Hi,
If using v1.3.0 without SSL memory leak patch it does work with iot.espressif.cn.
If using v1.3.0 WITH SSL patch - it does work with stock v1.3.0 but doesn't work with ssl patch.
Works with ssl patch if i call secure_ca_enable after setting the buffer size.
espconn_secure_set_size(ESPCONN_CLIENT,SSLBUF);
secure_ca_enable(1,0x3d);
but if the call chain is in reverse doesn't work.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
the above observations may be messed up since
now i see that you made changes on iot.espressif.cn
openssl s_client -connect iot.espressif.cn:443
Results in:
Verify return code: 20 (unable to get local issuer certificate)
I did the same on my server /removed the issuer certificate from the chain/ and the handshake went ok.
So seems the issue is with the issuer certificate verification.
Memory Leak/Usage
Re: Memory Leak/Usage
Regards,
zaxl
zaxl
Re: Memory Leak/Usage
Hi,
Please have a try with this new libssl, based on esp_iot_sdk_v1.3.0
Please have a try with this new libssl, based on esp_iot_sdk_v1.3.0
- Attachments
-
- libssl.zip
- (151.31 KiB) Downloaded 682 times
Re: Memory Leak/Usage
Hi, Faye!
I'm sorry but it didn't work.
Test with only the server cert - OK
Test with server and issuer cert - Fail
But there is a little improvement - now it fails immediately - does not wait for server close.
Espressif_Faye wrote:Hi,
Please have a try with this new libssl, based on esp_iot_sdk_v1.3.0
I'm sorry but it didn't work.
Test with only the server cert - OK
Test with server and issuer cert - Fail
But there is a little improvement - now it fails immediately - does not wait for server close.
Regards,
zaxl
zaxl
Re: Memory Leak/Usage
Hi,
There are two new APIs in the new lib that may help, please have a try.
There are two new APIs in the new lib that may help, please have a try.
Re: Memory Leak/Usage
Hi, Faye!
If i got it right - tested with:
espconn_secure_cert_req_disable(3); // disable client certificates in server and client
The result is the same as the previous test.
I do not use client certificates /but it's a very welcome addition!/ - i want to verify that the server i'm connected to is authentic.
May be an option to consider self signed certificates valid would help in my case.
Espressif_Faye wrote:Hi,
There are two new APIs in the new lib that may help, please have a try.
If i got it right - tested with:
espconn_secure_cert_req_disable(3); // disable client certificates in server and client
The result is the same as the previous test.
I do not use client certificates /but it's a very welcome addition!/ - i want to verify that the server i'm connected to is authentic.
May be an option to consider self signed certificates valid would help in my case.
Regards,
zaxl
zaxl
Re: Memory Leak/Usage
Hi,
Is the "https://ssl.test.com" your SSL server ? We can not access to it by browser.
What is the IP, port and CA cert of your SSL server?
How to get "esp_ca_cert.bin", please refer to documentation "5A-ESP8266__SDK__SSL_User_Manual" in \esp_iot_sdk_v1.3.0\document, tools in \esp_iot_sdk_v1.3.0\tools.
How to get "esp_cert_private_key.bin", please refer to the attachment.
Is the "https://ssl.test.com" your SSL server ? We can not access to it by browser.
What is the IP, port and CA cert of your SSL server?
Code: Select all
espconn_secure_ca_enable(ESPCONN_CLIENT, CA_FLASH_ADDR); // flash sector which stored "esp_ca_cert.bin"
espconn_secure_cert_req_enable(ESPCONN_CLIENT, CERT_FLASH_ADDR); // flash sector which stored "esp_cert_private_key.bin"
espconn_secure_connect(&conn);
How to get "esp_ca_cert.bin", please refer to documentation "5A-ESP8266__SDK__SSL_User_Manual" in \esp_iot_sdk_v1.3.0\document, tools in \esp_iot_sdk_v1.3.0\tools.
How to get "esp_cert_private_key.bin", please refer to the attachment.
- Attachments
-
- Certificate Request.zip
- (1.9 MiB) Downloaded 699 times
Re: Memory Leak/Usage
Hi, Faye!
