BC660K SSL issue (Is SSL certificate handling broken?)

Important: I have tried to file the bug to Quectel (a week ago), but I am still waiting for an answer. But it is such an urgent issue for me (and perhaps other people using BC660K) that I would like to know if other people are seeing the same problem/issue when using an SSL connection.

I connect to a Microsoft service, which is hosted at the “azurewebsites.net” domain, using SSL encryption. Until recently I was able to connect to the service using QSSL, but for the last few weeks it does not work anymore. QSSL reports “exception”. I have not changed anything in the commands I use for the module, and the server application has not been updated either. But I believe “azurewebsites.net” got its certificate renewed recently. The certificate now has a new root certificate, “DigiCert Global Root G2”. Previously the root certificate was “Baltimore CyberTrust Root”. I do send both root certificates to the BC660K, which has been working before.

Other services from Microsoft using “Baltimore CyberTrust Root” still work on the BC660K. E.g. “test.azure-devices.net”, port 443.

A simple connection to “a.azurewebsites.net”, port 443 shows the issue.

I have looked at the logs from the debug port of the BC660K, which clearly show that the SSL negotiation stops when using a service with the new root certificate.

I have tried to think about what the issue is, and it could be due to a bug in the SSL library MBED-TLS, which has been reported and fixed: “SHA384 cipher suites are offered when MBEDTLS_SHA512_NO_SHA384 is enabled” (SHA384 cipher suites are offered when MBEDTLS_SHA512_NO_SHA384 is enabled · Issue #4499 · Mbed-TLS/mbedtls · GitHub).

This issue would probably tell the server that SHA384 cipher suites are supported – but the implementation is actually missing!!!

I hope for another explanation – because if that is actually the issue, it can be devastating for products in the field. Because how do you update firmware remotely if the device cannot connect to online services / the control server?

Any input to the issue I am seeing is appreciated… Thanks

PS: The firmware version of BC660K is: “BC660KGLAAR01A04_01.001.01.001”

SHA384 is not important for Azure
use SHA256 or SHA512 and check your password token

The failure happens long before any HTTP content (like password tokens) is exchanged. Just opening the SSL connection causes this issue. So it is much more low level than any HTTP request and headers.

As I wrote, the initiation of an SSL connection is failing. Opening the same SSL connection 1 month ago was successful.
Only change is the certificate, which Microsoft updated.
I am not able to change that certificate. It is all controlled by Microsoft.

As I also wrote, the SSL library used in the BC660K is MBED-TLS, and in a version which time-wise might be the version (MBED-TLS V2.2x) used in the BC660K, the bug will actually tell the server that TLS cipher suites that use SHA-384 are supported. But in fact SHA-384 is not supported in the library.
Therefore the server might choose a TLS SHA-384 cipher suite (because the BC660K says it is supported), but then the SSL handshake will fail.

Since I have no knowledge of MBED-TLS, or any insight into the BC660K code, it is my best guess.
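The mechanism described above (a client advertising SHA-384 suites it cannot complete) can be checked from a captured ClientHello. The script below is an added diagnostic example, not code from the thread or from Quectel/Mbed-TLS: it builds a constructed TLS 1.2 ClientHello, parses the offered cipher-suite list and reports the suites whose PRF needs SHA-384, so a hello captured from a module's debug port can be compared against the mbedtls #4499 symptom. The SHA384_SUITES table is a representative subset (an assumption, not the full IANA registry).

```python
"""Added example: parse cipher suites out of a TLS 1.2 ClientHello record and
flag the ones that require SHA-384 (the suites a client hit by mbedtls #4499
offers but cannot actually finish the handshake with)."""
import struct

# IANA cipher-suite codes whose PRF/MAC needs SHA-384 (subset; assumption for the demo)
SHA384_SUITES = {
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

def build_client_hello(suites):
    """Construct a minimal TLS 1.2 ClientHello record (test input, constructed here)."""
    body = b"\x03\x03" + bytes(32)                       # client_version, random (all zero)
    body += b"\x00"                                      # empty session_id
    body += struct.pack("!H", 2 * len(suites))           # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # compression_methods: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs  # record: handshake, TLS 1.2

def parse_client_hello(record):
    """Return the list of cipher-suite codes offered in a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                       # skip handshake header, client_version, random
    pos += 1 + hs[pos]                     # skip session_id (length-prefixed)
    n = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    if n % 2 or pos + n > len(hs):
        raise ValueError("truncated cipher_suites list")
    return [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + n, 2)]

def offered_sha384(record):
    """Names of SHA-384 suites the client advertises; non-empty means the server may pick one."""
    return [SHA384_SUITES[c] for c in parse_client_hello(record) if c in SHA384_SUITES]

if __name__ == "__main__":
    # Constructed hello: two SHA-256 suites and two SHA-384 suites in preference order
    hello = build_client_hello([0xC02F, 0xC02C, 0xC030, 0x002F])
    print(offered_sha384(hello))
```

If the list is non-empty for a module that cannot do SHA-384, a server preferring those suites will fail the handshake exactly as described above; the fix is on the client side (firmware), not in the server certificate.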

BC66 is as BC660 … same SoC, same stack

https://wiz.azure-devices.net/ uses the “old” Microsoft certificates, which have the root “Baltimore CyberTrust Root”.

That certificate also works on the BC660K.

But the new certificates, which Microsoft uses now (and which will also be used for IoT pretty soon: “Azure IoT TLS: Critical changes are almost here! (…and why you should care) - Microsoft Tech Community”), are the ones causing issues for the BC660K: “DigiCert Global Root G2”.

The BC660K connects perfectly to azure-devices.net, which I also wrote in the intro to this issue…

Regarding BC66 / BC660: It all depends on the SSL stack. If the BC66 does not have a faulty version of MBED-TLS, it might work.
Are you able to make a GET request to “a.azurewebsites.net”? Because I am not…

And I am supplying both root certificates (“Baltimore CyberTrust Root” and “DigiCert Global Root G2”)

I see
so, write an issue to Quectel support

A new firmware for BC660K is in progress.

ANYONE using the BC660K with Microsoft services should take action - because soon a connection to e.g. IoT Hub will not be possible due to the upcoming certificate change (originally scheduled for June 1st, 2022!!!).

please refer to the document
Quectel_BG95_Series_AWS_IoT_Platform_Access_User_Guide_V1.0_Preliminary_20200825.pdf

Hi Herbert,

Thank you for the user guide.

But the issue is not due to mistakes on my side.
And I already got a BETA firmware, where the issue is fixed.
I am trying to help other people by telling them that the released firmware for the BC660K is not able to process the new server certificates, which Microsoft has started to use.
When the new certificates from Microsoft reach Azure IoT Hub, the BC660K will not be able to connect anymore.
For some people it will be devastating and might even mean that a remote firmware update of the BC660K is no longer possible (due to lost control of the IoT device).
Therefore it is important to be open about such issues - and inform the customers!
I am looking forward to seeing how Quectel informs the customers :)