espconn_secure_connect: how does it work?

Post by ESP_Sprite » Thu Nov 27, 2014 7:24 am

Hello,

I'm developing an application that needs to connect to an SSL server (specifically, an XMPP server), but I'm running into trouble with espconn_secure_connect and friends. When I use espconn_connect, everything works, but with espconn_secure_connect, I either get
"client handshake start."
on the console and then nothing, or an exception:
"Fatal exception (29):
epc1=0x4000df3a, epc2=0x00000000, epc3=0x00000000, excvaddr=0x181869fe, depc=0x00000000"
What I get is dependent on the server I connect to.

Just to check: do I need something valid in cert.h and/or private_key.h? At the moment, I have what I think is a self-signed certificate in those files, but I couldn't really find any documentation on those. I also don't quite know if they're needed for a client-side connection. Could you shed some light on those things?

Post by ESP_Sprite » Fri Nov 28, 2014 6:20 am

Replying to my own post: It probably fails because the server's certificate is official and has a lot of data in it: I measured it at 30KBytes or so. That's a li'l much for the ESP chip. If I use a server which uses a self-signed cert (coming in at about 500 bytes) everything works fine.

That's all somewhat unfortunate: it makes it pretty much impossible to use SSL for anything but services that are specifically meant for the ESP. Ah well, for three bucks, I still can't complain.

Post by jackon » Fri Nov 28, 2014 12:53 pm

Hi, Sprite_tm
Could you provide your SSL server's IP and port?
We will have a test.

Post by ESP_Sprite » Fri Nov 28, 2014 4:29 pm

jackon wrote: Hi, Sprite_tm
Could you provide your SSL server's IP and port?
We will have a test.

Sure. I've tried it on two servers, both my HTTPS as well as an SSL Jabber server I don't manage myself. Connecting to the https server makes the esp reboot, connecting to the Jabber server stalls the connection. Both connect fine using for example openssl s_client -connect spritesmods.com:443
The https server is at
https://spritesmods.com/ (port 443, as usual)
The jabber server I tried is at
jabber.hot-chilli.net:5223

Post by jackon » Fri Nov 28, 2014 5:03 pm

Hi, Sprite_tm
Which version of the SDK do you use now?
I'll give you a patch to test.

Post by ESP_Sprite » Fri Nov 28, 2014 7:44 pm

I use 0.9.3, but tested it with 0.9.2 too. I also tried both the libssl.a included in the SDK as well as compiling my own from the ssl sources included in the IoT example.
I'd really like a patch for 0.9.3 to try! Thanks for looking into the problem.

Post by jackon » Fri Nov 28, 2014 9:36 pm

Here is the patch. We tested connecting to your server and it works OK; you can check for yourself.
Just extract the libssl.a to the SDK's lib folder.

Or you can modify ssl_tls1.h, line 80.

Code:

#define RT_MAX_PLAIN_LENGTH 4096

Give me feedback after your test.
Thx
Attachment: libssl.zip (55.05 KiB)

Post by ESP_Sprite » Sat Nov 29, 2014 4:29 pm

Awesome! I still can't connect to the specific Jabber server I mentioned, but my own server and other Jabber servers do seem to work, so that may just be some weirdness in that specific server. Thank you very much!

Ah, while I'm asking questions about SSL etc, does the SDK already have a method to do opportunistic TLS? That basically involves setting up a plaintext connection, asking the server if you can continue using encryption and then doing the SSL handshake over the same socket you previously did plaintext over. If not, I may implement it myself.

Post by mathijs » Wed Dec 03, 2014 5:49 pm

Dear sprite_tm, Jackon

I had the same problem when connecting to 'official signed' HTTPS servers. After changing the buffer size to 4096 instead of 1024, the HTTPS connection works fine now!

Thanks!
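
The posts above differ only in a receive limit of 1024 versus 4096 bytes. As an added example (not code from this thread or from the SDK), the following C program walks plaintext TLS records and counts those whose length field exceeds a given limit; it assumes the limit is compared against each incoming record's length, and `scan_records`, `scan_sample` and the record sizes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_HDR_LEN      5
#define TLS_MAX_FRAGMENT 16384u /* 2^14: protocol ceiling for a plaintext record */

/* records walked, records over the local limit, stopped-on-error flag */
typedef struct { int records, oversized, malformed; } scan_result;

/* Walk plaintext TLS records and compare each length field with `limit`. */
scan_result scan_records(const uint8_t *buf, size_t len, size_t limit)
{
    scan_result r = {0, 0, 0};
    size_t off = 0;
    while (off < len) {
        if (len - off < TLS_HDR_LEN) { r.malformed = 1; break; }
        size_t rec_len = ((size_t)buf[off + 3] << 8) | buf[off + 4];
        /* content types 20..23; major version byte 3 (SSL 3.0 / TLS 1.x) */
        if (buf[off] < 20 || buf[off] > 23 || buf[off + 1] != 3 ||
            rec_len > TLS_MAX_FRAGMENT || rec_len > len - off - TLS_HDR_LEN) {
            r.malformed = 1; break;
        }
        r.records++;
        if (rec_len > limit) r.oversized++;
        off += TLS_HDR_LEN + rec_len;
    }
    return r;
}

/* Constructed sample: three handshake records (type 22); 3000 bytes stands in for a CA-issued chain. */
scan_result scan_sample(size_t limit)
{
    static uint8_t stream[4096];           /* static storage: record bodies stay zeroed */
    const uint16_t lens[] = {81, 3000, 4}; /* constructed sizes */
    size_t off = 0;
    for (size_t i = 0; i < 3; i++) {
        const uint8_t hdr[TLS_HDR_LEN] = {22, 3, 3, (uint8_t)(lens[i] >> 8), (uint8_t)lens[i]};
        memcpy(stream + off, hdr, TLS_HDR_LEN);
        off += TLS_HDR_LEN + lens[i];
    }
    return scan_records(stream, off, limit);
}

int main(void)
{
    printf("oversized at 1024: %d, at 4096: %d\n", scan_sample(1024).oversized, scan_sample(4096).oversized);
    return 0;
}
```

TLS permits plaintext records of up to 2^14 (16384) bytes, so a 4096-byte limit can still be exceeded by a peer that sends larger records.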

Post by younger » Fri Jan 02, 2015 3:51 pm

jackon wrote: Here is the patch. We tested connecting to your server and it works OK; you can check for yourself.
Just extract the libssl.a to the SDK's lib folder.

Or you can modify ssl_tls1.h, line 80.

Code:

#define RT_MAX_PLAIN_LENGTH 4096

Give me feedback after your test.
Thx

Hi jackon,
I use the patch in SDK 0.9.5_b1 to connect to an SSL server (111.206.227.37:2001), and still find some problems:

Code:

connected with LU, channel 6
dhcp client start...
ip:192.168.2.114,mask:255.255.255.0,gw:192.168.2.1
user_esp_platform_dns_found 111.206.227.37
user_esp_platform_connect
espconn_ssl_connect 0x3fff5a30 0x3fff59d0 25352
client handshake start.
espconn_ssl_client ssl_ctx 0x3fff5d20
send_raw_packet pkt_size 56
send_raw_packet Length 56
espconn_ssl_csent 0x3fff5a30 0x3fff5dec 56
espconn_ssl_crecv 409 0x3fff5dc0 0x3fff59a8
basic_read 1366 16 0x00000000
do_clnt_handshake: 107 2
do_clnt_handshake: 107 11
Error: Invalid X509 ASN.1 file (X509 not ok)
[D],process_certificate,x509_new
send_raw_packet pkt_size 7
send_raw_packet Length 7
client handshake failed
espconn_ssl_cclose 0
espconn_ssl_cclose_cb 10 0
send_raw_packet pkt_size 7
send_raw_packet Length 7
user_esp_platform_discon_cb


Could you help me to solve the problems? This is very important to me.
Thanks!