RC7620 HTTPS socket creation error

Hi everybody,

I’m trying to connect my RC7620 to an HTTPS server and the socket creation always fails.
The result of the command AT+KTCPSTAT=1 after AT+KTCPCNX=1 is +KTCPSTAT: 0,13,0,0 which means “SSL error”.
The module firmware version is SWI9X07H_00.08.07.00, which is the latest one currently available.

Here are the logs of my test:

18/10/2021 11:56:37.089 [TX] - AT+CREG?

18/10/2021 11:56:37.105 [RX] -
+CREG: 0,1

OK

18/10/2021 11:56:37.752 [TX] - AT+CSQ

18/10/2021 11:56:37.761 [RX] -
+CSQ: 21,99

OK

18/10/2021 11:56:39.144 [TX] - AT+CCLK?

18/10/2021 11:56:39.155 [RX] -
+CCLK: "21/10/18,09:56:37+08"

OK

18/10/2021 11:56:39.904 [TX] - AT+CGATT=1

18/10/2021 11:56:39.925 [RX] -
OK

18/10/2021 11:56:40.824 [TX] - AT+KPATTERN="--EOF--"

18/10/2021 11:56:40.838 [RX] -
OK

18/10/2021 11:56:41.592 [TX] - AT+CGREG?

18/10/2021 11:56:41.607 [RX] -
+CGREG: 0,1

OK

18/10/2021 11:56:42.616 [TX] - AT+KCNXCFG=1,"GPRS","orange.fr

18/10/2021 11:56:42.665 [RX] -
OK

18/10/2021 11:56:43.992 [TX] - AT+KCNXPROFILE=1

18/10/2021 11:56:44.011 [RX] -
OK

18/10/2021 11:56:44.680 [TX] - AT+KURCCFG="TCP",0,0

18/10/2021 11:56:44.700 [RX] -
OK

18/10/2021 11:56:53.329 [TX] - AT+KCERTSTORE=0

18/10/2021 11:56:53.355 [RX] -
CONNECT

18/10/2021 11:56:56.568 [TX] - -----BEGIN CERTIFICATE-----
/ certificate content /
-----END CERTIFICATE-----

18/10/2021 11:56:58.096 [TX] - --EOF--

18/10/2021 11:56:58.119 [RX] -
OK

18/10/2021 11:57:11.209 [TX] - AT+KCERTSTORE?

18/10/2021 11:57:11.332 [RX] -
CONNECT
root_cert,0,1200
-----BEGIN CERTIFICATE-----
/ certificate content /
-----END CERTIFICATE-----

local_cert,0,0
local_cert,1,0
local_cert,2,0

OK

18/10/2021 11:57:18.552 [TX] - AT+KTCPCFG=1,3,"my_server_address",443,0

18/10/2021 11:57:18.576 [RX] -

+KTCPCFG: 1

OK

18/10/2021 11:57:22.064 [TX] - AT+KTCPCNX=1

18/10/2021 11:57:22.102 [RX] -
OK

18/10/2021 11:57:23.945 [TX] - AT+KTCPSTAT=1

18/10/2021 11:57:24.633 [RX] -

+KTCPSTAT: 0,13,0,0

OK

I think I did something wrong with the certificate or the certificate is not the right one (I don’t know).
Could anybody help me with this?

Or can somebody share an HTTPS server address with a good certificate that I can test with my module before trying on our server?

Best regards,
Fabrice

You can try these certificates with your server which have been tested by stunnel.

server-key2048.pem (1.6 KB)
server-cert2048.pem (4.8 KB)
ca-cert2048.pem (4.7 KB)

Hi Jyijyi,

Thank you for your quick reply.

I’m not sure I understand how to use your files.

The *.pem files contain a lot of information.
The ones I used only contain:

-----BEGIN CERTIFICATE-----
/* certificate content …*/
-----END CERTIFICATE-----

1/ Do I have to extract only the part of the file I need?
2/ What do you mean by “stunnel”?

This is the first time I have had to use certificates… so I’m lost.

Best regards,
Fabrice

1. Yes, you can use this simplified one and store it in the module:

ca-cert2048_simplified.pem (1.5 KB)

2. Stunnel is an exe program for SSL testing.
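The "simplified" file mentioned in this answer is just the bare certificate block without the human-readable dump that precedes it in a verbose .pem file. The following is an added example, not code from any poster or from Sierra Wireless: it pulls every certificate block out of such a file and checks that it decodes cleanly before it is sent to the module. The function name `extract_certificates` and the sample data are assumptions made for illustration.

```python
import base64
import re

# Matches one PEM certificate block; anything outside it (the text dump that
# verbose .pem files carry before the block) is ignored.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

def extract_certificates(pem_text):
    """Return a list of (clean_pem, der_length), one per certificate block."""
    result = []
    for match in PEM_CERT.finditer(pem_text):
        body = "".join(match.group(1).split())       # drop line breaks/spaces
        der = base64.b64decode(body, validate=True)  # raises on corrupt base64
        if not der or der[0] != 0x30:                # DER certs start with SEQUENCE
            raise ValueError("block is not DER-encoded ASN.1")
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        clean = "\n".join(
            ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
        ) + "\n"
        result.append((clean, len(der)))
    return result

# Constructed sample: NOT a real certificate, only a DER-shaped byte string
# wrapped the way a verbose .pem file looks (text dump, then the PEM block).
_FAKE_DER = bytes([0x30, 0x60]) + bytes(range(96))
_B64 = base64.b64encode(_FAKE_DER).decode()
SAMPLE_VERBOSE_PEM = (
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    "        Issuer: CN = Example Test CA (constructed)\n"
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for pem, der_len in extract_certificates(SAMPLE_VERBOSE_PEM):
        print(pem, end="")
        print(f"# {len(pem.encode())} bytes of PEM, {der_len} bytes of DER")
```
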

We tried the “stunnel” software but unfortunately, we encountered some errors. Here is the config we used:

foreground=yes

; TLS front-end to a web server
[https]
accept = 4433
connect = 80
cert = /etc/stunnel/server-cert2048.pem
key = /etc/stunnel/server-key2048.pem

And here are the errors from stunnel:

root@smtp:/etc/stunnel# stunnel test.conf -options
2021.10.18 14:51:56 LOG5[ui]: stunnel 5.39 on x86_64-pc-linux-gnu platform
2021.10.18 14:51:56 LOG5[ui]: Compiled with OpenSSL 1.1.0c 10 Nov 2016
2021.10.18 14:51:56 LOG5[ui]: Running with OpenSSL 1.1.0l 10 Sep 2019
2021.10.18 14:51:56 LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
2021.10.18 14:51:56 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
2021.10.18 14:51:56 LOG5[ui]: Reading configuration from file /etc/stunnel/test.conf
2021.10.18 14:51:56 LOG5[ui]: UTF-8 byte order mark detected
2021.10.18 14:51:56 LOG5[ui]: FIPS mode disabled
2021.10.18 14:51:56 LOG5[ui]: Configuration successful

2021.10.18 14:52:17 LOG5[0]: Service [https] accepted connection from 92.184.102.116:4328
2021.10.18 14:52:18 LOG3[0]: SSL_accept: Peer suddenly disconnected
2021.10.18 14:52:18 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

We also ran a test with GnuTLS and here is the log of the test: errors.txt (8.6 KB)

I would like to clarify that we are trying to make a connection to an HTTPS server with server authentication only, not mutual (<auth> set to 1 in the +KSSLCRYPTO AT command). So I uploaded the file ca-cert2048_simplified.pem into the “root_cert” slot with the AT+KCERTSTORE=0 command.

Hi jyijyi,

I think some of the certificate problems I have are related to the RC7620 module itself.
I made other tests with the website “www.google.fr

I’m able to create a secured socket to that website with an HL8548 modem but not with the RC7620. For this one, the result is “SSL connection error”.
Here is the log for the HL8548: HL8548_google_success.txt (2.2 KB)
Here is the log for the RC7620: RC7620_google_error.txt (2.0 KB)
Here is the root certificate I used: globalsign_ca_google_fr.cer.txt (1.3 KB)

In both tests, the purpose is to create a secured socket with server authentication only.
The RC7620 firmware version is: Revision: SWI9X07H_00.08.07.00 0ce4c1 jenkins 2021/03/17 02:18:20

Unfortunately, both modules don’t work with our root certificate and our server.
With openssl, I’m able to create a connection to our server with our root certificate so this one is correct.

I hope this can help you to diagnose my problem.

Best regards,
Fabrice

The issue has been reported internally with internal tracker “MOLRC9X07-274”.

Hi,

Thank you Jyijyi.

Hi Jyijyi,

Do you have any feedback on my problem?

Anyway, I continued my tests and I still can’t open a secured HTTPS connection to our server with both modules.

I also tried to get a secured connection to “https://stackexchange.com/”, which uses the same root certificate as us (Let’s Encrypt).

Can somebody try this server with this root certificate, ISRG Root X1: isrgrootx1.pem.txt (1.9 KB), downloaded from the “Chain of Trust - Let's Encrypt” website?

Best regards,
Fabrice

I think you need to contact your local distributor with a business case to speed up the investigation.

Hi Jyijyi,

I did it and I’m still waiting for information.

Best regards,
Fabrice