How to generate the HTTPS certificates for a site with basic authentication? | Thales IoT Developer Community
July 20, 2015 - 1:27pm, 14530 views
I try to connect to a REST service on a HTTPS server. I do have the certification chain in PEM, but am still not able to make a successful connection.
Here is how I did proceed:
I did add the certificates and jad and jar on flash:
Then go over to add the AT commands:
at^sjmsec?
^SJMSEC: 1,0,1,0
OK
Everything is disabled, so far so good. Enable HTTPS unsecured **** and add the certificates
at^sjmsec="cmd",0B00310001000500020001
OK
at^sjmsec="file",AddHttpsCertificate.bin
OK
at^sjmsec="file",AddHttpsClientCertificateUntrusted.bin
OK
at^sjmsec?
^SJMSEC: 1,1,1,1
OK
Now HTTPS is on for untrusted **** and the certificates are added.
But after starting the midlet I still get that error and have no idea where exactly the problem is (I guess it's the certificate)
System out:
Open page: https://... .com/...
Connection state: UP
-213 SSL-Error: revcd alert fatal error IOE is trown
java.io.IOException: -213 SSL-Error: revcd alert fatal error
- com.sun.midp.ssl.SSLStreamConnection.GenerateException(), bci=82
- com.sun.midp.ssl.SSLStreamConnection.<init>(), bci=264
- com.sun.midp.io.j2me.https.Protocol.connect(), bci=198
- com.sun.midp.io.j2me.http.Protocol.streamConnect(), bci=108
- com.sun.midp.io.j2me.http.Protocol.startRequest(), bci=7
- com.sun.midp.io.j2me.http.Protocol.sendRequest(), bci=33
- com.sun.midp.io.j2me.http.Protocol.sendRequest(), bci=3
- com.sun.midp.io.j2me.http.Protocol.openInputStream(), bci=6
- com.sun.midp.io.ConnectionBaseAdapter.openDataInputStream(), bci=5
- com.fastprk.FastPrk.getViaHttpsConnection(FastPrk.java:374)
- com.fastprk.FastPrk.startApp(FastPrk.java:330)
- javax.microedition.midlet.MIDletTunnelImpl.callStartApp(), bci=1
- com.sun.midp.midlet.MIDletPeer.startApp(), bci=5
- com.sun.midp.midlet.MIDletStateHandler.startSuite(), bci=261
- com.sun.midp.main.AbstractMIDletSuiteLoader.startSuite(), bci=38
- com.sun.midp.main.CldcMIDletSuiteLoader.startSuite(), bci=5
- com.sun.midp.main.AbstractMIDletSuiteLoader.runMIDletSuite(), bci=134
- com.sun.midp.main.AppIsolateMIDletSuiteLoader.main(), bci=26
Is there a straight way to generate the right certificates?
E.g. starting with downloading it from the browser:
Maybe a basic example with e.g. facebook.com would be interesting.
BTW that is the code:
protected void startApp() {
    System.out.println("startApp begin");
    initGsm();
    ...
    System.out.println("Open page: " + httpsUrl);
    try {
        getViaHttpsConnection(httpsUrl);
        if(!followUrl.equalsIgnoreCase(""))
            getViaHttpsConnection(followUrl);
    } catch (CertificateException ce) {
        System.out.println(ce.getMessage() + " CE is trown");
        ce.printStackTrace();
    } catch (IOException ioe) {
        System.out.println(ioe.getMessage() + " IOE is trown");
        ioe.printStackTrace();
    }
}

void getViaHttpsConnection(String url) throws CertificateException, IOException {
    HttpsConnection c = null;
    InputStream is = null;
    try {
        c = (HttpsConnection) Connector.open(url);
        c.setRequestProperty("Accept", "application/json");
        c.setRequestProperty("Authorization", "Basic "+ nameAndPwdBase64 );
        is = c.openDataInputStream();
        if (c.getResponseCode() == HttpConnection.HTTP_OK) {
            // Get the length and process the data
            int len = (int) c.getLength();
            if (len > 0) {
                byte[] data = new byte[len];
                is.read(data);
            } else {
                System.out.println("Data: ");
                int ch;
                ..
            }
            System.out.println("Message: " + c.getResponseMessage() + " Type: " + c.getType());
        } else {
            System.out.println("Error code: " + c.getResponseCode() + " Message: " + c.getResponseMessage() + " Type: " + c.getType());
        }
    } finally {
        if (is != null) {
            is.close();
        }
        if (c != null) {
            c.close();
        }
    }
}
Hello,
Could you please check with ATI1 command what firmware version you are currently using?
If there is any update I will send it to you.
Regards,
Bartłomiej
Hello. I am having some problems with certificates too. Still don't know, maybe I'm simply doing something wrong. I decided to begin my investigation with firmware - is it old?
ati1
Cinterion
EHS6-A
REVISION 03.001
A-REVISION 00.000.14
OK
If so, could you please send me new version?
Hello Vladimir,
I've sent you the update. But what exactly is the problem that you have? Please write more.
Regards,
Bartłomiej
Hello Bartłomiej,
Thanks for the update, but unfortunately this didn't help. My problem - I can't send some REST data to our Azure IOT service.
Here is what I'm doing:
We use MS certificate (https://github.com/Azure/azure-iot-sdks/blob/master/c/certs/ms.der). First of all, I'm changing it to be understandable by modem:
java -jar jseccmd.jar -cmd AddHttpsCertificateUntrusted -filename ./ms.der > server.bin
After that:
Enable HttpsVerifyOnUntrusted:
at^sjmsec="cmd", 0B00310001000500020001
OK
Add new certificate:
at^sjmsec="file",server.bin
OK
Reset modem;
And now these are my commands to gsm:
at
OK
at^sjmsec?
^SJMSEC: 1,1,1,1
OK
AT^SICS=0,"conType","gprs0"
OK
AT^SICS=0,"apn","internet"
OK
AT^SISS=0,"srvType","HTTP"
OK
AT^SISS=0,"conId",0
OK
AT^SISS=0,"address","https://relockIoT.azure-devices.net/devices/relock1/messages/events?api-..."
OK
AT^SISS=0,"cmd","post"
OK
AT^SISS=0,"hcProp","Content-Type: application/json\\0d\\0aHost: relockIoT.azure-devices.net\\0d\\0aAuthorization: SharedAccessSignature sr=relockIoT.azure-devices.net%2fdevices%2frelock1&sig=5dWQRrlkR%2fxxJNB83VVteiMUpV1UvE9s33sb3kSi3e0%3d&se=1497808391"
OK
AT^SISS=0, "hcContLen", 16
OK
AT^SISO=0
OK
^SIS: 0,0,2200,"Http relockIoT.azure-devices.net:443"
^SISW: 0,1
AT^SISW=0,16
>> here I'm sending {"*****":"true"}
^SISW: 0,16,0
OK
^SISW: 0,1
AT^SISW=0,0,1
^SISW: 0,0,0
OK
^SISW: 0,2
^SIS: 0,0,2200,"HTTP POST: https://relockIoT.azure-devices.net/devices/relock1/messages/events?api-..."
^SIS: 0,0,8002,"HttpHTTP POST: IOException ;IOError -123 during socket::write \0a"
This error is with the new firmware. When I was using the old A-REVISION 00.000.14, instead of
^SIS: 0,0,8002,"HttpHTTP POST: IOException ;IOError -123 during socket::write \0a"
I had here ^SIS: 0,0,8002, "HttpHTTP POST: IOException SSL: underlaying socket closed"
I don't have any java programs in EHS6. Authorization Key for access for this temporary device and server address are valid - we've tested it with another desktop app.
Hello,
Thank you for the detailed description.
I have also tried your scenario with the same result. However on the pcap traces I can see that the server breaks the connection just after "Client Hello" message sent by the module. But as you have tested it successfully with other application it seems that that server "doesn't like" this ***** message for some reason. So any workaround I can think of at the moment would need to include the reconfiguration of the server.
As you have probably seen on this forum there were already some similar problems with TLS communication reported. These issues are already investigated and some changes are prepared. I've also had an opportunity to test this scenario with some beta version - the communication was established, some data transferred and finally there was a reply including "HTTP-CODE: 401", so I was not authorized to access this address but still it was possible to establish the connection and exchange some data.
We are constantly improving our products and this forum is also a precious source of information but unfortunately any statements about the planned official releases and dates are not public.
Best regards,
Bartłomiej
Hello,
Thank you for the information.
For MS Azure it is really important to have right time\data in a client. When you were testing beta version - did your module have right time? It didn't help for my case, but maybe it can help with 401 error.
And about test with another application - you can easily check, that this security key is working with same message with curl:
curl -X POST -H "Host: relockIoT.azure-devices.net" -H "Authorization: SharedAccessSignature sr=relockIoT.azure-devices.net%2fdevices%2frelock1&sig=5dWQRrlkR%2fxxJNB83VVteiMUpV1UvE9s33sb3kSi3e0%3d&se=1497808391" -H "Content-Type: application/json" -d '{"*****": "true"}' "https://relockIoT.azure-devices.net/devices/relock1/messages/events?api-version=2016-02-03"
And another question - this problem with EHS6-A, is it a problem with only this module? If we switch to the new ELS31 or ELS61 - do they have the same issue?
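Why the client clock matters for the SharedAccessSignature header used in the commands above, as an added sketch that is not part of any post in this thread: the se field is a Unix expiry time covered by the signature, so a device that builds its token from an unset clock produces one that is already expired. The key, hub name, timestamps and the check_sas model of the service-side check are constructed assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

PREFIX = "SharedAccessSignature "

def _sign(key_b64, sr_encoded, expiry):
    # HMAC-SHA256 over "<url-encoded resource>\n<expiry>", keyed with the decoded key
    msg = f"{sr_encoded}\n{expiry}".encode()
    mac = hmac.new(base64.b64decode(key_b64), msg, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def make_sas(resource, key_b64, client_now, ttl=3600):
    """Token as a device would build it: 'se' comes from the device's own clock."""
    expiry = int(client_now) + ttl
    sr = quote(resource, safe="")
    sig = quote(_sign(key_b64, sr, expiry), safe="")
    return f"{PREFIX}sr={sr}&sig={sig}&se={expiry}"

def parse_sas(header):
    """Split the header value into url-decoded fields sr, sig and se."""
    if not header.startswith(PREFIX):
        raise ValueError("not a SharedAccessSignature header")
    pairs = (p.partition("=") for p in header[len(PREFIX):].split("&"))
    return {k: unquote(v) for k, _, v in pairs}

def check_sas(header, key_b64, server_now):
    """Simplified model of a service-side check: signature first, then expiry."""
    f = parse_sas(header)
    expected = _sign(key_b64, quote(f["sr"], safe=""), f["se"])
    if not hmac.compare_digest(expected, f["sig"]):
        return "bad signature"
    return "ok" if int(f["se"]) > server_now else "expired"

# Constructed sample values, not taken from the thread
KEY = base64.b64encode(b"constructed-device-key").decode()
RESOURCE = "example-hub.azure-devices.net/devices/dev1"
SERVER_NOW = 1_497_800_000   # the service's idea of "now"
UNSET_RTC = 1_072_915_200    # device clock stuck at 2004-01-01 00:00:00 UTC

if __name__ == "__main__":
    # Same key and resource; only the clock used to compute 'se' differs.
    print(check_sas(make_sas(RESOURCE, KEY, SERVER_NOW), KEY, SERVER_NOW))
    print(check_sas(make_sas(RESOURCE, KEY, UNSET_RTC), KEY, SERVER_NOW))
```

Because se is part of the signed string, editing it in an existing token does not extend the token; a new signature has to be computed with the key.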
Hello,
From curl I get "HTTP/1.1 204 No Content" and now I can get "HTTP-CODE: 204" from the module also. There was a problem with hcProp formatting.
As far as I know the ELS modules should not have these issues as they are based on newer libraries.
Regards,
Bartłomiej
Hello,
This is great news, looking forward to the new fixed firmware. Thank you for your help.
Bartłomiej,
Hello. I know, that new firmware is not ready yet. But now we are tuning up some code of our project. Could you please tell me, when you got HTTP-CODE: 204:
Have you used a client certificate?
Have you set up a server certificate?
Have you used any additional (to the ones that I posted above) AT commands?
Bartłomiej,
Hello. I've got an ELS61-E Eval board with ELS61-E B2.1 for test. And with the same commands I still have the same error that I've described in this topic above -
"^SIS: 0,0,8002,"HttpHTTP POST: IOException ;IOError -123 during socket::write \0a""
My questions are:
Which Gemalto GSM module can work with MS Azure?
What does "IOException ;IOError -123 during socket::write \0a" mean?
We really like Gemalto's modules, but we do not have time to check every module or wait months for some firmware updates. If they can't work with Azure, then we will have to look to other brands.