I was trying to POST and GET some JSON data to and from the AWS cloud respectively using the SIM 800 module. I'm initially trying it out directly from my PC over a terminal UART software and inputting AT commands in manually.
HTTP GET is working fine over SSL (AT+HTTPSSL=1) for websites like Google and Quora, as in, they return back <html> data.
1) I looked into first going through the AWS IoT route using HTTP as mentioned in the link here. But it requires not only a single certificate for HTTP SSL but also requires the root CA certificate and the private key and I guess it is not possible to add these apart from a single certificate using AT commands on the SIM 800. If there is a way to do so then can anyone please elaborate on it like the process flow and commands to do so?
2) I then tried to go the API route. I created an API gateway in AWS which is internally linked with some cloud logic. I want to actually do HTTP POST (https technically) of JSON data to the AWS cloud but I created a test API gateway for HTTP GET which does the addition of operands written in the URL and sends back data in the form of JSON. An HTTP GET over SSL however to a URL like https://XXXX.execute-api.us-west-2.amazonaws.com/XXX/calc/4/2/+ fails with a 606 error code. In the SSL application note of SIM 800, 606 error code means
"SSL alert message with a level of fatal result in the immediate termination of the connection"
What am I doing wrong over here?
Also, I tried HTTP GET over SSL on https://httpbin.org/ip too and got the same 606 error. Is it because the SIM 800 expects an <html> and instead it gets JSON or is it something else?
For my AT command routine on the SIM 800 from the PC via Terminal software I usually do (for API gateway method):
AT+SAPBR=3,1,"CONTYPE","GPRS"
AT+SAPBR=3,1,"APN","XXXX"
AT+SAPBR=1,1
AT+HTTPINIT
AT+HTTPSSL=1
AT+HTTPPARA="CID",1
AT+HTTPPARA="URL","https://XXXX.execute-api.us-west-2.amazonaws.com/XXX/calc/4/2/+"
AT+HTTPACTION=0
Thanks in advance.
Microsoft Azure has recently upgraded TLS requirements with the effect that "If a client tries to negotiate TLS 1.0 over such a scenario, the request will fail with connection reset". This explains why my application now fails as the SIM800 module only supports TLS 1.0.
AWS may have done the same. It seems that there is an ongoing move to deprecate TLS 1.0 and according to "SSL and TLS, what is the Big Deal About June 30th?", 30 June 2018 is the cutoff date at which point TLS 1.0 will not be supported if you want to claim PCI compliance.
The way to do it is method 2, i.e. API Gateway. I don't think it's possible to do it through method 1, i.e. AWS IoT.
@mich and @patrick-fischer are correct with the reason and I too was suspecting the same but didn't know the solution. I and my team contacted AWS support and they told us the solution.
Apparently, you do it through AWS CloudFront. You have to go and create a CloudFront distribution with the link of your API Gateway (in my case https://XXXX.execute-api.us-west-2.amazonaws.com/XXX/calc/4/2/+). While creating this distribution you can mention whether to accept incoming HTTP, HTTPS or both. In one of the sections (don't remember the name of the section), it allows you to mention which TLS/SSL version to allow incoming requests from. In the case of SIM 800, TLSv1.0 is the highest supported version which has to be set in the CloudFront distribution.
What CloudFront does is allow traffic from sources with certain parameters like the version of HTTP, TLS version, etc.
I have the same issue. AWS requires TLS1.2 while the Simcom only permits TLS1.0.
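The 606 code discussed in this thread only says that a fatal TLS alert arrived; the alert description in the server's reply says why. The following is an added example, not code from any of the posts: it decodes plaintext alert records from captured handshake bytes (for instance taken at a test server you control). The sample bytes are constructed, and the function names are hypothetical.

```python
import struct

# Constructed sample: bytes a server could return to a TLS 1.0 ClientHello
# it refuses (one alert record: fatal / protocol_version). Not a real capture.
SAMPLE_REPLY = bytes.fromhex("15030100020246")

CONTENT_ALERT = 21
LEVELS = {1: "warning", 2: "fatal"}
# Subset of the alert descriptions defined in RFC 5246, section 7.2
DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 47: "illegal_parameter",
                70: "protocol_version", 71: "insufficient_security", 80: "internal_error"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def iter_records(data):
    """Yield (content_type, version, payload) for each complete TLS record."""
    pos = 0
    while pos + 5 <= len(data):
        ctype, version, length = struct.unpack_from("!BHH", data, pos)
        payload = data[pos + 5 : pos + 5 + length]
        if len(payload) < length:  # truncated capture: stop instead of guessing
            break
        yield ctype, version, payload
        pos += 5 + length


def decode_alerts(data):
    """Return the plaintext alerts found in a stream of TLS records."""
    alerts = []
    for ctype, version, payload in iter_records(data):
        if ctype != CONTENT_ALERT or len(payload) != 2:
            continue  # not an alert, or an encrypted alert (longer than 2 bytes)
        level, desc = payload
        alerts.append({
            "record_version": VERSIONS.get(version, hex(version)),
            "level": LEVELS.get(level, str(level)),
            "description": DESCRIPTIONS.get(desc, f"unknown({desc})"),
        })
    return alerts


if __name__ == "__main__":
    for alert in decode_alerts(SAMPLE_REPLY):
        print(alert)
```

A fatal `protocol_version` alert points at the TLS version mismatch described in the answers, while `handshake_failure` more often indicates no shared cipher suite.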