It seems you put the Common Name of the Certification Authority (CA) as the domain name.
You have to put in this field the domain name of the server you want to connect with. Very likely you will need to use this command:
but check inside the server certificate if this is the actual Common Name.
Looking at your generated server certificate I've seen that you've used the string "server" as the Common Name (CN) field for your server certificate. Use that as your domain:
Usually this field is filled with the URL of the server, and the TLS protocol checks if the server is actually the one claimed by the certificate.
Let me know if this solves the issue!
AT+S.TLSDOMAIN=f_domain,server - I tried with this parameter before, for sure! But the same. And in one of the similar topics I found the script for generating certificates, RSA1024_oneway-auth.sh. With that it didn't work.
Ok, let's do another try...
Your former AT-command to open the socket was this:
But in a later message you put the openssl command to start the server:
openssl s_server -key server.key -cert server.crt -tls1_2 -accept 4433
That uses another port number... you have to use the same port number, otherwise the connection cannot work!
Try this and, in case it doesn't work, list here all the commands and the output received, also from the openssl side...
There are two different ways. When possible, please help me solve the problem with my local certificates. AT+S.SOCKON=192.168.1.150,4433,s,ind. I sent all my steps in my second post, with the attached certificates that were generated before. Please forget about the case with ssltest11.bbtest.net. I am sorry for confusing you!
Ok, I've tried to make some tests on my side with your certificates and maybe the solution was on the Teraterm settings...
The first try I've made was unsuccessful (error reported: Unable to load CA). My Teraterm setting for carriage return was "CR".
The only way I was able to make the connection working was to set the carriage return to "CR", then put the command AT+S.TLSCERT=f_ca,1254 and press Enter. Before putting the certificate, I've switched the carriage return setting to "CR+LF" and then put the certificate inside.
With this configuration I was able to open a secure connection with the server.
Here's my output:
Did you generate the certificates on a Windows machine? Usually I generate them on Linux and this mess with the carriage return doesn't appear...
sorry I forgot one important command:
at the beginning
I created new certificates on an Ubuntu machine (under Win10) and ran the server. Now I get
ERROR: SSL/TLS Error: Unable to connect (-150)
and on server side
140682958407320:error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure:s3_pkt.c:1210:"
When I try with the same certificates on a Windows machine - "ERROR: Failed to connect" and nothing from the server side.
About changing "CR+LF" to "CR": it doesn't work for me. I get ERROR: Unable to load CA certificate. Now, when I just copy/paste or send the file rootCA.pem, I get Error: Unable to connect (-150). I believe that when the server gets some response, I am on the correct way )))
Error -150 means "ASN date error, current date before". So probably you forgot to set the current date correctly or, since you've generated new certificates, you used the old configuration and set up the date as the date of your first tests...
Thank you for your time and patience with me! Now it works. It was really difficult to save the certificate properly through Tera Term. My colleague wrote a script in C#, and now I can do that with no problem. And one more question. Please suggest me the certificate for access to google.com, for example. Now I have successfully downloaded Entrust Root Certification Authority to the device but can connect only with www.ssllabs.com. The device can't access other sites and raises ERROR: SSL/TLS Error: Unable to connect (-188).
If you want to access another site, for example google.com, you'll need to download the Certification Authority certificate for that site (here's How to View SSL Certificate Details in Chrome 56).
Please note that, since the module has a small flash size, it is able to handle just one CA at a time. If you want to connect to several servers you have to clean up the Flash each time and load the new certificate.
I am sorry, I still can't connect to google. I got the certificate from Google Internet Authority G2 – Google, also downloaded from the browser. I tried a lot of different certificates like GeoTrust. But I can connect to www.ssllabs.com with Entrust Root Certificate Authority—G2. Guys, what is wrong?
# TLS loaded CERTs:
# CA Cert: YES
# Client Cert: NO
# Client Key: NO
# Domain Name: YES - google.com
ERROR: SSL/TLS Error: Unable to connect (-322)
I did it before. -188 ASN sig error, no CA signer to verify certificate
# CA Cert: YES
# Client Cert: NO
# Client Key: NO
# Domain Name: YES - www.google.com
ERROR: SSL/TLS Error: Unable to connect (-188)
This happens because the certificate you have loaded is too big for the module's RAM availability... the module isn't able to handle certificates greater than 1.3 KBs when dealing with one-way authentication and, when using mutual authentication, the overall size of the certificates and private key should be less than 3 KBs.
Please refer to http://www.st.com/content/ccc/resource/technical/document/application_note/f2/8e/ae/8f/fe/77/44/aa/DM00176553.pdf/files/… for more information...
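To make the two failure modes discussed in this thread concrete (the -150 "current date before" error and the 1.3 KB one-way certificate limit), here is an added example, not from the thread and not ST's code, that checks a CA certificate's DER size and validity window against the module clock before you try to load it. It assumes the 1.3 KB figure applies to the DER-encoded certificate, and it builds a constructed, unsigned sample certificate instead of using a real CA file.

```python
import ssl
import datetime as dt

MAX_ONE_WAY_CA_BYTES = 1300   # one-way-auth limit quoted in the thread (assumed to mean the DER size)

def utc(y, m, d):   # aware UTC datetime, the form the module clock is compared in
    return dt.datetime(y, m, d, tzinfo=dt.timezone.utc)

def der(tag, content):   # tiny DER TLV encoder, used only to build the constructed sample below
    n = len(content)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def parse_tlv(data, pos=0):   # decode one DER TLV at pos -> (tag, value, position after it)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def children(seq):   # all (tag, value) pairs inside a SEQUENCE value
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = parse_tlv(seq, pos)
        out.append((tag, val))
    return out

def cert_validity(der_cert):   # (notBefore, notAfter) of a DER X.509 certificate as aware UTC datetimes
    fields = children(children(parse_tlv(der_cert)[1])[0][1])   # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:                                     # skip the optional [0] version
        fields = fields[1:]
    times = [dt.datetime.strptime(v.decode(), "%y%m%d%H%M%SZ" if t == 0x17 else "%Y%m%d%H%M%SZ")
             .replace(tzinfo=dt.timezone.utc) for t, v in children(fields[3][1])]   # UTCTime / GeneralizedTime
    return times[0], times[1]                                    # fields: serial, sigAlg, issuer, validity

def check_ca_cert(pem, module_clock):
    """Reasons the module would reject this CA certificate; an empty list means it should load."""
    der_cert = ssl.PEM_cert_to_DER_cert(pem)
    not_before, not_after = cert_validity(der_cert)
    too_big = len(der_cert) > MAX_ONE_WAY_CA_BYTES
    problems = [f"DER size {len(der_cert)} B exceeds the {MAX_ONE_WAY_CA_BYTES} B one-way limit"] if too_big else []
    if not not_before <= module_clock <= not_after:
        problems.append("module clock outside the validity window (-150 'current date before' if too early)")
    return problems

def sample_cert(not_before, not_after, subject_padding=0):   # constructed, unsigned stand-in for a CA cert
    asn1 = lambda t: der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())   # only the fields the checker reads are real
    tbs = der(0x30, der(0x02, b"\x01") + der(0x30, b"") + der(0x30, b"")
              + der(0x30, asn1(not_before) + asn1(not_after)) + der(0x30, b"\x00" * subject_padding))
    return ssl.DER_cert_to_PEM_cert(der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00")))
```

For a real CA file, pass its PEM text to check_ca_cert together with the date you intend to set on the module; the subject_padding argument only exists to make the constructed sample exceed the limit.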
I read that. What can you advise me when I need to do that? Use a mutual connection? Thank you!
In this case there is no solution, unfortunately... mutual authentication is used only when the server requests it (and https doesn't use any mutual authentication).
But consider that, usually, in an IoT scenario, cloud platforms (AWS, Azure etc.) use smaller certificates with respect to the ones used for https (the latter case is for desktop, while IoT clouds are intended for very constrained devices).
One piece of advice: in case of mutual authentication, use ECDSA-signed private keys and certificates, which at the same level of security as RSA-signed certificates are smaller. For example, with Amazon AWS it is possible to use them.
I understand. Thank you for the support! Yesterday I downloaded the certificate for Amazon, according to tutorial AN4963 50/61, and it works. But when I do the same for other sites it doesn't work. The certificates are about 1200 kb. What is the secret? )))