Spotify web api connection refused on ESP32 - c++

I'm trying to control spotify through an ESP32 but I always get a connection refused error.
Here I created a function to get the accessToken:
#include <WiFi.h>
#include <WiFiMulti.h>
#include <WiFiClientSecure.h>
#include <HTTPClient.h>
// Wi-Fi helper; the access point is registered and joined in setup().
WiFiMulti wifiMulti;
// PEM certificate that setup() hands to WiFiClientSecure::setCACert() as the
// trust anchor for the TLS connection.
// NOTE(review): the base64 below appears to decode to the leaf certificate for
// *.spotify.com (issuer "DigiCert SHA2 Secure Server CA", validity 2020-06-23
// to 2021-09-02, basicConstraints CA:FALSE), not to a CA certificate. The trust
// anchor should be a CA certificate from the chain the server presents; that
// mismatch would be consistent with the -9984 verification failure in the log.
// Confirm against the chain served by accounts.spotify.com.
const char *ca_cert =
"-----BEGIN CERTIFICATE-----\n" \
"MIIGEDCCBPigAwIBAgIQBS8G4gPhQtIePtEv2M7pnzANBgkqhkiG9w0BAQsFADBN\n" \
"MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E\n" \
"aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMjAwNjIzMDAwMDAwWhcN\n" \
"MjEwOTAyMTIwMDAwWjBOMQswCQYDVQQGEwJTRTESMBAGA1UEBxMJU3RvY2tob2xt\n" \
"MRMwEQYDVQQKEwpTcG90aWZ5IEFCMRYwFAYDVQQDDA0qLnNwb3RpZnkuY29tMIIB\n" \
"IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6HWzVXakqZHjqPgKpyBCffVx\n" \
"j9Vnki7IiTrKDn4AFU2TCkNEj7BjhUg2tNwytK726zpZ3PcRJ7EEyVEkhKCTDieC\n" \
"hHawaUL0B3Xh7chgphPNEq39kw/neWAZ/gPWl+HaDB5CBrK95/z4vkIVIko1a+tl\n" \
"LBqWFcHLEhjkdq5tWnsbJgQjCxwSCQxC5U9jg8i5he4HCPNMj0LW+05pqcfdin7E\n" \
"bmkAlBxST6nHHgRSgqvH61StUx4/gEBsaeI9yET+xnj7CuL4V5LEYVXlWw94ZLtN\n" \
"XAQjBrihrBkA4uiTkwMxEfFKHNbaebILpqJ+JiGH5ovYwpI72U7ghREEwd5xKwID\n" \
"AQABo4IC6TCCAuUwHwYDVR0jBBgwFoAUD4BhHIIxYdUvKOeNRji0LOHG2eIwHQYD\n" \
"VR0OBBYEFMHE9fNvSFaGJ8CcWqfO6HRQ9/4dMCUGA1UdEQQeMByCDSouc3BvdGlm\n" \
"eS5jb22CC3Nwb3RpZnkuY29tMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggr\n" \
"BgEFBQcDAQYIKwYBBQUHAwIwawYDVR0fBGQwYjAvoC2gK4YpaHR0cDovL2NybDMu\n" \
"ZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwL6AtoCuGKWh0dHA6Ly9jcmw0\n" \
"LmRpZ2ljZXJ0LmNvbS9zc2NhLXNoYTItZzYuY3JsMEwGA1UdIARFMEMwNwYJYIZI\n" \
"AYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9D\n" \
"UFMwCAYGZ4EMAQICMHwGCCsGAQUFBwEBBHAwbjAkBggrBgEFBQcwAYYYaHR0cDov\n" \
"L29jc3AuZGlnaWNlcnQuY29tMEYGCCsGAQUFBzAChjpodHRwOi8vY2FjZXJ0cy5k\n" \
"aWdpY2VydC5jb20vRGlnaUNlcnRTSEEyU2VjdXJlU2VydmVyQ0EuY3J0MAwGA1Ud\n" \
"EwEB/wQCMAAwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgD2XJQv0XcwIhRUGAgw\n" \
"lFaO400TGTO/3wwvIAvMTvFk4wAAAXLhDERlAAAEAwBHMEUCIASIo9eFKEVLL4cD\n" \
"xlBhAGSo82I0TRd66jvwFhx6Se79AiEAhL0I6dqaIZTsorV0XwSObs8gbh48ba5h\n" \
"XqQesmvVjH0AdgBc3EOS/uarRUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAXLh\n" \
"DESTAAAEAwBHMEUCIQDnnsP6nLnwtiUHORgRCBqPqFTHsPaTA9FxbmRw0gxGfAIg\n" \
"HLukydDmJy6a3f4ZXa5eJ63kUB1iQc/oai3aXSHbP6MwDQYJKoZIhvcNAQELBQAD\n" \
"ggEBAHfGtU9XU+pUAMgZoc0NenTV2fQfZl5MM5EPG/Jf0Fp4YnIIz92vReVnUvco\n" \
"MxO73E/mP15nxaXQtknQTpCn4ZBSD4OF5oMKM1M98iSGC+ZvKlk0UektOv9zrRTn\n" \
"A2JLJH695cul3nyaoqhuAWtzfFft8y6fm1Bclt1q6OvEGkNtWJ07aQFBXeaIzr4W\n" \
"kZR8sdw+EkiGk1bN/C1CMU0xBnkQE19OycfE2Ax5Qag81KwLlcdkgMtXkMie2ZV1\n" \
"ytyF8FFgyCakrFkDeDOnc5YAOpjlkD8J0uNTZIPv1rF/nA67EgAW9NFxulCqqrXb\n" \
"AFkCjRN8xiv10mrVbcQ86LwZdGA=\n" \
"-----END CERTIFICATE-----\n";
// TLS client; allocated in setup() and dereferenced in getAccessToken().
WiFiClientSecure *client;
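/// Requests a new access token from the Spotify accounts service using the
/// refresh-token grant, and prints the HTTP status and the response body.
///
/// "[b64(id:secret)]" and "[RefreshToken]" are placeholders for the base64
/// client credentials and the refresh token. Returns early when no TLS client
/// is available or when HTTPClient::begin() rejects the URL.
void getAccessToken(){
    // `client` is a global pointer assigned in setup(); setup() only logs when
    // it is null, so guard here instead of dereferencing a null pointer.
    if (client == nullptr) {
        Serial.println("[HTTP] no TLS client available");
        return;
    }

    HTTPClient http;
    Serial.print("[HTTP] begin...\n");
    if (!http.begin(*client, "https://accounts.spotify.com/api/token")) return;

    http.addHeader("Authorization", "Basic [b64(id:secret)]");
    http.addHeader("Content-type", "application/x-www-form-urlencoded");

    Serial.print("[HTTP] POST...\n");
    // start connection and send HTTP header
    const int httpCode = http.POST("grant_type=refresh_token&refresh_token=[RefreshToken]");

    // A value <= 0 is an HTTPClient error code (e.g. the TLS connection failed).
    if (httpCode > 0) {
        Serial.printf("[HTTP] POST... code: %d\n", httpCode);
        // NOTE(review): on success the body carries the access token, so this
        // prints a live credential to the serial console; keep it to debugging.
        String payload = http.getString();
        Serial.println(payload);
    } else {
        Serial.printf("[HTTP] POST... failed, error: %s\n", http.errorToString(httpCode).c_str());
    }
    http.end();
}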
/// One-time initialisation: serial console, Wi-Fi, NTP clock and the TLS client.
void setup() {
    Serial.begin(115200);

    // Station mode; block until the configured access point has been joined.
    WiFi.mode(WIFI_STA);
    wifiMulti.addAP("ssid", "password");
    while (wifiMulti.run() != WL_CONNECTED) {
        delay(50);
        Serial.print(".");
    }
    Serial.println();

    // Set the clock from NTP and print it. Certificate validity dates can only
    // be checked against a correct clock -- presumably why this precedes TLS.
    configTime(3600, 3600, "pool.ntp.org", "time.nist.gov");
    struct tm now;
    if (getLocalTime(&now)) {
        Serial.println(&now, "%A, %B %d %Y %H:%M:%S");
    } else {
        Serial.println("Failed to obtain time");
    }

    // Create the TLS client and install ca_cert as its trust anchor.
    client = new WiFiClientSecure();
    if (client == nullptr) {
        Serial.println("Error setting ca_cert");
    } else {
        client->setCACert(ca_cert);
    }
}
/// Main loop: request a token, then pause before the next attempt.
void loop() {
    const unsigned long pauseMs = 10000;  // ten seconds between requests

    getAccessToken();
    delay(pauseMs);
}
Output:
13:41:01.057 -> Thursday, March 18 2021 14:41:19
13:41:01.057 -> [HTTP] begin...
13:41:01.057 -> [V][HTTPClient.cpp:239] beginInternal(): url: https://accounts.spotify.com/api/token
13:41:01.057 -> [D][HTTPClient.cpp:287] beginInternal(): host: accounts.spotify.com port: 443 url: /api/token
13:41:01.057 -> [HTTP] POST...
13:41:01.057 -> [D][HTTPClient.cpp:573] sendRequest(): request type: 'POST' redirCount: 0
13:41:01.057 ->
13:41:01.057 -> [V][ssl_client.cpp:59] start_ssl_client(): Free internal heap before TLS 279108
13:41:01.057 -> [V][ssl_client.cpp:65] start_ssl_client(): Starting socket
13:41:01.104 -> [V][ssl_client.cpp:104] start_ssl_client(): Seeding the random number generator
13:41:01.104 -> [V][ssl_client.cpp:113] start_ssl_client(): Setting up the SSL/TLS structure...
13:41:01.104 -> [V][ssl_client.cpp:129] start_ssl_client(): Loading CA cert
13:41:01.104 -> [V][ssl_client.cpp:197] start_ssl_client(): Setting hostname for TLS session...
13:41:01.104 -> [V][ssl_client.cpp:212] start_ssl_client(): Performing the SSL/TLS handshake...
13:41:01.197 -> [E][ssl_client.cpp:36] _handle_error(): [start_ssl_client():216]: (-9984) X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
13:41:01.197 -> [E][WiFiClientSecure.cpp:127] connect(): start_ssl_client: -9984
13:41:01.197 -> [V][ssl_client.cpp:265] stop_ssl_socket(): Cleaning SSL connection.
13:41:01.197 -> [D][HTTPClient.cpp:1112] connect(): failed connect to accounts.spotify.com:443
13:41:01.197 -> [W][HTTPClient.cpp:1411] returnError(): error(-1): connection refused
13:41:01.197 -> [HTTP] POST... failed, error: connection refused
13:41:01.197 -> [D][HTTPClient.cpp:394] disconnect(): tcp is closed
13:41:01.197 ->
13:41:01.197 -> [V][ssl_client.cpp:265] stop_ssl_socket(): Cleaning SSL connection.
It gives me the same error every time I try to make a request to the spotify api, but the sample https code works.
I tried to make the request via Postman and it went through.
What am I getting wrong?

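Setting the debug level to verbose in the Tools section of the Arduino IDE showed that I had the wrong certificate: the verbose log above reports an X509 certificate verification failure (-9984) during the TLS handshake, which HTTPClient then surfaces as "connection refused".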

Related

WiFiClient.cpp socket error "Software caused connection abort - PlatformIo

For a project I am working on a mesh network on ESP32 (devkit).
I'm using the https://gitlab.com/painlessMesh/painlessMesh library for this to work.
The data received from the other ESP32s needs to be sent to a REST API on Home Assistant at the address http://192.168.1.4:8123/api/states/sensor.mesh.
To do this I am using the https://www.arduino.cc/reference/en/libraries/http/ library to send these HTTP requests.
This is my code:
#include <painlessMesh.h>
#include <WiFi.h>
#include <HTTPClient.h>
#include <Arduino.h>
#include <ArduinoJson.h>
// Mesh network name, password and port; passed to mesh.init() in setup().
#define MESH_PREFIX "MeshNetwork"
#define MESH_PASSWORD "MeshPassword"
#define MESH_PORT 5555
// Wi-Fi credentials used by WiFi.begin() in setup(); the angle-bracket values
// are placeholders. Keep real credentials out of shared or published source.
const char* ssid_wifi = "<wifissid>";
const char* password_wifi = "<wifipassword>";
// Mesh instance and the scheduler handed to mesh.init().
painlessMesh mesh;
Scheduler userScheduler;
/// Mesh receive handler: logs the incoming message, then POSTs a sensor state
/// (a random value in the range passed to random()) to the Home Assistant REST
/// API and prints the resulting HTTP status code.
void receivedCallback( uint32_t from, String &msg ) {
    Serial.printf("Received from %u msg=%s\n", from, msg.c_str());

    // Send To Home Assistent
    Serial.printf("Node %u sends to HA....\n", from);

    // NOTE(review): the endpoint is plain http://, so the Authorization bearer
    // token and the payload cross the network unencrypted and unauthenticated.
    WiFiClient client;
    HTTPClient http;
    String endpoint = "http://192.168.1.4:8123/api/states/sensor.mesh";
    http.begin(client, endpoint);
    http.addHeader("Content-Type", "application/json");
    http.addHeader("Authorization", "Bearer <TOKEN>");

    // Build the JSON body once; it is both logged and sent.
    String body = "{\"state\":"+ String(random(0,30));
    body += ", \"attributes\": {\"unit_of_measurement\": \"°C\"}}";
    Serial.println(body);

    // A negative value is an HTTPClient error code rather than an HTTP status.
    const int status = http.POST(body);
    Serial.print("HTTP Response code: ");
    Serial.println(status);
    http.end();
}
/// Mesh event handler: logs the id of a newly connected node.
void newConnectionCallback(uint32_t nodeId) {
    Serial.printf(
        "startHere: New Connection found!, nodeId = %u\n",
        nodeId);
}
/// Mesh event handler: logs that the set of connections changed.
void changedConnectionCallback() {
    Serial.printf("Changed connections\n");
}
/// Mesh event handler: logs the current node time and the applied offset.
void nodeTimeAdjustedCallback(int32_t offset) {
    const uint32_t meshTime = mesh.getNodeTime();
    Serial.printf("Adjusted time %u. Offset = %d\n", meshTime, offset);
}
/// One-time initialisation: serial console, Wi-Fi station connection, then the
/// mesh network with its event handlers.
void setup() {
    Serial.begin(115200);

    // Join the Wi-Fi network and block until the link is up.
    WiFi.begin(ssid_wifi, password_wifi);
    Serial.printf("\n Connecting to Wifi: %s", ssid_wifi);
    while (WiFi.status() != WL_CONNECTED) {
        delay(500);
        Serial.print(".");
    }
    Serial.println("\n Connected to Wifi! \n ");

    // start Mesh Network
    mesh.setDebugMsgTypes(
        ERROR | MESH_STATUS | CONNECTION | SYNC | COMMUNICATION | GENERAL | MSG_TYPES | REMOTE );
    mesh.init( MESH_PREFIX, MESH_PASSWORD, &userScheduler, MESH_PORT);

    // Set Root Node
    mesh.setContainsRoot(true);

    // Mesh Events
    mesh.onReceive(&receivedCallback);
    mesh.onNewConnection(&newConnectionCallback);
    mesh.onChangedConnections(&changedConnectionCallback);
    mesh.onNodeTimeAdjusted(&nodeTimeAdjustedCallback);
}
/// Main loop: hands control to the mesh library on every pass.
void loop() {
    mesh.update();
}
When the data is sending it gives me the following error
[E][WiFiClient.cpp:258] connect(): socket error on fd 61, errno: 113, "Software caused connection abort"
HTTP Response code: -1
I don't know what to do now; I have tried a lot of things.
Can anybody help me?
Thanks!
Update: When requesting the HTTP POST in the setup() it works. Not in the loop()

why ESP32 ssl connect fails

I am using the WiFiClientSecure example in Arduino studio. I first ran the example on my ESP32-CAM with the website howsmyssl and it works.
Then I created and hosted my own nodejs app on a domain and generated a Let's Encrypt certificate for it so all requests are directed to SSL.
I then exported the certificate from Google Chrome and replaced the howsmyssl certificate with my own site's certificate.
The problem is that it does not connect and I get the message "connection failed" in the serial monitor.
Here is my code,
Essentially its the same code as in the example but for some reason the server is not connecting. Would appreciate any advise on how to debug/correct this.:
/*
Wifi secure connection example for ESP32
Running on TLS 1.2 using mbedTLS
Suporting the following chipersuites:
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_CCM","TLS_DHE_RSA_WITH_AES_256_CCM","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384","TLS_DHE_RSA_WITH_AES_256_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_DHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8","TLS_DHE_RSA_WITH_AES_256_CCM_8","TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384","TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384","TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384","TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256","TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CCM","TLS_DHE_RSA_WITH_AES_128_CCM","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_DHE_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8","TLS_DHE_RSA_WITH_AES_128_CCM_8","TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256","TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256","TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256","TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256","TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA","TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA","TLS_DHE_PSK_WITH_AES_256_GCM_SHA384","TLS_DHE_PSK_WITH_AES_256_CCM","TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384","TLS_DHE_PSK_WITH_AES_256_CBC_SHA384","TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA","TLS_DHE_PSK_WITH_AES_256_CBC_SHA","TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384","TLS_ECDHE_PSK_WITH_CAMELLIA_2
56_CBC_SHA384","TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384","TLS_PSK_DHE_WITH_AES_256_CCM_8","TLS_DHE_PSK_WITH_AES_128_GCM_SHA256","TLS_DHE_PSK_WITH_AES_128_CCM","TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256","TLS_DHE_PSK_WITH_AES_128_CBC_SHA256","TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA","TLS_DHE_PSK_WITH_AES_128_CBC_SHA","TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256","TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256","TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256","TLS_PSK_DHE_WITH_AES_128_CCM_8","TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA","TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_256_CCM","TLS_RSA_WITH_AES_256_CBC_SHA256","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384","TLS_ECDH_RSA_WITH_AES_256_CBC_SHA","TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384","TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_256_CCM_8","TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384","TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256","TLS_RSA_WITH_CAMELLIA_256_CBC_SHA","TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384","TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384","TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384","TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_128_CCM","TLS_RSA_WITH_AES_128_CBC_SHA256","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA","TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_128_CCM_8","TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256","TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256","TLS_RSA_WITH_CAMELLIA_128_CBC_SHA","TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256","TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256","TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256","TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256","TLS_RSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDH_ECDSA_W
ITH_3DES_EDE_CBC_SHA","TLS_RSA_PSK_WITH_AES_256_GCM_SHA384","TLS_RSA_PSK_WITH_AES_256_CBC_SHA384","TLS_RSA_PSK_WITH_AES_256_CBC_SHA","TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384","TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384","TLS_RSA_PSK_WITH_AES_128_GCM_SHA256","TLS_RSA_PSK_WITH_AES_128_CBC_SHA256","TLS_RSA_PSK_WITH_AES_128_CBC_SHA","TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256","TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256","TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA","TLS_PSK_WITH_AES_256_GCM_SHA384","TLS_PSK_WITH_AES_256_CCM","TLS_PSK_WITH_AES_256_CBC_SHA384","TLS_PSK_WITH_AES_256_CBC_SHA","TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384","TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384","TLS_PSK_WITH_AES_256_CCM_8","TLS_PSK_WITH_AES_128_GCM_SHA256","TLS_PSK_WITH_AES_128_CCM","TLS_PSK_WITH_AES_128_CBC_SHA256","TLS_PSK_WITH_AES_128_CBC_SHA","TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256","TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256","TLS_PSK_WITH_AES_128_CCM_8","TLS_PSK_WITH_3DES_EDE_CBC_SHA","TLS_EMPTY_RENEGOTIATION_INFO_SCSV"]
2017 - Evandro Copercini - Apache 2.0 License.
*/
#include <WiFiClientSecure.h>
const char* ssid = "myap"; // your network SSID (name of wifi network)
const char* password = "mypass"; // your network password
const char* server = "growgreen.life"; // Server URL
// Certificate passed to client.setCACert() in setup() to verify the server.
// The example's original text reads: "www.howsmyssl.com root certificate
// authority, to verify the server; change it to your server root CA;
// SHA1 fingerprint is broken now!"
// NOTE(review): the PEM below appears to decode to the leaf certificate for
// growgreen.life (issuer Let's Encrypt "R3", validity 2021-07-12 to
// 2021-10-10), not to a root CA. The trust anchor should be the root (or an
// intermediate) CA of the chain the server presents; a leaf also has to be
// replaced in the firmware every time the site's certificate is renewed.
const char* test_root_ca= \
"-----BEGIN CERTIFICATE-----\n" \
"MIIFNTCCBB2gAwIBAgISA923aMjf7A21sbQ131UqqWdiMA0GCSqGSIb3DQEBCwUA\n" \
"MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\n" \
"EwJSMzAeFw0yMTA3MTIwNTI3MzJaFw0yMTEwMTAwNTI3MzFaMBkxFzAVBgNVBAMT\n" \
"Dmdyb3dncmVlbi5saWZlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n" \
"ocNfRneLCVSsl6ZOHaQQ9wQqtEjfuX/rn625xP/VWmikNlPkFrhP6Hm5HbXkpMSB\n" \
"+vGX3ms6tjoIWgipeusHo3shz+RsqVDGpfdxsNbKApHL8JxaIWjYaAlJDfw7SPOP\n" \
"lv+wqJXR7it83l5DuPrgu2jxbmDgrWdWbbXJYTs2kLbMANIMplYgHua3wGSovpGt\n" \
"PcK8LeohsEJk1cntqtcaznJFxA6s54hKtv/L03WgkNUlONX2BWrwv/OBsGkCN123\n" \
"5JmZ7iyocjaH6x5ixp7ULAtPKpsI5OQ+2zcgQIBRxLW3Tv4rBF0p7JAXlJHjuAqH\n" \
"52LW8pySppIeLsR+FM6O+wIDAQABo4ICXDCCAlgwDgYDVR0PAQH/BAQDAgWgMB0G\n" \
"A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1Ud\n" \
"DgQWBBT9KWvWs7GmeyfSgnS/eWMmku/5sTAfBgNVHSMEGDAWgBQULrMXt1hWy65Q\n" \
"CUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9y\n" \
"My5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3Jn\n" \
"LzAtBgNVHREEJjAkgg5ncm93Z3JlZW4ubGlmZYISd3d3Lmdyb3dncmVlbi5saWZl\n" \
"MEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUH\n" \
"AgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBAwYKKwYBBAHWeQIEAgSB\n" \
"9ASB8QDvAHUARJRlLrDuzq/EQAfYqP4owNrmgr7YyzG1P9MzlrW2gagAAAF6mWY+\n" \
"9QAABAMARjBEAiAhHEeGYKpneNn2/GnYzvgXtflgAap8sRpzzu5h123/YwIgQ0jb\n" \
"xgImVVDW2usWjENjmgnIUYk4W03p8AdyuKchtgsAdgD2XJQv0XcwIhRUGAgwlFaO\n" \
"400TGTO/3wwvIAvMTvFk4wAAAXqZZj7vAAAEAwBHMEUCIQCIMPL8yUXTwl9dFvsT\n" \
"Fy+WKRlPEImFQiiNYkyAXUmFLgIgJlTi2679ZvYIlLUq4wS/CXJHsYIzFI6qILfu\n" \
"V+7d0BIwDQYJKoZIhvcNAQELBQADggEBAKOXihmS7Byw5Q4cYXbVmqFZqLuXJod5\n" \
"1GZYIfsfmeH6By93Hjlqcm58L5/DLNA6Yfqnu9mmWrAPd0MYz7PGvlxzDbN/ggGK\n" \
"fD0PjwuREln5vgHXKOysYCJ7ho58g9DN4mkS2679FD2WiYXMpntYQtQP24noIaw1\n" \
"DmeS8h6xXQcDIEVVWki9Rst/S3dvI/LQUaQ0UCe8EeDbrYgKj9eMZH32ENqcb5NE\n" \
"LikNcXQpl/cgAbb3xczFAMBL7Vo8QxAM9bMiyfp58zh0bcFJkH9bNDEQ9uQdkHTP\n" \
"nukplj5DC7V5+FHPyBvTdUCRTPKf9cjHEvbCLCMicCMbeCjZ69cYhSo=\n" \
"-----END CERTIFICATE-----\n";
// You can use x.509 client certificates if you want
//const char* test_client_key = ""; //to verify the client
//const char* test_client_cert = ""; //to verify the client
// TLS client used by setup().
WiFiClientSecure client;
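/// Joins the Wi-Fi network, opens a verified TLS connection to `server` on
/// port 443, sends one GET request for "/" and prints the response body to the
/// serial console. Returns early when the TLS connection cannot be opened.
void setup() {
    //Initialize serial and wait for port to open:
    Serial.begin(115200);
    delay(100);

    Serial.print("Attempting to connect to SSID: ");
    Serial.println(ssid);
    WiFi.begin(ssid, password);

    // attempt to connect to Wifi network:
    while (WiFi.status() != WL_CONNECTED) {
        Serial.print(".");
        // wait 1 second for re-trying
        delay(1000);
    }

    Serial.print("Connected to ");
    Serial.println(ssid);

    // Trust anchor used to verify the server's certificate chain.
    client.setCACert(test_root_ca);
    //client.setCertificate(test_client_cert); // for client verification
    //client.setPrivateKey(test_client_key);   // for client verification

    Serial.println("\nStarting connection to server...");
    if (!client.connect(server, 443)) {
        Serial.println("Connection failed!");
        return;
    }
    Serial.println("Connected to server!");

    // Make a HTTP request. The request line needs a path and the protocol
    // version; the earlier "GET https://growgreen.life" had no version, which
    // is a likely cause of the server's "400 Bad Request". HTTP/1.0 keeps the
    // response free of chunked encoding, which the plain reader below would
    // otherwise print raw.
    client.println("GET / HTTP/1.0");
    client.print("Host: ");
    client.println(server);
    client.println("Connection: close");
    client.println();

    // Skip the response headers: they end at the first empty line ("\r").
    while (client.connected()) {
        String line = client.readStringUntil('\n');
        if (line == "\r") {
            Serial.println("headers received");
            break;
        }
    }

    // if there are incoming bytes available
    // from the server, read them and print them:
    while (client.available()) {
        char c = client.read();
        Serial.write(c);
    }

    client.stop();
}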
/// Intentionally empty: the whole example runs once from setup().
void loop() {
}
I changed the leaf certificate with the root certificate and now I am able to connect to the server. But for some reason I am getting the bad request 400 response...following is the response in the serial monitor:
Starting connection to server...
Connected to server!
headers received
<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.14.0 (Ubuntu)</center>
</body>
</html>
// Placeholder for the server to contact, and the HTTPS port.
const char* host="Your host server" ;
const int httpsPort = 443;
//use below inside the function u want to connect with server
WiFiClientSecure client;
// NOTE(review): setInsecure() turns off server certificate verification. The
// traffic is still encrypted, but the device can no longer tell the real
// server from an impostor, so anything sent or received can be read or altered
// by whoever answers the connection. Use it only as a short-lived diagnostic;
// for normal operation call setCACert() with the root CA of the server's chain.
client.setInsecure();
HTTPClient http;
// NOTE(review): HTTPClient opens the connection itself when the request is
// sent, so this explicit connect() is probably redundant -- confirm.
client.connect(host, httpsPort);
// NOTE(review): begin(client, url) takes a URL; `host` looks like a bare host
// name here -- confirm that the value includes the "https://" scheme and path.
http.begin(client, host);
String payload;
// The body is read only when the server answers 200 OK.
if (http.GET() == HTTP_CODE_OK)
payload = http.getString();

How to get multiple responses per second with Get Request using ESP32

I'm using an ESP32 controller to send Get requests to a page. I can get 1 response per second using the http protocol and one response every three seconds using HTTPS. I would like to get as many as 3 responses per second if possible. Is there a faster way to get these responses and is the problem with my ESP32, the code, or the server itself? I'm not sure if it helps but my ESP32 is sending the Get request to an ASP.NET application running on a Windows server through an Amazon Web Services EC2 instance. My API is simply returning true or false.
Here is the code running on the ESP32:
#include <Arduino.h>
#include <WiFi.h>
#include <WiFiMulti.h>
#include <HTTPClient.h>
// All console output in this sketch goes through USE_SERIAL, defined as Serial.
#define USE_SERIAL Serial
// Wi-Fi helper; the access point is added in setup() and polled in loop().
WiFiMulti wifiMulti;
//Certificate when using HTTPS
// NOTE(review): the commented-out definition below ends with a line
// continuation and has no terminating ';' -- add one when enabling it.
/*
const char* ca = \
"-----BEGIN CERTIFICATE-----\n" \
"examplecertificate\n" \
"-----END CERTIFICATE-----\n" \
*/
/// One-time initialisation: serial console, a four-second start-up countdown,
/// then registration of the Wi-Fi access point.
void setup() {
    USE_SERIAL.begin(115200);

    // Count down 4..1, one second per step, flushing each message first.
    uint8_t remaining = 4;
    while (remaining > 0) {
        USE_SERIAL.printf("[SETUP] WAIT %d...\n", remaining);
        USE_SERIAL.flush();
        delay(1000);
        remaining--;
    }

    wifiMulti.addAP("ssid", "password");
}
/// Main loop: when Wi-Fi is connected, performs one GET request and prints the
/// body of a 200 response, or the error text when the request failed.
void loop() {
    // wait for WiFi connection
    if (wifiMulti.run() != WL_CONNECTED) {
        return;
    }

    // A fresh HTTPClient is created on every pass, so each request starts
    // from a new client object.
    HTTPClient http;
    //USE_SERIAL.print("[HTTP] begin...\n");
    //http.begin("https://example.com/webapi/controller/getstatus/0", ca); //Using HTTPS takes 3 seconds
    // NOTE(review): the active variant is plain HTTP, so the request and the
    // true/false answer travel unencrypted and unauthenticated.
    http.begin("http://example.com/webapi/controller/getstatus/0"); //Using HTTP takes 1 second
    //USE_SERIAL.print("[HTTP] GET...\n");

    // start connection and send HTTP header
    const int httpCode = http.GET();

    // httpCode will be negative on error
    if (httpCode <= 0) {
        USE_SERIAL.printf("[HTTP] GET... failed, error: %s\n", http.errorToString(httpCode).c_str());
    } else if (httpCode == HTTP_CODE_OK) {
        // file found at server
        String payload = http.getString();
        USE_SERIAL.println(payload);
    }

    http.end();
}

winldap can't connect to openldap with ssl

os : win7 64bits
ldap server : openldap for windows 2.4.34
compiler : vc2008
I can query the data of the server by this command
ldapsearch -H ldaps://CS-GAMEBOY-PC -x -b dc=micmiu,dc=com -D cn=Manager,dc=micmiu,dc=com -w secret
But I can't query the data by the example codes of winldap(I remove most of the error handles and resource cleaning to simplify the codes)
#include <iostream>
#include <windows.h>
#include <winldap.h>
#include <winber.h>
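/// Opens an LDAP-over-SSL session to the server, selects protocol version 3
/// and attempts to connect.
///
/// @return 0 when ldap_connect() succeeds, -1 when the session cannot be
///         created or the connection fails.
int main()
{
    // Writable buffer: ldap_sslinitA() takes a non-const host name.
    char LdapServer[] = "CS-GAMEBOY-PC";

    // Third argument 1 requests an SSL-secured session on LDAP_SSL_PORT.
    LDAP *ldap = ldap_sslinitA(LdapServer, LDAP_SSL_PORT, 1);
    if (ldap == NULL) {
        // Without this check every later call would receive a null handle.
        std::cout << "ldap_sslinit failed, error code = 0x"
                  << std::hex << LdapGetLastError() << std::endl;
        return -1;
    }

    unsigned long version = LDAP_VERSION3;
    ldap_set_option(ldap,
                    LDAP_OPT_PROTOCOL_VERSION,
                    (void*)&version);

    // If SSL is not enabled, enable it.
    ldap_set_option(ldap, LDAP_OPT_SSL, LDAP_OPT_ON);

    // Connect to the server.
    const unsigned long connectSuccess = ldap_connect(ldap, NULL);
    if (connectSuccess != LDAP_SUCCESS) {
        std::cout << "ldap_connect failed with " << ldap_err2string(connectSuccess) << std::endl;
        std::cout << "error codes = 0x" << std::hex << connectSuccess << std::endl;
        ldap_unbind(ldap);  // release the session handle on the error path too
        return -1;
    }

    std::cout << "ldap_connect succeeded \n";

    // ldap_unbind() frees the session handle even though no bind was done.
    ldap_unbind(ldap);
    return 0;
}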
ldap_connect fails and gives me the error code "0x51".
The server side gives me these errors:
........
tls_read: want=5 error=Unknown error
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
........
tls_read: want=5 error=Unknown error
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS: can't accept: (unknown).
How should I fix this problem?
// Server-certificate callback registered below via LDAP_OPT_SERVER_CERTIFICATE.
// NOTE(review): it returns true unconditionally and never looks at the
// certificate, so once registered the client accepts ANY server certificate.
// The LDAPS session is still encrypted, but the server is not authenticated,
// and the bind credentials would be sent to whoever answers. A verifying
// callback has to inspect the certificate it is handed (winldap documents the
// callback as receiving the connection and a PCCERT_CONTEXT pointer) and
// return false when validation fails. Presumably the cleaner fix is to make
// the CA that signed the OpenLDAP server certificate trusted on the client so
// that the default validation succeeds -- confirm.
static bool VerifyCert(void/*LDAP* ld, PCCERT_CONTEXT pServerCert*/)
{
return true;
}
//
..
// Set the version to 3.0 (default is 2.0). and than ->
// Registers VerifyCert as the certificate check for this connection.
ldap_set_option(pLdapConnection, LDAP_OPT_SERVER_CERTIFICATE, &VerifyCert);
// Now you can Bind.
..

OpenSSL in C++ email client - server closes connection with TLSv1 Alert message

My app connects to a IMAP email server. One client configured his server to reject SSLv2 certificates, and now my app fails to connect to the server. All other email clients connect to this server successfully. My app uses openssl.
I debugged by creating minimal openssl client and attempt to connect to the server. Below is the code with connects to the mail server (using Windows sockets, but same problem is with unix sockets).
Server sends its initial IMAP greeting message, but after client sends 1st command, server closes connection. In Wireshark, I see that after sending command to server, it returns TLSv1 error message 21 (Encrypted Alert) and connection is gone.
I'm looking for proper setup of OpenSSL for this connection to succeed.
Thanks
#include <stdio.h>
#include <memory.h>
#include <errno.h>
#include <sys/types.h>
#include <winsock2.h>
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
// Error-handling shortcuts: each one terminates the process on failure.
//   CHK_NULL: exit(1) when x is NULL.
//   CHK_ERR:  perror(s) and exit(1) when err is -1.
//   CHK_SSL:  print the OpenSSL error queue to stderr and exit(2) when err is -1.
// NOTE(review): CHK_NULL expands to an unbraced `if`, so it must not be
// followed by an `else` belonging to an outer statement.
#define CHK_NULL(x) if((x)==NULL) exit(1)
#define CHK_ERR(err,s) if((err)==-1) { perror(s); exit(1); }
#define CHK_SSL(err) if((err)==-1) { ERR_print_errors_fp(stderr); exit(2); }
// TLS session shared by write(), read() and main().
SSL *ssl;
// Receive buffer filled by read(); one byte is kept for the terminating 0.
char buf[4096];
/// Sends the NUL-terminated string `s` over the global TLS session and echoes
/// it to stdout; exits through CHK_SSL when SSL_write() returns -1.
void write(const char *s){
    const int written = SSL_write(ssl, s, strlen(s));

    // The echo happens before the result check, as in the original order.
    printf("> %s\n", s);
    CHK_SSL(written);
}
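/// Reads up to sizeof(buf) - 1 bytes from the global TLS session into `buf`,
/// NUL-terminates the data and prints it.
///
/// Exits with status 2 when SSL_read() reports an error (any negative value)
/// and with status 1 when it returns 0 (no data, connection closed).
void read(){
    const int n = SSL_read(ssl, buf, sizeof(buf) - 1);

    // Treat every negative result as an error, not only -1: a negative n must
    // never reach the buf[n] store below.
    if (n < 0) {
        ERR_print_errors_fp(stderr);
        exit(2);
    }

    if (n == 0) {
        // SSL_get_error() wants the return value of the failed call.
        const int e = SSL_get_error(ssl, n);
        printf("Read error %i\n", e);
        exit(1);
    }

    buf[n] = 0;  // n <= sizeof(buf) - 1, so the terminator fits
    printf("%s\n", buf);
}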
// Minimal IMAP-over-TLS test client: opens a TCP connection to a fixed
// address on port 993, runs the TLS handshake, then exchanges two IMAP
// commands through the write()/read() helpers and shuts down.
// NOTE(review): `void main` is non-standard C++; the standard form is
// `int main`.
void main(){
int err=0;
// Legacy OpenSSL initialisation calls.
SSLeay_add_ssl_algorithms();
// Version-flexible client method: the protocol version is negotiated.
SSL_METHOD *meth = SSLv23_client_method();
SSL_load_error_strings();
SSL_CTX *ctx = SSL_CTX_new(meth);
CHK_NULL(ctx);
// NOTE(review): no trust store is loaded into ctx and SSL_CTX_set_verify() is
// never called, so the context keeps OpenSSL's default client mode
// (SSL_VERIFY_NONE): the handshake below completes whatever certificate the
// server presents, and nothing checks that the certificate matches the host.
// Start Winsock (version 2.2) before any socket call.
WSADATA data;
WSAStartup(0x202, &data);
int sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
CHK_ERR(sd, "socket");
// Hard-coded IPv4 address and the IMAPS port.
struct sockaddr_in sa;
memset(&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr("195.137.27.14");
sa.sin_port = htons(993);
err = connect(sd,(struct sockaddr*) &sa, sizeof(sa));
CHK_ERR(err, "connect");
/* ----------------------------------------------- */
/* Now we have TCP connection. Start SSL negotiation. */
ssl = SSL_new(ctx); CHK_NULL(ssl);
SSL_set_fd(ssl, sd);
err = SSL_connect(ssl); CHK_SSL(err);
// Following two steps are optional and not required for data exchange to be successful.
// NOTE(review): the disabled block only prints the negotiated cipher and the
// certificate's subject and issuer names; it does not verify the certificate.
/*
printf("SSL connection using %s\n", SSL_get_cipher(ssl));
X509 *server_cert = SSL_get_peer_certificate(ssl); CHK_NULL(server_cert);
printf("Server certificate:\n");
char *str = X509_NAME_oneline(X509_get_subject_name(server_cert),0,0);
CHK_NULL(str);
printf(" subject: %s\n", str);
OPENSSL_free(str);
str = X509_NAME_oneline(X509_get_issuer_name (server_cert),0,0);
CHK_NULL(str);
printf(" issuer: %s\n", str);
OPENSSL_free(str);
// We could do all sorts of certificate verification stuff here before deallocating the certificate.
X509_free(server_cert);
*/
printf("\n\n");
read(); // get initial IMAP greeting
write("1 CAPABILITY\r\n"); // send 1st command
read(); // get reply to cmd; server closes connection here
// NOTE(review): the LOGIN command carries credentials; with verification
// disabled they go to an unauthenticated peer.
write("2 LOGIN a b\r\n");
read();
// Tear down in order: TLS close notification, socket, then the OpenSSL objects.
SSL_shutdown(ssl);
closesocket(sd);
SSL_free(ssl);
SSL_CTX_free(ctx);
}
It seems that the host you are trying to connect to has a buggy TLS implementation. Using the openssl command-line tool, I have discovered the following.
First of all, the file imap contains a silly IMAP session:
A1 CAPABILITY
A2 LOGIN foo bar
Then, the command:
openssl s_client -ign_eof -crlf -pause -connect 195.137.27.14:993 < imap
Fails as follows:
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/serialNumber=iGXzgDJpD6t8m5jQNY0xwwcCiwwlXzET/C=GB/O=mail1.firedupgroup.co.uk/OU=GT57369617/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=mail1.firedupgroup.co.uk
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/serialNumber=iGXzgDJpD6t8m5jQNY0xwwcCiwwlXzET/C=GB/O=mail1.firedupgroup.co.uk/OU=GT57369617/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=mail1.firedupgroup.co.uk
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3300 bytes and written 439 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: 9F1200004D888506211A976BF1CC755C873789D8256936638BF9C9E66DAA9438
Session-ID-ctx:
Master-Key: A67DE8C76371B8034AA60447ECB97ED631E55E4E713F64FAA49D2DBAC07A6339719F4C4DD4E1FD2BC5E41EDCC2CF22FE
Key-Arg : None
Start Time: 1332595025
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
* OK firedupgroup.co.uk IMAP4rev1 MDaemon 9.6.2 ready
closed
But the command:
openssl s_client -bugs -ign_eof -crlf -pause -connect 195.137.27.14:993 < imap
Succeeds:
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/serialNumber=iGXzgDJpD6t8m5jQNY0xwwcCiwwlXzET/C=GB/O=mail1.firedupgroup.co.uk/OU=GT57369617/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=mail1.firedupgroup.co.uk
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/serialNumber=iGXzgDJpD6t8m5jQNY0xwwcCiwwlXzET/C=GB/O=mail1.firedupgroup.co.uk/OU=GT57369617/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=mail1.firedupgroup.co.uk
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3300 bytes and written 423 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: 261200008CB526A49A014E97D510AA7FDA08DDAC797B8B78B3ABEEF4A64B3228
Session-ID-ctx:
Master-Key: 457E9FFB43C77E028211A0FDB9915FCB374A55445ED15498E2C5AFDBEA52C9A413CC8D79EE29ECA823E038A93363B9D6
Key-Arg : None
Start Time: 1332595088
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
* OK firedupgroup.co.uk IMAP4rev1 MDaemon 9.6.2 ready
* CAPABILITY IMAP4rev1 NAMESPACE AUTH=CRAM-MD5 AUTH=LOGIN AUTH=PLAIN IDLE ACL UNSELECT UIDPLUS
A1 OK CAPABILITY completed
A2 NO LOGIN failed
Which means you need to enable OpenSSL's bug workarounds, as described in the SSL_CTX_set_options(3) manual page.