Links2004 / arduinoWebSockets

arduinoWebSockets
GNU Lesser General Public License v2.1

Using Cloudflare breaks SSL #511

Open timoschuetz opened 4 years ago

timoschuetz commented 4 years ago

When using Cloudflare in front of a websocket server (I am using the ws package for nodejs), it breaks the SSL connection and I get an SSL error 40. Cloudflare is set on full (strict) SSL mode. Other libraries, e.g. the nodejs ones, work perfectly fine with it. The server is not the problem, as a direct SSL connection to the server is working, but not through Cloudflare. I have set up the websocket server with Cloudflare's origin certificates. Using the SSLClient example for the ESP8266 code for testing.

What needs to get adjusted in Cloudflare to get this working?

Here is the debug log from the ESP8266:

16:44:24.330 -> [WS-Client] connect wss...
16:44:24.330 -> [hostByName] request IP for: my.domain
16:44:24.330 -> [hostByName] Host: my.domain IP:
16:44:24.363 -> :ref 1
16:44:24.397 -> :ref 2
16:44:24.397 -> :wr 90 90 0
16:44:24.397 -> :wrc 90 90 0
16:44:24.431 -> :ack 90
16:44:24.431 -> :rn 7
16:44:24.431 -> :rcl
16:44:24.431 -> :abort
16:44:24.431 -> :rd 5, 7, 0
16:44:24.431 -> :rdi 7, 5
16:44:24.431 -> :rd 2, 7, 5
16:44:24.431 -> :rdi 2, 2
16:44:24.431 -> :c0 2, 7
16:44:24.431 -> Error: SSL error 40
16:44:24.431 -> :ur 2
16:44:24.431 -> [WS-Client] connection to my.domain:8443 Failed
16:44:24.465 -> :ur 1
16:44:24.465 -> :del
16:44:24.465 -> [WS-Client] client disconnected.
16:44:24.465 -> [WSc] Disconnected!

Links2004 commented 4 years ago

the error is coming from the SSL lib of the ESP8266 core (SSL_ALERT_HANDSHAKE_FAILURE) https://github.com/esp8266/Arduino/blob/eea9999dc5eaf464a432f77d5b65269f9baf198d/libraries/ESP8266WiFi/src/include/ssl.h#L138

Hard to say what is wrong, but my bet is that the TLS/SSL versions supported by Cloudflare are not supported by the ESP TLS lib.

are you on the latest version of the ESP8266 core?

Tusharkumar0012 commented 2 years ago

same behaviour

Everything is working on localhost. When I close the proxy on Cloudflare the ESP connects to the server, but when the proxy is on the ESP does not connect.

Tusharkumar0012 commented 2 years ago

> the error is coming from the SSL lib of the ESP8266 core (SSL_ALERT_HANDSHAKE_FAILURE) https://github.com/esp8266/Arduino/blob/eea9999dc5eaf464a432f77d5b65269f9baf198d/libraries/ESP8266WiFi/src/include/ssl.h#L138
>
> Hard to say what is wrong, but my bet is that the TLS/SSL versions supported by Cloudflare are not supported by the ESP TLS lib.
>
> are you on the latest version of the ESP8266 core?

yes you got it right.

Cloudflare by default enables the HTTP3/QUIC protocol for the website. I think this is not supported by the ESP8266 core library. When I disable HTTP3/QUIC under the Network tab in Cloudflare, the ESP8266 is able to connect with SSL, no problems at all. I believe HTTP2 and TLS1.3 along with the IP masking provided by Cloudflare is good security.

Tusharkumar0012 commented 2 years ago

UPDATE::

It suddenly stopped working even after disabling HTTP3/QUIC. I spent some hours troubleshooting (actually an entire day). It appears to me that the ESP8266 does not support TLS1.3. Now I got the ESP8266 to connect again after setting the minimum TLS version to TLS1.2 in Cloudflare under SSL/TLS => Edge Certificates => Minimum TLS Version.

Will keep on updating. Hope it ends here, as anything under HTTP2 and TLS1.2 would be a security problem.