Closed PerMalmberg closed 5 years ago
jitin17
commented
5 years ago @PerMalmberg Since openssl s_client yields expected results, I speculate that the problem is not with something related to ESP32 but with a self-signed certificate.
To see if this is true, can you supply -k(allows insecure connections) option to the curl command, something like this curl -k --cacert root_ca.crt -vv <url>
PerMalmberg
commented
5 years ago @jitin17 Without -k, curl is expected to reject the certificate, as per above output it doesn't get far enough in the handshake to do that. But, just for the record, here is the output you asked for:
> curl -vv -k https://192.168.10.94:8443
* Expire in 0 ms for 6 (transfer 0x5558316384f0)
* Trying 192.168.10.94...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5558316384f0)
* Connected to 192.168.10.94 (192.168.10.94) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.10.94:8443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.10.94:8443
negativekelvin
commented
5 years ago What is the mbedtls debug output from esp32?
PerMalmberg
commented
5 years ago What is the mbedtls debug output from esp32?
Right, I thought I wrote a note about that in the original post. I've been unable to enable mbedTLS debugging on the ESP, even after enabling it via menuconfig. I can't get it to link (undefined references to the debug functions). I've tried hard coding it to be enabled in the mbedtls component, but I can't get it to output anything.
PerMalmberg
commented
5 years ago I can now answer my own question: No, I'm not naive to think the same implementation of mbedTLS should works on both Linux and ESP32.
The problem has turned out to be that the TLS handshake takes nearly 5 seconds and I had a timeout of 1.5s and didn't log when the socket was closed.
Hi,
Some background for those that don't know: I develop a C++ framework for the ESP32 on top of ESP-IDF, with the main purpose of being event driven, nearly memory static and allowing applications being compiled/development natively on Linux (to allow the use of Adress Sanitizers etc) before being compiled using xtensa-gcc8 and then run on the ESP32.
I've just implemented server-side socket management which I've used to build an HTTP-server. I also added support for TLS (using mbedTLS).
Now, to my problem:
192.168.10.94is the ESP32, using a self-signed certificate.Things are working just fine both with and without TLS as long things run natively on Linux. Non-TLS works fine on the ESP32, but anything using TLS on the ESP32 fails.
https://localhost:8443displays/downloads the expected webpage including the 1000 images it links to.http://localhost:8080, i.e. non-TLS works.Compiling the same code and running it on the the ESP32 the result is this:
http://l192.168.10.94:8080works as expected.https://192.168.10.94:8443a connection cannot be established:What baffles me is that OpenSSL is able to do a handshake from the same machine curl and wget are run:
openssl s_client -connect 192.168.10.94:8443 -CAfile root_ca.crtQuestion: Am I being naive thinking that if my usage of mbedTLS works on native Linux, it should also work on the ESP32? If yes, what are the differences between how sockets and mbedTLS works on the ESP32 vs native Linux that I've missed? I have read the docs for both IDF and mbedTLS more times than I care to count, but I've seen no mention of such differences.
The most relevant code is SecureSocket, but I don't really expect anyone to read through it all since it requires the entire framework to build and run.
For the brave and curious, here's a short summary of whats needed to get it to run:
Clone the https://github.com/PerMalmberg/Smooth/tree/feature/15-ServerSocket branch, and then build the
http_server_test(pre-selected in smooth/test/CMakeList.txt) by running these commands in<location of repo>/build. Be sure to use the IDF-version and gcc mentioned at the beginning of this post.You'll have to prepare an SDCard with the
web_rootfolder, for example the one found insmooth/test/http_server_test/static_contentor just create your ownindex.htmlpage. I'm using a WROOVER DevKit 3.x board so if your SD Card uses different pins on the ESP32 you can changes those on line 148 ofsmooth/test/http_server_test/http_server_test.cppAlso, change the SSID and password in
smooth/test/http_server_test/wifi_creds.h.To build it for native Linux, just compile it from the same location as any other CMake project.