BG96 - unable to verify Client certification in server side


Hello.
I’m trying to verify the server certificate in an SSL connection on BG96.
Result: “No required SSL certificate was sent” (400 error), and the HTML of the error page prepared on the server side was obtained.

Test case 1: server without certificate authentication.
Result: connection is successful (200 OK).

Test case 2: browser used false certificates for server access.
Result: failure (403 error).

AT command log (XXX = omitted):

[LOG]34.293: AT+QSSLCFG="cacert",2,"ufs:CaCert"
[LOG]34.294: OK
[LOG]34.703: AT+QSSLCFG="clientcert",2,"ufs:ClientCert"
[LOG]34.704: OK
[LOG]35.112: AT+QSSLCFG="clientkey",2,"ufs:ClientKey"
[LOG]35.113: OK
[LOG]35.928: AT+QSSLCFG="sslversion",2,4
[LOG]35.929: OK
[LOG]35.520: AT+QSSLCFG="ciphersuite",2,0Xffff
[LOG]35.521: OK
[LOG]36.336: AT+QSSLCFG="seclevel",2,2
[LOG]36.336: OK
[LOG]38.374: AT+QICSGP=1,1,"XXX","XXX","XXX",2
[LOG]38.375: OK
[LOG]42.268: AT+QIACT?
[LOG]42.269: OK
[LOG]42.674: AT+QIACT=1
[LOG]42.675: OK
[LOG]43.082: AT+QHTTPCFG="contextid",1
[LOG]43.082: OK
[LOG]44.712: AT+QHTTPURL=57,60
[LOG]44.713: CONNECT
[LOG]44.813: https://XXX
[LOG]45.124: OK
[LOG]46.578: AT+QHTTPPOST=942,60,60
[LOG]46.579: CONNECT
[LOG]46.680: --- DATA START ---
[LOG]XXX
[LOG]46.690: ---- DATA END ----
[LOG]49.121: OK
[LOG]49.122: +QHTTPPOST: 0,400,246
[LOG]49.222: AT+QHTTPREAD=60
[LOG]49.240: CONNECT
[LOG]49.240: <html>
[LOG]XXX <= 400 error page information is displayed here
[LOG]49.256: </html>
[LOG]49.259: OK

I am using the AT command reference “Quectel_BG96_HTTP(S)_AT_Commands_Manual_V1.0.pdf > 3.1.2.1. Post Body Object from UART/USB”.

Do you need more information about the problem?

HTTP error code 400 means “(wrong request) the server does not understand the syntax of the request.”

It is not the module's fault; please check on the server side.

Please send one empty data to double-check it.

If there is any more confusion, please reach out to support@quectel.com, thanks.

Thanks for the reply.
I’m contacting the server side
and checking the transmission data.

The server side says that the client certificate has not been sent.

I’m using the AT commands below for ClientCert.
[LOG]34.293: AT+QSSLCFG="cacert",2,"ufs:CaCert"
[LOG]34.294: OK
[LOG]34.703: AT+QSSLCFG="clientcert",2,"ufs:ClientCert"
[LOG]34.704: OK
[LOG]35.112: AT+QSSLCFG="clientkey",2,"ufs:ClientKey"
[LOG]35.113: OK

How can I check that the AT+QSSLCFG settings are correct?

Maybe this will help you to understand:

Server certificates uniquely identify a server (or domain), client certificates uniquely identify a client. And just like server certificates must be signed by someone the client trusts, client certificates must be signed by someone the server trusts.

  • Usually, when you configure a server to accept client certificates, you specify a signing certificate that must be used to sign the client’s cert. This lets the server know that the client is “authorized”, whatever that might mean in your context since presumably you’ll only sign certificates for “authorized” users.
  • Allowing client certificates without doing any sort of verification is generally possible with most servers, but sort of defeats the whole purpose.

Greetings,
J Wick
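
Added example (not written by any poster in this thread, and not Quectel code): a small checker for an AT log like the one above that reports whether the SSL context holding the client certificate and key is the one the HTTP client is told to use. It assumes, from Quectel's BG96 HTTP(S) and SSL manuals rather than from this thread, that `AT+QHTTPCFG="sslctxid",<n>` selects the SSL context, that the default is 1, and that `seclevel` 2 enables client authentication; the sample logs are constructed from the commands posted above.

```python
import re

# Assumption (from Quectel's BG96 HTTP(S)/SSL manuals, not from this thread):
# the HTTP client uses SSL context 1 unless AT+QHTTPCFG="sslctxid",<n> is sent,
# and "seclevel" 2 is the level that enables client authentication.
DEFAULT_HTTP_SSLCTX = 1
MUTUAL_TLS_KEYS = {"cacert", "clientcert", "clientkey"}

QSSLCFG = re.compile(r'AT\+QSSLCFG="(\w+)",(\d+),(\S+)')
QHTTP_SSLCTX = re.compile(r'AT\+QHTTPCFG="sslctxid",(\d+)')

def audit(log_text):
    """Return (SSL context used by HTTP, settings per context, findings)."""
    # Forum software often turns straight quotes into curly ones; undo that.
    log_text = log_text.replace("\u201c", '"').replace("\u201d", '"')
    contexts, http_ctx = {}, DEFAULT_HTTP_SSLCTX
    for line in log_text.splitlines():
        m = QSSLCFG.search(line)
        if m:
            contexts.setdefault(int(m.group(2)), {})[m.group(1)] = m.group(3)
        m = QHTTP_SSLCTX.search(line)
        if m:
            http_ctx = int(m.group(1))
    findings = []
    used = contexts.get(http_ctx, {})
    missing = sorted(MUTUAL_TLS_KEYS - set(used))
    if missing:
        findings.append(f"HTTP uses SSL context {http_ctx}, which lacks: {', '.join(missing)}")
    elif used.get("seclevel") != "2":
        findings.append(f"SSL context {http_ctx} has certificates but seclevel is not 2")
    for ctx, cfg in sorted(contexts.items()):
        if ctx != http_ctx and MUTUAL_TLS_KEYS <= set(cfg):
            findings.append(f"SSL context {ctx} holds the certificates but is not selected for HTTP")
    return http_ctx, contexts, findings

# Constructed sample: QSSLCFG/QHTTPCFG commands taken from the thread's log.
THREAD_LOG = '''[LOG]34.293: AT+QSSLCFG="cacert",2,"ufs:CaCert"
[LOG]34.703: AT+QSSLCFG=\u201cclientcert\u201d,2,\u201cufs:ClientCert\u201d
[LOG]35.112: AT+QSSLCFG="clientkey",2,"ufs:ClientKey"
[LOG]36.336: AT+QSSLCFG="seclevel",2,2
[LOG]43.082: AT+QHTTPCFG="contextid",1'''
# Constructed variant that also binds the HTTP client to SSL context 2.
BOUND_LOG = THREAD_LOG + '\n[LOG]43.500: AT+QHTTPCFG="sslctxid",2'

if __name__ == "__main__":
    for name, log in (("thread", THREAD_LOG), ("bound", BOUND_LOG)):
        print(name, audit(log)[2])
```

Run against a full capture, it only inspects the configuration commands; whether the server accepts the certificate still depends on it being signed by a CA the server trusts.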