Ciphersuite Issue


#1

Hi,
I have successfully provisioned and sent data to the Murano server via a curl command.
Now I am trying to post data from my device using HTTPS, but unfortunately
the device (Quectel UC20) does not support the cipher “ECDHE-RSA-AES128-GCM-SHA256” used in
Exosite Murano.
Is there any workaround for this?
The device supports only the ciphers below:
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256

Any help would be appreciated.

Thanks,

John


#2

Hi John,

Can you provide a little more detail on how you’re connecting?

What is the hostname you’re trying to connect to with this device? If you don’t want to share your hostname publicly, you can send me a private message by clicking on my avatar.

Providing any relevant logs might be useful as well.

Thanks,

~Will


#3

Hi Will,

We use an embedded device, which has a GSM module (Quectel UC20), to connect to the Murano server.
We use the on-chip stack in the module, but since it won’t support the “ECDHE-RSA-AES128-GCM-SHA256” cipher suite we are unable to connect to the server.

The host name is : z16ux1r0qemm80000.m2.exosite.io

I’ll share the log as private message.

Thanks,
John


#4

Hi Will,

Any updates on this?
Also, how do we generate CA and other certificates to be used from an embedded device? The document provided doesn’t give much explanation regarding this.

Thanks
John


#5

John,

Based on the list of supported ciphers you provided, we think that your device is compatible with Murano.

You can see the supported list of ciphers of Murano by checking out our sslabs.com profile: your product ssl info

I see that a few of your ciphers are listed, so you should be good to go.

Can you tell me more about the project you’re working on? I looked up the Quectel part and it looks like it’s a cell modem with a lot of features, but I have to wait for Quectel to approve my account, so I couldn’t read the AT commands manual.

Are you using an MCU with this modem for running your embedded application? Or is your IoT application running on the Quectel chip?

Are you getting this set up for eventually integrating with a PKI vendor for a CA to sign your client certs (i.e. device cert)?


#6

Hi Will,

Thank you for the reply,

We are using an MCU with the Quectel modem for running our application. We are trying to POST data to Exosite Murano IoT platform via our embedded device.

We think the problem is regarding the CA certificate, can you kindly instruct us to generate a CA certificate which will support our device for accessing the Murano Platform.

Thanks
John


#7

Gotcha. I think I can help with this.

In the doc http://docs.exosite.com/tutorials/provisioning/ there is an openssl command:

openssl req -x509 -nodes -days 365 -sha256 -subj /C=US/ST=MN/L=Mpls/O=Exosite/CN=00000002 -newkey rsa:2048 -keyout adc-key.pem -out adc-cert.pem

I was able to read through a couple of docs I found on the UC20 here:

Are you using the FILE AT command (referenced in SSL_AT_Commands_Manual chapter 5.1) to load adc-key.pem and adc-cert.pem onto the UC20? Can you share the results of the following command to verify the cert?

openssl x509 -in adc-cert.pem  -text -noout

In the SSL_AT_Commands_Manual, I saw that chapter 5.1 has some troubleshooting tips. Also, it looks like the UC20 does some level of cert verification, so I would double check a couple of potential gotchas:

  • Are the system clocks on the computer creating the key/cert pair and the UC20 in sync? The cert has a timespan of validity (e.g. if the computer creating the cert/key thinks it’s today but the UC20 thinks it’s 1970 then it won’t work). This is covered in chapter 1.4 of the SSL_AT_Commands_Manual.
  • Verify the cert/key pair that you’re loading onto the UC20 has the correct file encoding. Some modules don’t know how to decode Unicode, for instance. ASCII/ANSI is likely a safe bet.

You can verify basic parameters of the cert with

openssl x509 -in certificate.crt -text -noout

Let me know if this helps.

Thanks!
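The steps in the post above (generate the pair with the doc's `openssl req` command, inspect it with `openssl x509`, then rule out the clock and encoding gotchas) fit in one script. This is an added example, not code from the thread or from Exosite: it keeps the doc's subject and file names, checks validity against an arbitrary device clock with `openssl verify -attime` (a day into 1970 standing in for an unset RTC), rejects any non-ASCII byte such as a UTF-8 BOM or UTF-16 export, and confirms the key actually belongs to the cert. The temp directory and function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread or Exosite: generate the device key/cert
# pair the way the provisioning doc does, then run the checks behind the two
# "gotchas" above (clock skew, file encoding) plus a key/cert match check.
# Assumes the openssl CLI (1.1.1 or 3.x) is on PATH; file names mirror the doc.
set -eu

# gen_device_cert DIR CN: self-signed RSA-2048 cert valid for 365 days,
# written as DIR/adc-key.pem and DIR/adc-cert.pem.
gen_device_cert() {
  openssl req -x509 -nodes -days 365 -sha256 \
    -subj "/C=US/ST=MN/L=Mpls/O=Exosite/CN=$2" -newkey rsa:2048 \
    -keyout "$1/adc-key.pem" -out "$1/adc-cert.pem" >/dev/null 2>&1
}

# cert_valid_at CERT EPOCH_SECONDS: succeeds if the cert would validate on a
# device whose clock reads EPOCH_SECONDS (the self-signed cert is its own anchor).
cert_valid_at() {
  openssl verify -attime "$2" -CAfile "$1" "$1" >/dev/null 2>&1
}

# pem_is_ascii FILE: succeeds if the file holds only printable ASCII plus
# CR/LF/TAB, so a BOM or a UTF-16 save from an editor is caught before upload.
pem_is_ascii() {
  ! LC_ALL=C tr -d '\r\n\t' < "$1" | LC_ALL=C grep -q '[^ -~]'
}

# key_matches_cert KEY CERT: succeeds if the private key's public half is the
# one embedded in the certificate (catches mixing files from two runs).
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# cert_summary CERT: the fields worth eyeballing before loading onto the module.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -dates -fingerprint -sha256
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
gen_device_cert "$WORK" 00000002
cert_summary "$WORK/adc-cert.pem"

now=$(date +%s)
cert_valid_at "$WORK/adc-cert.pem" "$now" && echo "valid with a correct clock"
cert_valid_at "$WORK/adc-cert.pem" 86400 || echo "NOT valid if the device clock says 1970"
pem_is_ascii "$WORK/adc-cert.pem" && echo "cert is plain ASCII PEM"
key_matches_cert "$WORK/adc-key.pem" "$WORK/adc-cert.pem" && echo "key and cert match"
```

`cert_valid_at` is the check to run with whatever time the module reports (chapter 1.4 of the manual covers setting it); if it fails at that time but passes at `date +%s`, the clock is the problem, not the certificate. Note that the doc's command produces a self-signed device certificate, not a CA: a CA-signed device cert would be a separate `req` (without `-x509`) plus a signing step with the CA's key.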


#8

Hello Will,

A new firmware update for the Quectel UC20 solved the issue.

Thanks
John