pseudogeek2009

#80010 25-Mar-2011 16:11

Hello,

I was wondering if someone can help me with a Sierra Wireless modem Q26 Extreme which has an in-built ARM9 processor and incorporates the openssl library as part of its API.

I have been talking to someone at Telecom but they have directed me to the helpdesk to sort out the issue, but to no avail as the person does not have any clue about using TCP or UDP.

Sierra Wireless provides example source code written in C for the TCP client and SSL client. To test the code for TCP, I wrote a C# TCP server and ran it on my desktop PC. In the modem I change to the Telecom APN and connect to my server address and port. This works fine without any issues. Data is transmitted to the server correctly.

For the SSL setup, I use the openssl server on my desktop and the SSL client in the modem. This connects to the APN but fails when it tries to connect to the openssl server. The openssl output is "gethostbyname failure". I have retested the code using a Vodafone SIM card and APN, and this works fine without any issues. It connects and transmits data to the openssl server. I have tested the openssl server with an openssl client on a different machine and that connects without any issues.

Both the openssl server and the modem use the same CA cert. The server and client certs are generated using the CA cert provided by the customer. The certs are tested in openssl to ensure the certificates are working correctly. Also tested on the Vodafone network, which works fine.

Regards
Paul

coffeebaron
  #451840 25-Mar-2011 17:26

XT is 3G only, it does not support 2G GPRS technology




johnr
  #451848 25-Mar-2011 17:58

coffeebaron: XT is 3G only, it does not support 2G GPRS technology


I was waiting for that reply but the OP means packet switch network either over 2G or 3G I guess

BarTender
  #451904 25-Mar-2011 21:52

Which Vodafone APN are you testing with, and are you testing with direct.telecom.co.nz or internet.telecom.co.nz.  Also what sort of traffic does it create.  Have you tried using wireshark or some other lan tracing tool to see working traffic.



pseudogeek2009

  #452010 26-Mar-2011 12:00

coffeebaron: XT is 3G only, it does not support 2G GPRS technology


I know XT is 3G. As indicated this modem can be used with 2G and 3G and I have tested with XT APN using TCP packets but it doesn't work with SSL.

Here is the modem.

http://www.sierrawireless.com/en/productsandservices/AirPrime/Wireless_Modules/Smart/Connectorized/Q26_Extreme.aspx 

My supplier has tested in Australia using the 3G network and connects to my SSL server without any issues. They also suggest it could be the XT network. I have also shared my desktop with the supplier (in case of any mistakes at my end) to verify that I am compiling the example code and loading it into the device correctly, and he can't see any problems with my setup. I have also shown it to the supplier's colleague based in NZ and he verified my setup. The only issue I can think of is that the XT network is blocking my device from using SSL. TCP works fine without any issues.

pseudogeek2009

  #452014 26-Mar-2011 12:03

BarTender: Which Vodafone APN are you testing with, and are you testing with direct.telecom.co.nz or internet.telecom.co.nz.  Also what sort of traffic does it create.  Have you tried using wireshark or some other lan tracing tool to see working traffic.


I have tried both APNs and both give the same error in openssl (gethostbyname). I have also tried to capture in wireshark but it doesn't seem to show any SSL packets being captured. I can capture the hello messages between the client and server, authentication etc. using the Vodafone APN.

BarTender
  #452045 26-Mar-2011 13:20

pseudogeek2009:
BarTender: Which Vodafone APN are you testing with, and are you testing with direct.telecom.co.nz or internet.telecom.co.nz.  Also what sort of traffic does it create.  Have you tried using wireshark or some other lan tracing tool to see working traffic.


I have tried both APNs and both give the same error in openssl (gethostbyname). I have also tried to capture in wireshark but it doesn't seem to show any SSL packets being captured. I can capture the hello messages between the client and server, authentication etc. using the Vodafone APN.


Is it connecting to the remote end on a strange port?  Tried using 443? I assume it's connecting over tcp?

I would assume you should have more success using the direct APN rather than internet.

a gethostbyname normally indicates that it can't do a local dns name lookup.  Have you specified the correct dns server (or are you getting it via dhcp).  What happens if you specify a manual DNS server?

Is there any way you can run tcpdump or similar on the embedded device side?


 
 
 

pseudogeek2009

  #452077 26-Mar-2011 15:08

BarTender:
pseudogeek2009:
BarTender: Which Vodafone APN are you testing with, and are you testing with direct.telecom.co.nz or internet.telecom.co.nz.  Also what sort of traffic does it create.  Have you tried using wireshark or some other lan tracing tool to see working traffic.


I have tried both APNs and both give the same error in openssl (gethostbyname). I have also tried to capture in wireshark but it doesn't seem to show any SSL packets being captured. I can capture the hello messages between the client and server, authentication etc. using the Vodafone APN.


Is it connecting to the remote end on a strange port?  Tried using 443? I assume it's connecting over tcp?

I would assume you should have more success using the direct APN rather than internet.

a gethostbyname normally indicates that it can't do a local dns name lookup.  Have you specified the correct dns server (or are you getting it via dhcp).  What happens if you specify a manual DNS server?

Is there any way you can run tcpdump or similar on the embedded device side?



In openssl you can set which port to use by typing the following commands:

openssl s_server -accept 6502 -cert server-cert.pem -key server-key.pem -CAfile ca-cert.pem -www

openssl s_client -connect 192.168.1.92:6502 -cert client-cert.pem -key client-key.pem -CAfile ca-cert.pem

Both server and client are running on separate PCs.

I imagine XT should handle the hostname side. The modem only requires the APN and the server it connects to, which is my company IP address and port number. There is no way of setting the DNS server in the modem. Would you have to set up the DNS when connecting to the internet via GPRS on an iPhone or Android? On my mobile phone, you just need an APN, as described in the Vodafone forum (http://forum.vodafone.co.nz/topic/6060-android-apn-mobile-network-settings/). This is essentially how the modem works, you just need an APN to connect to the internet via GPRS. From one of the XT forum topics for setting up an Android device to work on the XT network, it only requires an APN. No setup for DNS.

The problem is why does it work with the Vodafone APN and not the XT APN when using SSL? The other thing is why does it work with TCP using the XT APN and not SSL?

In the TCP setup, I ran a TCP server on my desktop using port 6502. In the modem, the software is configured to connect to the XT APN and connect to the company IP address at port 6502. The company router is set up to port forward to my PC. When I ran my application, it connects to the server and sends the data correctly. This has worked without any issues. There is no setup required for DNS.
The modem SSL library is based on openssl. I have changed the SIM card to the Vodafone SIM card. The software was changed to use the Vodafone APN and when I ran the application, it works without any issues when connecting to the openssl server, so it isn't the modem SSL library or the DNS or port 443.



 

BarTender
  #452214 26-Mar-2011 22:06

pseudogeek2009: I imagine XT should handle the hostname side. The modem only requires the APN and the server it connects to, which is my company IP address and port number. There is no way of setting the DNS server in the modem. Would you have to set up the DNS when connecting to the internet via GPRS on an iPhone or Android? On my mobile phone, you just need an APN, as described in the Vodafone forum (http://forum.vodafone.co.nz/topic/6060-android-apn-mobile-network-settings/). This is essentially how the modem works, you just need an APN to connect to the internet via GPRS. From one of the XT forum topics for setting up an Android device to work on the XT network, it only requires an APN. No setup for DNS.


I assume you are running this all on an embedded Linux system?  So in theory you could run tcpdump across the IP stack to see what is happening ok with Vodafone but isn't with XT.

To me a gethostbyname is a local lookup of the connecting and probably trying to do a reverse dns lookup.

I would if you could try hard-coding the dns server to the xtra one 202.27.158.40.

Plus I would really like to see the results of a tcpdump when running the two different sim's.

If you're based in Wellington there may be more that I can do too.  PM me if you are and we could talk further.

pseudogeek2009

  #452237 26-Mar-2011 23:16

BarTender:
pseudogeek2009: I imagine XT should handle the hostname side. The modem only requires the APN and the server it connects to, which is my company IP address and port number. There is no way of setting the DNS server in the modem. Would you have to set up the DNS when connecting to the internet via GPRS on an iPhone or Android? On my mobile phone, you just need an APN, as described in the Vodafone forum (http://forum.vodafone.co.nz/topic/6060-android-apn-mobile-network-settings/). This is essentially how the modem works, you just need an APN to connect to the internet via GPRS. From one of the XT forum topics for setting up an Android device to work on the XT network, it only requires an APN. No setup for DNS.


I assume you are running this all on an embedded Linux system?  So in theory you could run tcpdump across the IP stack to see what is happening ok with Vodafone but isn't with XT.

To me a gethostbyname is a local lookup of the connecting and probably trying to do a reverse dns lookup.

I would if you could try hard-coding the dns server to the xtra one 202.27.158.40.

Plus I would really like to see the results of a tcpdump when running the two different sim's.

If you're based in Wellington there may be more that I can do too.  PM me if you are and we could talk further.


The Sierra Wireless device uses their platform called OpenAT. It does not use an embedded Linux platform like the Telit part. Also, the reason for choosing this part is that the device is supposedly more reliable, based on another customer's experience with both the Telit and Sierra Wireless devices.

Sorry, I am based in Auckland.

hashbrown
  #452302 27-Mar-2011 10:28

So if I understand correctly you are connecting to the IP address (not a DNS record) for your company's server?

In this case a gethostbyname error makes no sense, as there should be no calls to do name resolution.  This points to perhaps a parsing error, but then you should have got the same result when using a voda SIM.

Is there any way to increase the debugging level on the device?  It would be nice to know what hostname openssl thinks it needs to resolve.
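
The check hashbrown describes above (an IP-literal target should never reach the resolver, and it helps to log exactly which host string is being resolved), as an added example that is not part of the thread or of the Sierra Wireless sample code. `classify_target` and `escape_host` are hypothetical helper names, the sample target is constructed, and the code uses POSIX `inet_pton()` on a PC rather than the OpenAT API.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum target_kind { TARGET_BAD_FORMAT, TARGET_IP_LITERAL, TARGET_NEEDS_DNS };

/* Copy src to out, writing space, control and non-ASCII bytes as \xNN. */
static void escape_host(const char *src, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *src && o + 5 <= outsz; src++) {
        unsigned char c = (unsigned char)*src;
        if (c > 0x20 && c < 0x7f) out[o++] = (char)c;
        else o += (size_t)snprintf(out + o, outsz - o, "\\x%02x", (unsigned)c);
    }
    out[o] = '\0';
}

/* Classify "host:port"; store the port and an escaped copy of the host. */
enum target_kind classify_target(const char *target, int *port,
                                 char *host_dbg, size_t dbgsz)
{
    char host[64], *end;
    struct in_addr v4;
    const char *colon = strrchr(target, ':');
    size_t hlen = colon ? (size_t)(colon - target) : 0;
    long p;
    host_dbg[0] = '\0';
    if (hlen == 0 || hlen >= sizeof host || !isdigit((unsigned char)colon[1]))
        return TARGET_BAD_FORMAT;
    p = strtol(colon + 1, &end, 10);
    if (*end != '\0' || p < 1 || p > 65535)
        return TARGET_BAD_FORMAT;
    memcpy(host, target, hlen);
    host[hlen] = '\0';
    *port = (int)p;
    escape_host(host, host_dbg, dbgsz);
    /* inet_pton() accepts only a strict dotted quad; the rest needs a lookup. */
    return inet_pton(AF_INET, host, &v4) == 1 ? TARGET_IP_LITERAL : TARGET_NEEDS_DNS;
}

int main(void)
{
    char dbg[128]; int port = 0; /* constructed target with a stray CR */
    int k = classify_target("192.168.1.92\r:6502", &port, dbg, sizeof dbg);
    printf("host=\"%s\" port=%d kind=%d\n", dbg, port, k);
    return 0;
}
```

Logging the escaped host next to the classification shows whether a configured address is a clean dotted quad or would be passed to name resolution.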

pseudogeek2009

  #452376 27-Mar-2011 13:21

hashbrown: So if I understand correctly you are connecting to the IP address (not a DNS record) for your company's server?

In this case a gethostbyname error makes no sense, as there should be no calls to do name resolution.  This points to perhaps a parsing error, but then you should have got the same result when using a voda SIM.

Is there any way to increase the debugging level on the device?  It would be nice to know what hostname openssl thinks it needs to resolve.


That is correct, I am connecting to an IP address and a port number. The port is port forwarded to my PC by changing the settings in the router. The problem is I don't get the same problem with the Vodafone SIM even when I use the Q2687 (2G version). The other confusing issue is that TCP works fine using the 3G modem.

When I get back to work tomorrow I can modify the code to allow more debugging features. 

 
 
 
 

BarTender
  #452382 27-Mar-2011 13:31

I agree with hashbrown, I am wondering what could be different. If you could PM me some links where to find the code. I assume that the code works fine on a box over the XT connection so it shouldn't be a firewall issue on the Telecom side.

I also wonder why the code does a gethostbyname since it should all just be IP to IP traffic.

The only thing I also could think of was a missing reverse DNS entry for the IP, or the client does a ping of the DNS service and it's blocking ICMP but not DNS. Is there a local hosts you could try adding the assigned IP into?

pseudogeek2009

  #584447 21-Feb-2012 12:11

Just want to note, it was resolved at the Telecom side. The device or sample code was not at fault. 
