AT+CIPSTART closes on some websites when using SSL

reidkersey
Posts: 1
Joined: Sat Feb 25, 2017 10:40 am

AT+CIPSTART closes on some websites when using SSL

Postby reidkersey » Sat Feb 25, 2017 10:56 am

I have been running into an interesting problem. When loading some websites, after sending the AT+CIPSTART we receive CLOSED. Other websites work just fine. Websites that have been tested working are http://www.posttestserver.com and google.com.

Does anyone know what is going wrong, or how to fix this?

The following is what we are sending, and receiving, when the code is not working.


ATE0\r\n
--> ATE0\r\r\n\r\nOK\r\n
AT\r\n
--> \r\nOK\r\n
AT+CWMODE=3\r\n
--> \r\nOK\r\n
AT+CWQAP\r\n
--> \r\nOK\r\n
AT+CWJAP="<ssid>","<password>"\r\n
--> WIFI CONNECTED\r\n
--> WIFI GOT IP\r\n
--> \r\nOK\r\n
AT+CIPSSLSIZE=4096\r\n
--> \r\nOK\r\n
AT+CIPSTART="SSL","app.sniffergps.com",443,1000\r\n
--> CLOSED\r\n\r\nOK\r\n
AT+CIPSEND=170\r\n
--> link is not valid\r\n\r\nERROR\r\n


Thanks,
Reid

ESP_Xutao
Posts: 134
Joined: Tue Sep 27, 2016 5:42 pm

Re: AT+CIPSTART closes on some websites when using SSL

Postby ESP_Xutao » Mon Feb 27, 2017 8:47 pm

Hi:
Our AT Framework can be used in HTTP, not HTTPS. If using HTTP, you should add some code in your project, and you can refer to the demo code as below:
https://github.com/espressif/esp8266-no ... Demo_https

patrick1957

Re: AT+CIPSTART closes on some websites when using SSL

Postby patrick1957 » Thu Feb 07, 2019 1:21 pm

How can I use AT commands to access an HTTPS website? Use SSL instead of TCP for the AT+CIPSTART command?

Thanks
Qiang

Her Mary
Posts: 537
Joined: Mon Oct 27, 2014 11:09 am

Re: AT+CIPSTART closes on some websites when using SSL

Postby Her Mary » Thu Feb 14, 2019 6:03 pm

I guess so. Maybe SSL certificates are also needed.

prashant

Re: AT+CIPSTART closes on some websites when using SSL

Postby prashant » Thu Feb 13, 2020 3:15 am

I am facing the same issue.
I have my own configured Virtual Server with SSL.
I am using an ESP-01 module.
Instead of CONNECT, I am getting CLOSED without any response.

AT+CIPSTART="SSL","demo.ambiconnect.com",443
CLOSED

OK

But it is working fine for other sites.
AT+CIPSTART="SSL","www.google.com",443

CONNECT

OK

Keep Alive settings are also good.
Is there any issue on the server side related to configuration?

Her Mary
Posts: 537
Joined: Mon Oct 27, 2014 11:09 am

Re: AT+CIPSTART closes on some websites when using SSL

Postby Her Mary » Fri Feb 28, 2020 10:37 am

AT+CIPSSLSIZE=4096: maybe enlarging the SSL buffer can help.

ESP_Frank
Posts: 2
Joined: Wed May 18, 2022 3:33 pm

Re: AT+CIPSTART closes on some websites when using SSL

Postby ESP_Frank » Fri May 20, 2022 6:03 pm

Hi,

I think I understand what is going wrong, but don't know how to solve it.

I found out that ESP8266 sends an initial Random during Client Hello with UNIX Timestamp 00000000 (=Jan 1, 1970 01:00:00.000000000). This is outside the web server certificate's time frame and may be a reason for the web server to reject the connection.

I am using an ESP8266 containing:

AT version:1.7.5.0(Oct 9 2021 09:26:04)
SDK version:3.0.5(b29dcd3)
compile time:Oct 15 2021 18:05:38
Bin version(Wroom 02):1.7.5


Before sending AT+CIPSTART="SSL","servername",443 I did configure SNTP using AT+CIPSNTPCFG=1,1,"pool.ntp.org" and issued a successful SNTP request with AT+CIPSNTPTIME?. But still the time info in the Random remains 0. See the Wireshark extract below:

Handshake Protocol: Client Hello
    Handshake Type: Client Hello (1)
    Length: 47
    Version: TLS 1.1 (0x0302)
    Random: 000000006606ced024c458f0afad29b242403955b02a121fd48d0fc83c452f44
        GMT Unix Time: (0)Jan 1, 1970 01:00:00.000000000
        Random Bytes: 6606ced024c458f0afad29b242403955b02a121fd48d0fc83c452f44
    Session ID Length: 0
    Cipher Suites Length: 8
    Cipher Suites (4 suites)
        Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
        Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
        Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
        Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)


The (Apache) webserver is allowing TLSv1.1, but responds with:

Transport Layer Security
    TLSv1.1 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
        Content Type: Alert (21)
        Version: TLS 1.1 (0x0302)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)


To test what happens if the Apache server does NOT accept TLSv1.1 I temporarily modified the server's SSL configuration. Then it responds as follows:

Transport Layer Security
    TLSv1.1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)
        Content Type: Alert (21)
        Version: TLS 1.1 (0x0302)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Protocol Version (70)


So it indicates a rejection because of the TLS protocol version used.

The server also accepts ciphers TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA, so this is probably not the reason for handshake failure.


So I have the strong impression that the wrong time stamp is the reason for the failed SSL connections. Any idea how this can be solved?

Thanks!
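
A small parser for the ClientHello shown in the capture above, added here as an example (it is not code from the poster or from Espressif). It rebuilds the 47-byte body from the posted field values, assuming the two bytes the extract does not list are the compression-methods vector, and reports the timestamp field, the offered cipher suites and whether any extension such as server_name is present.

```python
import struct

# ClientHello body rebuilt from the Wireshark extract in the post above (47 bytes).
# Assumption: the two bytes the extract does not list are the compression_methods
# vector (length 1, null method), which is what makes the total come to 47.
CLIENT_HELLO = bytes.fromhex(
    "0302"                                                      # client_version (TLS 1.1)
    "00000000"                                                  # random.gmt_unix_time
    "6606ced024c458f0afad29b242403955b02a121fd48d0fc83c452f44"  # 28 random bytes
    "00"                                                        # session_id length
    "0008" "002f" "0035" "0005" "0004"                          # cipher_suites
    "0100"                                                      # compression (assumed)
)
SERVER_NAME = 0  # extension type of server_name (SNI)

def parse_client_hello(body: bytes) -> dict:
    """Parse a ClientHello body (the bytes after the 4-byte handshake header)."""
    def need(n):  # bounds check before every read
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
    pos = 0
    need(35)
    version, gmt_unix_time = struct.unpack_from("!HI", body, 0)
    pos = 34                                   # 2 version + 32 random
    pos += 1 + body[pos]                       # skip session_id
    need(2)
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    need(cs_len)
    suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len - 1, 2)]
    pos += cs_len
    need(1)
    pos += 1 + body[pos]                       # skip compression_methods
    ext_types = []
    if pos + 2 <= len(body):                   # optional extensions block
        (ext_total,) = struct.unpack_from("!H", body, pos)
        pos += 2
        need(ext_total)
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            ext_types.append(ext_type)
            pos += 4 + ext_len
    return {"version": version, "gmt_unix_time": gmt_unix_time,
            "cipher_suites": suites, "extensions": ext_types,
            "has_sni": SERVER_NAME in ext_types}

if __name__ == "__main__":
    print(len(CLIENT_HELLO), parse_client_hello(CLIENT_HELLO))
```

On the rebuilt bytes the parser returns a gmt_unix_time of 0, the four RSA suites from the capture and an empty extension list, so under the stated assumption this hello carries no server_name extension.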
