Quecopen SSL example BG95 - Error "The certificate is not trusted"

I am developing Quecopen Application to run on top of ThreadX for BG95.

The SDK version I have is Quectel_BG95_QuecOpen_SDK_Package_V1.1.0_BETA20200610 with ThreadX_LLVM_TX3.0.

I am able to compile the examples and flash them using the QEFS explorer. There is no problem there. I have problems with the network security APIs. I am working with the SSL example and the MQTT example.

With the SSL example, I try to open an SSL socket to an Amazon endpoint https://docs.aws.amazon.com/ (176.32.98.189). I use the Amazon Root CA 1 certificate. I am unable to connect over SSL. I always get the “The certificate is not trusted” error. Please tell me the ideal format of the certificates to use.

The AmazonRootCA1.pem I use is

The example_ssh.h file in my case is

The SSL config I have is

/* SSL_INST and the QAPI_* identifiers come from the SDK's SSL example header */
static qapi_Status_t ssl_conn_obj_config(SSL_INST *ssl)
{
    qapi_Status_t ret_val = QAPI_OK;

    /* default eight encryption suites offered to the server */
    ssl->config.cipher[0] = QAPI_NET_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
    ssl->config.cipher[1] = QAPI_NET_TLS_RSA_WITH_AES_256_CBC_SHA;
    ssl->config.cipher[2] = QAPI_NET_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA;
    ssl->config.cipher[3] = QAPI_NET_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA;
    ssl->config.cipher[4] = QAPI_NET_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA;
    ssl->config.cipher[5] = QAPI_NET_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA;
    ssl->config.cipher[6] = QAPI_NET_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA;
    ssl->config.cipher[7] = QAPI_NET_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384;

    /* record size negotiation and protocol version */
    ssl->config.max_Frag_Len = 4096;
    ssl->config.max_Frag_Len_Neg_Disable = 0;
    ssl->config.protocol = QAPI_NET_SSL_PROTOCOL_TLS_1_2;

    /* peer certificate verification options: domain name matching is
     * disabled (domain = 0, empty match_Name) and no alert is sent on failure */
    ssl->config.verify.domain = 0;
    ssl->config.verify.match_Name[0] = '\0';
    ssl->config.verify.send_Alert = 0;
    ssl->config.verify.time_Validity = 0;   /* Don't check certificate expiration */

    return ret_val;
}

Not sure if you resolved this, but I can probably advise here. You have used Amazon Root CA 1 as your root CA file.

This is actually an intermediate CA and is not the root of trust.

You need to use the Starfield CA (I believe owned by Amazon) as this is the final root of trust. I discovered this a while ago and fed this back to AWS.
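To check on a workstation which certificate in a chain is actually the self-signed trust anchor before loading it onto the module, here is an added example (not Quectel SDK code and not the poster's) that builds a throwaway root/intermediate/leaf chain with openssl and verifies the leaf against each candidate anchor; it assumes openssl(1) on PATH with its default config, and all file and subject names are constructed.

```shell
#!/bin/sh
# Added example, not from the Quectel SDK or the original posts. Builds a demo
# root -> intermediate -> leaf chain, reports which file is self-signed, and
# shows that anchoring trust on the intermediate fails while the root succeeds.
set -eu

# Print "self-signed" when subject == issuer (a root of trust), else "issued".
cert_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo self-signed; else echo issued; fi
}

# Create a demo PKI in directory $1: root.pem (self-signed CA), inter.pem (CA issued
# by root) and leaf.pem (server cert issued by inter). Keys are throwaway RSA-2048.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=docs.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Verify leaf $2 with $1 as the only trust anchor and $3 as untrusted chain material.
# Returns 0 when the chain reaches a trusted self-signed root, non-zero otherwise
# (the same situation the module reports as "The certificate is not trusted").
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
}

# Walk-through: classify each file, then try both candidate anchors.
work=$(mktemp -d)
make_demo_pki "$work"
for f in root inter leaf; do echo "$f.pem: $(cert_kind "$work/$f.pem")"; done
chain_verifies "$work/inter.pem" "$work/leaf.pem" "$work/inter.pem" \
    && echo "anchor=inter.pem: OK" || echo "anchor=inter.pem: not trusted"
chain_verifies "$work/root.pem" "$work/leaf.pem" "$work/inter.pem" \
    && echo "anchor=root.pem: OK" || echo "anchor=root.pem: not trusted"
rm -rf "$work"
```

The same classification works on a real bundle: run cert_kind on the PEM you intend to load and on each certificate the server sends, and keep the self-signed one as the module's trust anchor.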