DE910 SSL Example

11 thoughts on “DE910 SSL Example”

  1. Is there an example available for SSL on the DE910? I see a simple example in Telit IP Easy User Guide, “HTTP GET over SSL / TLS Example”, but it does not work on the DE910. For example, AT+CGDCONT is not supported on the DE910 according to the command reference.

    I am trying to connect to the example.com website using HTTPS and its CA certificate “DigiCert High Assurance EV Root CA”, as follows:

    AT

    OK

    AT+CREG?

    +CREG: 0,1

    OK

    AT+CSQ

    AT+CSQ

    +CSQ: 7,99

    OK

    AT+CMEE=2

    OK

    AT#SGACT=1,0

    OK

    AT#SGACT=1,1

    #SGACT: "10.32.60.205"

    OK

    AT#SSLEN=1,1

    +CME ERROR: SSL already activated

    AT#SSLSECDATA=1,1,1,1367

    > -----BEGIN CERTIFICATE-----

    MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs

    [snip]

    +OkuE6N36B9K

    -----END CERTIFICATE-----

    OK

    AT#SSLD=1,443,"example.com"

    +CME ERROR: operation not supported

    1. AT+CGDCONT is a GPRS-specific command; it has no relevance or use for a CDMA module.

      What firmware version please (At+CGMR)?

        1. @Cosmin, I am running 15.00.026.

          Hello Mat,

          Please see my log below to get the DE910 to work.

          I have also attached the DER file as well.

          Warning – the product series HE920 / UE910 V2/ DE910 do not support

          TLS_RSA_WITH_NULL_SHA and
          TLS_RSA_WITH_AES_256_CBC_SHA

          Warning – the product series HE920 / UE910 V2/ DE910 do not support

          SHA-2

          Please refer to the Telit SSL/TLS User Guide Section 3.2

          AT+CGMM
          DE910-DUAL

          OK
          AT+CGMR
          15.00.026

          OK

          AT#SSLEN?
          #SSLEN: 1,1

          OK
          AT#SSLSECDATA=1,1,1,826

          > [binary DER certificate data]
          OK

          AT#SSLSECCFG=1,3,1,0
          OK
          AT#SSLD=1,443,"ssltest28.bbtest.net",0,0

          CONNECT

          OK
          AT#SSLH=1

          OK

          Cheers

          Nick Tart

          1. Thanks for the example. I seem to have some basic problems with SSLEN. When I try to enable it, I get an error stating it is already activated, but the query command shows it is not enabled. If I try to disable it, I get a “generic” error. See the following command sequence. Any ideas why this could be?

            at+cgmm

            DE910-DUAL

            OK

            at+cgmr

            15.00.026

            OK

            at#sslen?

            #SSLEN: 1,0

            OK

            at#sslen=1,1

            ERROR

            at+cmee=2

            OK

            at#sslen=1,1

            +CME ERROR: SSL already activated

            at#sslen=1,0

            +CME ERROR: SSL generic error

            at#sslseccfg?

            #SSLSECCFG: 1,0,0,1

            OK

            at#sslcfg?

            #SSLCFG: 1,1,300,90,100,50,1,0,0,0

            OK

          2. Hello Mat,

            This error is generally given when you have already activated your PDP Context, as seen below.

            at+gmr

            15.00.026

            OK
            at#sgact=1,1
            #SGACT: "10.204.3.66"

            OK
            at#sslen=1,1
            ERROR
            at+cmee=2
            OK
            at#sslen=1,1
            +CME ERROR: SSL already activated

            Cheers

          3. Nick,

            A few more questions:

            I have SSL/TLS User Guide rev 6, and it does not include DE910 in the list of supported devices. Is there a newer revision? Where did you find additional restrictions you stated at the front of your message?

            You are using DER format, while I was using PEM. Should that matter? I couldn’t make it past the SSLEN, so I didn’t ask in the previous reply.

            Thanks.

          4. After reloading the current firmware (15.00.026), I no longer get the “operation not supported” error, but now I get “ERROR: SSL error during handshake”. I have been able to get other SSL connections to work. Here is the complete transcript, and the PEM format certificate is attached.

            AT

            OK

            AT+CREG?

            +CREG: 0,1

            OK

            AT+CSQ

            +CSQ: 1,99

            OK

            AT+CMEE=2

            OK

            AT#SGACT=1,0

            OK

            AT#SGACT=1,1

            #SGACT: "10.32.60.205"

            OK

            AT#SSLEN=1,1

            +CME ERROR: SSL already activated

            AT#SSLSECCFG=1,0,1,1

            OK

            AT#SSLSECDATA=1,1,1,1367

            > -----BEGIN CERTIFICATE-----

            MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs

            [snip]

            +OkuE6N36B9K

            -----END CERTIFICATE-----

            OK

            AT#SSLD=1,443,"example.com",0,0

            +CME ERROR: SSL error during handshake

            What am I doing wrong?

          5. Hi Mat,

            Your steps appear to be correct.

            An SSL handshake error can take place for several reasons.

            The most common reasons are due to:

            1) incorrect CA certificate (not the true root)

            OR more likely

            2) During the handshake process, the server is sending a certificate that requires SHA-256 signature algorithm support, but the DE910 SSL client only supports SHA-1, so the handshake will fail.

            Can you verify and confirm that the server requires SHA-256 signature algorithm support?

          6. Cosmin,

            Thanks for the information. Is there documentation somewhere that lists limitations like SHA-1? SHA-1 is generally considered insecure. Are there any plans to update the SSL code on the module to use more modern algorithms?

            It would be nice if the error message/code were more specific!

            Regards,

            -Mat
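
Two questions come up in this thread: whether PEM versus DER matters, and whether the server's certificate is signed with SHA-256. The check below can be run on a workstation to answer both for a given certificate file; it is an added example, not code from Telit or from the posters. `tlv` and `sample_cert` only build constructed certificate skeletons for the demonstration, and the SHA-1-only rule is taken from the statement made in the thread.

```python
import base64

SIG_OIDS = {  # hex of the DER-encoded OID -> signature algorithm name
    "2a864886f70d010105": "sha1WithRSAEncryption",
    "2a864886f70d01010b": "sha256WithRSAEncryption",
    "2a8648ce3d040302": "ecdsa-with-SHA256",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def to_der(cert):  # accepts certificate bytes in PEM or DER form, returns DER
    if not cert.lstrip().startswith(b"-----BEGIN"):
        return cert
    rows = [r for r in cert.decode("ascii").splitlines() if not r.startswith("-----")]
    return base64.b64decode("".join(rows))

def signature_algorithm(cert):
    """Name of the outer signatureAlgorithm of an X.509 certificate (PEM or DER)."""
    der = to_der(cert)
    tag, start, _ = read_tlv(der, 0)             # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(der, start)         # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)     # AlgorithmIdentifier ::= SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate")
    oid = der[oid_start:oid_end].hex()
    return SIG_OIDS.get(oid, "unknown OID " + oid)

def sha1_only_client_ok(cert):  # the thread says the DE910 verifies SHA-1 only
    return signature_algorithm(cert).startswith("sha1")

def tlv(tag, body):  # DER encoder used only to build the constructed samples
    n = len(body)
    k = (n.bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + size + body

def sample_cert(oid_hex):  # constructed skeleton, not a real certificate
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    tbs = tlv(0x30, alg + tlv(0x04, bytes(200)))
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(129)))
```

Run `signature_algorithm` on each certificate the server presents (leaf and intermediates), since those are the signatures the module has to verify during the handshake. The same certificate is longer in PEM than in DER, which is why the two transcripts pass different sizes to AT#SSLSECDATA.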