AMW-037 https requests
Hi,
I am trying to use https with AMW037 module. I have followed the instructions here to get / upload certificate to my device: https://docs.zentri.com/zentrios/w/latest/cmd/apps/web-page-tls-cert
For testing, I have downloaded certificate from amazon.ca, google.com, autodesk.com and one from an AWS API Gateway mockup.
For all of them except google.com, I get the following error:
Connecting: xx.xx.xx.xxx: 443
Error with TLS handshake: (state: 3, code: -0x7200)
Command failed
The command I am using is: http_get https://SITENAME
Here are the steps I am doing:
set network.tls.ca_cert CERTNAME.cer
save
http_get https://SITENAME
So knowing that it works for google.com, it seems that AMW037 can indeed use https. But the question is why does it fail on all other sites? I have checked with Postman to be sure that https://SITENAME actually returns something.
So my question is why does it work on google.com and not on the others? I would like to use the AMW037 with a specific domain which is not google :)
Any pointer would be appreciated.
Thanks
Dominic
(Device version: SILABS-AMW037-2.1.5, Gecko OS-2.1.5, AMW007-W00001)
Hi Dominic,
Summary:
Error 0x7200 you are seeing is caused by a failure in TLS handshaking. It is a known issue, and we have a fix for it. Please read below.
Root cause:
A TLS connection to a server that sends fragment sizes larger than 4K fails. The connection may fail during TLS handshaking, but it may fail at any time after connection if the server sends a fragment larger than 4K.
That is a known issue in Gecko OS 2.1 and earlier. Please see the known issues here:
https://docs.silabs.com/gecko-os/2/amw007-w00001/latest/release-notes#known-issues
Solution:
We just released BETA Gecko OS 2.2.5 that has fixes for the 4K issue discussed above. To get access to this release, please issue the command 'ota -b 2.2.5'.
Kindly note that this is a BETA firmware, and once we collect all the feedback from waiting customers, we will flip this to release.
Similar issues:
https://www.silabs.com/community/wireless/wi-fi/forum.topic.html/amw007_error_withtl-CIId
Thank you,
Ayman
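An added example, not part of the original thread: the 4K fragment limit described above can be checked against a capture of the server's side of the connection, because the 5-byte TLS record header (type, version, length) is sent in the clear. The record sizes in SAMPLE_FLIGHT are constructed for illustration, and scan_records, oversize and record are hypothetical helper names.

```python
import struct

DEVICE_LIMIT = 4096  # largest fragment the affected firmware handles, per the thread
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def scan_records(stream, limit=DEVICE_LIMIT):
    """Walk the TLS record headers in a server-to-client byte stream.

    Returns one (offset, content_type, length, oversize) tuple per record.
    """
    records, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError(f"truncated record header at offset {pos}")
        ctype, version, length = struct.unpack_from("!BHH", stream, pos)
        if ctype not in CONTENT_TYPES or version >> 8 != 3:
            raise ValueError(f"not a TLS record at offset {pos}")
        if pos + 5 + length > len(stream):
            raise ValueError(f"record at offset {pos} runs past the capture")
        records.append((pos, CONTENT_TYPES[ctype], length, length > limit))
        pos += 5 + length
    return records

def oversize(stream, limit=DEVICE_LIMIT):
    """Only the records whose fragment exceeds the device limit."""
    return [r for r in scan_records(stream, limit) if r[3]]

def record(ctype, payload, version=0x0303):
    """Build one record; used here only to construct the sample."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

# Constructed sample: three handshake records, the middle one carrying 5200 bytes.
SAMPLE_FLIGHT = record(22, bytes(90)) + record(22, bytes(5200)) + record(22, bytes(4))

if __name__ == "__main__":
    for offset, ctype, length, too_big in scan_records(SAMPLE_FLIGHT):
        print(offset, ctype, length, "exceeds 4K" if too_big else "ok")
```

The TLS record layer allows fragments of up to 16384 bytes, so a server that fills its records is within the protocol while still exceeding the 4K limit.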
Hi Ayman,
Thanks for the prompt answer. Unfortunately it still does not work. I did the ota and retried the same steps. Now I get this error: (state: 4, code: -0x2700).
Please see attachment.
Thanks
Dominic
Hi Dominic,
Maybe you are using the incorrect certificate?
Here is the result when I used VeriSign cert (attached):
Thanks,
Ayman
Hi Ayman,
Thanks. Don't know why but it seems indeed the certificate was faulty, it works now for amazon.ca when re-creating the certificate.
So I'm guessing that if I can't connect to a particular site with https it means there is something wrong with their cert? The endpoint that I need to use is https://api.wisksolutions.com . I re-generated the certs in case it also got corrupted but I still can't connect. I get (state: 4, code: -0x2700)
Thanks again for the help.
Dominic
Hi Dominic,
Would you please advise how you are retrieving the certificate? This app note shows how you can get and store the correct file (Base-64 encoded X.509):
https://docs.zentri.com/zentrios/wz/latest/cmd/apps/web-page-tls-cert
Please let me know if that works for you.
Thanks,
Ayman
Hi Ayman,
Here is how I get the cert: https://s3.amazonaws.com/teckdevops.com/certificate.mp4. Then I upload it through the web setup. Don't know why but I still get the error.
Thanks!
Dominic
Hi Dominic,
The way you obtained the certificate is correct. I've tried using the same cert and can see the same error code. I am looking further and will let you know shortly.
Thanks,
Ayman
Hi Dominic,
We've released Gecko OS 2.2.7 today that supports SHA512 (that is why connection using this cert was failing). You should be able to use http_get with this endpoint using this release:
Please give it a go and let me know if you have any other concerns.
Thanks,
Ayman
Hi Ayman,
I can now connect using https with the new update, thanks!

One last question and I should be good to go :) I know that certificates need to be renewed so that they can keep being valid (on the server side) - when the server updates their certificate, will I also need to update the one on my device?
Thanks!
Dominic
Hi Dominic,
Please distinguish between:
1. Server certificate which is delivered as a part of TLS Server Hello message. This one is completely controlled by the server, and it does not matter if they changed it or kept it the same; clients will receive it anyway during handshaking.
2. CA cert, which you are storing on the device flash. This one also has an expiry date, and once expired you will need to replace it with a new one. This one should be under your control and you will need to replace it once expired. The expiry is usually set to a few years though.
Thanks,
Ayman
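An added example, not part of the original thread, covering both the SHA512 failure and the CA expiry point above: a standard-library check that reads the signature algorithm and the notAfter date from a certificate file before it is stored on the device. SAMPLE_CERT is a constructed DER skeleton with no real key or signature, and inspect_cert and the other helper names are hypothetical.

```python
import base64
from datetime import datetime, timezone

SIG_ALGS = {f"1.2.840.113549.1.1.{n}": f"sha{h}WithRSAEncryption"
            for n, h in ((5, 1), (11, 256), (12, 384), (13, 512))}

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each DER element in buf[start:end]."""
    while start < end:
        tag, length, pos = buf[start], buf[start + 1], start + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, pos, pos + length
        start = pos + length

def decode_oid(raw):
    parts, n = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:  # a clear high bit ends the current arc
            parts.append(n)
            n = 0
    return ".".join(map(str, parts))

def inspect_cert(data):
    """Return (signature algorithm, notAfter) for a PEM or DER X.509 certificate."""
    if data.lstrip().startswith(b"-----BEGIN"):
        data = base64.b64decode(b"".join(l for l in data.splitlines() if b"-----" not in l))
    _, s, e = next(children(data, 0, len(data)))       # Certificate
    _, s, e = next(children(data, s, e))               # tbsCertificate
    # serial, signature, issuer, validity, ... with the optional [0] version dropped
    fields = [f for f in children(data, s, e) if f[0] != 0xA0]
    _, s, e = next(children(data, fields[1][1], fields[1][2]))       # signature OID
    oid = decode_oid(data[s:e])
    tag, s, e = list(children(data, fields[3][1], fields[3][2]))[1]  # notAfter
    text = data[s:e].decode()
    if tag == 0x17:  # UTCTime carries a two-digit year; 50-99 means 19xx
        text = ("19" if text[:2] >= "50" else "20") + text
    when = datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return SIG_ALGS.get(oid, oid), when

# Constructed skeleton: just enough DER structure to exercise the parser.
def _der(tag, body):
    return bytes([tag, len(body)]) + body
_ALG = bytes.fromhex("300d06092a864886f70d01010d0500")  # sha512WithRSAEncryption
_VALID = _der(0x30, _der(0x17, b"190101000000Z") + _der(0x17, b"290101000000Z"))
_TBS = bytes.fromhex("a003020102020101") + _ALG + _der(0x30, b"") + _VALID
SAMPLE_CERT = _der(0x30, _der(0x30, _TBS) + _ALG + _der(0x03, b"\x00\x00"))
```

Run it over the CA file and over each certificate the server presents; which signature hashes a given firmware release accepts has to come from that release's notes.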
Hi Ayman,
Thanks for the complete explanation. Much appreciated.
I can now happily use https :)
Thanks!
Dominic
No worries. Great it works for you now :)
Cheers,
Ayman