Having two scripts called make_cert.py is a bit confusing.
When acting as a client it doesn't make sense to have all the certs and keys issued merged -
so i used a simple
cat private.key certificate.key > esp_cert_private_key.bin
the script does exactly the same.
{ code }
int sect;
sect = 0x6b;
os_printf("cachain at %x\n", sect);
espconn_secure_ca_enable(ESPCONN_CLIENT, sect);
sect = 0x6c;
os_printf("client key at %x\n", sect);
espconn_secure_cert_req_enable(ESPCONN_CLIENT, sect);
{ end code }
cachain at 6b
client key at 6c
E:M 51440
Fatal exception (28):
epc1=0x4000e1e0, epc2=0x00000000, epc3=0x00000000, excvaddr=0x00000000, depc=0x00000000
/ 0x4000e1e0 is at pm_set_sleep_time but i'm not sure if i got it right /
Espressif_Faye wrote:Hi,
Is the "https://ssl.test.com" your SSL server ? We can not access to it by browser.
What is the IP, port and CA cert of your SSL server?
Check your private messages about my server and ca cert details.Code: Select all
espconn_secure_ca_enable(ESPCONN_CLIENT, CA_FLASH_ADDR); // flash sector which stored "esp_ca_cert.bin"
espconn_secure_cert_req_enable(ESPCONN_CLIENT, CERT_FLASH_ADDR); // flash sector which stored "esp_cert_private_key.bin"
espconn_secure_connect(&conn);
How to get "esp_ca_cert.bin", please refer to documentation "5A-ESP8266__SDK__SSL_User_Manual" in \esp_iot_sdk_v1.3.0\document, tools in \esp_iot_sdk_v1.3.0\tools.
How to get "esp_cert_private_key.bin", please refer to the attachment.
Having two scripts called make_cert.py is a bit confusing.
When acting as a client it doesn't make sense to have all the certs and keys issued merged -
so i used a simple
cat private.key certificate.key > esp_cert_private_key.bin
the script does exactly the same.
{ code }
int sect;
sect = 0x6b;
os_printf("cachain at %x\n", sect);
espconn_secure_ca_enable(ESPCONN_CLIENT, sect);
sect = 0x6c;
os_printf("client key at %x\n", sect);
espconn_secure_cert_req_enable(ESPCONN_CLIENT, sect);
{ end code }
cachain at 6b
client key at 6c
E:M 51440
Fatal exception (28):
epc1=0x4000e1e0, epc2=0x00000000, epc3=0x00000000, excvaddr=0x00000000, depc=0x00000000
/ 0x4000e1e0 is at pm_set_sleep_time but i'm not sure if i got it right /
Regards,
zaxl
zaxl
Re: Memory Leak/Usage
Hi,
Is the "https://ssl.test.com" your SSL server ? We can not access to it by browser.
What is the IP, port and CA cert of your SSL server?
Is the "https://ssl.test.com" your SSL server ? We can not access to it by browser.
What is the IP, port and CA cert of your SSL server?
Re: Memory Leak/Usage
Hi, Faye!
No, i've send you the real server and both .bin files in a private message.
I see it is in my outbox and not in the send items.
Please, take a look.
Espressif_Faye wrote:Hi,
Is the "https://ssl.test.com" your SSL server ? We can not access to it by browser.
What is the IP, port and CA cert of your SSL server?
No, i've send you the real server and both .bin files in a private message.
I see it is in my outbox and not in the send items.
Please, take a look.
Regards,
zaxl
zaxl
Re: Memory Leak/Usage
Hi,
Sorry that we only support ROOT CA, do not support Intermediate CA + root CA right now.
But your request is very important to us, we will think over it and support it in the future.
Thanks for your interest in ESP8266 !
Sorry that we only support ROOT CA, do not support Intermediate CA + root CA right now.
But your request is very important to us, we will think over it and support it in the future.
Thanks for your interest in ESP8266 !
Who is online
Users browsing this forum: No registered users and 3 guests