TCP/SSL connection failure (HL7802)

Hi,

I am trying to connect to the Losant MQTT broker using SSL. I have successfully connected previously without SSL with no problems.

Now I get ktcp_notif:1,13 (SSL connection error).
Here is my configuration so far:

at+ktcpcfg?

+KTCPCFG: 1,0,1,3,"146.148.110.247",8883,235,0,0,0,0,0

OK

at+ksslcfg?

+KSSLCFG: 0,3
+KSSLCFG: 2,0

OK

at+KSSLCRYPTO?

+KSSLCRYPTO: 0,9,3,25456,12,4,1,0
+KSSLCRYPTO: 1,1,1,16,0,4,1,0
+KSSLCRYPTO: 2,1,1,32,0,4,1,0
+KSSLCRYPTO: 3,1,1,256,0,4,1,0
+KSSLCRYPTO: 4,1,1,512,0,4,1,0
+KSSLCRYPTO: 5,1,1,8192,4,4,1,0
+KSSLCRYPTO: 6,1,1,16384,8,4,1,0
+KSSLCRYPTO: 7,8,1,64,4,4,1,0
+KSSLCRYPTO: 8,8,1,8192,4,4,1,0
+KSSLCRYPTO: 9,8,2,16,0,4,1,0
+KSSLCRYPTO: 10,8,2,32,0,4,1,0
+KSSLCRYPTO: 11,8,2,64,4,4,1,0
+KSSLCRYPTO: 12,8,2,256,0,4,1,0
+KSSLCRYPTO: 13,8,2,512,0,4,1,0
+KSSLCRYPTO: 14,8,2,8192,4,4,1,0
+KSSLCRYPTO: 15,8,2,16384,8,4,1,0

OK

at+kcertstore?

CONNECT
root_cert,0,1338
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

root_cert,1,0

at+creg?

+CREG: 0,5

OK

AT+KTCPCNX=1

OK

+KCNX_IND: 1,1,0

+KTCP_NOTIF: 1,13

Also, here is a little info on Losant SSL:
- TLS 1.2 with 2048 bit key length encryption in transit
- AES 256 encryption at rest

I also tried with at+ksslcrypto=0,1,1,32,0,4,1,0 but with the same results.

Any ideas as to what the correct configuration might be?

thanks

Hi hkiol,

Firstly, may I know which firmware version your device is running?

As far as I know, we have an issue with SSL connections and it's fixed in the latest FW version 4.6.8.0. If yours is not, please upgrade to the latest FW version and try again. For details you can refer to this similar topic: HL7800-M SSL connection error

Thanks,

I am running 4.6.6.

I am trying to upgrade by AirVantage (which I have done before) but it's been pending for hours now. Let's hope the site will be up soon so I can get it from there. Will keep you posted.

thanks

Hi Donald,

Site is still down and I had no luck with AirVantage. Could I get the latest firmware somewhere else maybe?

thanks

Hi @hkiol ,

From the user's point of view, we have 2 ways to get the new FW:

  1. FOTA through AirVantage

  2. Source page website of SierraWireless

Unfortunately, neither of the 2 ways can be used now, and we have to wait. In the meantime, can you please share with me the sequence of commands which you used to make the connection? I will try on my device to see what the real issue is.

Thanks,

Hi @Donald,

My sequence is as follows:

at+creg?

+CREG: 0,5

OK
at+ktcpcfg=1,3,"146.148.110.247",8883
AT+KTCPCNX=1

OK

+KCNX_IND: 1,1,0

+KTCP_NOTIF: 1,13

using the certificate I showed in my original post.

thanks
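The connect sequence posted above (registration check, AT+KTCPCFG in TLS mode 3, AT+KTCPCNX, then waiting for the unsolicited result) is easy to get wrong in host firmware because the OK after AT+KTCPCNX is not the outcome; the outcome arrives later as a URC. The following is an added example, not code from either poster or from Sierra Wireless: it drives that sequence over any transport with write()/readline() and classifies the result. The modem replies are constructed from the lines shown in the thread; the +KTCP_IND URC used for the success case comes from the HL78xx AT reference and is an assumption here, since every attempt in the thread failed and it never appears. Only status code 13 is decoded, because that is the only code the thread explains.

```python
"""Replay the HL7802 TCP/SSL connect sequence from the thread and classify
the outcome.  Added example; modem output below is constructed from the
thread's posted lines, not captured from a live module."""
import re

# URCs shown in the thread (+KCNX_IND, +KTCP_NOTIF) plus +KTCP_IND, which the
# HL78xx AT reference uses for a successful session (assumption: not in thread).
URC_RE = re.compile(r"^\+(KCNX_IND|KTCP_IND|KTCP_NOTIF):\s*(\d+)(?:,(\d+))?(?:,(\d+))?$")

# Only the code the thread itself explains; anything else is reported raw so
# the caller consults the AT reference instead of guessing.
KTCP_NOTIF_TEXT = {13: "SSL connection error"}


class FakeHL7802:
    """Constructed stand-in for a serial port that replays thread responses."""

    def __init__(self, connect_outcome):
        self.outcome = connect_outcome  # URC lines emitted after OK to KTCPCNX
        self.sent = []
        self._queue = []

    def write(self, line):
        self.sent.append(line)
        cmd = line.upper()
        if cmd == "AT+CREG?":
            self._queue += ["+CREG: 0,5", "OK"]       # roaming, as in the thread
        elif cmd.startswith("AT+KTCPCNX="):
            self._queue += ["OK"] + list(self.outcome)
        else:
            self._queue.append("OK")

    def readline(self):
        return self._queue.pop(0) if self._queue else None


def send(modem, cmd):
    """Send one AT command and collect lines up to the final result code."""
    modem.write(cmd)
    lines = []
    while True:
        line = modem.readline()
        if line is None:
            raise TimeoutError(f"no final result for {cmd}")
        lines.append(line)
        if line in ("OK", "ERROR") or line.startswith("+CME ERROR"):
            return lines


def wait_session(modem, session, max_reads=50):
    """Consume URCs until the given session reports success or failure."""
    for _ in range(max_reads):
        line = modem.readline()
        if line is None:
            return {"status": "timeout"}
        m = URC_RE.match(line)
        if not m or int(m.group(2)) != session:
            continue                      # +KCNX_IND or another session: keep going
        kind = m.group(1)
        if kind == "KTCP_NOTIF":
            code = int(m.group(3))
            # Treat this as a hard failure: do not retry with a weaker cipher
            # profile, which would hide a certificate or network problem.
            return {"status": "failed", "code": code,
                    "reason": KTCP_NOTIF_TEXT.get(code, "unknown, see AT reference")}
        if kind == "KTCP_IND" and m.group(3) == "1":
            return {"status": "connected"}
    return {"status": "timeout"}


def registration_status(creg_lines):
    """Extract <stat> from '+CREG: <n>,<stat>' (second field after the colon)."""
    for line in creg_lines:
        if line.startswith("+CREG:"):
            fields = line.split(":", 1)[1].split(",")
            return fields[1].strip() if len(fields) > 1 else ""
    return ""


def connect_tls(modem, host, port=8883, session=1):
    """The thread's sequence: AT+CREG?, AT+KTCPCFG (mode 3 = TLS), AT+KTCPCNX."""
    stat = registration_status(send(modem, "AT+CREG?"))
    if stat not in ("1", "5"):            # 1 = registered home, 5 = roaming
        return {"status": "not_registered", "creg": stat}
    send(modem, f'AT+KTCPCFG={session},3,"{host}",{port}')
    send(modem, f"AT+KTCPCNX={session}")
    return wait_session(modem, session)


if __name__ == "__main__":
    modem = FakeHL7802(["+KCNX_IND: 1,1,0", "+KTCP_NOTIF: 1,13"])
    print(connect_tls(modem, "146.148.110.247"))
```

With a real module the transport would be a pyserial port wrapper that appends CR to writes and strips line endings on reads (assumption about the host setup, not shown in the thread); the classification logic does not change. The point worth keeping is that `send()` returning OK for AT+KTCPCNX says nothing about the TLS handshake, and a +KTCP_NOTIF must be surfaced as a failure rather than swallowed.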

Hi @hkiol,

I have just tried your case on my HL7802 with all information you provided. I captured log on my device and this is the result:


The server requested a certificate from the device but the device does not have it. So the TCP/SSL connection cannot be established.

Please check: did you establish a TCP/SSL connection with this server successfully before? As I see it, the device cannot connect to this server with only the Root CA cert.

Please check again and insert the device certs if any.

Thanks,

Hi @jerdung,

It turns out that that specific broker (146.148.110.247) needs its domain name to work…

So I tried with the AWS platform and made the following configurations:
(ECDHE-RSA-AES128-GCM-SHA256 (recommended from AWS))

at+ksslcrypto=0,8,1,8192,4,4,3,0

(IPV6 this time)

AT+KTCPCFG=1,3,"-xx-ats.iot.us-west-2.amazonaws.com",8883,0,1

at+creg?
+CREG: 0,1
OK
AT+KTCPCNX=1
OK
+KTCP_NOTIF: 1,13

I also inserted the Local CA, Root CA and private key successfully, as per the AWS manual.
However, I still get +KTCP_NOTIF: 1,13.

Any ideas?

Hi @hkiol,

Following the HL78xx AT Command Reference, your module can work with ECDHE-RSA-AES128-GCM-SHA256 using your +KSSLCRYPTO command. So I think there isn't any issue with the cipher suite configuration on your module.

I saw you mentioned "IPV6 this time". So have you ever made a TCP/SSL connection to your domain "-xx-ats.iot.us-west-2.amazonaws.com" over IPv4 successfully before? If not, can you try this case over IPv4?

Besides that, based on +KTCP_NOTIF: 1,13 being displayed after starting the TCP/SSL connection as per your comment, there may be many things that impact the TCP/SSL connection. Are you using a simulated network or a real network?
a. If you are using a simulated network (for example Amarisoft), can you capture Wireshark packets and provide me with the .pcap file for this TCP/SSL connection?
b. If you are using the real network, you cannot trace packets. So can you provide me your domain, local CA, root CA and private key exactly (you can send me a message with them)? Then I can try on my module and trace the log on my Amarisoft to find the reason for your issue.

Thanks,

Hey, I guess the issue was the SIM cards I was testing and their providers.

All is successful with a different SIM card.