WifiClientSecure Certificate verification failed on SSL/8883 handshakes #1337

Closed
@joey1442

Board: ESP32 Dev Module?
Core Installation/update date: #1296
IDE name: Arduino IDE 1.8.5
Flash Frequency: 80Mhz
Upload Speed: 921600

Description:

I am using WiFiClientSecure to connect to the test MQTT Mosquitto server and failing. I have taken the cert for port 8883 available explicitly on the test.mosquitto.org site page and formatted it. The Mosquitto cert is signed.
I cannot see what the issue is; the same code successfully connects to another HTTPS site with their site's signed cert on port 443. Could there be a problem with the Mbed SSL handling?
I have also had problems in using unsigned certs in the past when connecting to REST https servers and gave up in favour of signed. Thanks in advance to anyone who can shed light on this.

Sketch:

//Change the code below by your sketch
#include <WiFiClientSecure.h>

const char* ssid = "xxxxx";
const char* password = "xxxxx";
int Port = 8883;  // MQTT port

const char*  server = "test.mosquitto.org";  // Server URL




const char* root_ca = \
"-----BEGIN CERTIFICATE-----\n" \
"MIIC8DCCAlmgAwIBAgIJAOD63PlXjJi8MA0GCSqGSIb3DQEBBQUAMIGQMQswCQYD\n" \
"VQQGEwJHQjEXMBUGA1UECAwOVW5pdGVkIEtpbmdkb20xDjAMBgNVBAcMBURlcmJ5\n" \
"MRIwEAYDVQQKDAlNb3NxdWl0dG8xCzAJBgNVBAsMAkNBMRYwFAYDVQQDDA1tb3Nx\n" \
"dWl0dG8ub3JnMR8wHQYJKoZIhvcNAQkBFhByb2dlckBhdGNob28ub3JnMB4XDTEy\n" \
"MDYyOTIyMTE1OVoXDTIyMDYyNzIyMTE1OVowgZAxCzAJBgNVBAYTAkdCMRcwFQYD\n" \
"VQQIDA5Vbml0ZWQgS2luZ2RvbTEOMAwGA1UEBwwFRGVyYnkxEjAQBgNVBAoMCU1v\n" \
"c3F1aXR0bzELMAkGA1UECwwCQ0ExFjAUBgNVBAMMDW1vc3F1aXR0by5vcmcxHzAd\n" \
"BgkqhkiG9w0BCQEWEHJvZ2VyQGF0Y2hvby5vcmcwgZ8wDQYJKoZIhvcNAQEBBQAD\n" \
"gY0AMIGJAoGBAMYkLmX7SqOT/jJCZoQ1NWdCrr/pq47m3xxyXcI+FLEmwbE3R9vM\n" \
"rE6sRbP2S89pfrCt7iuITXPKycpUcIU0mtcT1OqxGBV2lb6RaOT2gC5pxyGaFJ+h\n" \
"A+GIbdYKO3JprPxSBoRponZJvDGEZuM3N7p3S/lRoi7G5wG5mvUmaE5RAgMBAAGj\n" \
"UDBOMB0GA1UdDgQWBBTad2QneVztIPQzRRGj6ZHKqJTv5jAfBgNVHSMEGDAWgBTa\n" \
"d2QneVztIPQzRRGj6ZHKqJTv5jAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA\n" \
"A4GBAAqw1rK4NlRUCUBLhEFUQasjP7xfFqlVbE2cRy0Rs4o3KS0JwzQVBwG85xge\n" \
"REyPOFdGdhBY2P1FNRy0MDr6xr+D2ZOwxs63dG1nnAnWZg7qwoLgpZ4fESPD3PkA\n" \
"1ZgKJc2zbSQ9fCPxt2W3mdVav66c6fsb7els2W2Iz7gERJSX\n" \
"-----END CERTIFICATE-----\n";




WiFiClientSecure client;

void setup() {
  //Initialize serial and wait for port to open:
  Serial.begin(115200);
  delay(100);

  Serial.print("Attempting to connect to SSID: ");
  Serial.println(ssid);
  WiFi.begin(ssid, password);

  // attempt to connect to Wifi network:
  while (WiFi.status() != WL_CONNECTED) {
    Serial.print(".");
    // wait 1 second for re-trying
    delay(1000);
  }

  Serial.print("Connected to ");
  Serial.println(ssid);

  client.setCACert(root_ca);
  //client.setCertificate(test_client_cert); // for client verification
  //client.setPrivateKey(test_client_key);  // for client verification

  Serial.println("\nStarting connection to server...");
  if (!client.connect(server, Port))
    Serial.println("Connection failed!");
  else {
    Serial.println("Connected to server!");
    // Make a HTTP request:
  //  client.println("GET https://www.howsmyssl.com/a/check HTTP/1.0");
    //client.println("Host: www.howsmyssl.com");
   // client.println("Connection: close");
    //client.println();

    while (client.connected()) {
      String line = client.readStringUntil('\n');
      if (line == "\r") {
        Serial.println("headers received");
        break;
      }
    }
    // if there are incoming bytes available
    // from the server, read them and print them:
    while (client.available()) {
      char c = client.read();
      Serial.write(c);
    }

    client.stop();
  }
}

void loop() {
  // do nothing
}

Debug Messages:

Attempting to connect to SSID: xxxxxx
.[D][WiFiGeneric.cpp:293] _eventCallback(): Event: 13 - AP_START
[D][WiFiGeneric.cpp:293] _eventCallback(): Event: 13 - AP_START
[D][WiFiGeneric.cpp:293] _eventCallback(): Event: 4 - STA_CONNECTED
..[D][WiFiGeneric.cpp:293] _eventCallback(): Event: 7 - STA_GOT_IP
Connected to BTHub6-2C8G

Starting connection to server...
[V][ssl_client.cpp:48] start_ssl_client(): Free heap before TLS 150860
[V][ssl_client.cpp:50] start_ssl_client(): Starting socket
[V][ssl_client.cpp:86] start_ssl_client(): Seeding the random number generator
[V][ssl_client.cpp:95] start_ssl_client(): Setting up the SSL/TLS structure...
[V][ssl_client.cpp:108] start_ssl_client(): Loading CA cert
[V][ssl_client.cpp:143] start_ssl_client(): Setting hostname for TLS session...
[V][ssl_client.cpp:158] start_ssl_client(): Performing the SSL/TLS handshake...
[E][ssl_client.cpp:28] handle_error(): X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
[E][ssl_client.cpp:30] handle_error(): MbedTLS message code: -9984
[E][WiFiClientSecure.cpp:108] connect(): lwip_connect_r: 11
[V][ssl_client.cpp:209] stop_ssl_socket(): Cleaning SSL connection.
Connection failed!
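
Added example, not part of the original post or of the arduino-esp32 code: when a handshake ends with mbedTLS code -9984 (X509 certificate verification failed), a useful first check is what the pinned CA certificate actually contains. This host-side Python script walks the DER of the PEM from the sketch and reports its signature algorithm, RSA key size and validity window, which can then be compared with the TLS library's certificate policy and the device clock; `items` and `inspect_ca` are names made up here, and an RSA key is assumed.

```python
import base64
from datetime import datetime
# Added example: CA certificate copied verbatim from the sketch above.
ROOT_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIC8DCCAlmgAwIBAgIJAOD63PlXjJi8MA0GCSqGSIb3DQEBBQUAMIGQMQswCQYD
VQQGEwJHQjEXMBUGA1UECAwOVW5pdGVkIEtpbmdkb20xDjAMBgNVBAcMBURlcmJ5
MRIwEAYDVQQKDAlNb3NxdWl0dG8xCzAJBgNVBAsMAkNBMRYwFAYDVQQDDA1tb3Nx
dWl0dG8ub3JnMR8wHQYJKoZIhvcNAQkBFhByb2dlckBhdGNob28ub3JnMB4XDTEy
MDYyOTIyMTE1OVoXDTIyMDYyNzIyMTE1OVowgZAxCzAJBgNVBAYTAkdCMRcwFQYD
VQQIDA5Vbml0ZWQgS2luZ2RvbTEOMAwGA1UEBwwFRGVyYnkxEjAQBgNVBAoMCU1v
c3F1aXR0bzELMAkGA1UECwwCQ0ExFjAUBgNVBAMMDW1vc3F1aXR0by5vcmcxHzAd
BgkqhkiG9w0BCQEWEHJvZ2VyQGF0Y2hvby5vcmcwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAMYkLmX7SqOT/jJCZoQ1NWdCrr/pq47m3xxyXcI+FLEmwbE3R9vM
rE6sRbP2S89pfrCt7iuITXPKycpUcIU0mtcT1OqxGBV2lb6RaOT2gC5pxyGaFJ+h
A+GIbdYKO3JprPxSBoRponZJvDGEZuM3N7p3S/lRoi7G5wG5mvUmaE5RAgMBAAGj
UDBOMB0GA1UdDgQWBBTad2QneVztIPQzRRGj6ZHKqJTv5jAfBgNVHSMEGDAWgBTa
d2QneVztIPQzRRGj6ZHKqJTv5jAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA
A4GBAAqw1rK4NlRUCUBLhEFUQasjP7xfFqlVbE2cRy0Rs4o3KS0JwzQVBwG85xge
REyPOFdGdhBY2P1FNRy0MDr6xr+D2ZOwxs63dG1nnAnWZg7qwoLgpZ4fESPD3PkA
1ZgKJc2zbSQ9fCPxt2W3mdVav66c6fsb7els2W2Iz7gERJSX
-----END CERTIFICATE-----"""

SIG_ALGS = {"2a864886f70d010105": "sha1WithRSAEncryption",  # DER OID bytes, hex
            "2a864886f70d01010b": "sha256WithRSAEncryption"}

def items(buf, start, end):
    """Split buf[start:end] into DER elements: (tag, content_start, content_end)."""
    out = []
    while start < end:
        tag, length, start = buf[start], buf[start + 1], start + 2
        if length & 0x80:  # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length, start = int.from_bytes(buf[start:start + n], "big"), start + n
        out.append((tag, start, start + length))
        start += length
    return out

def inspect_ca(pem):  # hypothetical helper; RSA public key assumed
    der = base64.b64decode("".join(pem.strip().splitlines()[1:-1]))
    kids = lambda el: items(der, el[1], el[2])
    tbs = kids(kids(items(der, 0, len(der))[0])[0])  # Certificate -> TBSCertificate
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs  # skip the optional [0] version
    alg = der[slice(*kids(tbs[1])[0][1:])].hex()  # signature algorithm OID
    times = [datetime.strptime(der[a:b].decode(), "%y%m%d%H%M%SZ" if t == 0x17 else "%Y%m%d%H%M%SZ")
             for t, a, b in kids(tbs[3])]  # validity: UTCTime or GeneralizedTime
    bits = kids(tbs[5])[1]  # SPKI BIT STRING; first content byte is the unused-bits count
    _, ms, me = kids(items(der, bits[1] + 1, bits[2])[0])[0]  # RSAPublicKey modulus
    return {"sig_alg": SIG_ALGS.get(alg, alg), "not_before": times[0], "not_after": times[1],
            "rsa_bits": int.from_bytes(der[ms:me], "big").bit_length()}
```

For the certificate in the sketch, `inspect_ca(ROOT_CA_PEM)` reports `sha1WithRSAEncryption`, a 1024-bit RSA key, and a validity window from 2012-06-29 to 2022-06-27.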
