ESP8266 Developer Zone The Official ESP8266 Forum
2022-05-20T18:03:19+08:00
https://bbs.espressif.com:443/feed.php?f=16&t=3381

Re: AT+CIPSTART closes on some websites when using SSL
https://bbs.espressif.com:443/viewtopic.php?t=3381&p=101268#p101268

I think I understand what is going wrong, but don't know how to solve it.

I found out that ESP8266 sends an initial Random during Client Hello with UNIX Timestamp 00000000 (=Jan 1, 1970 01:00:00.000000000). This is outside the web server certificate's time frame and may be a reason for the web server to reject the connection.

I am using an ESP8266 containing:

AT version:1.7.5.0(Oct 9 2021 09:26:04)
SDK version:3.0.5(b29dcd3)
compile time:Oct 15 2021 18:05:38
Bin version(Wroom 02):1.7.5


Before sending AT+CIPSTART="SSL","servername",443 I did configure SNTP using AT+CIPSNTPCFG=1,1,"pool.ntp.org" and issued a successful SNTP request with AT+CIPSNTPTIME?. But still the time info in the Random remains 0. See the Wireshark extract below:

Handshake Protocol: Client Hello
    Handshake Type: Client Hello (1)
    Length: 47
    Version: TLS 1.1 (0x0302)
    Random: 000000006606ced024c458f0afad29b242403955b02a121fd48d0fc83c452f44
        GMT Unix Time: (0)Jan 1, 1970 01:00:00.000000000
        Random Bytes: 6606ced024c458f0afad29b242403955b02a121fd48d0fc83c452f44
    Session ID Length: 0
    Cipher Suites Length: 8
    Cipher Suites (4 suites)
        Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
        Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
        Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
        Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)


The (Apache) webserver is allowing TLSv1.1, but responds with:

Transport Layer Security
    TLSv1.1 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
        Content Type: Alert (21)
        Version: TLS 1.1 (0x0302)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)


To test what happens if the Apache server does NOT accept TLSv1.1 I temporarily modified the server's SSL configuration. Then it responds as follows:

Transport Layer Security
    TLSv1.1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)
        Content Type: Alert (21)
        Version: TLS 1.1 (0x0302)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Protocol Version (70)


So it indicates a rejection because of the TLS protocol version used.

The server also accepts ciphers TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA, so this is probably not the reason for handshake failure.


So I have the strong impression that the wrong time stamp is the reason for the failed SSL connections. Any idea how this can be solved?

Thanks!

Statistics: Posted by ESP_Frank — Fri May 20, 2022 6:03 pm
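
Added example (not part of the original post, and not Espressif code): a small Python parser for the Client Hello shown in the Wireshark extract above, reporting the Random's gmt_unix_time, the offered suites and whether any extensions, including server_name (SNI), are present. The byte string is rebuilt from the values in the post; the function name, the dictionary keys and the two trailing compression bytes are assumptions.

```python
import struct
from datetime import datetime, timezone

SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
          0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x0004: "TLS_RSA_WITH_RC4_128_MD5"}

def parse_client_hello(msg: bytes) -> dict:
    """Parse a ClientHello handshake message (4-byte handshake header, no record header)."""
    if len(msg) < 4 or msg[0] != 1:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    pos = 0
    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("field runs past the end of the message")
        pos += n
        return body[pos - n:pos]

    version = struct.unpack("!H", take(2))[0]
    gmt = struct.unpack("!I", take(32)[:4])[0]    # first 4 bytes of the 32-byte Random
    take(take(1)[0])                              # session_id, not needed here
    raw = take(struct.unpack("!H", take(2))[0])   # cipher_suites vector
    suites = [SUITES.get(c, hex(c)) for (c,) in struct.iter_unpack("!H", raw)]
    take(take(1)[0])                              # compression_methods
    ext_types = []
    if pos < len(body):                           # extensions block is optional
        ext = take(struct.unpack("!H", take(2))[0])
        i = 0
        while i + 4 <= len(ext):
            etype, elen = struct.unpack_from("!HH", ext, i)
            ext_types.append(etype)
            i += 4 + elen
    return {"version": f"0x{version:04x}", "gmt_unix_time": gmt, "suites": suites,
            "gmt_utc": datetime.fromtimestamp(gmt, tz=timezone.utc).isoformat(),
            "extensions": ext_types, "has_sni": 0 in ext_types}  # server_name is type 0

# Rebuilt from the field values in the Wireshark extract above. The trailing "0100"
# (one compression method, null) is an assumption: the extract does not show it.
CAPTURED_HELLO = bytes.fromhex(
    "0100002f0302"
    "000000006606ced024c458f0afad29b242403955b02a121fd48d0fc83c452f44"
    "00" "0008" "002f003500050004" "0100")

if __name__ == "__main__":
    print(parse_client_hello(CAPTURED_HELLO))
```

For the capture in the post it returns gmt_unix_time 0, the four RSA suites and an empty extensions list: the 47-byte Length is used up by the fields shown plus the compression methods, so this hello carries no extensions and therefore no SNI.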


Re: AT+CIPSTART closes on some websites when using SSL
https://bbs.espressif.com:443/viewtopic.php?t=3381&p=73870#p73870

Statistics: Posted by Her Mary — Fri Feb 28, 2020 10:37 am


Re: AT+CIPSTART closes on some websites when using SSL
https://bbs.espressif.com:443/viewtopic.php?t=3381&p=73409#p73409

I have my own configured Virtual Server with SSL.
I am using ESP-01 module.
Instead of CONNECT, getting CLOSED without any response.

AT+CIPSTART="SSL","demo.ambiconnect.com",443
CLOSED

OK

But it is working fine for other sites.
AT+CIPSTART="SSL","www.google.com",443

CONNECT

OK

Keep Alive settings are also good.
Any issue on the server side related to configurations?

Statistics: Posted by Guest — Thu Feb 13, 2020 3:15 am


Re: AT+CIPSTART closes on some websites when using SSL
https://bbs.espressif.com:443/viewtopic.php?t=3381&p=37599#p37599

Statistics: Posted by Her Mary — Thu Feb 14, 2019 6:03 pm


Re: AT+CIPSTART closes on some websites when using SSL
https://bbs.espressif.com:443/viewtopic.php?t=3381&p=37344#p37344

Thanks
Qiang

Statistics: Posted by Guest — Thu Feb 07, 2019 1:21 pm


Re: AT+CIPSTART closes on some websites when using SSL
https://bbs.espressif.com:443/viewtopic.php?t=3381&p=11382#p11382

Our AT Framework can be used in HTTP, not HTTPS. If using HTTP, you should add some code in your project, and you can refer to the demo code as below:
https://github.com/espressif/esp8266-no ... Demo_https

Statistics: Posted by ESP_Xutao — Mon Feb 27, 2017 8:47 pm


AT+CIPSTART closes on some websites when using SSL
https://bbs.espressif.com:443/viewtopic.php?t=3381&p=11372#p11372

http://www.posttestserver.com and google.com.

Does anyone know what is going wrong, or how to fix this?

The following is what we are sending, and receiving, when the code is not working.

Code:

ATE0\r\n
--> ATE0\r\r\n\r\nOK\r\n
AT\r\n
--> \r\nOK\r\n
AT+CWMODE=3\r\n
--> \r\nOK\r\n
AT+CWQAP\r\n
--> \r\nOK\r\n
AT+CWJAP="<ssid>","<password>"\r\n
--> WIFI CONNECTED\r\n
--> WIFI GOT IP\r\n
--> \r\nOK\r\n
AT+CIPSSLSIZE=4096\r\n
--> \r\nOK\r\n
AT+CIPSTART="SSL","app.sniffergps.com",443,1000\r\n
--> CLOSED\r\n\r\nOK\r\n
AT+CIPSEND=170\r\n
--> link is not valid\r\n\r\nERROR\r\n


Thanks,
Reid

Statistics: Posted by reidkersey — Sat Feb 25, 2017 10:56 am

