SSL error 5

We have finished our SSL development and it worked well - until last week: Our ISP has “just only” changed its own certificate, using an updated bundle of certificates provided by an intermediate certification authority. All “higher level” certificates didn’t change at all, as an analysis of the old and the “new” certificates of the bundle showed. But now there is the goddamn error 5 back, which we asked for in our first posting, unfortunately at AirPrime embedded wireless modules\Legacy modules. (https://forum.sierrawireless.com/t/ssl-error-5/7439/1)

We used to load the root certificate of the root CA of the certification chain to parameter WIP_COPT_CERT_AUTHORITY of function wip_SSLInitOpts() and it worked. But now not anymore - error 5. We tried intermediate certificates - doesn’t work - error 5. We tried ISP-certificate - error 5. We tried the bundle without ISP certificate - error 5. We tried the complete bundle (a total of 4) - undocumented error “-2000”!
Is there anyone at Sierra Wireless or this forum who knows about the functionality of the SSL-library? Who might possibly help with this disaster? Is it in general possible to include a certificate-chain into wip_SSLInitOpts()? And if so, how are the certificates to include? Does the SSL-library in general check the certificate-chain? And if so, how does SSL-lib perform this check? “Normal” SSL-client software (IE, Firefox, Outlook) does the check with existent certificates in its memory. But OpenAT?

If we set parameter WIP_COPT_VERIFY of function wip_SSLInitOpts() to WIP_SSL_NEVER, the system works again. But as we see it, there is no more authentication of the SMTP-server - which makes our system vulnerable to attackers.

We would dearly appreciate any help in this case.
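The offline check a practitioner would run on the ISP's bundle before loading anything into the module, as an added example in shell with openssl (not from this thread and independent of the WIP library; the certificates are generated placeholders): it shows that a standard chain verifier fails with the root CA alone when the server does not present the intermediate, and succeeds once the intermediate is supplied, either as untrusted chain material or as part of the trusted bundle.

```shell
#!/bin/sh
# Added example, not code from this thread. Builds a constructed chain
# (root CA -> intermediate CA -> SMTP server) with openssl and checks which
# trust material a standard verifier needs. All names are placeholders.
set -e
WORK=$(mktemp -d)

# Self-signed root CA (with openssl's default config, -x509 marks it CA:TRUE).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Placeholder Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# issue CSR CACERT CAKEY EXTENSIONS OUT: sign a CSR with the given CA.
issue() {
  printf '%s\n' "$4" > "$WORK/ext.txt"
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 30 \
    -extfile "$WORK/ext.txt" -out "$5" 2>/dev/null
}

# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Placeholder Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
issue "$WORK/int.csr" "$WORK/root.pem" "$WORK/root.key" \
  "basicConstraints=critical,CA:TRUE" "$WORK/int.pem"

# Server certificate, signed by the intermediate only.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=smtp.example.invalid" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
issue "$WORK/server.csr" "$WORK/int.pem" "$WORK/int.key" \
  "basicConstraints=CA:FALSE" "$WORK/server.pem"

# Trust anchor = root only and no intermediate available: the verifier cannot
# link the server certificate to the root, so verification fails.
verify_root_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}
# Root as trust anchor, intermediate supplied as untrusted chain material.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    "$WORK/server.pem" >/dev/null 2>&1
}
# The complete bundle (intermediate + root) loaded as trust anchors.
verify_with_bundle() {
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/bundle.pem"
  openssl verify -CAfile "$WORK/bundle.pem" "$WORK/server.pem" >/dev/null 2>&1
}

if verify_root_only; then echo "root only: OK"; else echo "root only: FAILS"; fi
if verify_with_intermediate; then echo "root + intermediate: OK"; fi
if verify_with_bundle; then echo "bundle as trust anchors: OK"; fi
```

Replacing the generated files with the server certificate captured from the real SMTP session and the ISP's bundle tells you which certificate is missing from the chain before any module-side experiments.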

Hi,
Can you check the wireshark traces and see whether the certificates are proper or not?
Also make sure your module is up to date using the AT+CCLK command…

Thanks,
Alex

Hello Alex,

how do we initiate wireshark traces? As we see it, wireshark is only useful in ethernet environments whereas Q2687 has no connection to such an environment at all. At least we see no way to “look” from our PC “through” Q2687 on to the GSM network side. Or is there any port of wireshark for Q2687?
The certificates we use are from the currently used certificate-bundle of our ISP. So they should be really “proper”.
The time of our module is surely up to date as we call the time from an NTP-server. So current time should not cause any trouble.

Any further hints are appreciated!

Thanks
Jochen & Harald

Hi,
I guess you are using the developer studio. In that case you can enable the net level traces and see what is happening at the network level.
But in this case I would suggest you contact your distributor/FAE and raise a CRM ticket.

Thanks,
Alex

Hello Alex,

up to now we only used ADL-, HLH- and LLH-traces for debugging. Other traces are somehow cryptic for us. We assume “net level traces” are configured in “Profiles” of the “Traces configuration”. The only point for “net level” seems to be “Internet library”. So we activated it. The attached .JPG-file shows it. The question: Is this the “net level trace” we should use?

The resulting trace (attached .PDF-file, we cleared all entries up to start of e-mail) shows after the “stop of transmission” (6 ADL [evh_tcpServerLocal] WIP_CEV_WRITE) a SEQ entry unknown to us (Bad Fn …). The next two ADL entries are again well known to us. First of them shows the SSL error 5 of the subject. All following entries are new for us. The question is, do they say anything about the underlying error?

Regards

Joachim and Harald
TRACES-COM7-20150727-140819.pdf (22.5 KB)


Hi,
You can set the NET level traces in the ‘level filter’. PFA the image.
If you are using WIP library, then you have to make the following changes in your code to get the proper NET level traces.

wip_netInitOpts(
    WIP_NET_OPT_DEBUG_PORT, WIP_NET_DEBUG_PORT_TRACE,   // send the packet dump to the trace port
    WIP_NET_OPT_DEBUG_PKT_MAXLEN, 1500,                 // maximum size of the dump, so that the DUMP is complete and not broken
    WIP_NET_OPT_END);

r = wip_bearerSetOpts( b, WIP_BOPT_GPRS_APN, GPRS_APN,
    WIP_BOPT_LOGIN, GPRS_USER,
    WIP_BOPT_PASSWORD, GPRS_PASSWORD,
    WIP_BOPT_DEBUG_PKT, TRUE,   // this option sets the DUMP value (enables packet dumping on this bearer)
    WIP_BOPT_END);

Anyways, I strongly recommend you to contact your distributor to get the proper technical support…

Thanks,
Alex

Hi,
PFA the NET trace level in ‘level filter’