BG96 +QHTTPGET: 701 error

I’m trying to do an HTTPS GET, but the connection fails with error 701. Can somebody comment on why? I tried both with and without specifying an SSL certificate. Same error 701.

RDY

ATZ
OK

ATE1
OK

ATV1
OK

AT+QGMR
BG96MAR03A06M1G_01.005.01.005
OK

AT+QFDWL="amazonca.pem"
CONNECT
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
+QFDWL: 1544,5505
OK

AT+QFLST="*"
+QFLST: "amazonca.pem",1544
+QFLST: "herer2.pem",1260
+QFLST: "herer3.pem",1228
+QFLST: "sectigca.pem",2166
+QFLST: "security/",2
OK

AT+QICSGP=1,1,"omnitel","omni","omni",0
OK

AT+QIACT=1
OK

AT+QHTTPCFG="contextid",1
OK

AT+QIACT?
+QIACT: 1,1,1,"10.139.9.231"
OK

AT+QPING=1,"8.8.8.8"
OK
+QPING: 0,"8.8.8.8",32,874,255
+QPING: 0,"8.8.8.8",32,179,255
+QPING: 0,"8.8.8.8",32,162,255
+QPING: 0,"8.8.8.8",32,179,255
+QPING: 0,4,4,0,162,874,347

AT+QHTTPCFG="sslctxid",1
OK

AT+QSSLCFG="sslversion",1,3
OK

AT+QSSLCFG="ciphersuite",1,0xFFFF
OK

AT+QSSLCFG="cacert",1,"amazonca.pem"
OK

AT+QSSLCFG="seclevel",1,1
OK

AT+QSSLCFG="sslversion",1
+QSSLCFG: "sslversion",1,3
OK

AT+QSSLCFG="ciphersuite",1
+QSSLCFG: "ciphersuite",1,0XFFFF
OK

AT+QSSLCFG="seclevel",1
+QSSLCFG: "seclevel",1,1
OK

AT+QSSLCFG="cacert",1
+QSSLCFG: "cacert",1,"UFS:amazonca.pem"
OK

AT+QHTTPURL=21,80
CONNECT
https://www.nasa.gov/
OK

AT+QHTTPGET=80

OK
+QHTTPGET: 701

Without specifying the CA it looks like the following, but with the same error 701:

AT+QICSGP=1,1,"omnitel","omni","omni",0
OK

AT+QIACT=1
OK

AT+QHTTPCFG="contextid",1
OK

AT+QIACT?
+QIACT: 1,1,1,"10.139.9.231"
OK

AT+QHTTPCFG="sslctxid",1
OK

AT+QSSLCFG="sslversion",1,3
OK

AT+QSSLCFG="sslversion",1
+QSSLCFG: "sslversion",1,3
OK

AT+QSSLCFG="ciphersuite",1,0xFFFF
OK

AT+QSSLCFG="ciphersuite",1
+QSSLCFG: "ciphersuite",1,0XFFFF
OK

AT+QSSLCFG="seclevel",1,0
OK
AT+QSSLCFG="seclevel",1
+QSSLCFG: "seclevel",1,0
OK

AT+QSSLCFG="cacert",1
OK

AT+QHTTPURL=21,80
CONNECT
https://www.nasa.gov/
OK

AT+QHTTPGET=80

OK
+QHTTPGET: 701

In case somebody would ask - modem time is synced and ignoretime is set for ssl

AT+CTZU=1
OK

AT+CCLK?
+CCLK: "20/02/18,10:58:05+08"
OK

AT+QSSLCFG="negotiatetime",1,300
OK

AT+QSSLCFG="ignorelocaltime",1,1
OK

This problem was caused by our server not having the ciphers that the BG96 wanted. Although our server had one cipher that was supposed to be available on the BG96, obviously it wasn’t working, and we would always get 701 whenever we tried to post or get from our server using HTTPS.

To solve the problem, we increased the ciphers on our server to the following:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

If you are getting this problem from a server you do not control, then I fear you are out of luck.


@Matthew you are right about a single compatible cipher: in the case of www.nasa.org and the BG96 it is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

Since I’m not an admin at NASA yet, what is the best way to go in case I need to use some publicly available API (with the BG96 modem), like Google or any other vendor? In my view the options are:

  1. Make HTTPS requests without specifying AT+QSSLCFG parameters. Which would mean easy man-in-the-middle attacks. And there is a question if any encryption would be in use.
  2. Wait and pray for Quectel to release new firmware and include new ciphers

I don’t think that not specifying QSSLCFG parameters will work either, as this is what I tried first. I think the only ways to connect to servers which you don’t control, and which give you 701 errors when you try to connect via HTTPS, are to either use HTTP or wait for a firmware update that increases the supported ciphers.

By the way, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is the same exact cipher that was the only one that matched on our server originally. I assume that cipher is not working then.

I found one more cause responsible for my problem. Bad ipex antenna cable.

I just tried everything, and everything failed except AT+QSSLCFG="sni",1,1.
“sni” stands for Server Name Indication. I just enabled SNI and it connected successfully.
This seems to be because of the virtual servers hosted on the same machine, and it’s used to verify the server certificate. See https://en.wikipedia.org/wiki/Server_Name_Indication

what it is a party :person_shrugging:

thanks, this solution saved days of debugging :sweat_smile:
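The settings discussed in this thread can be checked mechanically from a captured AT session. The following is an added example, not code from any poster or from Quectel: it parses the `AT+QSSLCFG` writes for the SSL context that `AT+QHTTPCFG="sslctxid"` binds to HTTP(S) and reports the weak or missing settings mentioned above. The finding names, the sample transcript, the treatment of never-written options as 0, and the reading of `seclevel` 0 as "no server authentication" and `ignorelocaltime` 1 as "validity period not checked" are assumptions.

```python
import re

# Constructed transcript, modelled on the second AT session in this thread.
SAMPLE = """\
AT+QHTTPCFG="sslctxid",1
OK
AT+QSSLCFG="sslversion",1,3
OK
AT+QSSLCFG="seclevel",1,0
OK
AT+QSSLCFG="ignorelocaltime",1,1
OK
AT+QHTTPGET=80
OK
+QHTTPGET: 701
"""

WRITE_RE = re.compile(r'^AT\+QSSLCFG="(\w+)",(\d+),(.+)$')

def parse_ssl_contexts(transcript):
    """Return {ctx_id: {option: value}} for QSSLCFG writes the modem answered with OK."""
    contexts, pending = {}, None
    for line in (raw.strip() for raw in transcript.splitlines()):
        match = WRITE_RE.match(line)
        if match:
            pending = match.groups()
        elif line == "OK" and pending:
            option, ctx, value = pending
            contexts.setdefault(int(ctx), {})[option] = value.strip('"')
            pending = None
        elif line:  # ERROR or any other response: the write did not take effect
            pending = None
    return contexts

def audit(transcript):
    """Return finding ids for the SSL context that HTTP(S) requests are bound to."""
    bound = re.search(r'^AT\+QHTTPCFG="sslctxid",(\d+)', transcript, re.M)
    cfg = parse_ssl_contexts(transcript).get(int(bound.group(1)), {}) if bound else {}
    findings = []
    # Assumption: an option that was never written is at its disabled value (0).
    if cfg.get("seclevel", "0") == "0":
        findings.append("no-server-auth")     # certificate not verified: MITM possible
    elif "cacert" not in cfg:
        findings.append("no-cacert")          # verification requested, no trust anchor
    if cfg.get("sni", "0") != "1":
        findings.append("sni-off")            # virtual-hosted servers may fail the handshake
    if cfg.get("ignorelocaltime") == "1":
        findings.append("cert-time-ignored")  # validity period is not checked (assumption)
    if re.search(r"^\+QHTTPGET: 701", transcript, re.M):
        findings.append("https-701")          # the failure this thread is about
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A write that the modem answers with anything other than `OK` is treated as not applied, so a rejected `seclevel` command still shows up as `no-server-auth`.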