SPWF04SA Certificate Error: 4 on TLS Port with FRED

Mario Ghecea
Associate II
Posted on February 28, 2018 at 21:03

I am having an issue with an IoT provider known as FRED (sensetecnic.com). I have a sandbox up there, but I can only access it via HTTPPOST and open sockets on port 80. On port 443 (TLS) I get an error with the certificate on the filesystem...

When I try to connect now from my code with the sensetecnic cert on the SD card, I get Error: 4

It’s always complaining about the cert even on a simple socket connection to 443. It only works on 80 apparently! 

>>Station started in STA mode...

>>inverterLockoutCounter = 6

>>Connecting to socket

>>Socket Open OK

>>Socket ID: 0

AT+S.SOCKON=54.149.86.44,443,NULL,s

AT-S.Certificate Error:4

AT-S.ERROR:74:Failed to open socket

>>Socket Response Time-out!

2A : 40 00 00 79 00 00 73 00 01 00 26 19 25 21 2D 00 00 00 02 58 00 FF 00 00 00 00 00 00 E8 57 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Certificate error #4 corresponds to :


It appears that the common name has a wildcard in it... I wonder if that might be what is going on! Not sure how to get around this... I have attached the CA cert for *.sensetecnic

I also get bizarre error messages in Google Chrome. On my home laptop I do not see these issues...

Mario Ghecea
Associate II

Posted on March 01, 2018 at 00:00

Further investigation with CURL yields good results, so the problem must be the filesystem CA cert for sensetecnic.com

C:\wamp64\www>curl -v POST -H "Content-Type: application/json" -d "{\"Data\":\"12345\"}"

<LINK NO LONGER ACTIVE>

* Rebuilt URL to: POST/

* Could not resolve host: POST

* Closing connection 0

curl: (6) Could not resolve host: POST

* Trying 54.149.86.44...

* TCP_NODELAY set

* Connected to dreamsmatrix.fred.sensetecnic.com (54.149.86.44) port 443 (#1)

* schannel: SSL/TLS connection with dreamsmatrix.fred.sensetecnic.com port 443 (step 1/3)

* schannel: checking server certificate revocation

* schannel: sending initial handshake data: sending 204 bytes...

* schannel: sent initial handshake data: sent 204 bytes

* schannel: SSL/TLS connection with dreamsmatrix.fred.sensetecnic.com port 443 (step 2/3)

* schannel: failed to receive handshake, need more data

* schannel: SSL/TLS connection with dreamsmatrix.fred.sensetecnic.com port 443 (step 2/3)

* schannel: encrypted data got 3900

* schannel: encrypted data buffer: offset 3900 length 4096

* schannel: encrypted data length: 3802

* schannel: encrypted data buffer: offset 3802 length 4096

* schannel: received incomplete message, need more data

* schannel: SSL/TLS connection with dreamsmatrix.fred.sensetecnic.com port 443 (step 2/3)

* schannel: encrypted data got 196

* schannel: encrypted data buffer: offset 3998 length 4826

* schannel: received incomplete message, need more data

* schannel: SSL/TLS connection with dreamsmatrix.fred.sensetecnic.com port 443 (step 2/3)

* schannel: encrypted data got 708

* schannel: encrypted data buffer: offset 4706 length 5022

* schannel: sending next handshake data: sending 182 bytes...

* schannel: SSL/TLS connection with dreamsmatrix.fred.sensetecnic.com port 443 (step 2/3)

* schannel: encrypted data got 107

* schannel: encrypted data buffer: offset 107 length 5022

* schannel: SSL/TLS handshake complete

* schannel: SSL/TLS connection with dreamsmatrix.fred.sensetecnic.com port 443 (step 3/3)

* schannel: stored credential handle in session cache

> POST /api/public/sensata/wifi HTTP/1.1

> Host: dreamsmatrix.fred.sensetecnic.com

> User-Agent: curl/7.55.0

> Accept: */*

> Content-Type: application/json

> Content-Length: 16

>

* upload completely sent off: 16 out of 16 bytes

* schannel: client wants to read 102400 bytes

* schannel: encdata_buffer resized 103424

* schannel: encrypted data buffer: offset 0 length 103424

* schannel: encrypted data got 581

* schannel: encrypted data buffer: offset 581 length 103424

* schannel: decrypted data length: 505

* schannel: decrypted data added: 505

* schannel: decrypted data cached: offset 505 length 102400

* schannel: encrypted data buffer: offset 0 length 103424

* schannel: decrypted data buffer: offset 505 length 102400

* schannel: schannel_recv cleanup

* schannel: decrypted data returned 505

* schannel: decrypted data buffer: offset 0 length 102400

< HTTP/1.1 200 OK

< Server: nginx/1.4.6 (Ubuntu)

< Date: Wed, 28 Feb 2018 22:33:18 GMT

< Content-Type: application/json; charset=utf-8

< Content-Length: 45

< Connection: keep-alive

< x-powered-by: Express

< vary: Origin

< x-content-type-options: nosniff

< etag: W/"2d-da/5GfuSQy5HVkxT86mZqzXvw1s"

< set-cookie: sts.fred-community.sid=s%3AvIkIRLGpKS2T_PTOItcpJCkBJdl9zZKe.fvs7DFwkjOqYc7IlecdT0d%2Bc0D%2BtBV41d%2BSpAhiI1CQ; Domain=.fred.sensetecnic.com; Path=/; HttpOnly

<

{"buttonInverter":"ON","buttonCharger":"OFF"}* Connection #1 to host dreamsmatrix.fred.sensetecnic.com left intact

Payload checks OK in cloud...So no issues that I can see connecting to FRED via socket 443 on TLS.

I try the same thing in the console on STM32CubeExpansion_WIFI1_V3.0.2:

AT+S.HTTPPOST=dreamsmatrix.fred.sensetecnic.com,/api/public/magnum/wifi?Data=12345,80,0,,,,

{"buttonInverter":"ON","buttonCharger":"OFF"}AT-S.OK

AT+S.HTTPPOST=dreamsmatrix.fred.sensetecnic.com,/api/public/sensata/wifi?Data=12345,443,2,,,,

AT-S.Certificate Error:19

AT-S.Http Client Error:2

AT-S.ERROR:111:Request failed

Why would the certificate be unsupported?!

Posted on March 01, 2018 at 03:47

I have tried the latest FOTA and get the same results: the FRED cloud server cert is ignored! This is starting to look bad in the sense that wildcard certificates do not seem to be supported??? This kinda hangs me out to dry if I cannot use the server cert! It looks to me like the server cert from sensetecnic.com is automatically blocked... I need a firm answer on this issue... Amazon works on .PEM and .DER certs on TLS, but the sensetecnic wildcard cert does not, regardless of what I do... It is cut and dry rejected! What's the workaround?

AT+S.HTTPPOST=dreamsmatrix.fred.sensetecnic.com,/api/public/sensata/wifi?Data=12345,443,2,,,,

AT-S.Certificate Error:19

AT-S.Http Client Error:2

AT-S.ERROR:111:Request failed

AT+S.SOCKON=www.amazon.com,443,,s

AT-S.Loading:1:1

AT-S.On:13.33.70.153:0

AT-S.OK

Posted on March 01, 2018 at 17:45

Adding a few more details and context from Sense Tecnic.

We operate the FRED service (https://fred.sensetecnic.com/), a cloud hosted version of Node-RED. This is a platform for rapid development and hosting of IoT applications.

For incoming HTTPS and secure WebSocket connections to the individual user runtimes we use a wildcard certificate, since each runtime has a user-specific URL (e.g. robmuir.fred.sensetecnic.com).

If the ST device will not accept wildcard certificates this will be extremely problematic for our users.

Posted on March 14, 2018 at 16:23

Hello,

Wildcard certificates are actually supported.

The Certificate Error:4 was issued because the server domain name check against the CN in the server certificate was failing (the server name must match the common name specified in the certificate).

On the other hand, the signature in both 'COMODO RSA Domain Validation Secure Server CA' and 'COMODO RSA Certification Authority' (sha384WithRSAEncryption) is not supported. The support for this signature will be available in the next SPWF04 firmware.
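As an added illustration (not code from this thread, from ST, or from Sense Tecnic), the following Python sketch shows the two checks the reply above refers to: the server-name-versus-certificate-name comparison that produces Certificate Error:4 when it fails (note that the first post connects with `AT+S.SOCKON=54.149.86.44,...`, i.e. to an IP literal, which can never match a DNS wildcard), and how to read the signature algorithm OID out of a DER certificate so a CA chain can be compared against what a constrained TLS stack supports. The pattern `*.fred.sensetecnic.com` is an assumption about the real wildcard certificate, and the DER bytes are a constructed skeleton, not a real certificate.

```python
"""Added example (not from the thread): the two checks behind Certificate Error:4
and the unsupported sha384WithRSAEncryption signature mentioned in ST's reply.

name_matches()        -- server-name vs. certificate-name comparison with RFC 6125
                          style wildcard rules, as a TLS client does before trusting
                          a server certificate.
signature_algorithm() -- reads the outer signatureAlgorithm OID of a DER
                          certificate, so a CA chain can be checked against what a
                          constrained TLS stack supports.
The certificate name pattern and the DER bytes below are constructed for the
example; *.fred.sensetecnic.com is an assumption about the real wildcard cert."""
import ipaddress


def name_matches(server_name: str, cert_name: str) -> bool:
    """True if a dNSName/CN pattern from the certificate covers server_name.
    A wildcard may only replace the whole left-most label, must leave at
    least two labels, and never matches an IP-address literal (an IP needs
    an iPAddress SAN entry). Connecting with AT+S.SOCKON=54.149.86.44,...
    therefore fails the name check even with the correct CA on the SD card."""
    server = server_name.lower().rstrip(".")
    pattern = cert_name.lower().rstrip(".")
    try:
        ipaddress.ip_address(server)
        return False
    except ValueError:
        pass                      # not an IP literal, compare as a DNS name
    if "*" not in pattern:
        return server == pattern
    p_labels, s_labels = pattern.split("."), server.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(s_labels) and p_labels[1:] == s_labels[1:]


# --- minimal DER reading, just enough to reach Certificate.signatureAlgorithm ---

def _der_tlv(buf: bytes, pos: int):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _decode_oid(raw: bytes) -> str:
    """Decode OID content bytes to dotted form (first byte packs two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


SIG_OIDS = {                               # a few common AlgorithmIdentifier OIDs
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def signature_algorithm(der: bytes) -> str:
    """Name (or dotted OID) of the outer signatureAlgorithm of a DER certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, start, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _der_tlv(der, start)            # skip tbsCertificate
    tag, alg_start, _ = _der_tlv(der, tbs_end)      # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _der_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = _decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed skeleton, NOT a real certificate: a stand-in tbsCertificate, an
# AlgorithmIdentifier for sha384WithRSAEncryption (1.2.840.113549.1.1.12) and a
# dummy signature BIT STRING. A real DER file would be read with open(p, "rb").
SAMPLE_SHA384_CERT = _der(0x30,
    _der(0x30, _der(0x02, b"\x01"))
    + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010c")) + _der(0x05, b""))
    + _der(0x03, b"\x00\x00"))


if __name__ == "__main__":
    pattern = "*.fred.sensetecnic.com"          # assumed wildcard from the thread
    for name in ("dreamsmatrix.fred.sensetecnic.com", "54.149.86.44",
                 "fred.sensetecnic.com", "a.b.fred.sensetecnic.com"):
        print(f"{name:35} vs {pattern}: {name_matches(name, pattern)}")
    print("signature algorithm:", signature_algorithm(SAMPLE_SHA384_CERT))
```

Run it and the only name that passes is `dreamsmatrix.fred.sensetecnic.com`: the IP literal, the bare parent domain and a two-level subdomain all fail, which is the same outcome the module reports as Certificate Error:4. Pointing `signature_algorithm()` at the DER of each certificate in a chain (leaf, intermediate, root) shows which one carries sha384WithRSAEncryption and therefore which one a firmware without that algorithm will reject.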

Posted on March 14, 2018 at 20:43

I made great progress with the SPWF04SA... Is it true what I hear that this part is getting phased out?

Mario

On Wed, Mar 14, 2018 at 8:24 AM, Elio Cometti <