SSL Error: "INT:error in sendRequest -313 SSL-Error: revcd alert fatal error" | Thales IoT Developer Community
October 31, 2017 - 2:34am, 3634 views
Hello,
We get the SSL error ^SIS: 0,0,210,"INT:error in sendRequest -313 SSL-Error: revcd alert fatal error" while trying to connect to the following URLs:
https://httpbin.org/get?show_env=1
https://uihb0ja7x2.execute-api.ap-southeast-1.amazonaws.com/csr/
Boards Tested to reproduce the error
ELS61-E (Cinterion, ELS61-E, REVISION 01.000, A-REVISION 00.014.00)
EHS6 (Cinterion,EHS6,REVISION 03.001,A-REVISION 00.000.51)
EHS8 (Cinterion,EHS8,REVISION 03.001,A-REVISION 00.000.51)
Steps to reproduce:
AT^SISS=0,srvType,"Http"
OK
AT^SISS=0,conId,"0"
OK
AT^SISS=0,address,"https://httpbin.org/get?show_env=1"
OK
AT^SISS=0,cmd,"get"
OK
AT^SISO=0
OK
at^SISO=0
OK
^SIS: 0,0,2200,"Http httpbin.org:443"
^SIS: 0,0,210,"INT:error in sendRequest -313 SSL-Error: revcd alert fatal error"
at^SISC=0
OK
at^SISS=0,address,"https://uihb0ja7x2.execute-api.ap-southeast-1.amazonaws.com/csr/"
OK
at^SISO=0
OK
^SIS: 0,0,2200,"Http uihb0ja7x2.execute-api.ap-southeast-1.amazonaws.com:443"
^SIS: 0,0,210,"INT:error in sendRequest -313 SSL-Error: revcd alert fatal error"
at^SISC=0
OK
However the following URL works fine:
at^SISS=0,address,"https://www.google.com"
OK
at^SISO=0
OK
^SIS: 0,0,2200,"Http www.google.com:443"
^SIS: 0,0,2200,"redirect to: https://www.google.com.sg/?gfe_rd=cr&dcr=0&ei=KZz2WaaSKoLaugTvyofAAg"
^SISR: 0,1
at^SISR=0,1000
^SISR: 0,1000
<!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en-SG"> <head> <meta content="application/xhtml+xml; charset=UTF-8" http-equiv="Content-Type"/> <title>Google</title> <link href="/images/branding/product/ico/googleg_lodp.ico" rel="shortcut icon"/> </head> <body style="font-family:Arial,Helvetica,sans-serif;font-size:small;text-align:center"> <div style="text-align:center"> <div> <img src="/images/branding/searchlogo/1x/googlelogo_mobile_tier3_hp_color_150x53dp.gif" height="53" id="hplogo" width="150"/> </div> <div> <form style="background:none" action="/search" id="tsf" method="GET" name="gs" role="search"> <input name="dcr" value="0" type="hidden"/><input name="ie" value="ISO-8859-1" type="hidden"/> <div> <input size="20" id="lst-ib" name="q" type="text" value=""/> </div> <div> <input value="Search" maxlength="2048" name="btnG" type="submit"/> </div> </form> </div> <div
OK
at^SISC=0
OK
Please advise if there is any configuration that will help to resolve the SSL handshake issue.
Thanks & Best Regards.
Sridharan
Hello,
As for amazonaws.com, mutual authentication is required to connect, and this would also not work from the web browser.
Here you can find the tutorial for this (it was tested and should work with these modules):
https://iot-developer.thalesgroup.com/showcase/concept-board-connection-...
I have tested the httpbin.org connection with EHS6 and ELS61 modules and the result is unfortunately the same as you have. There must be some problem with TLS negotiation, the cipher suite offered by the server or similar. But the user application has no influence on that. This issue will be analyzed by Gemalto and if necessary some changes will be introduced in some future release.
Best regards,
Bartłomiej
Hello,
Has there been any news regarding this issue? I had this problem accessing one server, now tried httpbin.org and it is exactly the same error. I have different hardware, but all else looks the same.
EHS5-E
REVISION 03.001
A-REVISION 00.000.51
And if I try through midlet, I get the same error:
java.io.IOException: error in sendRequest -313 SSL-Error: revcd alert fatal error
- com.sun.midp.io.j2me.http.Protocol.sendRequest(), bci=266
- com.sun.midp.io.j2me.http.Protocol.sendRequest(), bci=3
- com.sun.midp.io.j2me.http.Protocol.getResponseCode(), bci=11
If the problem is with automatic negotiating TLS version or cipher suite with some servers, is there a way to force using specific settings?
Best Regards,
Tomislav
Hello,
I have tested your scenario with httpbin.org with A-REVISION 00.000.55 and unfortunately got the same. For google.com on the other hand it was working fine.
I have a pcap trace from the module. Just after the module sends the 'Client Hello' message, which includes the information about supported TLS version, cipher suites and extensions, the server replies with an 'Alert' message and finishes the connection.
For now it's all I know. There's no valuable information in the message from the server. The reason could be that it requires some cipher suite or extension that is not supported by the module, or there is some other reason why this server does not like the 'Client Hello' from the module.
Regards,
Bartłomiej
Hello,
Thanks for the analysis.
I have seen a few similar issues that were related to SNI support, e.g. https://iot-developer.thalesgroup.com/threads/https-tcp-connection-migra...
Now I have run online test with this: https://www.ssllabs.com/ssltest/analyze.html?d=httpbin.org&s=52.72.145.1...
It shows that clients which don't support SNI fail at handshake. And exactly the same result for domain that I also tried to use: https://www.ssllabs.com/ssltest/analyze.html?d=showcase%2dalpha.io.parqu...
Same test says google.com can use TLS 1.0 with all listed clients: https://www.ssllabs.com/ssltest/analyze.html?d=google.com&s=172.217.164.110
Is SNI the problem, and if it is, what can be done to solve this?
Regards,
Tomislav
Hello,
This sounds very reasonable. Gemalto modules do not support SNI. So this may be the reason why the connection is rejected just after Client Hello (which does not contain the SNI extension). In this case the only solution I can imagine must be on the server side. I think that you'd have to contact your local Gemalto office or supplier to report such a problem/requirement and ask if it could be provided.
Best regards,
Bartłomiej