Forums - SSL Connection failures

SSL Connection failures
karanpandey844
Join Date: 1 May 20
Posts: 12
Posted: Sun, 2020-05-03 22:27

Hi,

I am working on QCA4020 with SDK3.1. I am working on secure httpc and I am getting the following issue.

Net> httpc start

Net> httpc new -s
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 global-root-ca.chain-demos.digicert.com 443
Net: conn to global-root-ca.chain-demos.digicert.com:443 succeeded
Alright, that worked. Now for some failures...
 
This hangs forever:
Net> httpc new -s
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 developer.qualcomm.com 443
Also hangs forever:
Net> httpc new -s
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net>  httpc conn 1 www.apple.com 443
Also hangs forever:
Net> httpc new -s            
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 www.microsoft.com 443
Also hangs forever:
Net> httpc new -s
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 slashdot.org 443
c_rpedad
Join Date: 18 Jun 18
Location: San Jose
Posts: 317
Posted: Mon, 2020-05-04 11:23

The issue is due to an incorrect rootCA; the device hangs in the SSL handshake process.

However, in order to verify multiple connections, kindly use the rootCA files below:

https://global-root-ca.chain-demos.digicert.com/info/index.html
net cert get digicertglobalrootca.pem 10.177.245.215 -s digicertglobalrootca -t pem_ca_list
> net httpc conn 1 global-root-ca.chain-demos.digicert.com 443 1500
Net: conn to global-root-ca.chain-demos.digicert.com:443 succeeded


https://global-root-ca.chain-demos.digicert.com/info/index.html
net cert get digicertglobalrootca.pem 10.177.245.215 -s digicertglobalrootca -t pem_ca_list
> net httpc conn 1 developer.qualcomm.com 443
Net: conn to developer.qualcomm.com:443 succeeded

https://www.identrust.com/dst-root-ca-x3
> net cert get DST_root_ca_x3.pem 10.177.245.215 -s DST_root_ca_x3 -t pem_ca_list
> net httpc conn 1 slashdot.org 443
Net: conn to slashdot.org:443 succeeded

https://ev-root.chain-demos.digicert.com/info/index.html
> net  cert get digicert_HAEV_rootca.pem 10.177.245.215 -s dc_haev -t pem_ca_list
Net> httpc conn 1 www.apple.com 443
Net: conn to www.apple.com:443 succeeded

https://www.digicert.com/digicert-root-certificates.htm
> net cert get baltimore_CyberTrust_Root.pem 10.177.245.215 -s baltimore_root  -t pem_ca_list
> net httpc conn 1 www.microsoft.com 443
Net: conn to www.microsoft.com:443 succeeded
 

jesse
Join Date: 22 Aug 17
Posts: 22
Posted: Mon, 2020-05-04 23:01

Ignore anything that Qualcomm tells you about this problem because they don't know what the hell they are talking about. I told them about this problem back in October and they still haven't figured it out. I'll save you the months of back-and-forth with Qualcomm where they say you are using the wrong root CA then ignore you and pretend the problem went away. 

You are using the wrong 3.1 SDK. You need to use the other 3.1 SDK or move to the 3.2 SDK. You are using the 3.1 SDK that was released in May 2019. In September 2019 Qualcomm released a new SDK with major bug fixes and new features. In their infinite wisdom the geniuses at Qualcomm labeled this new SDK "3.1" because that's not at all confusing. (On a related note, in the SDK there is a qapi_ver.h that reports a version as 2.0.1. If qapi_ver.h isn't meant to indicate the SDK version I don't know what it is for since it hasn't been updated in the 3.0, 3.1, 3.1, and 3.2 SDKs.)

You will find that your May 3.1 SDK will fail on any server using OpenSSL 1.1.1. At the time I figured out the problem the Release Notes for the September 3.1 SDK weren't anywhere to be found. Apparently, Qualcomm was hiding the release notes from themselves too or they just didn't bother to read it. Had Qualcomm read their own release notes and known what changes there were in OpenSSL 1.1.1 (which can be found with a 5 second Google search) they would have seen that the September 3.1 SDK fixed 3 or 4 SSL bugs that were triggered by the changes in OpenSSL.

Avoid the confusion with two SDKs labeled 3.1 and move to 3.2 and test everything because I've found some things that behave differently.

Raja, who at Qualcomm do I send the invoice to for my consulting fees? 

karanpandey844
Join Date: 1 May 20
Posts: 12
Posted: Tue, 2020-05-05 03:53

Hi jesse,

Thanks for the reply.

I moved to the SDK 3.2 version and the cases below are working fine:

www.apple.com: able to connect and get by using httpc get 1,

slashdot.org: able to connect and get by using httpc get 1,

global-root-ca.chain-demos.digicert.com: able to connect and get by using httpc get 1,

but in the case of developer.qualcomm.com the connection succeeded but I am getting the error below:

Net> httpc new -s -c ca.bin

 
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 www.qualcomm.com 443
 
Net: conn to www.qualcomm.com:443 succeeded
 
Net> httpc get 1
 
Net>
Net: HTTP Client Receive error: -6
Net: Please input 'httpc disconnect 1'
Net: HTTP Client server closed on client[1].

 

jesse
Join Date: 22 Aug 17
Posts: 22
Posted: Tue, 2020-05-05 07:48

That one might be a root CA problem. What I did was download all the Root CAs that Firefox uses and picked out the one or two I needed plus a few more to cover some popular websites so I could have a general purpose HTTPS client. Check out https://curl.haxx.se/docs/caextract.html. You can concatenate all the PEMs you need into a single file. If you go to the website in your browser and poke around at the certificate it uses you can find which root CA you need. I find Firefox makes this the easiest.

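The approach in the post above (pick a few roots out of the Firefox-derived bundle and concatenate them into one PEM file), as an added example that is not part of the thread or of the QCA4020 SDK: a host-side Python script that selects roots by label and refuses to write a list if a wanted root is missing or damaged. It assumes the bundle layout of a label line, a line of `=`, then one PEM block; the function names and the sample labels and certificates are constructed for illustration.

```python
import base64
import re

# Assumed entry layout of the bundle from curl.haxx.se/docs/caextract.html:
# a label line, a line of '=', then one PEM certificate.
ENTRY = re.compile(
    r"^(?P<label>[^\n=#-][^\n]*)\n=+\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----)",
    re.M | re.S,
)

def parse_bundle(text):
    """Map each root's label to its PEM block."""
    return {m["label"].strip(): m["pem"] for m in ENTRY.finditer(text)}

def pem_to_der(pem):
    """Decode the base64 body and check it starts like a DER SEQUENCE."""
    body = "".join(pem.splitlines()[1:-1])
    der = base64.b64decode(body, validate=True)
    if not der.startswith(b"\x30"):
        raise ValueError("PEM body is not a DER certificate")
    return der

def build_ca_list(bundle_text, wanted):
    """Concatenate only the wanted roots; fail loudly if one is absent."""
    roots = parse_bundle(bundle_text)
    missing = [name for name in wanted if name not in roots]
    if missing:
        raise KeyError(f"not in bundle: {missing}")
    for name in wanted:
        pem_to_der(roots[name])  # reject truncated or corrupted entries
    return "".join(roots[name] + "\n" for name in wanted)

def fake_entry(label, payload):
    # Constructed stand-in, NOT a real certificate: 0x30 0x82 + filler bytes.
    b64 = base64.b64encode(b"\x30\x82" + payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([label, "=" * len(label), "-----BEGIN CERTIFICATE-----",
                      *lines, "-----END CERTIFICATE-----", ""])

# Constructed sample bundle; the labels are illustrative only.
SAMPLE_BUNDLE = "## header comment\n\n" + "\n".join([
    fake_entry("Example Root A", b"A" * 90),
    fake_entry("Example Root B", b"B" * 90),
    fake_entry("Example Root C", b"C" * 90),
])

if __name__ == "__main__":
    print(build_ca_list(SAMPLE_BUNDLE, ["Example Root A", "Example Root C"]))
```

Keeping the list to the roots the device actually needs also limits which CAs it will trust, not just the file size.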
jesse
Join Date: 22 Aug 17
Posts: 22
Posted: Tue, 2020-05-05 07:54

Net> httpc conn 1 www.qualcomm.com 443

 
Net: conn to www.qualcomm.com:443 succeeded

Actually, since the connection succeeded the certificate must have validated so it wouldn't be a root CA issue. Does the GET keep failing? It could be a timeout or a bad request. I don't know what error code -6 is.

karanpandey844
Join Date: 1 May 20
Posts: 12
Posted: Wed, 2020-05-06 06:31

Hi jesse,

Thanks once again for the quick reply.

I found the reason for that issue: the header length of the HTML file is more than the allocated rx_header size.
