Hi Mat,
Your steps appear to be correct.
An SSL handshake error can take place for several reasons.
The most common reasons are due to:
1) incorrect CA certificate (not the true root)
OR more likely
2) During the handshake process, the server is sending a certificate that requires SHA-256 signature algorithm support, but the DE910 SSL client only supports SHA-1, so the handshake will fail.
Can you verify and confirm that the server requires SHA-256 signature algorithm support?
Is there an example available for SSL on the DE910? I see a simple example in Telit IP Easy User Guide, “HTTP GET over SSL / TLS Example”, but it does not work on the DE910. For example, AT+CGDCONT is not supported on the DE910 according to the command reference.
I am trying to connect to the example.com website using HTTPS and its CA certificate “DigiCert High Assurance EV Root CA”, as follows:
AT
OK
AT+CREG?
+CREG: 0,1
OK
AT+CSQ
AT+CSQ
+CSQ: 7,99
OK
AT+CMEE=2
OK
AT#SGACT=1,0
OK
AT#SGACT=1,1
#SGACT: "10.32.60.205"
OK
AT#SSLEN=1,1
+CME ERROR: SSL already activated
AT#SSLSECDATA=1,1,1,1367
> -----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
[snip]
+OkuE6N36B9K
-----END CERTIFICATE-----
OK
AT#SSLD=1,443,"example.com"
+CME ERROR: operation not supported
AT+CGDCONT is a GPRS-specific command; it has no relevance or use for a CDMA module.
What firmware version, please (AT+CGMR)?
@Cosmin, I am running 15.00.026.
Hello Mat,
Please see my log below to get the DE910 to work.
I have also attached the DER file as well.
Warning – the product series HE920 / UE910 V2 / DE910 do not support TLS_RSA_WITH_NULL_SHA and TLS_RSA_WITH_AES_256_CBC_SHA
Warning – the product series HE920 / UE910 V2 / DE910 do not support SHA-2
Please refer to the Telit SSL/TLS User Guide Section 3.2
AT+CGMM
DE910-DUAL
OK
AT+CGMR
15.00.026
OK
AT#SSLEN?
#SSLEN: 1,1
OK
AT#SSLSECDATA=1,1,1,826
> [binary DER certificate data, 826 bytes; readable strings include "Thawte Premium Server CA" and "premium-server@thawte.com"]
OK
AT#SSLSECCFG=1,3,1,0
OK
AT#SSLD=1,443,"ssltest28.bbtest.net",0,0
CONNECT
OK
AT#SSLH=1
OK
Cheers
Nick Tart
Thanks for the example. I seem to have some basic problems with SSLEN. When I try to enable it, I get an error stating it is already activated, but the query command shows it is not enabled. If I try to disable it, I get a “generic” error. See the following command sequence. Any ideas why this could be?
at+cgmm
DE910-DUAL
OK
at+cgmr
15.00.026
OK
at#sslen?
#SSLEN: 1,0
OK
at#sslen=1,1
ERROR
at+cmee=2
OK
at#sslen=1,1
+CME ERROR: SSL already activated
at#sslen=1,0
+CME ERROR: SSL generic error
at#sslseccfg?
#SSLSECCFG: 1,0,0,1
OK
at#sslcfg?
#SSLCFG: 1,1,300,90,100,50,1,0,0,0
OK
Hello Mat,
This error is generally given when you have already activated your PDP context, as seen below.
at+gmr
15.00.026
OK
at#sgact=1,1
#SGACT: "10.204.3.66"
OK
at#sslen=1,1
ERROR
at+cmee=2
OK
at#sslen=1,1
+CME ERROR: SSL already activated
Cheers
Nick,
A few more questions:
I have SSL/TLS User Guide rev 6, and it does not include DE910 in the list of supported devices. Is there a newer revision? Where did you find additional restrictions you stated at the front of your message?
You are using DER format, while I was using PEM. Should that matter? I couldn’t make it past the SSLEN, so I didn’t ask in the previous reply.
Thanks.
Hello Mat,
I have attached the most recent SSL Guide; which format you use is a matter of preference.
Cheers
Nick Tart
After reloading the current firmware (15.00.026), I no longer get the “operation not supported” error, but now I get “ERROR: SSL error during handshake”. I have been able to get other SSL connections to work. Here is the complete transcript, and the PEM format certificate is attached.
AT
OK
AT+CREG?
+CREG: 0,1
OK
AT+CSQ
+CSQ: 1,99
OK
AT+CMEE=2
OK
AT#SGACT=1,0
OK
AT#SGACT=1,1
#SGACT: "10.32.60.205"
OK
AT#SSLEN=1,1
+CME ERROR: SSL already activated
AT#SSLSECCFG=1,0,1,1
OK
AT#SSLSECDATA=1,1,1,1367
> -----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
[snip]
+OkuE6N36B9K
-----END CERTIFICATE-----
OK
AT#SSLD=1,443,"example.com",0,0
+CME ERROR: SSL error during handshake
What am I doing wrong?
Cosmin,
Thanks for the information. Is there documentation somewhere that lists limitations like SHA-1? SHA-1 is generally considered insecure. Are there any plans to update the SSL code on the module to use more modern algorithms?
It would be nice if the error message/code were more specific!
Regards,
-Mat
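The SHA-1 versus SHA-256 question raised in the thread can be checked offline before a certificate is loaded with AT#SSLSECDATA. The following is an added example, not part of the original thread and not Telit code: a small DER walker that reads the signature-algorithm OID from a certificate and reports whether it fits a SHA-1-only client. Its input is the first base64 line of the certificate exactly as posted above; the function names are made up for this example.

```python
import base64

# First base64 line of the PEM as posted in the thread (the rest was snipped there).
POSTED_FIRST_LINE = "MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs"
# Signature-algorithm OIDs and the hash family each one implies.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
}

def read_header(buf, pos):
    """Return (tag, length, value_offset) of the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("DER cut short before the signature field")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                       # short-form length
        return tag, first, pos
    n = first & 0x7F                       # long form: n length bytes follow
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0   # valid for OIDs starting 0.x or 1.x
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)      # base-128 digits, high bit means "more follows"
        if b < 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """OID of tbsCertificate.signature (RFC 5280: same as the outer signatureAlgorithm)."""
    t1, _, pos = read_header(der, 0)                # Certificate SEQUENCE
    t2, _, pos = read_header(der, pos)              # tbsCertificate SEQUENCE
    t3, length, val = read_header(der, pos)
    if t3 == 0xA0:                                  # explicit [0] version, absent in v1
        t3, length, val = read_header(der, val + length)
    t4, _, pos = read_header(der, val + length)     # skip serialNumber, enter AlgorithmIdentifier
    t5, length, val = read_header(der, pos)         # algorithm OID
    if (t1, t2, t3, t4, t5) != (0x30, 0x30, 0x02, 0x30, 0x06) or val + length > len(der):
        raise ValueError("not an X.509 certificate, or cut short")
    return decode_oid(der[val:val + length])

def check_cert(pem_text):
    """Return (oid, name, fits_sha1_only_client) for PEM text, which may be cut short."""
    b64 = "".join(l.strip() for l in pem_text.splitlines() if "-----" not in l)
    oid = signature_oid(base64.b64decode(b64[: len(b64) // 4 * 4]))
    name, family = SIG_ALGS.get(oid, ("unknown", "unknown"))
    return oid, name, family == "SHA-1"
```

On the posted line this reports sha1WithRSAEncryption, so the root certificate loaded into the module is itself SHA-1 signed; the leaf and intermediate certificates the server sends during the handshake can be checked the same way.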