SPWF04SA SSL CONNECTION ISSUE

Viktor Duma
Associate II
Posted on December 05, 2017 at 20:40

Hello!

Using the SPWF04SA with the new 1.1 firmware, we have one site that we can't get to work: www.ssllabs.com.

While we can connect using SOCKON without issue, when we send even the most basic HTTP request, we get back a '400 Bad Request' error from the server. If we send the exact same request using 'openssl s_client -connect www.ssllabs.com:443' on a desktop, we get back the data that we expect. Connecting with browsers works, but when trying to send the exact same request they do, the module still gets back a bad request.

The commands that we are sending:

AT+S.SOCKON=www.ssllabs.com,443,,ssllabs.com<cr>

AT+S.SOCKW=0,41<cr>

GET / HTTP/1.1<cr><lf>

Host: www.ssllabs.com<cr><lf>

<cr><lf>

If we instead connect to just 'ssllabs.com', no 'www', we get back the expected '302 Found' response. The certificate we loaded has the subject key ID '68:90:E4:67:A4:A6:53:80:C7:86:66:A4:F1:F7:4B:43:FB:84:BD:6D'.

7 REPLIES
Posted on December 05, 2017 at 21:15

Dump full logs for both SOCKON and HTTPGET (?) commands. Attach the certificate too.

Posted on December 06, 2017 at 15:37

See attached for the log, the certificate used, and the http request sent. Both the certificate and http request were sent using the Tera Term send file function, with the binary option checked, after the TLSCERT and SOCKW commands.

________________

Attachments :

Entrust Root Certification Authority.cer.zip : https://st--c.eu10.content.force.com/sfc/dist/version/download/?oid=00Db0000000YtG6&ids=0680X000006HyGs&d=%2Fa%2F0X0000000b5G%2FHerTNbpa60vrvM4Fy1AYQvJkBR0qrKt7Df60VJPOqxA&asPdf=false

HTTP Request.txt.zip : https://st--c.eu10.content.force.com/sfc/dist/version/download/?oid=00Db0000000YtG6&ids=0680X000006Hy3u&d=%2Fa%2F0X0000000b5J%2FSyTt1fxCvlvV8MF18WY0TN9IT7PSY27DCb8QN_qG1qI&asPdf=false

Log.txt.zip : https://st--c.eu10.content.force.com/sfc/dist/version/download/?oid=00Db0000000YtG6&ids=0680X000006HyGn&d=%2Fa%2F0X0000000b5I%2Fsw2WdTp1JHu7cO.nxuAhxE1VF_LytLN8dqhfMarbkfg&asPdf=false
Posted on December 06, 2017 at 16:47

'AT-S.Certificate Error:5' means 'Common name does not match'. UM2114 rev2, page 56.

In SOCKON you can specify the Common Name you want; in HTTPGET you cannot. AN4963 rev2, page 32: 'In order to use AT+S.HTTPGET, AT+S.HTTPPOST and AT+S.SMTP with TLS, the Common Name (CN) reported in the server certificate must be exactly the same as that passed to the <host> parameter.'

Attached certificate is the Root CA.

Posted on December 06, 2017 at 17:59

Correct. The failure in the one HTTPGET is expected. That was just to show the various HTTP commands we tried.

The only issue we're having is the HTTP request we're sending with SOCKON and SOCKW. We can correctly open the socket, but get back 400 Bad Request from the server, while on the desktop we have no issue getting back the actual page content, either in the browser or sending the same file we attached earlier using OpenSSL.

Posted on December 06, 2017 at 18:27

Sorry but cannot help you on SOCKW content. It's up to you to build a good payload for that command.

You can sniff a good request with Wireshark (from PC, or from HTTPGET), and copy/paste it into a SOCKW payload.

Posted on December 06, 2017 at 21:06

That is what we did. A good request from the PC, verified in Wireshark, fails on the SPWF04SA using SOCKW.

Posted on December 07, 2017 at 00:11

SOCKW cannot modify the 41 bytes you are sending (attach the Wireshark captures of HTTP and SOCKW for double-checking).

Don't know if this can help: https://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html, a 400 (Bad Request) explained.
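An added example (not part of the thread and not ST code): a Python check that a body-less request like the one in the first post matches the byte count declared in AT+S.SOCKW and is framed with CRLF, which is the double-check the last reply asks for. The function names and sample bytes are constructed here; the `AT+S.SOCKW=<id>,<len>` form is taken from the commands shown in the first post.

```python
import re

# Constructed sample: the request from the first post with explicit CR LF bytes.
SAMPLE_REQUEST = b"GET / HTTP/1.1\r\nHost: www.ssllabs.com\r\n\r\n"


def parse_sockw(command: str) -> tuple[int, int]:
    """Return (socket_id, declared_length) from 'AT+S.SOCKW=<id>,<len>'."""
    m = re.fullmatch(r"AT\+S\.SOCKW=(\d+),(\d+)\r?", command)
    if not m:
        raise ValueError(f"not a SOCKW command: {command!r}")
    return int(m.group(1)), int(m.group(2))


def check_payload(command: str, payload: bytes) -> list[str]:
    """List framing problems in a GET-style request (no body) sent via SOCKW."""
    problems = []
    _, declared = parse_sockw(command)
    if declared != len(payload):
        problems.append(f"declared {declared} bytes, payload is {len(payload)}")
    # Bare LF: a line feed that is not preceded by a carriage return.
    if re.search(rb"(?<!\r)\n", payload):
        problems.append("bare LF line ending (expected CRLF)")
    if not payload.endswith(b"\r\n\r\n"):
        problems.append("header block not terminated by an empty CRLF line")
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = re.split(rb"\r?\n", head)
    if not re.fullmatch(rb"[A-Z]+ \S+ HTTP/1\.[01]", lines[0]):
        problems.append(f"malformed request line: {lines[0]!r}")
    # HTTP/1.1 requires exactly one Host header.
    hosts = [ln for ln in lines[1:] if ln.lower().startswith(b"host:")]
    if len(hosts) != 1:
        problems.append(f"expected exactly one Host header, found {len(hosts)}")
    return problems


if __name__ == "__main__":
    for issue in check_payload("AT+S.SOCKW=0,41", SAMPLE_REQUEST) or ["payload OK"]:
        print(issue)
```

Run it against the exact bytes of the file being sent (read in binary mode) rather than a retyped copy, so any difference introduced by the editor or terminal shows up.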