SSL server certificate verification

rojer
Posts: 12
Joined: Mon Jun 15, 2015 5:51 pm

SSL server certificate verification

Postby rojer » Mon Jun 15, 2015 5:57 pm

Hi,

I want to use the ESP to talk to an HTTPS server, and I know about espconn_secure_connect and such.
What I do not see in the SDK, however, is a way to pass CA certificates that should be trusted.
And since having SSL/TLS without actually verifying the server is like having none at all, I'm wondering: what am I missing?
I see that the ESP SDK uses axTLS as the TLS library, which needs to be compiled with CONFIG_SSL_CERT_VERIFICATION to enable cert verification.
Is this option enabled when the SDK is built? If so, how can I call add_cert_auth with the relevant context?

thanks in advance!

Harold L.
Posts: 26
Joined: Thu Dec 18, 2014 3:24 pm

Re: SSL server certificate verification

Postby Harold L. » Tue Jun 16, 2015 10:27 pm

As far as I have tried, I think they actually did not verify the server certificate.

Some details: http://www.esp8266.com/viewtopic.php?f=6&t=3343#p19188

If the staff from espressif see this, you are welcome to take a look and reply

ESP_Faye
Posts: 1646
Joined: Mon Oct 27, 2014 11:08 am

Re: SSL server certificate verification

Postby ESP_Faye » Wed Jun 17, 2015 10:09 am

Hi,

The latest SDK_v1.1.2 added a CA verification function: http://bbs.espressif.com/viewtopic.php?f=5&t=591

The document about SSL is in \esp_iot_sdk_v1.1.2\document\SSL

Could it help?

rith87

Re: SSL server certificate verification

Postby rith87 » Wed Jun 17, 2015 6:55 pm

Hello folks,

I've upgraded to SDK version 1.1.2 and am using the sample code at viewtopic.php?f=21&t=389 with DNS disabled. Here are my findings:

1. HTTP 200 when connecting to https://iot.espressif.cn/ (115.29.202.58)
2. HTTP 405 when connecting to https://www.baidu.com/ (180.149.132.47)
3. Error -61 when connecting to https://www.espressif.com/ (192.185.229.242)
4. Error -28 when connecting to https://my.flair.zone/api/help

Poking around at the SSL certs, (1), (2) and (3) are using SHA-1 and (4) is using SHA-256. Is there really no plan to support SHA-2?

PS: I don't know if CA verification fixes this problem. My understanding is that CA verification just authenticates the server the client is talking to. If the client trusts that the server is who he really is (I'm not saying this is ideal), then it should be able to skip CA verification. HTTPS experts please correct me if I'm wrong.

rith87

Re: SSL server certificate verification

Postby rith87 » Sat Jun 20, 2015 12:05 pm

Can any of the Espressif folks comment on (4)? Please? :)

"4. Error -28 when connecting to https://my.flair.zone/api/help"

Can you share why there is an SSL handshake error? What were the client and server unable to converge on?

ESP_Faye
Posts: 1646
Joined: Mon Oct 27, 2014 11:08 am

Re: SSL server certificate verification

Postby ESP_Faye » Thu Jul 09, 2015 6:17 pm

Hi,

Sorry for the inconvenience.

Please have a try with the latest SDK_v1.2.0 with SSL patch here http://bbs.espressif.com/viewtopic.php?f=5&t=708&p=2599#p2599

Thanks for your interest in Espressif Systems and ESP8266!

rith87

Re: SSL server certificate verification

Postby rith87 » Sat Jul 11, 2015 10:35 pm

Thank you for showing that Espressif cares! Giving you 32 likes! I can't wait to try this patch!

rith87

Re: SSL server certificate verification

Postby rith87 » Sun Jul 12, 2015 10:18 pm

I tried the patch with SDK 1.2.0 but I'm still getting the following output:

got ip !!!
client handshake start.
client handshake failed
reconnect callback, error code -28 !!!

Did you folks succeed with https://my.flair.zone/api/help (54.193.48.141)? Are you using different sample code from viewtopic.php?f=21&t=389?

ESP_Faye
Posts: 1646
Joined: Mon Oct 27, 2014 11:08 am

Re: SSL server certificate verification

Postby ESP_Faye » Tue Jul 14, 2015 10:17 am

Hi,

Please call espconn_secure_set_size to enlarge your SSL buffer.

Here is sample code as an attachment (user_main.zip).
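The handshake failure above went away once the SSL buffer was enlarged with espconn_secure_set_size. The check below is an added example, not code from the thread or from the Espressif SDK: it parses the raw TLS records a server sends after ClientHello (a constructed sample here, not a real capture) and reports the size of the server's Certificate handshake message, so the chain size can be compared against the client's buffer before picking a value for espconn_secure_set_size.

```python
import struct

HANDSHAKE = 0x16        # TLS record content type: handshake
HS_CERTIFICATE = 0x0B   # handshake message type: Certificate


def _handshake_payload(raw: bytes) -> bytes:
    """Concatenate the payloads of consecutive handshake records.
    A large Certificate message is split across several records, which is
    exactly what a small fixed client buffer cannot absorb."""
    out, pos = bytearray(), 0
    while pos + 5 <= len(raw):
        ctype, _ver, length = struct.unpack("!BHH", raw[pos:pos + 5])
        pos += 5
        if ctype != HANDSHAKE:
            break
        out += raw[pos:pos + length]
        pos += length
    return bytes(out)


def certificate_message_size(raw: bytes) -> int:
    """Size in bytes (4-byte header included) of the Certificate handshake
    message in the reassembled handshake stream, or 0 if none is present."""
    data, pos = _handshake_payload(raw), 0
    while pos + 4 <= len(data):
        mtype = data[pos]
        mlen = int.from_bytes(data[pos + 1:pos + 4], "big")
        if mtype == HS_CERTIFICATE:
            return 4 + mlen
        pos += 4 + mlen
    return 0


def fits_in_buffer(raw: bytes, buffer_size: int) -> bool:
    """True if the server's Certificate message fits the client SSL buffer."""
    return 0 < certificate_message_size(raw) <= buffer_size


def _record(payload: bytes) -> bytes:
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(payload)) + payload


# Constructed sample (not a real capture): a 40-byte ServerHello body, then a
# Certificate message carrying one 3000-byte DER blob, split over two records.
_hello = b"\x02" + (40).to_bytes(3, "big") + b"\x00" * 40
_entry = (3000).to_bytes(3, "big") + b"\x30" * 3000
_chain = len(_entry).to_bytes(3, "big") + _entry
_cert = b"\x0b" + len(_chain).to_bytes(3, "big") + _chain
SAMPLE = _record(_hello) + _record(_cert[:2048]) + _record(_cert[2048:])
```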

rith87

Re: SSL server certificate verification

Postby rith87 » Wed Jul 15, 2015 9:32 pm

My mistake. I probably should have tried increasing the buffer size before responding to the thread. I haven't tried verifying the CA but the handshake works and I receive a 200 OK :). Thanks a lot for the patch!
