Beantwoord

Test uplink error: javax.net.ssl.SSLException hostname in certificate didn't match: != OR OR

  • 21 maart 2017
  • 25 reacties
  • 1619 keer bekeken
I
Reputatie 1
Badge
  • IAS
  • Vedette
  • 27 reacties
Can anyone explain what this error means? According to SSLtest the site has a valid certificate and supports TLS 1.2

https://www.ssllabs.com/ssltest/analyze.html?d=www.telecontrolnet.nl

Uplink test results in:
"javax.net.ssl.SSLException hostname in certificate didn't match: != OR OR"
icon

Beste antwoord door Infra 28 maart 2017, 16:43

Well, I managed to get data into our backend!



The webserver does host multiple SSL sites and/or proxies.



I manually changed all the vhosts files and added a proxy to the application server backend.

I then tested ALL these URL's with the "test uplink" function in the developer portal.



It appears that the FIRST SSL vhost created on the webserver works. NO SSL errors anymore.



Of course, this is only a temporary solution for us.

I really think that this is an SNI problem in the KPN developer portal, which is fixed soon I hope!



Does this problem also exist for the ThingPark portal?
Bekijk origineel

25 reacties

I
We have exactly the same errormessage, and also a valid (PCI DSS) SSL certificate.

I get this error if I try to send a payload in the developer portal.

Our problem is that we see data coming in from our LoRa sensors in the developer portal, but absolutely nothing in our application.

I read somewhere that SNI is not supported. Of course our webserver/proxy that receives the KPN messages hosts multiple (sub)domains, so SNI is required from the KPN side.

I hope anyone has a solution to this problem.
I
Reputatie 1
Badge
Can anyone @KPN acknowledge this issue please?
I
Well, I managed to get data into our backend!

The webserver does host multiple SSL sites and/or proxies.

I manually changed all the vhosts files and added a proxy to the application server backend.
I then tested ALL these URL's with the "test uplink" function in the developer portal.

It appears that the FIRST SSL vhost created on the webserver works. NO SSL errors anymore.

Of course, this is only a temporary solution for us.
I really think that this is an SNI problem in the KPN developer portal, which is fixed soon I hope!

Does this problem also exist for the ThingPark portal?
Tim
Rank
Reputatie 7
Badge +11
Thanks for your posts, I'll verify this with our supplier.
Can it be the case the old certificate is still installed?
Met vriendelijke groet, Tim | - Blij met een reactie? Met een Like geeft u waardering! -
I
Reputatie 1
Badge
@Tim Most likely the portal gives up because the SSL certificate for the domain used in the portal is not the first certificate in the SNI chain.

Like @Infra says, and I can confirm that: it works as soon as you use the domain from the first SSL certificate. So it seems to me that the Java library used by the portal cannot handle a typical business situation where a single IP address has multiple SSL certificates for multiple domains (SNI) and the user refers to a domain that's not in the first certificate.
I
@Tim, I verified this with our Java developers and they explained that this is a clear Java "SSL SNI not properly implemented" problem, as @IAS also found out.

Any Java developer with SSL/SNI knowledge or the ability to look up the solution on for example stackexchange can solve this problem 🆒,

SNI is supported by Java clients (JSSE) since version 7 (2011, http://docs.oracle.com/javase/7/docs/technotes/guides/security/enhancements-7.html):
"Server Name Indication (SNI) for JSSE client: The Java SE 7 release supports the Server Name Indication (SNI) extension in the JSSE client. SNI is described in RFC 4366. This enables TLS clients to connect to virtual servers."

Is it possible to give an ETA when this problem is solved in the developer portal?
And confirmation - as we don't use the ThingPark portal yet - that this problem does not exist in the ThingPark portal?
Tim
Rank
Reputatie 7
Badge +11
Thanks for all the feedback! :)
I'll have this examined by specialists and/or the supplier. It's hard to give an ETA, but let's say I'll try my best to give you clearness asap, probably on monday or tuesday.

I'm not aware of this problem exist in ThingPark.
Met vriendelijke groet, Tim | - Blij met een reactie? Met een Like geeft u waardering! -
I
Thanks for all the feedback! :)
I'll have this examined by specialists and/or the supplier. It's hard to give an ETA, but let's say I'll try my best to give you clearness asap, probably on monday or tuesday.

That's fine with me.
I will keep the 4 (sub)domains I used for testing active, so once fixed, it will be very easy to verify that it is working as expected. I guess @IAS will also be able to verify the fix!

I'm not aware of this problem exist in ThingPark.

Great!
I
Reputatie 1
Badge
Also fine with me and I will indeed be able to verify if the fix works. Thanks in advance.
Tim
Rank
Reputatie 7
Badge +11
Unfortunately SSL is not supported by a REST post (this is used to send a message to the server to the client). This is why get SNI users are getting an error.
This will mean that the platform must be upgraded to support this feature. We do expect an update from the supplier by the end of this month. When more information is available, like an ETA, I'll post an update.

