Is there an example available for SSL on the DE910? I see a simple example in Telit IP Easy User Guide, “HTTP GET over SSL / TLS Example”, but it does not work on the DE910. For example, AT+CGDCONT is not supported on the DE910 according to the command reference.
I am trying to connect to the example.com website using HTTPS and its CA certificate “DigiCert High Assurance EV Root CA”, as follows:
AT+CGDCONT is a GPRS specific command, has no relevance and use for a CDMA module.
What firmware version pease (At+CGMR)?
@Cosmin, I am running 15.00.026.
@Cosmin, I am running 15.00.026.
Hello Mat,
Please see my log below to get the DE910 to work.
I have also attached the DER file as well.
Warning – the product series HE920 / UE910 V2/ DE910 do not support
TLS_RSA_WITH_NULL_SHA and TLS_RSA_WITH_AES_256_CBC_SHA
Warning – the product series HE920 / UE910 V2/ DE910 do not support
SHA-2
Please refer to the Telit SSL/TLS User Guide Section 3.2
AT+CGMM DE910-DUAL
OK AT+CGMR 15.00.026
OK
AT#SSLEN? #SSLEN: 1,1
OK AT#SSLSECDATA=1,1,1,826
> 0‚60‚Ÿ 6″–Åã8¥ ¡Ò_L× T0 *†H†÷
Certification Services Division1!0UThawte Premium Server CA1(0& *†H†÷ premium-server@thawte.com0Ÿ0 *†H†÷ ñ¸ì±åU€¬=RÈ9ÂðÀOÖ‚uŒ½_ÒÜvšÉ¯rÃÜ%~¤MŽ¥à‡ášZá`Üd#<B.M OK
AT#SSLSECCFG=1,3,1,0 OK AT#SSLD=1,443,”ssltest28.bbtest.net”,0,0
CONNECT
OK AT#SSLH=1
OK
Cheers
Nick Tart
Thanks for the example. I seem to have some basic problems with SSLEN. When I try to enable it, I get an error stating it is already activated, but the query command shows it is not enabled. If I try to disable it, I get a “generic” error. See the following command sequence. Any ideas why this could be?
at+cgmm
DE910-DUAL
OK
at+cgmr
15.00.026
OK
at#sslen?
#SSLEN: 1,0
OK
at#sslen=1,1
ERROR
at+cmee=2
OK
at#sslen=1,1
+CME ERROR: SSL already activated
at#sslen=1,0
+CME ERROR: SSL generic error
at#sslseccfg?
#SSLSECCFG: 1,0,0,1
OK
at#sslcfg?
#SSLCFG: 1,1,300,90,100,50,1,0,0,0
OK
Hello Mat,
This is error generally given when you have already activated your PDP Context as see below.
at+gmr
15.00.026
OK at#sgact=1,1 #SGACT: “10.204.3.66”
OK at#sslen=1,1 ERROR at+cmee=2 OK at#sslen=1,1 +CME ERROR: SSL already activated
Cheers
Nick,
A few more questions:
I have SSL/TLS User Guide rev 6, and it does not include DE910 in the list of supported devices. Is there a newer revision? Where did you find additional restrictions you stated at the front of your message?
You are using DER format, while I was using PEM. Should that matter? I couldn’t make it past the SSLEN, so I didn’t ask in the previous reply.
Thanks.
Hello Mat,
I have attached the most recent SSL Guide and it is a preference with format that you would like to use.
Cheers Nick Tart
After reloading the current firmware (15.00.026), I no longer get the “operation not supported” error, but now I get “ERROR: SSL error during handshake”. I have been able to get other SSL connections to work. Here is the complete transcript, and the PEM format certificate is attached.
A SSL handshake error can take place for several reasons.
The most common reasons are due to:
1) incorrect CA certificate (not the true root)
OR more likely
2) During the handshake process, the server is sending a certificate that requires SHA-256 signature algorithm support, but the DE910 SSL client only supports SHA-1, so the handshake will fail.
Can you verify and confirm that the server requires SHA-256 signature algorithm support?
Hi Mat,
Your steps appear to be correct.
A SSL handshake error can take place for several reasons.
The most common reasons are due to:
1) incorrect CA certificate (not the true root)
OR more likely
2) During the handshake process, the server is sending a certificate that requires SHA-256 signature algorithm support, but the DE910 SSL client only supports SHA-1, so the handshake will fail.
Can you verify and confirm that the server requires SHA-256 signature algorithm support?
Cosmin,
Thanks for the information. Is there documentation somewhere that lists limitations like SHA-1? SHA-1 is generally considered insecure. Are there any plans to update the SSL code on the module to use more modern algorithms?
It would be nice if the error message/code were more specific!
Is there an example available for SSL on the DE910? I see a simple example in Telit IP Easy User Guide, “HTTP GET over SSL / TLS Example”, but it does not work on the DE910. For example, AT+CGDCONT is not supported on the DE910 according to the command reference.
