choose that module because documentation says it’s supported.
Kind regards,
Peppe


#14

Same problem, with +HTTPS_ERROR: 1,13 with server authentication (works fine with only encryption)… Any results?