As there won't be a fix available very soon. I'm happy to extend your trial period so your accounts won't expire. Please contact me for this.
Met vriendelijke groet, Tim | - Blij met een reactie? Met een Like geeft u waardering! -
J
Due to some troubles on the LoRa nodes I am using I didn't use the developers portal the last month.
When I tried to test the uplink message I got the same SSL error.
A check with Yourhosting showed that their SSL implementation works.

From the above I got the impression that this error is a new one, but it shure worked flawless one month ago.

Can this be confirmed?

As my trial period is about to end I would love to get it extended.
Tim
Rank
Reputatie 7
Badge +11
Before, the test uplink didn't use SSL. We noticed many users had a working application server setup with the test uplink, But when connecting LoRa devices, SSL will be used and some setups dind't work anymore.

We introduced SSL for the test uplink so there is no difference when using LoRa devices.

The workaround for now is that the certificate used for the lora device must be placed at the top of the webservice like users @Infra and @IAS also found out.
Met vriendelijke groet, Tim | - Blij met een reactie? Met een Like geeft u waardering! -
I
Reputatie 1
Badge
@Tim Update: I'm afraid the SSL connection isn't working for me yet. While the error has changed, just using the first certificate isn't enough to get the message through to our application server. I'm getting the rather unhelpful error:

Server returned HTTP response code -1
Response info:
URL not reachable for 10 times.. escaping

When I use the exact URL in other POST tests (like http://www.hurl.it) then I see the POST message coming through to the application server. I've checked many times for typo's, and while the destination URL provided to the development portal is definitely reachable, messages from the developer portal aren't coming through.
J
When I tried the connection this morning I experienced the same, however using the url via a browser gave the expected result.
Jeroen10
Reputatie 3
Badge +1
@IAS & @jawove with the last update there was a feature added for unreachable applicationservers. When the applicationserver is unreachable 10 times in total (in this case because of a ssl certificate problem) the Dev Portal will stop sending POST messages. You can reset this count on the developer portal.
I
Reputatie 1
Badge
Awesome @Jeroen10! Resetting the counter in de developer portal solved this issue. Thanks!
Tim
Rank
Reputatie 7
Badge +11
Very clever @Jeroen10, thanks! I've highlighted your post.

Perhaps more users face this problem while setting up the application server 😳
Met vriendelijke groet, Tim | - Blij met een reactie? Met een Like geeft u waardering! -
J
After a lng struggle with managed hosting I succeeded in getting a first Lora device (Seeeduino LoraWAN /GPS) operation at the KPN network without any problems.
I must admit, I got my learning curve with TTN (thanks for that).

Comparing TTN LoraWAN, KPN LoraWAN and Sigfox I notice that with TTN and Sigfox I'm unable to get indoor coverage. With KPN I have indoor coverage SF12 - SF10.
Location is Hengelo (7558RN)
Tim
Rank
Reputatie 7
Badge +11
With KPN I have indoor coverage SF12 - SF10.
Great to hear you've got indoor coverage! 😃 Thanks for sharing
Met vriendelijke groet, Tim | - Blij met een reactie? Met een Like geeft u waardering! -
tonb
Reputatie 1
Badge
I'm experiencing trouble when using an endpoint hosted on Amazon's AWS API Gateway.

Response info:
Error in sending rest post to developer url https://xxxxx.execute-api.eu-central-1.amazonaws.com/test/lora, for device xxxxxxxx, payloadhex 000000. Error details: javax.net.ssl.SSLHandshakeException Received fatal alert: handshake_failure

From reading above posts, the most probable cause is the improper support for SNI by KPN, is that a correct assumption?
Rick S.
Rank
Reputatie 6
Badge +6
Hi Tonb,

As we already discussed in our private conversation the problem is indeed caused by the lack of support for SNI.

This will solved by the next update of the Developer portal. I am waiting for the answer from the developers with the date of releasing the new update.
Met vriendelijke groet, Rick | - Is uw vraag beantwoord? Markeer de reactie met de oplossing als 'Beste antwoord' -
I
Is there any news about the SNI update?

It has been 3 months already...
Rick S.
Rank
Reputatie 6
Badge +6
Hi @Infra

After my last post in this topic, I did not get a new update from the developers. I will immediately report back and ask for the release date of the new update (including support of SNI).
Met vriendelijke groet, Rick | - Is uw vraag beantwoord? Markeer de reactie met de oplossing als 'Beste antwoord' -
Rick S.
Rank
Reputatie 6
Badge +6
Hi @Infra,

First, I want to apologize for my very late answer.
This morning I discussed this again with the developers, but we still can't determine a date that the update will be pushed.

I can imagine that this answer isn't satisfying at all 😟 I will keep pushing with my colleagues to get the update as soon as possible.
Met vriendelijke groet, Rick | - Is uw vraag beantwoord? Markeer de reactie met de oplossing als 'Beste antwoord' -

Reageer