I'm facing an issue with the ESP8266HTTPClient and SSL.
#include <ESP8266HTTPClient.h>
const char* url= "https://someUrl.com";
const char* fingerPrint= "SO ME SH A1 FI NG ER PR IN T";
HTTPClient http;
http.begin(url, fingerPrint);
http.GET();
When doing this I receive the following in debug log:
State: sending Client Hello (1)
Alert: handshake failure
Error: SSL error 40
Alert: unexpected message
Error: SSL error 40
Alert: close notify
[HTTP-Client] failed connect to someUrl.com:443
I tried to check the fingerprint on grc and got the following response:
The SSL/TLS security certificate obtained from the remote server was invalid. The trouble was severe enough that we were unable to obtain the certificate's common name and/or fingerprint. There is a server answering on the HTTPS port 443 of the IP address associated with the domain name you supplied (shown above). But the server may be answering HTTPS as if it was HTTP and returning a web page rather than a proper SSL/TLS setup handshake. (We have encountered this behavior.)
Which makes me believe that there is something wrong with the SSL configuration on the host.
But there are no issues with the certificate when visiting the url with my browser (tried IE, Edge and FireFox).
According to this comment to an issue on github there are only two supported cipher suites:
TLS_RSA_WITH_AES_128_CBC_SHA and
TLS_RSA_WITH_AES_256_CBC_SHA
The host supports the following cipher suites:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Is there any chance to perform a HTTPS request to this host on an ESP8266 anyway? Maybe another HttpClient library?
Unfortunately not with the Arduino ESP8266 as it uses axTLS regardless of what HTTP client library you use. They simply do not support it.
However, the SDK from Espressif switched to mbedTLS a little while back, and mbedTLS Supported Cipher Suites show that it includes support for those ciphers. Code made with the Arduino SDK will be largely uncompatible with the Espressif SDK, however.
According to https://github.com/esp8266/Arduino/issues/2771 the Arduino ESP8266 Library is now being switched to BearSSL which supposedly supports more ciphers. Unfortunately my knowledge is insufficient (been trying for 2 days now) to implement the fix, since I have the same problem (need to login to capture portal on SSL for wifi access), but hopefully I will soon find out.
Related
I am trying to communicate via SignalR with a server which requires client authentication with a certificate. Hence, i receive the following error when trying to start the connection:
"connection could not be started due to: WinHttpSendRequest: 12044: A certificate is required to complete client authentication".
My program is in cpp, so i use the SignalR-Client-Cpp which is integrate to my project via vcpkg.
My implementation is similar to the example in readme.md, you can use it as a base for a sample code.
My client-certificate is stored in Windows certificate store. How can I establish the connection with this certificate?
I am getting this error, any idea what is causing it? I read somewhere in the forum to change https to http or disconnect from VPN. I tried both, it is still failing.
However, the same collection and environment setup is working fine in my colleagues laptop.
Also, my other collection with different environment works fine.
Error: Client network socket disconnected before secure TLS connection was established
Socket error usually comes when you have proxy issues :
see if your proxy settings are correct
I have same problem.
In my case I add client certificate in Settings->Certificates->Client Certificates
I had same error - in my case the proxy configuration was not supporting HTTPS. So you might just use proxy type HTTP
Trying to create my own simple MITM-proxy for the specific app which using TLS 1.2 protocol and connecting to several IP addresses, however got in stuck with the error in the app log "Certificate verify failed". How to solve this problem?
The app using about the following code to check the cert:
X509* cert = SSL_get_peer_certificate( ssl );
X509_STORE_CTX * xCtx = X509_STORE_CTX_new();
X509_STORE_CTX_init( xCtx, (X509_STORE*)Store, cert, NULL );
int res = X509_verify_cert( xCtx );
if( !res ) { /*Certificate verify failed*/ };
I did the following steps to achieve the result:
Created CA root key and self-signed certificate according to this manual. It is a bit outdated, so i have made some changes like md5 to sha256, also I didn't use pass phrase, used different key size and other minor changes.
Created proxy key and certificate using the above Root CA to sign it.