I am trying to connect to the example.com website using HTTPS and its CA certificate “DigiCert High Assurance EV Root CA”, as follows:
ATOKAT+CREG?+CREG: 0,1OKAT+CSQAT+CSQ+CSQ: 7,99OKAT+CMEE=2OKAT#SGACT=1,0OKAT#SGACT=1,1#SGACT: "10.32.60.205"OKAT#SSLEN=1,1+CME ERROR: SSL already activatedAT#SSLSECDATA=1,1,1,1367> -----BEGIN CERTIFICATE-----MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs[snip]+OkuE6N36B9K-----END CERTIFICATE-----OKAT#SSLD=1,443,"example.com"+CME ERROR: operation not supportedAT+CGDCONT is a GPRS specific command, has no relevance and use for a CDMA module.
What firmware version pease (At+CGMR)?
@Cosmin, I am running 15.00.026.
Hello Mat,
Please see my log below to get the DE910 to work.
I have also attached the DER file as well.
Warning – the product series HE920 / UE910 V2/ DE910 do not support
TLS_RSA_WITH_NULL_SHA and
TLS_RSA_WITH_AES_256_CBC_SHA
Warning – the product series HE920 / UE910 V2/ DE910 do not support
SHA-2
Please refer to the Telit SSL/TLS User Guide Section 3.2
AT+CGMM
DE910-DUAL
OK
AT+CGMR
15.00.026
OK
AT#SSLEN?
#SSLEN: 1,1
OK
AT#SSLSECDATA=1,1,1,826
> 0‚60‚Ÿ 6″–Åã8¥ ¡Ò_L× T0
*†H†÷
Certification Services Division1!0UThawte Premium Server CA1(0& *†H†÷
premium-server@thawte.com0Ÿ0
*†H†÷
ñ¸ì±åU€¬=RÈ9ÂðÀOÖ‚uŒ½_ÒÜvšÉ¯rÃÜ%~¤MŽ¥à‡ášZá`Üd#<B.M
OK
AT#SSLSECCFG=1,3,1,0
OK
AT#SSLD=1,443,”ssltest28.bbtest.net”,0,0
CONNECT
OK
AT#SSLH=1
OK
Cheers
Nick Tart
Thanks for the example. I seem to have some basic problems with SSLEN. When I try to enable it, I get an error stating it is already activated, but the query command shows it is not enabled. If I try to disable it, I get a “generic” error. See the following command sequence. Any ideas why this could be?
at+cgmmDE910-DUALOKat+cgmr15.00.026OKat#sslen?#SSLEN: 1,0OKat#sslen=1,1ERRORat+cmee=2OKat#sslen=1,1+CME ERROR: SSL already activatedat#sslen=1,0+CME ERROR: SSL generic errorat#sslseccfg?#SSLSECCFG: 1,0,0,1OKat#sslcfg?#SSLCFG: 1,1,300,90,100,50,1,0,0,0OKHello Mat,
This is error generally given when you have already activated your PDP Context as see below.
at+gmr
15.00.026
OK
at#sgact=1,1
#SGACT: “10.204.3.66”
OK
at#sslen=1,1
ERROR
at+cmee=2
OK
at#sslen=1,1
+CME ERROR: SSL already activated
Cheers
Nick,
A few more questions:
I have SSL/TLS User Guide rev 6, and it does not include DE910 in the list of supported devices. Is there a newer revision? Where did you find additional restrictions you stated at the front of your message?
You are using DER format, while I was using PEM. Should that matter? I couldn’t make it past the SSLEN, so I didn’t ask in the previous reply.
Thanks.
Hello Mat,
I have attached the most recent SSL Guide and it is a preference with format that you would like to use.
Cheers
Nick Tart
After reloading the current firmware (15.00.026), I no longer get the “operation not supported” error, but now I get “ERROR: SSL error during handshake”. I have been able to get other SSL connections to work. Here is the complete transcript, and the PEM format certificate is attached.
ATOKAT+CREG?+CREG: 0,1OKAT+CSQ+CSQ: 1,99OKAT+CMEE=2OKAT#SGACT=1,0OKAT#SGACT=1,1#SGACT: "10.32.60.205"OKAT#SSLEN=1,1+CME ERROR: SSL already activatedAT#SSLSECCFG=1,0,1,1OKAT#SSLSECDATA=1,1,1,1367> -----BEGIN CERTIFICATE-----MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs[snip]+OkuE6N36B9K-----END CERTIFICATE-----OKAT#SSLD=1,443,"example.com",0,0+CME ERROR: SSL error during handshakeWhat am I doing wrong?
Cosmin,
Thanks for the information. Is there documentation somewhere that lists limitations like SHA-1? SHA-1 is generally considered insecure. Are there any plans to update the SSL code on the module to use more modern algorithms?
It would be nice if the error message/code were more specific!
Regards,
-Mat