chrispawlak9
Associate
May 2, 2016
Question

ERROR: SSL/TLS Error: Unable to connect (-330)

  • May 2, 2016
  • 16 replies
  • 2984 views
Posted on May 02, 2016 at 19:56

With a SPWF01SA I'm able to connect to a server using anonymous negotiation, but I often get the following error trying to open a socket before it opens successfully:

ERROR: SSL/TLS Error: Unable to connect (-330)

Questions:

Exactly what does (-330) indicate?

  1. Does it make sense that I tend to see the error more often when there is a lot of traffic on the server?
  2. A co-worker thought that the problem may be that I don't have the wi-fi authenticating the server's certificate. If that was the problem, I shouldn't ever be able to open a socket to the server using anonymous negotiation, right?
  3. I tried one-way authentication, but I get this error: "ERROR: SSL/TLS Error: Unable to connect (-322)." Could that be because I'm specifying the wrong domain in the command AT+S.TLSDOMAIN=f_domain,<server domain>? The certificate was created from GoDaddy, so I used godaddy.com (and ca.godaddy.com, certs.godaddy.com, etc.) in place of <server domain>, but I always get the error.
Note: Before setting the <server domain> I do clear out the certificate information with AT+S.TLSCERT2 and set the time (in seconds) and load the certificate (in PEM format). When I send AT+S.TLSCERT=f_content,0 I get this response

# TLS loaded CERTs:

#  CA Cert: YES

#  Client Cert: NO

#  Client Key: NO

#  Domain Name: YES - godaddy.com



    chrispawlak9
    Associate
    August 26, 2016
    Posted on August 26, 2016 at 19:33

    A co-worker mentioned that the certificate we are using is a top-level certificate that completes the certificate chain, whereas the one you attached seems to be second in the chain of certificates. See attached pic.

    I found another potential problem. Regarding the TLSDOMAIN command, I found that the domain "must match the name specified in the server certificate (Common Name or others)". The Common Name in the certificate is applusobd.com, but I was using www.applusobd.com. So now I send:

    AT+S.TLSDOMAIN=f_domain,applusobd.com<CR>

    But I still get the VERIFY_SIGN_ERROR. I then loaded the certificate you attached and tried it again. I got the same error. But then I'm guessing that wouldn't work anyway if the server has a different CA certificate.

    ________________

    Attachments :

    cert_path.jpg : https://st--c.eu10.content.force.com/sfc/dist/version/download/?oid=00Db0000000YtG6&ids=0680X000006I0Is&d=%2Fa%2F0X0000000bmz%2FN40.Bfe_6fmXIhI311kJJyKo4o_RdLcJuDlIfPwcZ3g&asPdf=false
    gaibotti.adriano
    Visitor II
    August 29, 2016
    Posted on August 29, 2016 at 09:17

    The certificate I've provided to you is a self-signed certificate, so it stays on top of the validation chain. It is possible that the server uses multiple certificate chains.

    Try to verify yourself which certificate is used before making a connection with the SPWF01S, for example with a web browser.

    Regards

    chrispawlak9
    Associate
    August 30, 2016
    Posted on August 31, 2016 at 00:48

    I checked the certificate chain using my browser and found the certificate that you provided (GoDaddyRootCertificateAuthority-G2.pem) was at the top of the validation chain. However, using different computers and even an Android phone, we see different certificates at the top of the chain.

    Could you please try to open the socket on your side?

    This is what I am sending:

    AT+S.TLSCERT2=clean,all<CR>

    AT+S.SETTIME=1472573549<CR>

    AT+S.TLSCERT=f_ca,1390<CR><GoDaddyRootCertificateAuthority-G2.pem>

    AT+S.TLSDOMAIN=f_domain,applusobd.com<CR>

    AT+S.SOCKON=www.applusobd.com,443,s,ind<CR>

    For me, this leads to the following error:

    ERROR: SSL/TLS Error: Unable to connect (-188)

    (-188) ASN_NO_SIGNER_E

    ASN sig error, no CA signer to verify certificate

    "This error occurs when using a certificate and the signing CA certificate was not loaded."

    We even reinstalled the certificates on the web server and tried opening the socket again. I tried 3 certificates above the server certificate. I am running out of time and my manager insists that you guys should try opening the socket on your end and tell us what is necessary to get it working. I just don't know what to do anymore.
    gaibotti.adriano
    Visitor II
    September 1, 2016
    Posted on September 01, 2016 at 11:22

    Hi,

    I've checked how the server's certificate is made. Its public key is RSA-4096. As specified in the Application Note AN4683 regarding TLS, the SPWF01 doesn't support this type of certificate (p.11: "Public key algorithms: RSA (1024, 2048), ECDSA"). The module wasn't able to establish the connection because the public key was too big.

    Best Regards
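    The two things this thread turned on, the TLSDOMAIN name having to match a name in the server certificate (the August 26 post) and the public key having to be RSA-1024, RSA-2048 or ECDSA per AN4683 (the post above), can both be checked on a PC before loading anything onto the module. The script below is an added example, not code from the thread or from ST; it assumes the openssl command-line tool is installed, and it builds its own self-signed test certificates (constructed inputs, issued to the thread's Common Name applusobd.com) so it runs offline. The function names (cert_pubkey_info, spwf_key_ok, cert_matches_host) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from ST): pre-flight checks on a server
# certificate before using it with an SPWF01S.
#  1. AN4683 p.11 lists the supported public keys as RSA (1024, 2048) and ECDSA,
#     so an RSA-4096 server key cannot work (error -188 in the thread).
#  2. The name given to AT+S.TLSDOMAIN=f_domain,<name> must match a name in the
#     server certificate (CN or SAN), so www.applusobd.com fails against a
#     certificate whose only name is applusobd.com.
# Assumes the openssl CLI is installed. Function names are this example's own.
set -eu

# Print "<algorithm> <bits>" for the certificate's public key,
# e.g. "rsaEncryption 4096" or "id-ecPublicKey 256".
cert_pubkey_info() {
    algo=$(openssl x509 -in "$1" -noout -text \
           | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    bits=$(openssl x509 -in "$1" -noout -pubkey \
           | openssl pkey -pubin -text -noout \
           | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    printf '%s %s\n' "$algo" "$bits"
}

# Succeed only if the key is one the module supports (AN4683 p.11).
spwf_key_ok() {
    # trailing 0 guarantees $2 exists even if openssl printed nothing
    set -- $(cert_pubkey_info "$1") 0
    case "$1" in
        rsaEncryption)  [ "$2" -eq 1024 ] || [ "$2" -eq 2048 ] ;;
        id-ecPublicKey) true ;;
        *)              false ;;
    esac
}

# Succeed only if NAME is accepted by the certificate's CN/SAN, i.e. the
# value AT+S.TLSDOMAIN needs. openssl prints "does match" / "does NOT match".
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Constructed inputs: self-signed certificates standing in for the server's.
make_test_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=applusobd.com" \
        -keyout "$1/k2048.pem" -out "$1/rsa2048.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:4096 -nodes -days 1 -subj "/CN=applusobd.com" \
        -keyout "$1/k4096.pem" -out "$1/rsa4096.pem" 2>/dev/null
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 1 -subj "/CN=applusobd.com" \
        -keyout "$1/kec.pem" -out "$1/ec.pem" 2>/dev/null
}

# Against the live server (needs network; not run here) fetch the leaf
# certificate the way a browser sees it, then run the same two checks:
#   openssl s_client -connect www.applusobd.com:443 -servername www.applusobd.com \
#       -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > server.pem
#   cert_pubkey_info server.pem; cert_matches_host server.pem applusobd.com

TEST_DIR=$(mktemp -d)
trap 'rm -rf "$TEST_DIR"' EXIT
make_test_certs "$TEST_DIR"

for c in rsa2048 rsa4096 ec; do
    if spwf_key_ok "$TEST_DIR/$c.pem"; then verdict=supported; else verdict=unsupported; fi
    printf '%-8s %-22s %s\n' "$c" "$(cert_pubkey_info "$TEST_DIR/$c.pem")" "$verdict"
done
for name in applusobd.com www.applusobd.com; do
    if cert_matches_host "$TEST_DIR/rsa2048.pem" "$name"; then verdict=matches
    else verdict='does NOT match'; fi
    printf 'TLSDOMAIN %-20s %s CN=applusobd.com\n' "$name" "$verdict"
done
```

    The RSA-4096 certificate is reported as unsupported and www.applusobd.com as not matching, which are the two failures the thread ran into; an ECDSA key passes because the module's TLS stack accepts ECDSA certificates.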

    chrispawlak9
    Associate
    September 1, 2016
    Posted on September 01, 2016 at 23:32

    Thanks so much for the response, and thanks for your patience all this time! We will request new certificates that the module supports.

    voulgaristhanasis
    Associate
    April 19, 2017
    Posted on April 19, 2017 at 19:47

    Dear Chris,

    About the

    "By the way, I'm running into another issue. Sometimes when I send the SETTIME command, the module seems to lock up and then reset. It usually accepts the command when I send it a second time."

    Did you solve it?

    Because I am facing the same problem.

    The Wi-Fi module resets sometimes.