
ERROR: SSL/TLS Error: Unable to connect (-330)

chrispawlak9
Associate II
Posted on May 02, 2016 at 19:56

With an SPWF01SA I'm able to connect to a server using anonymous negotiation, but I often get the following error trying to open a socket before it opens successfully:

ERROR: SSL/TLS Error: Unable to connect (-330)

Questions:

Exactly what does (-330) indicate?

  1. Does it make sense that I tend to see the error more often when there is a lot of traffic on the server?
  2. A co-worker thought that the problem may be that I don't have the wi-fi authenticating the server's certificate. If that was the problem, I shouldn't ever be able to open a socket to the server using anonymous negotiation, right?
  3. I tried one-way authentication, but I get this error: "ERROR: SSL/TLS Error: Unable to connect (-322)." Could that be because I'm specifying the wrong domain in the command AT+S.TLSDOMAIN=f_domain,<server domain>? The certificate was created from GoDaddy so I used godaddy.com (and ca.godaddy.com, certs.godaddy.com, etc.) in place of <server domain>, but I always get the error.

Note: Before setting the <server domain> I do clear out the certificate information with AT+S.TLSCERT2 and set the time (in seconds) and load the certificate (in PEM format). When I send AT+S.TLSCERT=f_content,0 I get this response:

# TLS loaded CERTs:

#  CA Cert: YES

#  Client Cert: NO

#  Client Key: NO

#  Domain Name: YES - godaddy.com

gaibotti.adriano
Associate II
Posted on August 26, 2016 at 10:23

Thank you! The first thing that I've noticed is that the CA of the server has changed with respect to the CA you sent to me. You can find it attached, or you can check it directly from a web browser.

I have no time today to test it but it seems to be a good candidate for your issue.

Let me know!

________________

Attachments :

GoDaddyRootCertificateAuthority-G2.pem : https://st--c.eu10.content.force.com/sfc/dist/version/download/?oid=00Db0000000YtG6&ids=0680X000006I1RA&d=%2Fa%2F0X0000000bmx%2Fmz.vSlN_f8ZUjd0dvzSEWr7ofdc.UpDd4GkBC2Ee4h8&asPdf=false
chrispawlak9
Associate II
Posted on August 26, 2016 at 19:33

A co-worker mentioned that the certificate we are using is a top-level certificate that completes the certificate chain, whereas the one you attached seems to be second in the chain of certificates. See attached pic.

I found another potential problem. Regarding the TLSDOMAIN command, I found that the domain "must match the name specified in the server certificate (Common Name or others)". The Common Name in the certificate is applusobd.com, but I was using www.applusobd.com. So now I send:

AT+S.TLSDOMAIN=f_domain,applusobd.com<CR>

But I still get the VERIFY_SIGN_ERROR. I then loaded the certificate you attached and tried it again. I got the same error. But then I'm guessing that wouldn't work anyway if the server has a different CA certificate.

________________

Attachments :

cert_path.jpg : https://st--c.eu10.content.force.com/sfc/dist/version/download/?oid=00Db0000000YtG6&ids=0680X000006I0Is&d=%2Fa%2F0X0000000bmz%2FN40.Bfe_6fmXIhI311kJJyKo4o_RdLcJuDlIfPwcZ3g&asPdf=false
gaibotti.adriano
Associate II
Posted on August 29, 2016 at 09:17

The certificate I've provided to you is a self-signed certificate, so it sits at the top of the validation chain. It is possible that the server uses multiple certificate chains.

Try to verify yourself which certificate is used before making a connection with the SPWF01S, for example with a web browser.

Regards

chrispawlak9
Associate II
Posted on August 31, 2016 at 00:48

I checked the certificate chain using my browser and found the certificate that you provided (GoDaddyRootCertificateAuthority-G2.pem) was at the top of the validation chain. However, using different computers and even an Android phone, we see different certificates at the top of the chain.

Could you please try to open the socket on your side? 

This is what I am sending:

AT+S.TLSCERT2=clean,all<CR>

AT+S.SETTIME=1472573549<CR>

AT+S.TLSCERT=f_ca,1390<CR><GoDaddyRootCertificateAuthority-G2.pem>

AT+S.TLSDOMAIN=f_domain,applusobd.com<CR>

AT+S.SOCKON=www.applusobd.com,443,s,ind<CR>

For me, this leads to the following error:

ERROR: SSL/TLS Error: Unable to connect (-188)

(-188) ASN_NO_SIGNER_E

ASN sig error, no CA signer to verify certificate

"This error occurs when using a certificate and the signing CA certificate was not loaded."

We even reinstalled the certificates on the web server and tried opening the socket again. I tried 3 certificates above the server certificate. I am running out of time and my manager insists that you guys should try opening the socket on your end and tell us what is necessary to get it working. I just don't know what to do anymore.
gaibotti.adriano
Associate II
Posted on September 01, 2016 at 11:22

Hi,

I've checked how the server's certificate is made. Its public key is RSA-4096. As specified in the Application Note AN4683 regarding TLS, the SPWF01 doesn't support this type of certificate (p. 11: "Public key algorithms: RSA (1024, 2048), ECDSA"). The module wasn't able to establish the connection because the public key was too big.

Best Regards
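The check that would have caught this before any AT command was sent, as an added example that is not part of the thread and not ST's software: it parses the CA certificate's SubjectPublicKeyInfo with a small standard-library DER walker, applies the AN4683 limit exactly as quoted above (RSA 1024/2048 or ECDSA), and only then emits the AT+S.TLSCERT2 / SETTIME / TLSCERT / TLSDOMAIN / SOCKON sequence from the thread. Assumptions: the length argument of AT+S.TLSCERT is the byte count of the PEM text sent after it, the OID byte strings are the standard rsaEncryption, ecPublicKey and named-curve identifiers, and the sample certificates are constructed in the block (no real CA, dummy signature), so they stand in for, and are not, the applusobd.com or GoDaddy certificates.

```python
"""Pre-flight check for a CA certificate before loading it into the SPWF01 with
AT+S.TLSCERT: a minimal DER walker (standard library only) reads the certificate's
SubjectPublicKeyInfo and reports key type and size, the check that would have
caught the RSA-4096 key in this thread.  Sample certificates are constructed at
the bottom for this example; they are not the applusobd.com or GoDaddy ones."""
import base64

OID_RSA = bytes.fromhex("2a864886f70d010101")   # raw OID contents: rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")        # ecPublicKey
CURVES = {"2a8648ce3d030107": "P-256", "2b81040022": "P-384", "2b81040023": "P-521"}

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    out, pos = [], 0                        # (tag, value) elements of a SEQUENCE body
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def pem_to_der(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def public_key_info(der_bytes):
    """Return ('RSA', modulus_bits), ('ECDSA', curve) or ('other', oid_hex)."""
    _, cert, _ = der_read(der_bytes)                 # Certificate ::= SEQUENCE
    fields = der_children(der_children(cert)[0][1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    spki = der_children(fields[5][1])   # serial, sigalg, issuer, validity, subject, SPKI
    alg = der_children(spki[0][1])                   # AlgorithmIdentifier { oid, params }
    key = spki[1][1][1:]                             # BIT STRING: drop unused-bits byte
    if alg[0][1] == OID_RSA:
        modulus = der_children(der_children(key)[0][1])[0][1]  # RSAPublicKey { n, e }
        return "RSA", int.from_bytes(modulus, "big").bit_length()
    if alg[0][1] == OID_EC:
        return "ECDSA", CURVES.get(alg[1][1].hex(), "unknown curve")
    return "other", alg[0][1].hex()

def spwf01_supported(kind, size):
    """AN4683 as quoted in the thread: RSA 1024 or 2048, or ECDSA."""
    return size in (1024, 2048) if kind == "RSA" else kind == "ECDSA"

def at_sequence(pem, domain, host, epoch, port=443):
    """The command sequence from the thread.  Assumption: the length argument of
    AT+S.TLSCERT is the byte count of the PEM text that is sent right after it."""
    return ["AT+S.TLSCERT2=clean,all", f"AT+S.SETTIME={epoch}",
            f"AT+S.TLSCERT=f_ca,{len(pem.encode())}",  # then send the PEM text itself
            f"AT+S.TLSDOMAIN=f_domain,{domain}",       # must match the server cert's CN/SAN
            f"AT+S.SOCKON={host},{port},s,ind"]

def preflight(pem, domain, host, epoch):
    """Refuse to build the sequence for a key the module cannot verify."""
    kind, size = public_key_info(pem_to_der(pem))
    if not spwf01_supported(kind, size):
        raise ValueError(f"SPWF01 cannot verify {kind} {size}; request RSA-2048 or ECDSA")
    return at_sequence(pem, domain, host, epoch)

# --- constructed sample certificates (tiny DER encoder; not a real CA) ---
def der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return der(0x02, b"\x00" + b if b[0] & 0x80 else b)

def rsa_spki(bits):
    n = (1 << (bits - 1)) | 0x10001                  # top bit set => bit_length() == bits
    key = der(0x30, der_int(n) + der_int(65537))
    return der(0x30, der(0x30, der(0x06, OID_RSA) + der(0x05, b"")) + der(0x03, b"\x00" + key))

def ec_spki(curve=bytes.fromhex("2a8648ce3d030107")):  # P-256, placeholder point
    params = der(0x30, der(0x06, OID_EC) + der(0x06, curve))
    return der(0x30, params + der(0x03, b"\x00\x04" + bytes(64)))

def sample_cert(spki):
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    empty = der(0x30, b"")                           # issuer/validity/subject: enough here
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1234) + sig_alg + empty + empty + empty + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + bytes(32)))   # dummy signature

def to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

To use it against a real root, export the CA from the browser's chain view as PEM and pass that text to preflight(); it raises on an RSA-4096 (or RSA-3072) key before anything is sent to the module, and otherwise returns the commands in the order the thread uses, with the PEM text to be sent immediately after the AT+S.TLSCERT line. The walker only reads the key, so it does not tell you whether the chosen root actually signs the chain the server sends; verify that separately in the browser, as suggested above.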

chrispawlak9
Associate II
Posted on September 01, 2016 at 23:32

Thanks so much for the response, and thanks for your patience all this time! We will request new certificates that the module supports.

voulgaristhanasis
Associate II
Posted on April 19, 2017 at 19:47

Dear Chris,

About the

'By the way, I'm running into another issue. Sometimes when I send the SETTIME command, the module seems to lock up and then reset. It usually accepts the command when I send it a second time.'

Did you solve it?

Because I am facing the same problem.

The Wi-Fi sometimes resets.