PLS62-W Connection to AWS CloudFront | Thales IoT Developer Community
October 30, 2020 - 11:30am, 3780 views
Hello,
We use PLS62-W:
Cinterion
PLS62-W
REVISION 02.000
We need to connect to AWS CloudFront (TLS 1.2) and haven't had any success. Reason: Terminal requires RSA keys and doesn't support ECDH ***** (verified on another server).
Is there any firmware update which allows us to work with AWS CloudFront with at least profile TLSv1?
List of supported ciphers of AWS CloudFront:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secur...
Thanks for your answer.
Erika
Hello,
PLS62-W should support TLS 1.2. You can find the supported cipher suites listed in the Java User's Guide document. Please visit this site if you don't have the document: https://iot-developer.thalesgroup.com/documentation/download-documentati...
What is the result of the connection? What is the exception thrown?
Please check the detailed firmware version with ATI1.
Best regards,
Bartłomiej
Hello Bartłomiej,
Thanks for your answer.
Result of ATI1:
Cinterion<\r><\n>
PLS62-W<\r><\n>
REVISION 02.000<\r><\n>
A-REVISION 01.000.02<\r><\n>
<\r><\n>
OK<\r><\n>
I have no idea how to check the result of the connection and the exception thrown.
I open the connection with At^SISO=4 and check the result with AT^SISI?.
What I got: for some seconds ^SISI=4,3,.. then ^SISI=4,6
Maybe I have some incorrect configuration settings?
AT^SCFG?<\r><\r><\n>
^SCFG: "GPRS/AutoAttach","disabled"<\r><\n>
^SCFG: "Gpio/****/ASC1","std"<\r><\n>
^SCFG: "Gpio/****/DCD0","std"<\r><\n>
^SCFG: "Gpio/****/DSR0","gpio"<\r><\n>
^SCFG: "Gpio/****/DTR0","gpio"<\r><\n>
^SCFG: "Gpio/****/FSR","gpio"<\r><\n>
^SCFG: "Gpio/****/HWAKEUP","gpio"<\r><\n>
^SCFG: "Gpio/****/PULSE","gpio"<\r><\n>
^SCFG: "Gpio/****/PWM","gpio"<\r><\n>
^SCFG: "Gpio/****/RING0","gpio"<\r><\n>
^SCFG: "Gpio/****/SPI","rsv"<\r><\n>
^SCFG: "Gpio/****/SYNC","std"<\r><\n>
^SCFG: "Ident/Manufacturer","Cinterion"<\r><\n>
^SCFG: "Ident/Product","PLS62-W"<\r><\n>
^SCFG: "MEShutdown/Fso","0"<\r><\n>
^SCFG: "MEShutdown/sVsup/threshold","0","0"<\r><\n>
^SCFG: "MEopMode/CFUN","0","1"<\r><\n>
^SCFG: "MEopMode/CregRoam","0"<\r><\n>
^SCFG: "MEopMode/ExpectDTR","current"<\r><\n>
^SCFG: "MEopMode/ExpectDTR","powerup"<\r><\n>
^SCFG: "MEopMode/Prov/AutoSelect","off"<\r><\n>
^SCFG: "MEopMode/Prov/Cfg","attus"<\r><\n>
^SCFG: "MEopMode/RingOnData","off"<\r><\n>
^SCFG: "MEopMode/SoR","off"<\r><\n>
^SCFG: "MeOpMode/SRPOM","0"<\r><\n>
^SCFG: "Radio/Band/2G","0x00000074"<\r><\n>
^SCFG: "Radio/Band/3G","0x0004019B"<\r><\n>
^SCFG: "Radio/Band/4G","0x080E08DF"<\r><\n>
^SCFG: "Radio/Mtpl/2G","0"<\r><\n>
^SCFG: "Radio/Mtpl/3G","0"<\r><\n>
^SCFG: "Radio/Mtpl/4G","0"<\r><\n>
^SCFG: "Radio/OutputPowerReduction","4"<\r><\n>
^SCFG: "RemoteWakeUp/Ports","current"<\r><\n>
^SCFG: "RemoteWakeUp/Ports","powerup"<\r><\n>
^SCFG: "Serial/Ifc","0"<\r><\n>
^SCFG: "Serial/Interface/Allocation","1","1"<\r><\n>
^SCFG: "Serial/USB/DDD","0","0","0409","1E2D","005B","Cinterion Wireless Modules","PLSx",""<\r><\n>
^SCFG: "Tcp/IRT","3"<\r><\n>
^SCFG: "Tcp/MR","10"<\r><\n>
^SCFG: "Tcp/OT","600"<\r><\n>
^SCFG: "Tcp/WithURCs","on"<\r><\n>
^SCFG: "Trace/Syslog/OTAP","0"<\r><\n>
^SCFG: "Urc/Ringline","local"<\r><\n>
^SCFG: "Urc/Ringline/ActiveTime","2"<\r><\n>
^SCFG: "Userware/Autostart","1"<\r><\n>
^SCFG: "Userware/Autostart/Delay","0"<\r><\n>
^SCFG: "Userware/DebugInterface","0.0.0.0","0.0.0.0","0"<\r><\n>
^SCFG: "Userware/DebugMode","off"<\r><\n>
^SCFG: "Userware/Passwd",<\r><\n>
^SCFG: "Userware/Stdout","null",,,,"off"<\r><\n>
^SCFG: "Userware/Watchdog","0"<\r><\n>
<\r><\n>
OK<\r><\n>
Best regards
Erika
Hello Erika,
I have incorrectly assumed that you are using a Java MIDlet. That is why I asked you about the exception. Anyway the cipher suites described in the document also refer to AT commands. Would it be possible to paste a log from the connection attempt? Can you also check AT^SISE=<srvProfileId> reply after the fail? BTW AWS cloud probably requires mutual authentication. So you also need to have the client certificate installed on the module.
Best regards,
Bartłomiej
Hello Bartłomiej,
We set up a server with TLS without certificates and a defined list of accepted ciphers to test our terminal. So we try to get data via http:
>> ATI1
Cinterion
PLS62-W
REVISION 02.000
A-REVISION 01.000.02
OK
>> AT+CREG=2
OK
>> AT+CGATT=0
OK
>> AT^SMONI
^SMONI: 3G,10564,438,-8.0,-101,262,02,03FE,295BA5F,10,14,NOCONN
OK
>> AT+CREG?
+CREG: 2,5,"03FE","0295BA5F",6
OK
>> AT^SJMSEC?
^SJMSEC: 1,0,1,0,0,0
OK
>> AT+CGDCONT=1,"IP","aer.aerisapn.eu"
OK
>> AT^SICA=1,1
OK
>> AT+CGPADDR=1
+CGPADDR: 1,"10.132.119.54"
OK
>> AT^SISS=4,srvType,"Http"
OK
>> AT^SISS=4,conId,1
OK
>> AT^SISS=4,cmd,"get"
OK
>> AT^SISS=4,address,"https://test2.solarpump.de"
OK
AT^SIO=4
OK
>> AT^SISI?
^SISI: 4,6,0,0,0,0
OK
>> AT^SISE=4
^SISE: 4,200,"INT:error in sendRequest -313 SSL-Error: revcd alert fatal error"
OK
>> AT^SISC=4
OK
With this cipher list we got the error:
If we remove the entry !kRSA we could get our data.
By the way, in the folder Java_SDK/PLS62-W/PLS62_W_REL2 I found folders named pls62w_rel2_arn1.000.04. Do I have to update the Java MIDlet?
Best regards
Erika
Hello Bartłomiej,
sorry for the long list in the previous comment...
Here is some additional information for the Java MIDlet:
Installed:
AT^SJAM=4
^SJAM: "SLAE.jad","SL Agent Module Services","Gemalto M2M GmbH","2.1.9",0,429531,0,0
^SJAM: "a:/JRC-1.62.01.jad","Java Remote Control MIDletSuite","Cinterion ","1.62.01",1,592706,0,1
OK
Running:
AT^SJAM=5
^SJAM: "a:/JRC-1.62.01.jad","Java Remote Control MIDlet Suite","Cinterion","1.62.01",1,1
OK
According to the error
^SISE: 4,200,"INT:error in sendRequest -313 SSL-Error: revcd alert fatal error"
it seems to be a problem with the cipher list.
Best Regards
Erika
Hello,
It must be somehow related to the cipher suites based on what you have tested. But to know more we'd have to have a TCP trace. It looks like the module received an alert frame with a fatal error from the server. So the server closed the connection for some reason. There may be more dependencies than just cipher suites. So it may not be that obvious. Anyway it seems that it was a server decision to close.
It's good that you have found the configuration that works.
As for the firmware there are newer versions released but you don't have to update.
Regards,
Bartłomiej
Hello Bartłomiej,
We temporarily set up our own HTTPS server to check the connection with the ciphers AWS Cloud supports. So we can't change the configuration on our HTTPS server. Now we are going to make a TCP trace.
We communicate with our PLS62-W only with AT commands via the serial port without having installed any other software.
Best regards
Erika
Hello Bartłomiej,
now we have the TCP trace, how can I send you the file?
Hello Bartłomiej,
I checked the connection also with curl --> it seems we need TLS1.2
Hello Erika,
It looks to me that the server is closing the connection, possibly just after receiving the Client Hello message. So that would mean that the server does not accept the Client Hello contents with regard to the current server configuration; maybe something is missing that is required by the server config. So it is more to be analyzed on your side. It's not only the cipher suite that matters, there can be more puzzle pieces like signature algorithm, elliptic curves and maybe more. Are you able to make a successful connection with any other device or curl?
Regards,
Bartłomiej
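The analysis suggested in the last reply, as an added example that is not part of the thread and not Thales code: parse the ClientHello taken from a TCP trace, then compare the offered cipher suites and extensions with what the server accepts. The suite subset, the sample ClientHello bytes and the ECDHE-only server policy are constructed for illustration; they are not the PLS62-W's or CloudFront's actual lists.

```python
# Added example: function names, suite subset and sample bytes are constructed.
SUITES = {0x002F: "RSA", 0x0035: "RSA", 0x003C: "RSA", 0x009C: "RSA",
          0xC027: "ECDHE", 0xC02F: "ECDHE", 0xC030: "ECDHE"}  # IANA ID -> key exchange
EXT_NAMES = {0x000A: "supported_groups", 0x000D: "signature_algorithms"}

def u(b):  # big-endian unsigned integer
    return int.from_bytes(b, "big")

def parse_client_hello(record):
    """Extract version, offered cipher suites and extension types from one TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:9 + u(record[6:9])]
    if len(body) != u(record[6:9]):
        raise ValueError("ClientHello is truncated or split across records")
    pos = 34                                  # skip client_version (2) + random (32)
    pos += 1 + body[pos]                      # skip session_id
    n = u(body[pos:pos + 2]); pos += 2
    suites = [u(body[i:i + 2]) for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + body[pos]                      # skip compression_methods
    exts = []
    if pos < len(body):                       # the extensions block is optional
        end = pos + 2 + u(body[pos:pos + 2]); pos += 2
        while pos + 4 <= end:
            exts.append(u(body[pos:pos + 2]))
            pos += 4 + u(body[pos + 2:pos + 4])
    return {"version": tuple(body[:2]), "suites": suites, "extensions": exts}

def diagnose(hello, server_suites):
    """Compare the client's offer with the set of suite IDs a server accepts."""
    common = [s for s in hello["suites"] if s in server_suites]
    return {
        "client_kx": sorted({SUITES.get(s, "unknown") for s in hello["suites"]}),
        "common": common,                     # suites both sides could agree on
        "no_shared_suite": not common,        # server has nothing it can select
        "missing_ext": [name for t, name in EXT_NAMES.items() if t not in hello["extensions"]],
    }

def build_sample(suites, exts):               # constructed TLS 1.2 ClientHello, zero random
    body = b"\x03\x03" + bytes(32) + b"\x00" + (2 * len(suites)).to_bytes(2, "big")
    body += b"".join(s.to_bytes(2, "big") for s in suites) + b"\x01\x00"
    body += len(exts).to_bytes(2, "big") + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

# Constructed client: RSA key exchange only, signature_algorithms but no supported_groups.
SAMPLE = build_sample([0x002F, 0x0035, 0x003C, 0x009C], bytes.fromhex("000d000400020401"))
ECDHE_ONLY = {0xC027, 0xC02F, 0xC030}         # constructed policy, like a "!kRSA" list
print(diagnose(parse_client_hello(SAMPLE), ECDHE_ONLY))
```

With a real trace, pass the bytes of the first client-to-server TLS record to `parse_client_hello` and the server's configured suite IDs to `diagnose`.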