New BGS5T modems won't connect SSL | Thales IoT Developer Community
October 22, 2020 - 6:26am, 852 views
Good afternoon.
Problem with SSL connection in Java application.
17 BGS5T modems work correctly with the application.
Cinterion
BGS5
REVISION 01.100
A-REVISION 00.000.10
New BGS5T modems were purchased
Cinterion
BGS5
REVISION 01.100
A-REVISION 00.001.36
The Java application has stopped working correctly.
Through debugging it turned out that SSL certification does not pass.
Exception on connection: java.io.IOException: Certificate does not contain the correct site name.
Used connection libraries:
javax.microedition.io.Connector;
javax.microedition.io.SecureConnection;
connection = (SecureConnection) Connector
        .open(new StringBuffer("ssl://")
                .append(SunHelixBGS.host)
                .append(":")
                .append(_port)
                .append(";")
                .append(operator.getConnectionProfile())
                .toString());
connection = ssl://*****.ulges.ru:1***4;bearer_type=gprs;access_point=internet;timeout=60
Please help with solving this problem.
Hello,
Is the new version configured the same, does it connect to the same address, is the same certificate installed on the module?
This exception happens when the certificate sent by the server does not contain the domain name to which the module connects.
Regards,
Bartłomiej
It connects to the same address. The same application is used on all modems.
Custom certificates were not installed on any modem.
AT^SJMSEC?
^SJMSEC: 1,0,1,0
Hello,
Please check the server certificate details in your MIDlet to find out if this is the right one for the domain you connect to. I have one suspicion: if the server hosts many domains on a single IP address, it is possible that it can send the wrong certificate to the module, as it does not support SNI. So the server does not know during the TLS handshake which certificate to send.
That would also mean that there must have been a change in the firmware - the previous one was not verifying the domain name against the received certificate and this one does check the CN and SAN fields of the certificate during the TLS handshake even though the server certificate verification is switched off on the module and not performed.
Best regards,
Bartłomiej
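The failure mode suspected in the last reply, modelled offline as an added example that is not part of the original thread or of the module's firmware: a server hosting several domains on one address returns its default certificate when the client sends no SNI, and a CN/SAN check against the requested host then fails. All hostnames and certificate contents are constructed, the certificate dictionaries follow the layout of Python's `ssl.getpeercert()`, and the matching rule (SAN entries first, CN as fallback, wildcard only as the whole left-most label) is an assumption about typical client behaviour.

```python
# Added illustration; hostnames and certificate contents are constructed.

def name_matches(pattern, host):
    """Compare one certificate name with a host, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":  # wildcard covers exactly one label, never a bare TLD
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """Names to check: DNS SAN entries if present, otherwise the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def check_site_name(cert, host):
    return any(name_matches(n, host) for n in cert_names(cert))

def select_cert(vhosts, default, sni=None):
    """Server side: without SNI only the default certificate can be chosen."""
    return vhosts.get(sni.lower(), default) if sni else default

# Constructed server: two virtual hosts sharing one IP address.
DEFAULT = {"subject": ((("commonName", "portal.example.net"),),),
           "subjectAltName": (("DNS", "portal.example.net"),)}
API = {"subject": ((("commonName", "*.example.org"),),),
       "subjectAltName": (("DNS", "*.example.org"),)}
VHOSTS = {"api.example.org": API, "portal.example.net": DEFAULT}

def diagnose(host, sends_sni):
    """Return (name check result, names in the certificate the client received)."""
    cert = select_cert(VHOSTS, DEFAULT, host if sends_sni else None)
    return check_site_name(cert, host), cert_names(cert)

if __name__ == "__main__":
    for sends_sni in (True, False):
        ok, names = diagnose("api.example.org", sends_sni)
        print("SNI sent:", sends_sni, "| names in cert:", names, "| match:", ok)
```

Against a real server the same comparison can be made from a PC by fetching the certificate once with and once without the server name in the handshake and comparing the CN and SAN fields of the two results.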