OPEnSLab-OSU / SSLClient

🔒Add SSL/TLS functionality to any Arduino library
https://openslab-osu.github.io/SSLClient/index.html
GNU General Public License v3.0

Let's Encrypt's new ISRG Root X1 -> failure #100

Open joysfera opened 6 months ago

joysfera commented 6 months ago

Describe the bug
Built an application for ESP32 with SIM800L in early 2021; it had been working fine for almost 3 years and then it broke.

I assume it's related to the server's Let's Encrypt certificate and their recent shortening of the chain of trust: https://letsencrypt.org/2023/07/10/cross-sign-expiration.html

I went ahead and re-generated the certificate so it now looks as follows - but it didn't help:

/* This file is auto-generated by the pycert_bearssl tool.  Do not change it manually.
 * Certificates are BearSSL br_x509_trust_anchor format.  Included certs:
 *
 * Index:    0
 * Label:    ISRG Root X1
 * Subject:  CN=ISRG Root X1,O=Internet Security Research Group,C=US
 * Domain(s): iot.t-mobile.cz
 */

Screenshots/Serial Output
When calling http.post("server", 443, "/path") I now get the following SSL errors:

(SSLClient)(SSL_ERROR)(connected): Not connected because write error is set
(SSLClient)(SSL_ERROR)(m_print_ssl_error): SSL_BR_WRITE_ERROR
(SSLClient)(SSL_ERROR)(m_start_ssl): Failed to initlalize the SSL layer
(SSLClient)(SSL_ERROR)(m_print_br_error): Unknown error code: 0


joysfera commented 6 months ago

Well, after three days of hair-pulling I'm kinda giving up :-/

My code is working just fine (HTTP downloading of large binary firmware and HTTP POSTing of large JSONs) without the SSLClient library (i.e. plain HTTP to port 80) but as soon as I wrap the TinyGSM's client in the SSLClient wrapper (and change port to 443) everything stops working completely while the SSLClient library prints the following debug messages:

mConnectSSL: Start connection.
mConnectSSL: Wait for SSL handshake.
mUpdateEngine: State RECVREC
mUpdateEngine: State RECVREC
mRunUntil: SSL state changed.
mRunUntil: State RECVREC
mRunUntil: Expected bytes count: 5
                             <---------------------- here it is waiting for about 60 seconds
mRunUntil: SSL internals timed out!
mConnectSSL: Failed to initlalize the SSL layer.

The same code works fine when the TinyGSM library is thrown away and ESP32's WiFi Client is used instead. That means the SSLClient itself is OK. It just does not talk to (or cannot hear anything from) my TinyGSM for some reason (while the TinyGSM itself seems fine as it works OK unless wrapped in the SSLClient).

I'm leaving it here as kind of a heads up for others... Wish you better luck.
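The "Expected bytes count: 5" line in the debug output above is BearSSL waiting for a TLS record header: after sending ClientHello, it must read exactly five bytes (content type, protocol version, payload length) before it can parse anything the server sent back. The following is an added example, not code from SSLClient or from the issue reporter, that decodes such a header from a byte buffer and classifies what the first record back from the server means (a ServerHello, a fatal alert, or nothing at all, which is the case that ends in "SSL internals timed out!"). The byte sequences are constructed samples, not captured traffic; the alert codes and content types are the RFC 5246 values.

```cpp
// Added example (not SSLClient or reporter code): decode the 5-byte TLS
// record header BearSSL blocks on after ClientHello and classify the reply.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Record content types, RFC 5246 section 6.2.1.
enum class TlsContentType : uint8_t {
    Unknown = 0, ChangeCipherSpec = 20, Alert = 21, Handshake = 22, ApplicationData = 23
};

struct TlsRecordHeader {
    bool complete = false;                 // false: fewer than 5 bytes were available
    TlsContentType type = TlsContentType::Unknown;
    uint16_t version = 0;                  // 0x0303 = TLS 1.2 record-layer version
    uint16_t length = 0;                   // payload bytes that follow the header
};

// The five bytes BearSSL reads first; if the link never delivers them,
// SSLClient keeps polling until its internal timeout fires.
constexpr size_t kTlsRecordHeaderLen = 5;

TlsRecordHeader parse_tls_record_header(const std::vector<uint8_t>& buf) {
    TlsRecordHeader h;
    if (buf.size() < kTlsRecordHeaderLen) return h;   // not enough data yet
    switch (buf[0]) {
        case 20: h.type = TlsContentType::ChangeCipherSpec; break;
        case 21: h.type = TlsContentType::Alert; break;
        case 22: h.type = TlsContentType::Handshake; break;
        case 23: h.type = TlsContentType::ApplicationData; break;
        default: h.type = TlsContentType::Unknown; break;
    }
    h.version = static_cast<uint16_t>((buf[1] << 8) | buf[2]);
    h.length = static_cast<uint16_t>((buf[3] << 8) | buf[4]);
    h.complete = true;
    return h;
}

// Human-readable name for an alert (level, description), RFC 5246 section 7.2.
// Only the descriptions common in failed handshakes are named; others are numeric.
std::string describe_alert(uint8_t level, uint8_t description) {
    std::string name;
    switch (description) {
        case 0:   name = "close_notify"; break;
        case 10:  name = "unexpected_message"; break;
        case 40:  name = "handshake_failure"; break;
        case 42:  name = "bad_certificate"; break;
        case 45:  name = "certificate_expired"; break;
        case 46:  name = "certificate_unknown"; break;
        case 48:  name = "unknown_ca"; break;
        case 70:  name = "protocol_version"; break;
        case 80:  name = "internal_error"; break;
        case 112: name = "unrecognized_name"; break;
        default:  name = "alert_" + std::to_string(description); break;
    }
    std::string lvl = "level_" + std::to_string(level);
    if (level == 1) lvl = "warning";
    if (level == 2) lvl = "fatal";
    return lvl + " " + name;
}

// Classify the first bytes the server sent back after our ClientHello.
std::string classify_first_record(const std::vector<uint8_t>& buf) {
    TlsRecordHeader h = parse_tls_record_header(buf);
    if (!h.complete) {
        return "no record header: fewer than 5 bytes arrived (SSLClient would time out)";
    }
    switch (h.type) {
        case TlsContentType::Handshake:
            // First payload byte of a Handshake record is the message type; 2 = ServerHello.
            if (buf.size() > kTlsRecordHeaderLen && buf[kTlsRecordHeaderLen] == 2) {
                return "handshake: ServerHello, " + std::to_string(h.length) + " payload bytes";
            }
            return "handshake: non-ServerHello message";
        case TlsContentType::Alert:
            // Alert payload is two bytes: level, description.
            if (buf.size() < kTlsRecordHeaderLen + 2) return "alert: truncated";
            return "alert: " + describe_alert(buf[5], buf[6]);
        default:
            return "unexpected content type " + std::to_string(buf[0]);
    }
}

// Constructed sample inputs (not captured traffic).
std::vector<uint8_t> sample_server_hello() {
    // Handshake record, TLS 1.2, 74-byte payload beginning with ServerHello (0x02).
    return {0x16, 0x03, 0x03, 0x00, 0x4a, 0x02, 0x00, 0x00, 0x46, 0x03, 0x03};
}
std::vector<uint8_t> sample_fatal_alert() {
    // Alert record: fatal (2) handshake_failure (40).
    return {0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28};
}
std::vector<uint8_t> sample_nothing_received() {
    return {};                             // a silent link: the reporter's case
}

int main() {
    std::printf("%s\n", classify_first_record(sample_server_hello()).c_str());
    std::printf("%s\n", classify_first_record(sample_fatal_alert()).c_str());
    std::printf("%s\n", classify_first_record(sample_nothing_received()).c_str());
    return 0;
}
```

Feeding the first bytes read from the modem into classify_first_record separates the two failure modes that look identical in the SSLClient log: a server that answers with an alert (a trust or protocol problem, which a new trust anchor might fix) and a link that returns nothing at all (a transport problem between the wrapper and the underlying client, which no certificate change can fix).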