Topic: SSL Client not behaving as I would expect...

quattrodave

Afternoon all,

I've recently moved to an MKR GSM 1400, looking to use the GSM to connect to an API where the web server requires TLS 1.2, which I believe the board supports. I was previously using an Uno & SIM800L board that worked fine until I wanted to use SSL.

Problem is the board isn't behaving quite like I'd expect. I'm currently using the GSMSSLWebClient example and only altering the server & path. I currently have antenna, LiPo battery, USB connected & UK o2 data-only SIM card inserted.


MKR GSM 1400 > server:arduino.cc path:/asciilogo.txt = 301 moved permanently.
Postman > server:arduino.cc path:/asciilogo.txt = 200 text logo displayed.

MKR GSM 1400 > server:postman-echo.com path:/get?foo1=bar1&foo2=bar2 = echoed correctly
Postman > server:postman-echo.com path:/get?foo1=bar1&foo2=bar2 = 200 echoed correctly

MKR GSM 1400 > server:mytestapi.co.uk path:/api/post/read_single.php = 'connection failed'
Postman > server:mytestapi.co.uk path:/api/post/read_single.php = 200 data returned


I'm a little confused why I'm receiving the differing results; if I change the port to 80 then they all receive 'connection failed'.

gprs.getIPAddress() will return an IP address
modemTest.getIMEI() will return the IMEI num
scannerNetworks.getCurrentCarrier() will return 'UK o2'
scannerNetworks.getSignalStrength() will return usually between 12 & 18

Am I missing a step somewhere, have I overlooked something? I've tested the SIM in an iPad and it works fine...

Any help or pointers would be greatly appreciated...

Thanks

Dave


This is the code I'm using, it's literally the example...

Code:

#include <MKRGSM.h>

const char PINNUMBER[]     = "";
const char GPRS_APN[]      = "";
const char GPRS_LOGIN[]    = "";
const char GPRS_PASSWORD[] = "";

// initialize the library instance
GSMSSLClient client;
GPRS gprs;
GSM gsmAccess;

char server[] = "arduino.cc";
char path[] = "/asciilogo.txt";
int port = 443;

void setup() {
  // initialize serial communications and wait for port to open:
  Serial.begin(9600);
  while (!Serial) {
    ; // wait for serial port to connect. Needed for native USB port only
  }

  Serial.println("Starting Arduino web client.");
  // connection state
  bool connected = false;

  // After starting the modem with GSM.begin()
  // attach the shield to the GPRS network with the APN, login and password
  while (!connected) {
    if ((gsmAccess.begin(PINNUMBER) == GSM_READY) &&
        (gprs.attachGPRS(GPRS_APN, GPRS_LOGIN, GPRS_PASSWORD) == GPRS_READY)) {
      connected = true;
    } else {
      Serial.println("Not connected");
      delay(1000);
    }
  }

  Serial.println("connecting...");

  // if you get a connection, report back via serial:
  if (client.connect(server, port)) {
    Serial.println("connected");
    // Make a HTTP request:
    client.print("GET ");
    client.print(path);
    client.println(" HTTP/1.1");
    client.print("Host: ");
    client.println(server);
    client.println("Connection: close");
    client.println();
  } else {
    // if you didn't get a connection to the server:
    Serial.println("connection failed");
  }
}

void loop() {
  // if there are incoming bytes available
  // from the server, read them and print them:
  if (client.available()) {
    char c = client.read();
    Serial.print(c);
  }

  // if the server's disconnected, stop the client:
  if (!client.available() && !client.connected()) {
    Serial.println();
    Serial.println("disconnecting.");
    client.stop();

    // do nothing forevermore:
    for (;;)
      ;
  }
}

quattrodave

#1
Aug 16, 2020, 07:17 pm Last Edit: Aug 16, 2020, 07:18 pm by quattrodave
After some head scratching and a fair amount of reading, I think I'm on to something... I enabled the modem debug:

Code:

  MODEM.debug();


Which generates a fair amount of output. However, after comparing the output to the manual to work out what all the codes mean, see below:

Code:

OK
AT+USOCR=6                                                 (socket identifier)     

+USOCR: 0                                                    (not sure why socket appears to change from 6 to 0)

OK
AT+USOSEC=0,1,0                                          (SSL/TLS mode config on TCP socket)

OK
AT+USECPRF=0,0,1                                         (SSL/TLS Connection Properties)                                           

OK
AT+USOCO=0,"mytestapi.co.uk",443                   (Not the real hostname)

ERROR

+UUSOCL: 0
AT+USOCL=0                                                  (Close socket)

ERROR
connection failed

disconnecting.




I think my problem may lie with AT+USECPRF=0,0,1; according to the manual it's SSL/TLS connection properties <profile id>, <op-code>, <param value>.

If I understand it correctly my value means:
<Profile ID 0>,
<0 - No validation; the server certificate will not be checked or verified. The server in this case is not authenticated.>
<1: TLSv1.0; connection allowed only to TLS/SSL servers which support TLSv1.0/TLSv1.1/TLSv1.2>


Now this has me a little concerned, seeing as my webserver ONLY supports TLSv1.2 I believe I need my +USECPRF code to read AT+USECPRF=0,1,3

<Profile ID 0>,
<1: Level 1 - Root certificate validation without URL integrity check. The server certificate will be verified>
<3: TLSv1.2; connection allowed only to TLS/SSL servers which support TLSv1.2>


I hope this all makes sense as I'm getting a little over my head now. Any idea how I can manually set the SSL/TLS connection properties?

Thanks

Dave

quattrodave

#2
Aug 18, 2020, 09:24 pm Last Edit: Aug 18, 2020, 09:35 pm by quattrodave
Cancel the previous post, in my tired state I misread the manual. The code AT+USECPRF=0,0,1 means:

<Profile ID 0>,
<0 - No validation; the server certificate will not be checked or verified. The server in this case is not authenticated.>
<1: TLSv1.0; connection allowed only to TLS/SSL servers which support TLSv1.0/TLSv1.1/TLSv1.2>


But it's requiring TLSv1.0 as a minimum, not only allowing TLSv1.0....!

OK, back to the drawing board.... :(


EDIT:

As it turns out I made a bit of a mistake, I now seem to have non SSL working fine, I was only changing the port from 443 to 80 but I should also have been changing the line:

GSMSSLClient client;

to

GSMClient client;

quattrodave

Right, non SSL looks to be working now, however when I enable GSMSSLClient client; & port 443 I get the following output:

Code:

⸮AT

OK
AT+IPR=921600

OK
AT

OK
AT+UPSV=3

OK
Connecting GSM.
⸮AT

OK
AT+IPR=921600

OK
AT

OK
AT+UPSV=3

OK
AT+CPIN?

ERROR
AT+CPIN?

+CPIN: READY

OK
AT+CMGF=1

OK
AT+UDCONF=1,1

OK
AT+CTZU=1

OK
AT+UDTMFD=1,2

OK
AT+CREG?

+CREG: 0,0

OK
AT+CREG?

+CREG: 0,0

OK
AT+CREG?

+CREG: 0,0

OK
AT+CREG?

+CREG: 0,0

OK
AT+CREG?

+CREG: 0,0

OK
AT+CREG?

+CREG: 0,0

OK

+UMWI: 0,1

+UMWI: 0,2

+UMWI: 0,3

+UMWI: 0,4
AT+CREG?

+CREG: 0,0

OK
AT+CREG?

+CREG: 0,0

OK
AT+CREG?

+CREG: 0,0

OK
AT+CREG?

+CREG: 0,0

OK
AT+CREG?

+CREG: 0,0

OK
AT+CREG?

+CREG: 0,0

OK
AT+CREG?

+CREG: 0,0

OK
AT+CREG?

+CREG: 0,0

OK
AT+CREG?

+CREG: 0,0

OK
AT+CREG?

+CREG: 0,0

OK
AT+CREG?

+CREG: 0,0

OK
AT+CREG?

+CREG: 0,0

OK
AT+CREG?

+CREG: 0,0

OK
AT+CREG?

+CREG: 0,0

OK
AT+CREG?

+CREG: 0,1

OK
AT+UCALLSTAT=1

OK
AT+CGATT=1

OK
AT+UPSD=0,1,""

OK
AT+UPSD=0,6,3

OK
AT+UPSD=0,2,""

OK
AT+UPSD=0,3,""

OK
AT+UPSD=0,7,"0.0.0.0"

OK
AT+UPSDA=0,3

OK
AT+UPSND=0,8

+UPSND: 0,8,1

OK
Connected
Connecting web client: www.arduino.cc/asciilogo.txt443
AT+USECMNG=0,0,"AddTrust_External_CA_Root",1082
>
+USECMNG: 0,0,"AddTrust_External_CA_Root","1d3554048578b03f42424dbf20730a3f"

OK
AT+USECMNG=0,0,"Baltimore_CyberTrust_Root",891
>
+USECMNG: 0,0,"Baltimore_CyberTrust_Root","acb694a59c17e0d791529bb19706a6e4"

OK
AT+USECMNG=0,0,"COMODO_RSA_Certification_Authority",1500
>
+USECMNG: 0,0,"COMODO_RSA_Certification_Authority","1b31b0714036cc143691adc43efdec18"

OK
AT+USECMNG=0,0,"DST_Root_CA_X3",846
>
+USECMNG: 0,0,"DST_Root_CA_X3","410352dc0ff7501b16f0028eba6f45c5"

OK
AT+USECMNG=0,0,"DigiCert_High_Assurance_EV_Root_CA",969
>
+USECMNG: 0,0,"DigiCert_High_Assurance_EV_Root_CA","d474de575c39b2d39c8583c5c065498a"

OK
AT+USECMNG=0,0,"Entrust_Root_Certification_Authority",1173
>
+USECMNG: 0,0,"Entrust_Root_Certification_Authority","d6a5c3ed5ddd3e00c13d87921f1d3fe4"

OK
AT+USECMNG=0,0,"Equifax_Secure_Certificate_Authority",804
>
+USECMNG: 0,0,"Equifax_Secure_Certificate_Authority","67cb9dc013248a829bb2171ed11becd4"

OK
AT+USECMNG=0,0,"GeoTrust_Global_CA",856
>
+USECMNG: 0,0,"GeoTrust_Global_CA","f775ab29fb514eb7775eff053c998ef5"

OK
AT+USECMNG=0,0,"GeoTrust_Primary_Certification_Authority_G3",1026
>
+USECMNG: 0,0,"GeoTrust_Primary_Certification_Authority_G3","b5e83436c910445848706d2e83d4b805"

OK
AT+USECMNG=0,0,"GlobalSign",958
>
+USECMNG: 0,0,"GlobalSign","9414777e3e5efd8f30bd41b0cfe7d030"

OK
AT+USECMNG=0,0,"Go_Daddy_Root_Certificate_Authority_G2",969
>
+USECMNG: 0,0,"Go_Daddy_Root_Certificate_Authority_G2","803abc22c1e6fb8d9b3b274a321b9a01"

OK
AT+USECMNG=0,0,"VeriSign_Class_3_Public_Primary_Certification_Authority_G5",1239
>
+USECMNG: 0,0,"VeriSign_Class_3_Public_Primary_Certification_Authority_G5","cb17e431673ee209fe455793f30afa1c"

OK
AT+USECMNG=2,0,"AmazonRootCA1"

ERROR
AT+USECMNG=0,0,"Starfield_Services_Root_Certificate_Authority_G2",1011
>
+USECMNG: 0,0,"Starfield_Services_Root_Certificate_Authority_G2","173574af7b611cebf4f93ce2ee40f9a2"

OK
AT+USOCR=6

+USOCR: 0

OK
AT+USOSEC=0,1,0

OK
AT+USECPRF=0,0,1

OK
AT+USOCO=0,"www.arduino.cc",443

ERROR

+UUSOCL: 0
AT+USOCL=0

ERROR
connection failed

disconnecting.



The interesting one is there appears to be an error when downloading the AmazonRootCA1 certificate.

Any ideas?
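
One way to triage a MODEM.debug() transcript like the one above is to pair every AT command with its final result code and list the commands that did not end in OK. This is an added example, not part of the original posts or of the MKRGSM library; the function names are this example's own and the sample is an excerpt of the transcript above with blank lines trimmed.

```python
import re

# Excerpt of the MODEM.debug() transcript quoted above (blank lines trimmed).
SAMPLE = """\
AT+USECMNG=0,0,"DST_Root_CA_X3",846
>
+USECMNG: 0,0,"DST_Root_CA_X3","410352dc0ff7501b16f0028eba6f45c5"
OK
AT+USECMNG=2,0,"AmazonRootCA1"

ERROR
AT+USOCR=6
+USOCR: 0
OK
AT+USOSEC=0,1,0
OK
AT+USECPRF=0,0,1
OK
AT+USOCO=0,"www.arduino.cc",443
ERROR

+UUSOCL: 0
AT+USOCL=0
ERROR
connection failed
"""

FINAL = re.compile(r"^(OK|ERROR|\+CM[ES] ERROR: .*)$")

def parse_transcript(text):
    """Pair each AT command with its final result and info/URC lines."""
    exchanges, current = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\u2e2e")  # drop the stray glyph before the first AT
        if not line or line == ">":            # blank line or data-entry prompt
            continue
        if line.startswith("AT"):
            current = {"cmd": line, "info": [], "result": None}
            exchanges.append(current)
        elif current and current["result"] is None and FINAL.match(line):
            current["result"] = line
        elif current and line.startswith("+"):
            current["info"].append(line)       # info response or unsolicited code
        # anything else is the sketch's own Serial output
    return exchanges

def failures(text):
    """Commands that did not finish with OK, in transcript order."""
    return [(e["cmd"], e["result"]) for e in parse_transcript(text)
            if e["result"] != "OK"]

if __name__ == "__main__":
    for cmd, result in failures(SAMPLE):
        print(f"{result or 'no result'}: {cmd}")
```

On this excerpt the report lists the AmazonRootCA1 +USECMNG command first, then the +USOCO connect and the +USOCL close, which puts the earliest failure in the trust-store setup rather than at the socket.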
