khoih-prog / EthernetWebServer_SSL

Simple TLS/SSL Ethernet WebServer, HTTP Client and WebSocket Client library for AVR, Portenta_H7, Teensy, SAM DUE, SAMD21, SAMD51, STM32F/L/H/G/WB/MP1, nRF52 and RASPBERRY_PI_PICO boards using Ethernet shields W5100, W5200, W5500, ENC28J60 or Teensy 4.1 NativeEthernet/QNEthernet. It now supports Ethernet TLS/SSL Client. The library supports HTTP/HTTPS GET and POST requests, provides argument parsing, and handles one client at a time. It supports Arduino boards (SAM DUE, Atmel SAM3X8E ARM Cortex-M3, SAMD21, SAMD51, ESP8266, ESP32, Adafruit nRF52, Teensy boards) using Wiznet W5x00 or ENC28J60 network shields. Ethernet_Generic library is used as default for W5x00 with custom SPI
GNU General Public License v3.0

How to compute trusted anchor array #25

Closed simogaspa84 closed 1 year ago

simogaspa84 commented 1 year ago

Hi @khoih-prog ..

I have created a new device in AWS for testing your amazing lib... I am getting this error:

(EthernetSSLClient)(SSL_ERROR)(available): Cannot operate on a closed SSL connection

Reading from your example, you say that you obtain the trusted anchor array from this website

https://www.amazontrust.com/repository/AmazonRootCA1.pem

but when I try to use the tool on the website the resulting array is different

[image]

Instead in the code it is

[image]

Can you explain the difference?

If I create a new board on aws i have to change

1. ThingName
2. Endpoint
3. Device certificate
4. Private key

Do I have to modify also the trusted anchor array ?

The endpoint in the new device is in europe

zzzzzzzzzz-ats.iot.eu-central-1.amazonaws.com

My CA Certificate

AWS_CERT_CA:

```
-----BEGIN CERTIFICATE-----
MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
rqXRfboQnoZsG4q5WTP468SQvvG5
-----END CERTIFICATE-----
```

Do I have to generate a different trusted anchor array?

Thanks a lot as always

khoih-prog commented 1 year ago

Hi @simogaspa84

I don't think I have time to deal with the matter; I just gave some general way to get the basic data.

https://github.com/khoih-prog/EthernetWebServer_SSL/blob/fc79ef0399f898ac6fa0f3897305d52cd6f85db0/examples/AWS_IoT/AWS_Root_CA.h#L9-L15

https://github.com/khoih-prog/EthernetWebServer_SSL/blob/fc79ef0399f898ac6fa0f3897305d52cd6f85db0/examples/AWS_IoT/AWS_IoT.ino#L11-L22

Anyway, it's possible the SSL certificates have been changed, and it's your job to update as necessary if they are not working anymore.

The SSL certificates are dynamic, so don't expect them not to change (expired, optional update, etc.).

You can also ask the question on related Forums (Arduino, Amazon, etc.)

simogaspa84 commented 1 year ago

Thanks @khoih-prog .. So starting from the certificate and running the Python script I should obtain the trusted anchor arrays... Is it correct?

Regards
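As an added example (not part of this issue, of EthernetWebServer_SSL, or of the script the thread refers to), here is the transformation the question is about, done with only the Python standard library: a trust anchor is nothing more than the certificate's subject DN (in DER, SEQUENCE header included) plus its RSA public key (modulus and exponent), flagged as a CA when basicConstraints says cA=TRUE. The input is the Amazon Root CA 1 certificate pasted above. The output layout and the names `TA0_DN`, `TA0_RSA_N`, `TA0_RSA_E` and `TAs` follow BearSSL's `br_x509_trust_anchor` convention; the tool-specific wrapper (`TAs_NUM`, include guards) is left out, and only RSA anchors are handled, both of which are choices made here rather than anything the thread states.

```python
# Added example (not EthernetWebServer_SSL code): derive a BearSSL-style trust
# anchor from a PEM CA certificate with the standard library only. The anchor is
# the subject DN (DER, SEQUENCE header included) plus the RSA modulus/exponent,
# flagged BR_X509_TA_CA when basicConstraints says cA=TRUE. RSA keys only.
import base64
from collections import namedtuple

OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")            # 2.5.29.19
TrustAnchor = namedtuple("TrustAnchor", "dn rsa_n rsa_e is_ca")

# Amazon Root CA 1 as pasted in the issue (a public root certificate).
AMAZON_ROOT_CA1_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsFADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6\n"
    "b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv\n"
    "b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXjca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM\n"
    "9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qwIFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6\n"
    "VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm\n"
    "jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA\n"
    "A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDIU5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs\n"
    "N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vvo/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU\n"
    "5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpyrqXRfboQnoZsG4q5WTP468SQvvG5\n"
    "-----END CERTIFICATE-----"
)

def pem_to_der(pem):
    """Strip the PEM armour; also accepts the flattened one-line paste form."""
    body = pem.replace("-----BEGIN CERTIFICATE-----", "").replace("-----END CERTIFICATE-----", "")
    return base64.b64decode("".join(body.split()))

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """All TLVs in buf[start:end] as (tag, tlv_start, value_start, value_end)."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        out.append((tag, pos, vs, ve))
        pos = ve
    return out

def basic_constraints_ca(der, tbs_fields):
    """True if the basicConstraints extension carries cA=TRUE."""
    for tag, _, vs, ve in tbs_fields:
        if tag != 0xA3:                    # [3] EXPLICIT Extensions
            continue
        (_, _, seq_s, seq_e), = children(der, vs, ve)
        for _, _, ext_s, ext_e in children(der, seq_s, seq_e):
            parts = children(der, ext_s, ext_e)   # OID, [critical], OCTET STRING
            if der[parts[0][2]:parts[0][3]] != OID_BASIC_CONSTRAINTS:
                continue
            _, bc_s, bc_e = read_tlv(der, parts[-1][2])   # SEQUENCE inside the OCTET STRING
            inner = children(der, bc_s, bc_e)
            return bool(inner) and inner[0][0] == 0x01 and der[inner[0][2]] == 0xFF
    return False

def trust_anchor_from_pem(pem):
    der = pem_to_der(pem)
    _, cert_s, _ = read_tlv(der, 0)                # Certificate SEQUENCE
    _, tbs_s, tbs_e = read_tlv(der, cert_s)        # tbsCertificate SEQUENCE
    fields = children(der, tbs_s, tbs_e)
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serial, signatureAlgorithm, issuer, validity, subject, spki, ...
    _, subj_start, _, subj_end = fields[4]
    dn = der[subj_start:subj_end]                  # whole Name TLV, as BearSSL expects
    alg, bitstr = children(der, fields[5][2], fields[5][3])[:2]
    oid = children(der, alg[2], alg[3])[0]
    if der[oid[2]:oid[3]] != OID_RSA_ENCRYPTION:
        raise ValueError("only RSA trust anchors are handled here")
    _, key_s, key_e = read_tlv(der, bitstr[2] + 1) # skip the BIT STRING unused-bits byte
    n_tlv, e_tlv = children(der, key_s, key_e)[:2]
    rsa_n = der[n_tlv[2]:n_tlv[3]].lstrip(b"\x00") # drop INTEGER sign padding
    rsa_e = der[e_tlv[2]:e_tlv[3]].lstrip(b"\x00")
    return TrustAnchor(dn, rsa_n, rsa_e, basic_constraints_ca(der, fields))

def c_array(name, data):
    return f"static const unsigned char {name}[] = {{ " + ", ".join(f"0x{b:02x}" for b in data) + " };"

def render_bearssl(ta, idx=0):
    """Emit the anchor in the layout BearSSL's br_x509_trust_anchor uses."""
    flags = "BR_X509_TA_CA" if ta.is_ca else "0"
    return "\n".join([
        c_array(f"TA{idx}_DN", ta.dn),
        c_array(f"TA{idx}_RSA_N", ta.rsa_n),
        c_array(f"TA{idx}_RSA_E", ta.rsa_e),
        "static const br_x509_trust_anchor TAs[] = {",
        f"  {{ {{ (unsigned char *)TA{idx}_DN, sizeof TA{idx}_DN }}, {flags},",
        f"    {{ BR_KEYTYPE_RSA, {{ .rsa = {{ (unsigned char *)TA{idx}_RSA_N, sizeof TA{idx}_RSA_N,",
        f"      (unsigned char *)TA{idx}_RSA_E, sizeof TA{idx}_RSA_E }} }} }} }}",
        "};",
    ])

if __name__ == "__main__":
    print(render_bearssl(trust_anchor_from_pem(AMAZON_ROOT_CA1_PEM)))
```

Two things worth checking with this: the array depends only on the certificate's subject DN and public key, so two correct tools fed the same PEM produce byte-identical `TA0_DN` and `TA0_RSA_N` arrays (if they differ, one of them was fed a different certificate); and the anchor must be the root that the endpoint's certificate chain actually leads to, so an endpoint whose chain ends at a different root needs that root's anchor, not this one. Note also that `basic_constraints_ca` is an assumption of this example about how the CA flag should be derived; an anchor without `BR_X509_TA_CA` cannot validate a chain.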