
SSL connection fails with espconn_secure_ca_enable on current master #292


Open
gilpinheiro opened this issue Jan 22, 2020 · 3 comments

Comments

@gilpinheiro

Latest master build always drops connection when espconn_secure_ca_enable is set.

I've reproduced this a few different ways and can confirm that the code worked previously (and correctly validated the server's key was signed by the CA certificate).

With the working master@ed302d1eab70f17848e7c7b671bc2ecc1336b851 build:

client handshake start.
espconn_mbedtls.c 662, type[certificate],length[928]
espconn_mbedtls.c 662, type[certificate],length[928]
espconn_mbedtls.c 662, type[private_key],length[887]
espconn_mbedtls.c 662, type[TLS.ca_x509.cer],length[920]
client handshake ok!

(I've verified that the server is being properly validated - connection fails as expected if I use a server certificate not signed by the CA certificate)

On the master@HEAD build:

client handshake start.
espconn_mbedtls.c 662, type[certificate],length[928]
espconn_mbedtls.c 662, type[certificate],length[928]
espconn_mbedtls.c 662, type[private_key],length[887]
espconn_mbedtls.c 662, type[TLS.ca_x509.cer],length[920]
client handshake failed!
Reason:[-0x2700]
INFO connection.c:99 (reconnect_cb) reconnection occurred [UNKNOWN_ERROR?] (-39)

May be related to #275 (it looks like maybe he is also using a CA certificate to authenticate)

@gilpinheiro (Author)

Test code looks like:

    #include "espconn.h"  /* espconn_secure_* API of the ESP8266 NONOS SDK */

    /* info(), error() and locate_ca_sector() are the reporter's own helpers:
       locate_ca_sector() returns the flash sector holding the CA blob, and the
       client certificate/key blob sits in the following sector. Level 1 is the
       client side. Both *_enable calls return true on success. */
    bool ca_error = false;
    sint8 err;

    info("About to start CA_ENABLE");
    ca_error = espconn_secure_ca_enable(1, locate_ca_sector());
    if (ca_error == false)
        error("espconn_secure_ca_enable has failed");

    info("About to start cert_req");
    ca_error = espconn_secure_cert_req_enable(1, locate_ca_sector() + 1);
    if (ca_error == false)
        error("espconn_secure_cert_req_enable has failed");

    info("... starting connection");
    /* 'connection' is the reporter's struct espconn, set up before this point */
    err = espconn_secure_connect(&connection);
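Editorial note on the two logs above: the type/length lines are identical in the good and bad builds, so the blobs load from flash either way; the -0x2700 that follows is mbedtls's MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, i.e. chain verification of the server certificate failed. Before bisecting the SDK it is worth ruling out the certificate material itself by dumping the CA and client-cert sectors and parsing them offline. The following Python is an added example, not code from this issue or from the SDK. It assumes the entry layout that the SDK's tools/make_cert.py writes (a 32-byte NUL-padded name, a 16-bit little-endian body length, then the DER body), which matches the type/length pairs the SDK logs but should be confirmed against your SDK copy. The sample blob is constructed from minimal DER SEQUENCEs, not real certificates.

```python
import hashlib
import struct

# Assumed layout of each entry in the SDK certificate blob, mirroring what
# tools/make_cert.py writes and what espconn_mbedtls.c logs as
# "type[<name>],length[<n>]": a 32-byte NUL-padded name, a uint16
# little-endian body length, then the DER body. This is an assumption of
# this example; confirm it against the make_cert.py in your SDK copy.
NAME_LEN = 32
HEADER = struct.Struct("<32sH")  # 32-byte name + uint16 LE length = 34 bytes


def pack_entries(entries):
    """Build a blob from (name, der_bytes) pairs using the assumed layout."""
    out = bytearray()
    for name, der in entries:
        raw = name.encode("ascii")
        if len(raw) >= NAME_LEN:
            raise ValueError("entry name too long: %r" % name)
        if len(der) > 0xFFFF:
            raise ValueError("DER body too large for a 16-bit length field")
        out += HEADER.pack(raw, len(der))
        out += der
    return bytes(out)


def parse_entries(blob):
    """Return [(name, der_bytes), ...] for the entries in a blob.

    Stops at the first entry whose name is empty (0x00 padding) or erased
    flash (0xFF padding), or when fewer than HEADER.size bytes remain.
    Raises ValueError if an entry's length runs past the end of the blob.
    """
    entries = []
    off = 0
    while off + HEADER.size <= len(blob):
        raw_name, length = HEADER.unpack_from(blob, off)
        name = raw_name.rstrip(b"\x00")
        if not name or name == b"\xff" * len(name):
            break
        start = off + HEADER.size
        end = start + length
        if end > len(blob):
            raise ValueError("entry %r claims %d bytes but only %d remain"
                             % (name, length, len(blob) - start))
        entries.append((name.decode("ascii", "replace"), blob[start:end]))
        off = end
    return entries


def der_outer_length(der):
    """Total length claimed by a DER SEQUENCE header, or None if the bytes do
    not start with a SEQUENCE tag and a sane length encoding."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                     # short form: length in one byte
        return 2 + first
    n = first & 0x7F                     # long form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_blob(blob):
    """Return [(name, length, sha256_hex, der_ok), ...] for every entry.

    der_ok is True when the body is one DER SEQUENCE whose encoded length
    equals the entry length, the framing mbedtls_x509_crt_parse_der needs.
    Compare sha256_hex with the digest of the DER file you built the blob
    from to confirm the flashed CA is the one that signed the server cert.
    """
    report = []
    for name, der in parse_entries(blob):
        der_ok = der_outer_length(der) == len(der)
        report.append((name, len(der), hashlib.sha256(der).hexdigest(), der_ok))
    return report


# Constructed sample bodies: minimal valid DER SEQUENCEs standing in for a
# client certificate and a CA certificate (not real X.509 data).
SAMPLE_CERT = b"\x30\x03\x02\x01\x01"            # SEQUENCE { INTEGER 1 }
SAMPLE_CA = b"\x30\x05\x02\x01\x07\x05\x00"      # SEQUENCE { INTEGER 7, NULL }
SAMPLE_BLOB = pack_entries([("certificate", SAMPLE_CERT),
                            ("TLS.ca_x509.cer", SAMPLE_CA)]) + b"\xff" * 30

if __name__ == "__main__":
    for name, length, digest, der_ok in check_blob(SAMPLE_BLOB):
        print("type[%s] length[%d] der_ok=%s sha256=%s" % (name, length, der_ok, digest))
```

On a device, read the sector with esptool.py (for example `esptool.py read_flash <sector*0x1000> 0x1000 ca.bin`) and pass the file contents to check_blob(). The SHA-256 of the `TLS.ca_x509.cer` entry should equal `sha256sum` of the DER CA file the blob was built from; der_ok=False on a `certificate` entry means the framing is already wrong before mbedtls ever sees it, and a blob that holds PEM rather than DER will also be flagged here even though mbedtls_x509_crt_parse accepts PEM.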

gilpinheiro referenced this issue Jan 22, 2020: Feature/ssl send data fail (see merge request sdk/ESP8266_NONOS_SDK!224)
@davydnorris

Yes - I am sure this is related. I have rolled back the mbedtls lib to before the issue I reported and everything works fine. All other updates since then are OK, but that change in #275 broke SSL and it's still not fixed.

@davydnorris

The other thing that they did in that update was re-enable SSL3, which is really dangerous as it has known security flaws.

davydnorris referenced this issue Mar 22, 2020: fix(pp): Wi-Fi tx hangs when Q2_RST_INT and Q0_TX_COMPLETE come at the same time (see merge request sdk/ESP8266_NONOS_SDK!270)