Secure TCP socket fails

Hi,

I have been developing a product which relies on the HL6528 for the past couple of months. There is only one function required, to open a secure tcp connection with kinesis.eu-west-1.amazonaws.com and send data.

I have been accomplishing this with the “Secure client” option on the built in TCP functionality. I have not been uploading my own certificates, not sure if there are built in certs or not.

Up until 2 weeks ago this worked. The secure socket opened, I sent the data and I closed the socket. However 2 weeks ago I ran the same firmware and it no longer works. This is the response I get:

AT+KTCPCNX=1
NO CARRIER

+KTCP_NOTIF: 1,5

I have read from the datasheet that KTCP-NOTIF: 5 = “TCP connection error”

Please could I have some more information about how to diagnose this problem. What would be the cause of this TCP connection error? Has anything changed in the past 2 weeks (maybe an OTA firmware upgrade happened without me asking AirVantage to do it?) that would cause this error?

Huw

Huw,

From a Sierra side nothing has changed, FOTA only happens after explicit actions (both on our FOTA server and sending commands to the unit) from the person controlling it.

The unit does not come with any certs loaded, you do need to load your own.

The TCP error you are seeing above is a catch all cause value so is impossible to give any more detail as to where the problem lies as it could be anything. A few more commands re your config would be helpful to see what you are doing.

If it worked before then any changes that have happened will have been on the network provider/server side.

Regards

Matt

hi,

here is the log of commands sent to the hl6528 from the host microcontroller. This morning I added the +KCERTSTORE step. Doesn’t seem to have helped the situation. root CA cert was acquired by going to the web address on my pc (using chrome) and downloading the certificate from the “secure” box in the URL.

+KSUP: 0


ATE0
OK

AT+CPIN?							//wait for sim to respond
+CME ERROR: 14
AT+CPIN?
+CME ERROR: 14

+CGREG: 2
AT+CPIN?
+CPIN: READY

OK
AT+KCNXCFG?

OK

OK
AT+KURCCFG=TCPC,1,1
OK
AT+CMEE=1
OK
AT+KCNXTIMER=1,30,1,30,10
OK
AT+KCNXCFG? 

OK

AT+KCNXCFG=1,"GPRS","send.ee","",""										//set apn
OK
AT+KCNXPROFILE=1
OK
AT+CGREG?
+CGREG: 1,2

OK
AT+CREG=1
OK
AT+CGREG=1																//wait for registration
OK

+CREG: 5
AT+CGATT=1
+CME ERROR: 100

+CREG: 5
AT+CGATT=1
+CME ERROR: 100

+CREG: 5
AT+CGATT=1
+CME ERROR: 100

+CREG: 5

+CREG: 5

+CGREG: 5
AT+KCERTSTORE=0,2310,0													//store root CA cert
CONNECT
-----BEGIN CERTIFICATE-----
MIIGYDCCBUigAwIBAgIQDdT7wAfJLt55leGQ1jSRCDANBgkqhkiG9w0BAQsFADBE
... more data ...
jHCtaGbUGQXCEUyqp/XVAoSzdQdM/PY046eaNLWzGYg7MttfoAB6XNZqDPoTNOrr
Sm6w5w==
-----END CERTIFICATE-----

OK

AT+CCLK="18/07/10,11:20:11+00" 											//set correct time (NTP is used to acquire time, this section has been removed from this log)
OK

AT+KTCPCFG=1,3,kinesis.eu-west-1.amazonaws.com,443						//configure secure socket, port 443 (https)
+KTCPCFG: 1

OK

AT+KTCPCNX=1															//connect
NO CARRIER

+KTCP_NOTIF: 1,5
FAILED

Huw,

Just for good measure can you set the clock on the unit to the correct time? Where are you getting the certificate from? Have you confirmed that with this APN you can connect to some other server (secure or not)?

Regards

Matt

Hi Matt,

Using the exact same setup but only changing the target URL to “google.com” or “amazon.com” does connect successfully, this works even without storing a certificate to the HL6528. The call of AT+CCLK in the above log is setting the time to the correct UTC time, each time I run this the time is successfully acquired using NTP (network time protocol) to ensure the time is correct.

I also tried to initiate a secure connection with “personal.natwest.com” (a bank website) and this gave me the same error as with the AWS website.

This led me to think that the security settings on the device might have gotten messed up. Below are the cipher suite config settings I read from the device. Not sure if this will help you diagnose my problem. The first config in the KSSLCRYPTO list seems to have values which are not options in the documentation.

AT+KSSLCFG?
+KSSLCFG:0,3
+KSSLCFG:2,0

OK

    
AT+ KSSLCRYPTO?
+KSSLCRYPTO: 0,1,1,8388,67,7,0
+KSSLCRYPTO: 1,1,1,4,1,7,0
+KSSLCRYPTO: 2,1,1,4,2,7,0
+KSSLCRYPTO: 3,1,1,64,2,7,0
+KSSLCRYPTO: 4,1,1,128,2,7,0
+KSSLCRYPTO: 5,1,1,8192,64,7,0

OK

The certificate I am storing on the device is the certificate of the site. This was acquired by visiting “kinesis.eu-west-1.amazonaws.com” (the target site) on my computer, downloading the certificate from there and storing it in the flash of my host micro-controller.

SOLVED:
created the following cipher profile:

AT+KSSLCRYPTO=0,1,1,8192,64,4,0

and then changed my TCP config to:

AT+KTCPCFG=1,3,kinesis.eu-west-1.amazonaws.com,443,,,,0

so that it uses the new crypto profile when opening the connection. Not sure what changed to stop it from working.

Please can some more documentation be produced to explain how to use this device. Having only the AT command document makes it very difficult as if I don’t know the command exists then it takes a long time to find the solution to any unexpected problem.

Huw
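
Added example, not part of the original posts or of Sierra's documentation: it treats each numeric field of the `+KSSLCRYPTO?` output quoted above as a bit mask (an assumption; the thread does not give the field meanings) and shows that profile 0's values 8388 and 67 are the OR of the values in profiles 1 to 5, and which bits the working profile drops. Fields are referred to by position only, and the function names are hypothetical.

```python
import re

# Constructed input: the +KSSLCRYPTO? response and the working profile from the thread.
RESPONSE = """\
+KSSLCRYPTO: 0,1,1,8388,67,7,0
+KSSLCRYPTO: 1,1,1,4,1,7,0
+KSSLCRYPTO: 2,1,1,4,2,7,0
+KSSLCRYPTO: 3,1,1,64,2,7,0
+KSSLCRYPTO: 4,1,1,128,2,7,0
+KSSLCRYPTO: 5,1,1,8192,64,7,0
"""
FIXED = "+KSSLCRYPTO: 0,1,1,8192,64,4,0"

LINE = re.compile(r"\+KSSLCRYPTO:\s*([\d,]+)")


def parse(text):
    """Return {profile_id: [field values after the id]} for each response line."""
    profiles = {}
    for match in LINE.finditer(text):
        nums = [int(n) for n in match.group(1).split(",")]
        profiles[nums[0]] = nums[1:]
    return profiles


def bits(value):
    """Split an integer into the powers of two it is made of (assumed bit mask)."""
    return [1 << i for i in range(value.bit_length()) if (value >> i) & 1]


def union_of(profiles, ids):
    """Bitwise OR of every field position across the listed profiles."""
    merged = []
    for column in zip(*(profiles[i] for i in ids)):
        acc = 0
        for value in column:
            acc |= value
        merged.append(acc)
    return merged


def narrowed(before, after):
    """Map field position (1-based, after the id) to the bits removed by the change."""
    return {pos: bits(b & ~a)
            for pos, (b, a) in enumerate(zip(before, after), 1)
            if b != a and (a & b) == a}


if __name__ == "__main__":
    p = parse(RESPONSE)
    print("profile 0 is the union of 1-5:", union_of(p, [1, 2, 3, 4, 5]) == p[0])
    print("bits removed by the fix:", narrowed(p[0], parse(FIXED)[0]))
```
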

Huw,

When you say documentation are you referring to application notes rather than AT command manual updates given that the command you used above is detailed in the latest manual on the source?

https://source.sierrawireless.com/~/media/support_downloads/airprime/software/airprime_hl6528rdx_at_commands_interface_guide_rev7_0.ashx

Regards

Matt

I have been working from that AT command manual. The issue I was trying to point out is that the manual gives very little context to each command. For instance attempting to manually set the crypto profiles felt like a bit of a stab in the dark considering the errors I was receiving. Perhaps an introduction could be written for each section in the AT command manual that covers what the AT commands in that section are expected to be used for.

Take +KSSLCRYPTO as an example, there are a few words describing what the function’s input parameters should be, but other than the heading “+KSSLCRYPTO Command: Cipher Suite Configuration” there is no description as to why the function exists or when it might be used.

I do appreciate that you quickly responded to my messages here on the forum though. It has helped me with the development.

Hi huw,

What part number of HL6528 are you using in this case?

Because I’m using HL6528-G2.8V BR (FW version 8.10) and KSSLCRYPTO command does not work.
Reading Sierra documentation, KSSLCRYPTO is just available to HL85xxx family…