Both certificates have been added to the Local Computer Certificates in Personal and Trusted Root Certification Authorities (not sure if this was necessary). Btw, I'm using Windows 10.
Wrote a simple proxy server using sample code from here. Cert.pem and Key.pem took from the second step.
Changed all IP addresses in the app to 127.0.0.1:443 to see if TLS connection established successfully and we can receive first message with an Application Data.
I believe that connection established properly, because WireShark shows common sequence for establishing a TLS connection: Client/Server hello, Certificate, Client key exchange, two encrypted handshake messages. Moreover, using OpenSSL for testing connection:
openssl s_client -connect localhost:443
allow me to write some message and later successfully receive it using SSL_Read() in proxy server. However, there are some errors:
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
Verify return code: 21 (unable to verify the first certificate)
Using OpenSSL client to directly connect to the original IP addresses give the same errors, but application works great.
Also the output:
openssl verify -CAfile "signing-ca-1.crt" "cert.crt"
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
e:\MyProg\SSL_serv\Debug\cert.crt: OK
It seems that I missed something important. Could you please tell me how to solve this problem with cert?
One of the very purposes of having certificates, along with certificate authorities, is to prevent MITM. The app you are trying trick does the proper thing and checks the certificate. And it doesn't like your's. Its really that simple.
Is it possible to circumvent it and run MITM on an app anyway? Absolutely! Is it going to be easy? Probably not. What you need to do is to patch the app and remove this certificate check.
I downloaded Asio Standalone and would like to run the ssl example (client and server) provided with the Asio source code on my local computer. I managed to get the library running. The code compiles without errors. But I think the client has a problem reading the server certificate from the certificate store on my debian system in /etc/ssl/certs. Because I get the following error:
Handshake failed: certificate verify failed
What I did so far:
I created the server certificate and key as descripted in my last post and added the crt file to /etc/ssl/certs
I set the verify_path on client side as following:
asio::ssl::context ctx(asio::ssl::context::tlsv11);
ctx.set_default_verify_paths();
I start the server on port 8877 on my local computer
I start the client with host IP 127.0.0.1 and port 8877
then I get the error as mentioned above.
Am I right that asio finds my certificate? (because otherwise I would expect an error 'file_not_found' or something like that) Why is the certificate not valid? Because I self-signed it or because I don't use 127.0.0.1 as a 'Common Name' in the certificate ? But I guess the client should accept a self-signed certificate in it's local certificate store...
I would like to authenticate securely from C++ client application with OpenLDAP server, for example, using SSL/TLS or SASL. I use Windows 7 64-bit operating system.
I tried this example:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa366105%28v=vs.85%29.aspx
But it fails in this function call:
ULONG ldapConn = ldap_connect(pLdapConnection, NULL);
The return code from ldap_connect is 81 (dec).
I have installed OpenLDAP to my computer from here:
http://www.userbooster.de/en/download/openldap-for-windows.aspx
I use 127.0.0.1 (localhost) as the host.
OpenLDAP debug log looks like this:
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Unknown error
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: activity on 1 descriptor
daemon: waked
daemon: WSselect: listen=2 active_threads=0 tvp=NULL
daemon: WSselect: listen=3 active_threads=0 tvp=NULL
According to the log it seems that this is somehow related to certificates. The OpenLDAP configuration is the about default from the installation package, for example:
TLSVerifyClient never
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCertificateFile ./secure/certs/server.pem
TLSCertificateKeyFile ./secure/certs/server.pem
TLSCACertificateFile ./secure/certs/server.pem
Does someone know why ldap_connect fails?
Or does someone know a useful tutorial or C++ code example concerning this topic? It is especially unclear to me how the client certificates are linked to the client code. In other words, how it is defined in the client C++ code, where the certificates are obtained during the authentication.
BR,
Tuomo
Found this article: http://www.openldap.org/lists/openldap-technical/200903/msg00061.html. Looks like you might want to change out TLSCipherSuite HIGH:MEDIUM:-SSLv2 to TLSCipherSuite HIGH:MEDIUM:+SSLv2.