2017-10-11 11:52 AM
Hello! I have an issue with an SPWF01SA11 one-way SSL/TLS connection. I am sure I checked all similar cases here, but still can't solve my problem. I tried the certificates from the tutorial en.STSW-TLSpack example_2,
tried to generate my own certificates and got
ERROR: Unable to load CA certificate.
And now I am trying www.geotrust.com/resources/root-certificates/#. Through Teraterm I send the commands:
AT+S.TLSCERT2=clean,all
OK
AT+S.SETTIME=1507665904
OK
AT+S.TLSDOMAIN=f_domain,GeoTrust Global CA
OK
AT+S.TLSCERT=f_ca,1216
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
OK
AT+S.TLSCERT=f_content,0
# TLS loaded CERTs:
# CA Cert: YES
# Client Cert: NO
# Client Key: NO
# Domain Name: YES - GeoTrust Global CA
AT+S.SOCKON=ssltest11.bbtest.net,443,s,ind
ERROR: SSL/TLS Error: Unable to connect (-308)
What is wrong? Please help me! I have wasted about a week on that (((
2017-10-12 12:17 AM
Hello Viktor,
It seems you put the Common Name of the Certification Authority (CA) as the domain name.
You have to put in this field the domain name of the server you want to connect to. Very likely you will need to use this command:
AT+S.TLSDOMAIN=f_domain,ssltest11.bbtest.net
but check inside the server certificate if this is the actual Common Name.
Regards
2017-10-12 08:07 AM
Adriano, thank you for your reply. I tried that case before too; it doesn't work. Maybe you will see the problem with my local certificates. My steps:
openssl genrsa -out rootCA.key 2048                      # CA key
openssl req -x509 -new -key rootCA.key -days 10000 -out rootCA.crt   # CA cert
openssl genrsa -out server.key 2048                      # server key
openssl req -new -key server.key -out server.csr         # server cert request
openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 5000   # signature
openssl x509 -in rootCA.crt -out rootCA.pem -outform PEM
openssl s_server -key server.key -cert server.crt -tls1_2 -accept 4433 -www   # run server
openssl s_client -connect localhost:4433 -CAfile rootCA.pem   # Verify return code: 0 (ok) Extended master secret: yes
openssl x509 -text -in rootCA.pem -noout                 # check
Looks like the keys work with the server.
AT+S.TLSCERT2=clean,all
OK
AT+S.SETTIME=1507665904
OK
AT+S.TLSDOMAIN=f_domain,1.150
OK
AT+S.TLSCERT=f_ca,1254
-----BEGIN CERTIFICATE-----
MIIDYDCCAkigAwIBAgIJAMcDkGsvF9ndMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTcxMDExMjAxMTA5WhcNNDUwMjI2MjAxMTA5WjBF
MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAqS2dgNi+60I2991mpne2R0wTiM6r/G4M7kqpg7iTyh0r3WddburetJju
gAEPaShr19IDj6UoGgpc6+H5vA9/WnhT4Dse/X1NQxqK3rK8wM3lhieMT5xBcOpz
AhJ3M0T4x3P5VnBpRV38ejZ2XSYdiAW0lQ05UDNg/OF+4MxnTsP9cR8suuRkBh+L
dV2iFtV4F+1v/g4JN5SwwF/11j/LKw6ga+ZZwuh++rRQB1ZQKGXkJZbVrlQwXFLT
WXw5IXsg0M3DPLP3l15LSZV/LkRlxoZGBPFKJ/EEURCViEWy+VY93h6zOWRiKUpw
qE/6hJbpiRw6cJC3aWVGz/YrO2jzIwIDAQABo1MwUTAdBgNVHQ4EFgQUr90WDg24
EeI6r/SD+sC46Ge6lScwHwYDVR0jBBgwFoAUr90WDg24EeI6r/SD+sC46Ge6lScw
DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAEnORhWbHAMs7jAeP
tPjd7FMestgWu9FEnZ3paX1S3HyYiiKMiwe6hsCDwg6KHf5+8Kbn+seLP8urlECC
B0HdDKzHM50MEYqNluFaUvTWAgaIBc+9gtQP2ydK7X69pgFx1cVBax6uzdEWP20X
uq55050Y+Oxf5l69q/7nM+0pSlU79x7HYnWGcQhJq/IArQiaRjcZiv3u0NcslGez
HX6tiHzHs9vgUaRGJ9gkrVvtML4mHMeoBUKdhmjaJUSuSFNXwkCesvKDM/Klq9bm
aHnNXGP8P39Ez5AO+vIebXCFdrzrijoJ+iBETizta9rOFLQSiOOvXh+Y5dCdzN30
+j4hOA==
-----END CERTIFICATE-----
OK
AT+S.TLSCERT=f_content,0
# TLS loaded CERTs:
# CA Cert: YES
# Client Cert: NO
# Client Key: NO
# Domain Name: YES - 1.150
OK
AT+S.SOCKON=1.150,4433,s,ind
ERROR: Unable to load CA certificate
I tried loading the certificate by Ctrl+C/Ctrl+V and by sending a file through Teraterm. But the same error.
Attachments:
rootCA.pem.zip : https://st--c.eu10.content.force.com/sfc/dist/version/download/?oid=00Db0000000YtG6&ids=0680X000006HyNK&d=%2Fa%2F0X0000000b6o%2Fs6NAlyek5hjcVD8JInYbsyAZOEZVyOiSvLpi_BTQUMo&asPdf=false
server.crt.zip : https://st--c.eu10.content.force.com/sfc/dist/version/download/?oid=00Db0000000YtG6&ids=0680X000006HyEd&d=%2Fa%2F0X0000000b6l%2Fvkte839fKhmoxdkgkn_9fpDbmu3td3P4uvrBy1SBjek&asPdf=false
server.key.zip : https://st--c.eu10.content.force.com/sfc/dist/version/download/?oid=00Db0000000YtG6&ids=0680X000006HyNF&d=%2Fa%2F0X0000000b6n%2FwBi0llE1t155WunwsUa1S_q7rbrYZUbkrZleNu7ysDg&asPdf=false
2017-10-12 08:32 AM
Looking at your generated server certificate, I've seen that you used the string 'server' as the Common Name (CN) field of your server certificate. Use that as your domain:
AT+S.TLSDOMAIN=f_domain,server
Usually this field is filled with the URL of the server, and the TLS protocol checks whether the server is actually the one claimed by the certificate.
Let me know if this solves the issue!
Bye
2017-10-12 09:07 AM
AT+S.TLSDOMAIN=f_domain,server - I tried this parameter before, for sure! But the same. And in one of the similar topics I found the script for generating certificates, RSA1024_oneway-auth.sh. That didn't work either.
2017-10-12 09:34 AM
Ok, let's do another try...
Your former AT command to open the socket was this:
AT+S.SOCKON=ssltest11.bbtest.net,443,s,ind
But in a later message you put the openssl command to start the server:
openssl s_server -key server.key -cert server.crt -tls1_2 -accept 4433
That uses another port number... you have to use the same port number, otherwise the connection cannot work!
Try this and, in case it doesn't work, list here all the commands and the output received, also from the openssl side...
2017-10-12 09:43 AM
There are two different ways. When possible, please help me solve the problem with my local certificates: AT+S.SOCKON=192.168.1.150,4433,s,ind. I sent all my steps in my second post, with the attached certificates that were generated before. Please forget about the case with ssltest11.bbtest.net. I am sorry for confusing you!
2017-10-12 10:18 AM
I created new certificates on an Ubuntu machine (under Win10) and ran the server. Now I get
ERROR: SSL/TLS Error: Unable to connect (-150)
and on the server side
bad gethostbyaddr
140682958407320:error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure:s3_pkt.c:1210:
When I try with the same certificates on a Windows machine: 'ERROR: Failed to connect' and nothing from the server side.
About changing 'CR+LF' to 'CR': it doesn't work for me. I get ERROR: Unable to load CA certificate. Now, when I just copy/paste or send the file rootCA.pem, I get Error: Unable to connect (-150). I believe that when the server gets some response, I am on the correct way )))
2017-10-12 10:50 AM
Ok, I've tried to make some tests on my side with your certificates, and maybe the solution was in the Teraterm settings...
The first try I made was unsuccessful (error reported: Unable to load CA). My Teraterm setting for carriage return was 'CR'.
The only way I was able to make the connection work was to set the carriage return to 'CR', then put the command AT+S.TLSCERT=f_ca,1254
and press Enter. Before putting the certificate, I switched the carriage return setting to 'CR+LF' and then pasted the certificate.
With this configuration I was able to open a secure connection with the server.
Here's my output:
at+s.tlscert2=clean,f_ca
OK
at+s.tlscert=f_ca,1254
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
OK
at+s.settime=1507822368
OK
at+s.sockon=192.168.0.3,4433,s,ind
 ID: 00
OK
+WIND:55:Pending Data:0:ENC
at+s.sockq=0
 DATALEN: 5
OK
at+s.sockr=0,5
ciao
OK
Did you generate the certificates on a Windows machine? Usually I generate them on Linux and this mess with the carriage return doesn't appear...
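The carriage-return detail above can be checked arithmetically. The following is an added example, not code from the thread or from ST; it assumes that the number after AT+S.TLSCERT=f_ca, is the exact byte count of the PEM block as the terminal transmits it, with a line terminator after every line (the END line included). Under that assumption the 1254 used above is exactly the rootCA.pem posted earlier in this thread with CR+LF line endings, whereas the same text sent with a bare CR or LF is 1233 bytes, 21 bytes short of what the module was told to expect. The block also decodes the PEM and checks that the outer DER SEQUENCE length agrees with the decoded size, which is a quick way to detect a certificate that was truncated or mangled in transit.

```python
import base64

# Constructed from the rootCA.pem the thread's author posted (21 PEM lines).
ROOT_CA_PEM_LINES = [
    "-----BEGIN CERTIFICATE-----",
    "MIIDYDCCAkigAwIBAgIJAMcDkGsvF9ndMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV",
    "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX",
    "aWRnaXRzIFB0eSBMdGQwHhcNMTcxMDExMjAxMTA5WhcNNDUwMjI2MjAxMTA5WjBF",
    "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50",
    "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB",
    "CgKCAQEAqS2dgNi+60I2991mpne2R0wTiM6r/G4M7kqpg7iTyh0r3WddburetJju",
    "gAEPaShr19IDj6UoGgpc6+H5vA9/WnhT4Dse/X1NQxqK3rK8wM3lhieMT5xBcOpz",
    "AhJ3M0T4x3P5VnBpRV38ejZ2XSYdiAW0lQ05UDNg/OF+4MxnTsP9cR8suuRkBh+L",
    "dV2iFtV4F+1v/g4JN5SwwF/11j/LKw6ga+ZZwuh++rRQB1ZQKGXkJZbVrlQwXFLT",
    "WXw5IXsg0M3DPLP3l15LSZV/LkRlxoZGBPFKJ/EEURCViEWy+VY93h6zOWRiKUpw",
    "qE/6hJbpiRw6cJC3aWVGz/YrO2jzIwIDAQABo1MwUTAdBgNVHQ4EFgQUr90WDg24",
    "EeI6r/SD+sC46Ge6lScwHwYDVR0jBBgwFoAUr90WDg24EeI6r/SD+sC46Ge6lScw",
    "DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAEnORhWbHAMs7jAeP",
    "tPjd7FMestgWu9FEnZ3paX1S3HyYiiKMiwe6hsCDwg6KHf5+8Kbn+seLP8urlECC",
    "B0HdDKzHM50MEYqNluFaUvTWAgaIBc+9gtQP2ydK7X69pgFx1cVBax6uzdEWP20X",
    "uq55050Y+Oxf5l69q/7nM+0pSlU79x7HYnWGcQhJq/IArQiaRjcZiv3u0NcslGez",
    "HX6tiHzHs9vgUaRGJ9gkrVvtML4mHMeoBUKdhmjaJUSuSFNXwkCesvKDM/Klq9bm",
    "aHnNXGP8P39Ez5AO+vIebXCFdrzrijoJ+iBETizta9rOFLQSiOOvXh+Y5dCdzN30",
    "+j4hOA==",
    "-----END CERTIFICATE-----",
]

# Line terminators a serial terminal such as Teraterm can be set to send.
TERMINATORS = {"LF": "\n", "CR": "\r", "CRLF": "\r\n"}


def pem_byte_length(lines, terminator):
    """Bytes on the wire when every PEM line is followed by `terminator`.
    Assumption: this is the count the f_ca,<len> argument must announce."""
    return sum(len(line.encode("ascii")) + len(terminator) for line in lines)


def lengths_by_terminator(lines):
    """Map each terminator setting to the byte count it produces."""
    return {name: pem_byte_length(lines, t) for name, t in TERMINATORS.items()}


def matching_terminators(lines, declared_len):
    """Terminator settings whose byte count equals the declared <len>."""
    return sorted(n for n, l in lengths_by_terminator(lines).items()
                  if l == declared_len)


def pem_to_der(lines):
    """Strip the BEGIN/END armor and base64-decode the body to DER."""
    body = "".join(l for l in lines if not l.startswith("-----"))
    return base64.b64decode(body, validate=True)


def der_outer_length(der):
    """Parse the outer SEQUENCE header; return (header_len, content_len)."""
    if not der or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2, first
    n = first & 0x7F                      # long form: n length bytes follow
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def check_certificate(lines, declared_len):
    """Sanity-check a PEM certificate against the <len> the user declared."""
    der = pem_to_der(lines)
    hdr, content = der_outer_length(der)
    if hdr + content != len(der):
        raise ValueError("DER length mismatch: certificate truncated or corrupted")
    return {
        "der_bytes": len(der),
        "lengths": lengths_by_terminator(lines),
        "matches": matching_terminators(lines, declared_len),
    }


if __name__ == "__main__":
    report = check_certificate(ROOT_CA_PEM_LINES, 1254)
    print("decoded DER size:", report["der_bytes"])
    for name, length in report["lengths"].items():
        print(f"{name:4s} terminator -> {length} bytes")
    print("declared 1254 matches:", ", ".join(report["matches"]) or "nothing")
```

Running it shows that only the CRLF setting reproduces 1254; with CR alone the terminal sends 1233 bytes, so the module keeps waiting for the remaining 21 bytes and the next command arrives as certificate data, which is consistent with the "Unable to load CA certificate" error reported earlier in the thread. A PEM file produced on Windows has CRLF endings, which is why its size on disk matches 1254 only when the terminal is also set to CR+LF.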
2017-10-12 11:00 AM
Sorry, I forgot one important command:
at+s.tlsdomain=f_domain,server
at the beginning