19 Replies Latest reply on Oct 18, 2017 2:58 PM by Viktor Duma

    SPWF01SA11 ERROR: SSL/TLS Error: Unable to connect (-308)

    Viktor Duma

      Hello! I have an issue with an SPWF01SA11 one-way SSL/TLS connection. I am sure I checked all similar cases here, but still can't solve my problem. I tried the certificates from the tutorial en.STSW-TLSpack example_2, tried to generate my own certificates and got ERROR: Unable to load CA certificate. And now I am trying www.geotrust.com/resources/root-certificates/#.

      Through Tera Term I send the commands:

      AT+S.TLSCERT2=clean,all

      OK
      AT+S.SETTIME=1507665904

      OK
      AT+S.TLSDOMAIN=f_domain,GeoTrust Global CA

      OK
      AT+S.TLSCERT=f_ca,1216
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----

      OK

      AT+S.TLSCERT=f_content,0
      # TLS loaded CERTs:
      # CA Cert: YES
      # Client Cert: NO
      # Client Key: NO
      # Domain Name: YES - GeoTrust Global CA


      AT+S.SOCKON=ssltest11.bbtest.net,443,s,ind

      ERROR: SSL/TLS Error: Unable to connect (-308)


      What is wrong? Please help me! I have wasted about a week on that (((

        • Re: SPWF01SA11 ERROR: SSL/TLS Error: Unable to connect (-308)
          gaibotti.adriano

          Hello Viktor,

          it seems you put the Common Name of the Certification Authority (CA) as the domain name.

          You have to put in this field the domain name of the server you want to connect with. Very likely you will need to use this command:

          AT+S.TLSDOMAIN=f_domain,ssltest11.bbtest.net

          but check inside the server certificate if this is the actual Common Name.

          Regards

            • Re: SPWF01SA11 ERROR: SSL/TLS Error: Unable to connect (-308)
              Viktor Duma
              Adriano, thank you for your reply. I tried that case too before - it doesn't work. Maybe you will see the problem with my local certificates. My steps:
              openssl genrsa -out rootCA.key 2048   # CA key
              openssl req -x509 -new -key rootCA.key -days 10000 -out rootCA.crt   # CA cert
              openssl genrsa -out server.key 2048   # server key
              openssl req -new -key server.key -out server.csr   # server cert (CSR)
              openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 5000   # signature
              openssl x509 -in rootCA.crt -out rootCA.pem -outform PEM
              openssl s_server -key server.key -cert server.crt -tls1_2 -accept 4433 -www   # run server
              openssl s_client -connect localhost:4433 -CAfile rootCA.pem   # Verify return code: 0 (ok)   Extended master secret: yes
              openssl x509 -text -in rootCA.pem -noout   # check; looks like the keys work with the server
              AT+S.TLSCERT2=clean,all
              OK
              AT+S.SETTIME=1507665904
              OK
              AT+S.TLSDOMAIN=f_domain,192.168.1.150
              OK
              AT+S.TLSCERT=f_ca,1254
              -----BEGIN CERTIFICATE-----
              -----END CERTIFICATE-----
              OK
              AT+S.TLSCERT=f_content,0
              # TLS loaded CERTs:
              #  CA Cert: YES
              #  Client Cert: NO
              #  Client Key: NO
              #  Domain Name: YES - 192.168.1.150
              OK
              AT+S.SOCKON=192.168.1.150,4433,s,ind
              ERROR: Unable to load CA certificate
              I tried loading the certificate via ctrl+c/ctrl+v and by sending a file through Tera Term, but got the same error.
                • Re: SPWF01SA11 ERROR: SSL/TLS Error: Unable to connect (-308)
                  gaibotti.adriano

                  Looking at your generated server certificate I've seen that you've used the string "server" as the Common Name (CN) field for your server certificate. Use that as your domain:

                  AT+S.TLSDOMAIN=f_domain,server

                  Usually this field is filled with the URL of the server, and the TLS protocol checks if the server is actually the one claimed by the certificate.

                  Let me know if this solves the issue!

                  Bye

                    • Re: SPWF01SA11 ERROR: SSL/TLS Error: Unable to connect (-308)
                      Viktor Duma

                      AT+S.TLSDOMAIN=f_domain,server - I tried with this parameter before, for sure! But the same. And in one of the similar topics I found the script for generating certificates, RSA1024_oneway-auth.sh. With that it didn't work either.

                        • Re: SPWF01SA11 ERROR: SSL/TLS Error: Unable to connect (-308)
                          gaibotti.adriano

                          Ok, let's do another try...

                          Your former AT command to open the socket was this:

                             AT+S.SOCKON=ssltest11.bbtest.net,443,s,ind

                          But in a later message you put the openssl command to start the server:

                             openssl s_server -key server.key -cert server.crt -tls1_2 -accept 4433

                          That uses another port number... you have to use the same port number, otherwise the connection cannot work!

                          Try this and, in case it doesn't work, list here all the commands and the output received, also from the openssl side...

                            • Re: SPWF01SA11 ERROR: SSL/TLS Error: Unable to connect (-308)
                              Viktor Duma

                              There are two different ways. When possible, please help me solve the problem with my local certificates. AT+S.SOCKON=192.168.1.150,4433,s,ind. I sent all my steps in my second post with the attached certificates that were generated before. Please forget about the case with ssltest11.bbtest.net. I am sorry for confusing you!

                                • Re: SPWF01SA11 ERROR: SSL/TLS Error: Unable to connect (-308)
                                  gaibotti.adriano

                                  Ok, I've tried to make some tests on my side with your certificates and maybe the solution is in the Teraterm settings...

                                  The first try I've made was unsuccessful (error reported: Unable to load CA). My Teraterm setting for carriage return was "CR".

                                  The only way I was able to make the connection work was to set the carriage return to "CR", then put the command AT+S.TLSCERT=f_ca,1254 and press Enter. Before putting the certificate, I switched the carriage return setting to "CR+LF" and then put the certificate inside.

                                  With this configuration I was able to open a secure connection with the server.

                                  Here's my output:

                                  at+s.tlscert2=clean,f_ca
                                  OK

                                  at+s.tlscert=f_ca,1254
                                  -----BEGIN CERTIFICATE-----
                                  -----END CERTIFICATE-----

                                  OK
                                  at+s.settime=1507822368
                                  OK
                                  at+s.sockon=192.168.0.3,4433,s,ind
                                  ID: 00

                                  OK
                                  at+s.sockon=192.168.0.3,4433,s,ind
                                  ID: 00

                                  OK

                                  +WIND:55:Pending Data:0:ENC
                                  at+s.sockq=0
                                  DATALEN: 5

                                  OK
                                  at+s.sockr=0,5

                                  ciao

                                  OK

                                  Did you generate the certificates on a Windows machine? Usually I generate them on Linux and this mess with the carriage return doesn't appear... 
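The length after AT+S.TLSCERT=f_ca must equal the number of bytes the module actually receives, line terminators included, which is why the terminal's CR / CR+LF setting decides between "OK" and "Unable to load CA certificate". As an added illustration (not code from the thread or from ST), the Python helper below frames a PEM block with one fixed terminator style and computes that count; the synthetic PEM it builds only reproduces the line shape of the certificates posted above (18 full lines plus an 8-character tail for the self-signed CA, 17 plus a 56-character tail for the GeoTrust root), not real certificate bytes, and the resulting counts agree with the 1254 (CR+LF) and 1216 (LF) values seen in the thread.

```python
"""Byte-exact PEM framing for the SPWF01SA AT+S.TLSCERT command (added example).

The module reads exactly <len> bytes after "AT+S.TLSCERT=f_ca,<len>", so the
count must include every line terminator the terminal transmits.  A terminal
that rewrites CR as CR+LF (or the reverse) changes that count, the module
then reads too few or too many bytes, and the certificate fails to load.
"""
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def normalize_pem(pem_text: str, newline: str = "\r\n") -> bytes:
    """Re-join a PEM block with one terminator style, including after END.

    Whitespace around lines (copy/paste residue) is stripped and the chosen
    terminator is applied uniformly, so the byte count is predictable.
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("not a single PEM CERTIFICATE block")
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body) or len(body) % 4:
        raise ValueError("PEM body is not valid base64")
    return (newline.join(lines) + newline).encode("ascii")


def tlscert_command(kind: str, pem_text: str, newline: str = "\r\n") -> bytes:
    """Build the bytes to send over the serial line: AT command, then the PEM.

    `kind` is the certificate slot name, e.g. "f_ca" as used in the thread.
    The command line itself is terminated with CR, as Tera Term does by default.
    """
    payload = normalize_pem(pem_text, newline)
    return f"AT+S.TLSCERT={kind},{len(payload)}\r".encode("ascii") + payload


def synthetic_pem(full_lines: int, tail_len: int) -> str:
    """Constructed PEM with a real PEM's line shape (NOT a real certificate)."""
    body = ["A" * 64 for _ in range(full_lines)]
    if tail_len:
        body.append("A" * tail_len)
    return "\n".join([PEM_BEGIN, *body, PEM_END])


if __name__ == "__main__":
    # Same PEM, two terminator conventions: 1254 bytes vs 1233 bytes.
    for nl, name in (("\r\n", "CR+LF"), ("\n", "LF")):
        print(name, len(normalize_pem(synthetic_pem(18, 8), nl)))
```

Feed the output of tlscert_command to the serial port as a single write instead of pasting through a terminal, and the count can no longer drift with the terminal's newline setting.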

                      • Re: SPWF01SA11 ERROR: SSL/TLS Error: Unable to connect (-308)
                        Viktor Duma

                        I created new certificates on an Ubuntu machine (under Win10) and ran the server. Now I get

                        ERROR: SSL/TLS Error: Unable to connect (-150)

                        and on the server side

                        "bad gethostbyaddr
                        140682958407320:error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure:s3_pkt.c:1210:"

                        When I try to do it with the same certificates on a Windows machine - "ERROR: Failed to connect" and nothing from the server side.

                        About changing "CR+LF" - "CR": it doesn't work for me. I get ERROR: Unable to load CA certificate. Now, when I just copy/paste or send the file rootCA.pem, I get Error: Unable to connect (-150). I believe that when the server gets some response, I am on the correct way )))

                        • Re: SPWF01SA11 ERROR: SSL/TLS Error: Unable to connect (-308)
                          Viktor Duma

                              Thank you for your time and patience with me! Now it works. It was really difficult to save the certificate properly through Tera Term. My colleague wrote a script in C#, and now I can do that with no problem. And one more question. Please suggest me the certificate for access to google.com, for example. Now I have successfully downloaded the Entrust Root Certification Authority to the device but can connect only with www.ssllabs.com. Other sites the device can't access, and it raises ERROR: SSL/TLS Error: Unable to connect (-188).

                          • Re: SPWF01SA11 ERROR: SSL/TLS Error: Unable to connect (-308)
                            Viktor Duma

                            I am sorry, still can't connect to google. I got the certificate from Google Internet Authority G2 - Google. Also downloaded it from the browser. Tried a lot of different certificates like GeoTrust. But I can connect to www.ssllabs.com with Entrust Root Certificate Authority - G2. Guys, what is wrong?

                            AT+S.TLSCERT2=clean,all

                            OK
                            AT+S.SETTIME=1508244012

                            OK
                            AT+S.TLSDOMAIN=f_domain,google.com

                            OK
                            AT+S.TLSCERT=f_ca,1501
                            -----BEGIN CERTIFICATE-----
                            -----END CERTIFICATE-----
                            OK
                            AT+S.TLSCERT=f_content,0
                            # TLS loaded CERTs:
                            # CA Cert: YES
                            # Client Cert: NO
                            # Client Key: NO
                            # Domain Name: YES - google.com

                            OK

                            AT+S.SOCKON=www.google.com,443,s,ind

                            ERROR: SSL/TLS Error: Unable to connect (-322)

                            • Re: SPWF01SA11 ERROR: SSL/TLS Error: Unable to connect (-308)
                              Viktor Duma

                              I did it before. -188 ASN sig error, no CA signer to verify certificate

                              Any ideas?

                              # CA Cert: YES
                              # Client Cert: NO
                              # Client Key: NO
                              # Domain Name: YES - www.google.com

                              O
                              Receive: K

                              Sent: AT+S.SOCKON=www.google.com,443,s,ind
                              Receive:
                              ERROR: SSL/TLS Error: Unable to
                              Receive: connect (-188)

                              • Re: SPWF01SA11 ERROR: SSL/TLS Error: Unable to connect (-308)
                                Viktor Duma

                                I read that. What can you advise me when I need to do that? Use a mutual connection? Thank you!

                                  • Re: SPWF01SA11 ERROR: SSL/TLS Error: Unable to connect (-308)
                                    gaibotti.adriano

                                    In this case there is no solution unfortunately... mutual authentication is used only when the server requests it (and https doesn't use any mutual authentication).

                                    But consider that, usually, in an IoT scenario, cloud platforms (AWS, Azure etc.) use smaller certificates with respect to the ones used for https (the latter case is for desktop, while IoT clouds are intended for very constrained devices).

                                    One piece of advice: in case of mutual authentication, use ECDSA-signed private keys and certificates that, at the same level of security as RSA-signed certificates, are smaller. For example with Amazon AWS it is possible to use them.

                                  • Re: SPWF01SA11 ERROR: SSL/TLS Error: Unable to connect (-308)
                                    Viktor Duma

                                    I understand. Thank you for the support! Yesterday I downloaded the certificate for Amazon, according to tutorial AN4963 50/61, and it works. But when I do the same for other sites it doesn't work. Certificates are about 1200 kb. What's the secret? )))