Module: EG21-G
Firmware version: (EG21GGBR07A11M1G_01.002.01.002)
Issue:
I’m configuring the EG21-G to present a client certificate during an HTTPS request (mTLS-style client authentication), but I have evidence suggesting the client certificate is not actually being sent during the TLS handshake at seclevel=0, despite clientcert/clientkey being correctly configured.
Context:
My target server validates client certificates when one is presented (confirmed independently via Postman: attaching a correct client cert succeeds, attaching a mismatched/wrong client cert is rejected by the server). So the server side is known to behave correctly and consistently.
Test sequence (AT commands):
AT+QICSGP=1,1,“”,“”,“”,1
AT+QIACT=1
AT+QIACT?
+QIACT: 1,1,1,“”
AT+QFDEL=“UFS:cert.pem”
AT+QFDEL=“UFS:key.pem”
AT+QFUPL=“UFS:cert.pem”,570,30
CONNECT
<570 bytes of valid client cert.pem>
+QFUPL: 570,547f
OK
AT+QFUPL=“UFS:key.pem”,227,30
CONNECT
<227 bytes of matching client key.pem>
+QFUPL: 227,6272
OK
AT+QSSLCFG=“sslversion”,1,4
AT+QSSLCFG=“seclevel”,1,0
AT+QSSLCFG=“clientcert”,1,“UFS:cert.pem”
AT+QSSLCFG=“clientkey”,1,“UFS:key.pem”
AT+QSSLCFG=“ignorelocaltime”,1,1
AT+QHTTPCFG=“contextid”,1
AT+QHTTPCFG=“sslctxid”,1
AT+QHTTPCFG=“requestheader”,0
AT+QHTTPCFG=“contenttype”,4
AT+QHTTPURL=49,60
CONNECT
OK
AT+QHTTPGET=80
OK
+QHTTPGET: 0,200
The test that demonstrates the problem:
-
Ran the above with my correct, valid 570-byte client certificate →
+QHTTPGET: 0,200(success). -
Deleted the cert, uploaded a different, deliberately mismatched 240-byte file as
cert.pem(confirmed genuinely different via the+QFUPLchecksum changing from547fto237e— not a re-upload of the same file), reconfiguredclientcertto point at it, and re-sent the same request to the same URL → still got+QHTTPGET: 0,200(success).
Since the server is independently confirmed (via Postman) to reject mismatched client certificates when one is actually presented and checked, getting an identical success result regardless of which certificate is loaded onto the modem suggests the certificate configured via AT+QSSLCFG="clientcert"/"clientkey" is not actually being transmitted during the EG21-G’s TLS handshake when seclevel=0.
Questions:
-
Is the client certificate expected to be sent during the handshake when
seclevel=0, or doesseclevel=0suppress client certificate presentation as well as server certificate verification? -
If client cert presentation should work at
seclevel=0, is there an additional required step (e.g., explicitAT+QSSLOPEN/socket-level handling) that theAT+QHTTPGET/AT+QHTTPPOSThigh-level commands don’t perform automatically? -
Is
seclevel=2(combined with a CA cert for server verification, which I can’t currently provide due to this server’s ECDSA chain) the only way to guarantee client cert presentation on this module?
Any clarification on the actual handshake behavior at each seclevel would be very helpful. Happy to provide full AT command logs (with sensitive cert data redacted) if useful for debugging.