SSL server certificate verification

rojer
Posts: 12
Joined: Mon Jun 15, 2015 5:51 pm

SSL server certificate verification

Postby rojer » Mon Jun 15, 2015 5:57 pm

hi

i want to use ESP to talk to an HTTPS server, and i know about espconn_secure_connect and such.
what i do not see in the SDK, however, is a way to pass CA certificates that should be trusted.
and since having SSL/TLS without actually verifying the server is like having none at all, i'm wondering - what am i missing?
i see that ESP SDK uses axTLS as the TLS library, which needs to be compiled with CONFIG_SSL_CERT_VERIFICATION to enable cert verification.
is this option enabled when SDK is built? if so, how can i call add_cert_auth with the relevant context?

thanks in advance!

Harold L.
Posts: 26
Joined: Thu Dec 18, 2014 3:24 pm

Re: SSL server certificate verification

Postby Harold L. » Tue Jun 16, 2015 10:27 pm

As far as I have tried, I think they actually did not verificate the server certificate.

Some details: http://www.esp8266.com/viewtopic.php?f=6&t=3343#p19188

If the staff from espressif see this, you are welcome to take a look and reply

ESP_Faye
Posts: 1641
Joined: Mon Oct 27, 2014 11:08 am

Re: SSL server certificate verification

Postby ESP_Faye » Wed Jun 17, 2015 10:09 am

Hi,

The latest SDK_v1.1.2 added CA verify function http://bbs.espressif.com/viewtopic.php?f=5&t=591

Document about SSL in \esp_iot_sdk_v1.1.2\document\SSL

Could it help ?

rith87
Posts: 32
Joined: Tue Mar 03, 2015 6:04 pm

Re: SSL server certificate verification

Postby rith87 » Wed Jun 17, 2015 6:55 pm

Hello folks,

I've upgraded to SDK version 1.1.2 and using the sample code at viewtopic.php?f=21&t=389 with DNS disabled, here are my findings:

1. HTTP 200 when connecting to https://iot.espressif.cn/ (115.29.202.58)
2. HTTP 405 when connecting to https://www.baidu.com/ (180.149.132.47)
3. Error -61 when connecting to https://www.espressif.com/ (192.185.229.242)
4. Error -28 when connecting to https://my.flair.zone/api/help

Poking around at the SSL certs, (1), (2) and (3) are using SHA-1 and (4) is using SHA-256. Is there really no plan to support SHA-2?

PS: I don't know if CA verification fixes this problem. My understanding is that CA verification just authenticates the server the client is talking to. If the client trusts that the server is who he really is (I'm not saying this is ideal), then it should be able to skip CA verification. HTTPS experts please correct me if I'm wrong.

rith87
Posts: 32
Joined: Tue Mar 03, 2015 6:04 pm

Re: SSL server certificate verification

Postby rith87 » Sat Jun 20, 2015 12:05 pm

Can any of the Espressif folks comment on (4)? Please? :)

"4. Error -28 when connecting to https://my.flair.zone/api/help"

Can you share why is there an SSL handshake error? What were the client/server unable to converge on?

ESP_Faye
Posts: 1641
Joined: Mon Oct 27, 2014 11:08 am

Re: SSL server certificate verification

Postby ESP_Faye » Thu Jul 09, 2015 6:17 pm

Hi,

Sorry for the inconvenience.

Please have a try with the latest SDK_v1.2.0 with SSL patch here http://bbs.espressif.com/viewtopic.php?f=5&t=708&p=2599#p2599

Thanks for your interest in Espressif Systems and ESP8266 !

rith87
Posts: 32
Joined: Tue Mar 03, 2015 6:04 pm

Re: SSL server certificate verification

Postby rith87 » Sat Jul 11, 2015 10:35 pm

Thank you for showing that Espressif cares! 给你点32赞!I can't wait to try this patch!

rith87
Posts: 32
Joined: Tue Mar 03, 2015 6:04 pm

Re: SSL server certificate verification

Postby rith87 » Sun Jul 12, 2015 10:18 pm

I tried the patch with SDK 1.2.0 but I'm still getting the following output:

got ip !!!
client handshake start.
client handshake failed
reconnect callback, error code -28 !!!


Did you folks succeed with https://my.flair.zone/api/help (54.193.48.141)? Are you using different sample code from viewtopic.php?f=21&t=389?

ESP_Faye
Posts: 1641
Joined: Mon Oct 27, 2014 11:08 am

Re: SSL server certificate verification

Postby ESP_Faye » Tue Jul 14, 2015 10:17 am

Hi,

Please call espconn_secure_set_size to enlarge your SSL buffer.

Here is a sample code as the attachment.
Attachments
user_main.zip
(2.81 KiB) Downloaded 433 times

rith87
Posts: 32
Joined: Tue Mar 03, 2015 6:04 pm

Re: SSL server certificate verification

Postby rith87 » Wed Jul 15, 2015 9:32 pm

My mistake. I probably should have tried increasing the buffer size before responding to the thread. I haven't tried verifying the CA but the handshake works and I receive a 200 OK :). Thanks a lot for the patch!

Who is online

Users browsing this forum: No registered users and 26 guests