SPWF01SA11 ERROR: SSL/TLS Error: Unable to connect (-308)

Viktor Duma
Associate II
Posted on October 11, 2017 at 20:52

Hello! I have an issue with the SPWF01SA11 one-way SSL/TLS connection. I am sure I checked all the similar cases here, but still can't solve my problem. I tried the certificates from the tutorial en.STSW-TLSpack example_2, tried to generate my own certificates and got

ERROR: Unable to load CA certificate.

And now I am trying www.geotrust.com/resources/root-certificates/#.

Through Tera Term I send the commands:

AT+S.TLSCERT2=clean,all

OK

AT+S.SETTIME=1507665904

OK

AT+S.TLSDOMAIN=f_domain,GeoTrust Global CA

OK

AT+S.TLSCERT=f_ca,1216

-----BEGIN CERTIFICATE-----
MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg
R2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9
9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq
fnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv
iS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU
1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+
bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW
MPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA
ephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l
uMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn
Z57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS
tQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF
PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un
hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV
5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
-----END CERTIFICATE-----

OK

AT+S.TLSCERT=f_content,0

# TLS loaded CERTs:

# CA Cert: YES

# Client Cert: NO

# Client Key: NO

# Domain Name: YES - GeoTrust Global CA

AT+S.SOCKON=ssltest11.bbtest.net,443,s,ind

ERROR: SSL/TLS Error: Unable to connect (-308)

What is wrong? Please help me! I have wasted about a week on this (((

19 REPLIES
Posted on October 13, 2017 at 07:44

Hello Viktor,

Error -150 means 'ASN date error, current date before'. So probably you forgot to set the current date correctly or, since you've generated new certificates, you used the old configuration and set the date to the date of your first tests...

Viktor Duma
Associate II
Posted on October 13, 2017 at 15:20

Thank you for your time and patience with me! Now it works. It was really difficult to save the certificate properly through Tera Term. My colleague wrote a script in C#, and now I can do that with no problem. And one more question. Please suggest me the certificate for access to google.com, for example. Now I have successfully downloaded Entrust Root Certification Authority to the device but can connect only with

http://www.ssllabs.com

. The device can't access other sites and raises ERROR: SSL/TLS Error: Unable to connect (-188).
Posted on October 13, 2017 at 15:33

You're welcome! 

If you want to access another site, for example google.com, you'll need to download the Certification Authority certificate for that site (

https://www.thesslstore.com/blog/how-to-view-ssl-certificate-details-in-chrome-56/

).

Please note that, since the module has a small flash size, it is able to handle just one CA at a time. If you want to connect to several servers you have to clean up the flash each time and load the new certificate.

Regards

Viktor Duma
Associate II
Posted on October 17, 2017 at 14:51

I am sorry, I still can't connect to google. I got the certificate from

https://pki.google.com/

. I also downloaded it from the browser. I tried a lot of different certificates like GeoTrust. But I can connect to

http://www.ssllabs.com

with

Entrust Root Certificate Authority - G2.

Guys, what is wrong?

AT+S.TLSCERT2=clean,all

OK

AT+S.SETTIME=1508244012

OK

AT+S.TLSDOMAIN=f_domain,google.com

OK

AT+S.TLSCERT=f_ca,1501

-----BEGIN CERTIFICATE-----
MIIEKDCCAxCgAwIBAgIQAQAhJYiw+lmnd+8Fe2Yn3zANBgkqhkiG9w0BAQsFADBC
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMS
R2VvVHJ1c3QgR2xvYmFsIENBMB4XDTE3MDUyMjExMzIzN1oXDTE4MTIzMTIzNTk1
OVowSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMT
HEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCcKgR3XNhQkToGo4Lg2FBIvIk/8RlwGohGfuCPxfGJziHu
Wv5hDbcyRImgdAtTT1WkzoJile7rWV/G4QWAEsRelD+8W0g49FP3JOb7kekVxM/0
Uw30SvyfVN59vqBrb4fA0FAfKDADQNoIc1Fsf/86PKc3Bo69SxEE630k3ub5/DFx
+5TVYPMuSq9C0svqxGoassxT3RVLix/IGWEfzZ2oPmMrhDVpZYTIGcVGIvhTlb7j
gEoQxirsupcgEcc5mRAEoPBhepUljE5SdeK27QjKFPzOImqzTs9GA5eXA37Asd57
r0Uzz7o+cbfe9CUlwg01iZ2d+w4ReYkeN8WvjnJpAgMBAAGjggERMIIBDTAfBgNV
HSMEGDAWgBTAephojYn7qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1
dvWBtrtiGrpagS8wDgYDVR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggr
BgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAw
NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9i
YWwuY3JsMCEGA1UdIAQaMBgwDAYKKwYBBAHWeQIFATAIBgZngQwBAgIwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQDKSeWs
12Rkd1u+cfrP9B4jx5ppY1Rf60zWGSgjZGaOHMeHgGRfBIsmr5jfCnC8vBk97nsz
qX+99AXUcLsFJnnqmseYuQcZZTTMPOk/xQH6bwx+23pwXEz+LQDwyr4tjrSogPsB
E4jLnD/lu3fKOmc2887VJwJyQ6C9bgLxRwVxPgFZ6RGeGvOED4Cmong1L7bHon8X
fOGLVq7uZ4hRJzBgpWJSwzfVO+qFKgE4h6LPcK2kesnE58rF2rwjMvL+GMJ74N87
L9TQEOaWTPtEtyFkDbkAlDASJodYmDkFOA/MgkgMCkdm7r+0X8T/cKjhf4t5K7hl
MqO5tzHpCvX2HzLc
-----END CERTIFICATE-----

OK

AT+S.TLSCERT=f_content,0

# TLS loaded CERTs:

# CA Cert: YES

# Client Cert: NO

# Client Key: NO

# Domain Name: YES - google.com

OK

AT+S.SOCKON=www.google.com,443,s,ind

ERROR: SSL/TLS Error: Unable to connect (-322)

Viktor Duma
Associate II
Posted on October 17, 2017 at 15:48

I did it before. -188: ASN sig error, no CA signer to verify certificate

Any ideas? 

# CA Cert: YES

# Client Cert: NO

# Client Key: NO

# Domain Name: YES - www.google.com

Receive: OK

Sent: AT+S.SOCKON=www.google.com,443,s,ind

Receive: ERROR: SSL/TLS Error: Unable to connect (-188)
Viktor Duma
Associate II
Posted on October 17, 2017 at 16:26

I read that. What can you advise me when I need to do that? Use a mutual connection? Thank you!

Posted on October 17, 2017 at 15:36

Hi Viktor,

the error -322 means that the domain name is wrong. Try to use as the domain name

http://www.google.com

 

Cheers

Posted on October 17, 2017 at 16:16

This happens because the certificate you have loaded is too big for the module's available RAM...the module isn't able to handle certificates greater than 1.3 KB when dealing with one-way authentication and, when using mutual authentication, the overall size of the certificates and private key should be less than 3 KB.

Please refer to 

http://www.st.com/content/ccc/resource/technical/document/application_note/f2/8e/ae/8f/fe/77/44/aa/DM00176553.pdf/files/DM00176553.pdf/jcr:content/translations/en.DM00176553.pdf

for more information...
Posted on October 17, 2017 at 17:13

In this case there is no solution unfortunately...mutual authentication is used only when the server requests it (and https doesn't use any mutual authentication).

But consider that, usually, in an IoT scenario, cloud platforms (AWS, Azure etc.) use smaller certificates than the ones used for https (the latter case is for desktop, while IoT clouds are intended for very constrained devices).

One piece of advice: in case of mutual authentication, use ECDSA-signed private keys and certificates, which are smaller than RSA-signed certificates at the same level of security. For example with Amazon AWS it is possible to use them.

Viktor Duma
Associate II
Posted on October 18, 2017 at 14:58

I understand. Thank you for the support! Yesterday I downloaded the certificate for Amazon, according to tutorial AN4963

50/61 ,

and it works. But when I do the same for other sites, it doesn't work. Certificates are about 1200 kb. What's the secret? )))
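The three failure modes the thread walks through (a SETTIME outside the certificate's validity window, a certificate larger than the module's one-way limit, and a certificate that is not the self-signed root of the chain) can all be caught on the PC before a single byte goes over the serial port, which also removes the "hard to paste through Tera Term" problem by generating the exact AT+S.TLSCERT=f_ca,<len> line. The script below is an added example and is not code from the thread, from ST or from the STSW-TLSpack; it uses only the Python standard library with a minimal DER walk of the certificate fields. Its sample input is the GeoTrust Global CA certificate exactly as pasted in the first post. Assumptions are marked in the code: the "1.3 KB" figure from the reply is taken to mean 1300 bytes of PEM text (the length the module is given in the f_ca command, which is how 1216 and 1501 were arrived at above), and the issuer-equals-subject test is informational only (it tells you whether you loaded a root or an intermediate; the thread does not say which the module requires).

```python
import base64
import datetime as dt

# Constructed sample input: the GeoTrust Global CA root certificate as pasted in
# the first post of the thread (AT+S.TLSCERT=f_ca,1216).
GEOTRUST_GLOBAL_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg
R2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9
9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq
fnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv
iS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU
1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+
bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW
MPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA
ephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l
uMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn
Z57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS
tQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF
PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un
hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV
5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
-----END CERTIFICATE-----
"""

# Assumption: the reply's "1.3 KB" one-way limit is applied to the PEM byte count,
# which is the number the module is given in AT+S.TLSCERT=f_ca,<len>.
ONE_WAY_LIMIT = 1300
CN_OID = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)


def _tlv(buf, pos):
    """Decode one DER tag/length header at buf[pos]; return (tag, value_start, value_len)."""
    tag, ln, hdr = buf[pos], buf[pos + 1], 2
    if ln & 0x80:                     # long form: low 7 bits = number of length bytes
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, pos + hdr, ln


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for every TLV packed in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vstart, ln = _tlv(buf, pos)
        yield tag, vstart, vstart + ln
        pos = vstart + ln


def _asn1_time(buf, tag, start, end):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(buf[start:end].decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def _common_name(buf, start, end):
    """Walk a Name (SEQUENCE of SET of AttributeTypeAndValue) and return its CN, if any."""
    for _, rdn_s, rdn_e in _children(buf, start, end):
        for _, atv_s, atv_e in _children(buf, rdn_s, rdn_e):
            (_, oid_s, oid_e), (_, val_s, val_e) = list(_children(buf, atv_s, atv_e))[:2]
            if buf[oid_s:oid_e] == CN_OID:
                return buf[val_s:val_e].decode("utf-8", "replace")
    return None


def parse_cert(der):
    """Minimal RFC 5280 walk: issuer, subject and validity of a DER-encoded certificate."""
    _, c_start, c_len = _tlv(der, 0)                                   # Certificate SEQUENCE
    _, tbs_s, tbs_e = next(_children(der, c_start, c_start + c_len))   # tbsCertificate
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                                           # optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, validity, subject = fields[2], fields[3], fields[4]
    nb, na = list(_children(der, validity[1], validity[2]))
    return {
        "subject_cn": _common_name(der, subject[1], subject[2]),
        "issuer_cn": _common_name(der, issuer[1], issuer[2]),
        "self_signed": der[issuer[1]:issuer[2]] == der[subject[1]:subject[2]],
        "not_before": _asn1_time(der, *nb),
        "not_after": _asn1_time(der, *na),
    }


def plan_ca_load(pem_text, domain, settime, limit=ONE_WAY_LIMIT):
    """Build the AT command sequence used in the thread and flag the problems it discusses."""
    pem = pem_text.replace("\r\n", "\n").strip() + "\n"   # LF endings, exactly one trailing newline
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    info = parse_cert(der)
    now = dt.datetime.fromtimestamp(settime, dt.timezone.utc)
    pem_len, warnings = len(pem.encode()), []
    if pem_len > limit:
        warnings.append(f"PEM is {pem_len} bytes, over the {limit}-byte one-way limit")
    if now < info["not_before"]:   # the -150 'current date before' case
        warnings.append(f"SETTIME {now:%Y-%m-%d} is before notBefore {info['not_before']:%Y-%m-%d}")
    if now > info["not_after"]:
        warnings.append(f"SETTIME {now:%Y-%m-%d} is after notAfter {info['not_after']:%Y-%m-%d}")
    if not info["self_signed"]:    # informational: an intermediate, not the chain's root
        warnings.append(f"issuer '{info['issuer_cn']}' != subject: not a self-signed root")
    commands = ["AT+S.TLSCERT2=clean,all", f"AT+S.SETTIME={settime}",
                f"AT+S.TLSDOMAIN=f_domain,{domain}", f"AT+S.TLSCERT=f_ca,{pem_len}",
                pem.rstrip("\n")]
    return {"pem_len": pem_len, "der_len": len(der), **info,
            "warnings": warnings, "commands": commands}


if __name__ == "__main__":
    plan = plan_ca_load(GEOTRUST_GLOBAL_CA_PEM, "GeoTrust Global CA", 1507665904)
    print("\n".join(plan["commands"]))
    for w in plan["warnings"]:
        print("WARNING:", w)
```

Run as-is it reproduces the first post's sequence (SETTIME 1507665904, f_ca length 1216) with no warnings. Feeding it the Google Internet Authority G2 certificate from the later post would produce two warnings: 1501 bytes over the assumed 1300-byte limit, and issuer 'GeoTrust Global CA' differing from the subject, i.e. an intermediate rather than a root. Because the length is computed from the same bytes that are sent, write the command list to the serial port from this script rather than retyping it in a terminal.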