Closed bvanpoortvliet closed 2 years ago
Hi @bvanpoortvliet
Thanks for your interest in the library and I'm glad that it's somehow useful to your use-case.
As you're experiencing, the usage of SSL (especially the drastic AWS way of renewing its certificate every 3 months) brings us safety as well as the complexity of handling and managing it.
SSL won't work unless we're updating the SSL certificates somehow someway.
IMHO, the best solution can be to rewrite your code to permit updating the trust anchors on-the-fly, by writing a program / script to check with AWS's trust anchors whenever there is a mismatch (using a checksum, etc.) between the local and the server's trust anchors. Anyway, trust anchors are just a manageable array of bytes.

Another not-so-bad solution is to connect the Teensy not directly to AWS, but via a managed local server (running on a PC, etc.); the server will then forward the requests / responses from/to the Teensy. A PC can normally have a user-friendly and transparent way to handle updated SSL certificates, without user intervention and knowledge.
As this is an interesting scenario, I'd appreciate if you can post the solution / idea / discussion so that other users can benefit from it.
As this is not a bug or issue of the library, I'm closing this now and suggest that you open a discussion for this matter.
Regards,
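The on-the-fly update sketched above, as an added example that is not code from the library or from either participant: the trust anchors live in a RAM buffer instead of a compiled-in constant, a CRC-32 advertised by the update source is compared against the local one, and the buffer is only replaced when the downloaded blob matches that checksum. The `ta_store_*` names, the 1024-byte limit and the CRC-32 choice are assumptions; note that a CRC only detects a corrupted download, so the blob itself still has to arrive over an authenticated channel or carry a signature before it is trusted.

```c
// Added example (not from the library or the issue author).
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

#define TA_MAX_LEN 1024            /* assumed upper bound for the DER anchor blob */

typedef struct {
    uint8_t  bytes[TA_MAX_LEN];    /* trust anchor DER bytes currently in use */
    size_t   len;
    uint32_t crc;                  /* CRC-32 of bytes[0..len) */
} ta_store_t;

/* Standard CRC-32 (IEEE 802.3, reflected, poly 0xEDB88320), bit-serial. */
uint32_t crc32_ieee(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Load the anchors compiled into the firmware (e.g. from trust_anchors.h). */
bool ta_store_init(ta_store_t *s, const uint8_t *blob, size_t len) {
    if (len == 0 || len > TA_MAX_LEN) return false;
    memcpy(s->bytes, blob, len);
    s->len = len;
    s->crc = crc32_ieee(blob, len);
    return true;
}

/* Mismatch between the local checksum and the one the server advertises. */
bool ta_store_needs_update(const ta_store_t *s, uint32_t server_crc) {
    return s->crc != server_crc;
}

/* Swap in a downloaded blob only if it fits and matches the advertised
   checksum; on any failure the previous anchors stay untouched. */
bool ta_store_update(ta_store_t *s, const uint8_t *blob, size_t len,
                     uint32_t server_crc) {
    if (len == 0 || len > TA_MAX_LEN) return false;
    if (crc32_ieee(blob, len) != server_crc) return false;  /* corrupted download */
    memcpy(s->bytes, blob, len);
    s->len = len;
    s->crc = server_crc;
    return true;
}
```

After a successful `ta_store_update`, the SSL client must be re-initialised with `s->bytes`/`s->len` so the new anchors take effect on the next connection.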
Teensy 4.1 stops posting whenever the server it posts to renews its SSL certificate.
We are using a Teensy 4.1 in combination with your library in combination with QNEthernet to post data to an InfluxDB instance hosted on AWS. Recently we have discovered that the Teensy stops posting whenever the (3 month valid) SSL certificate on AWS renews, generating the errors below.
(EthernetSSLClient)(SSL_ERROR)(available): Cannot operate on a closed SSL connection.
(EthernetSSLClient)(SSL_ERROR)(m_print_br_error): Certificate is expired or not yet valid.
Could you inform us what would be the best way to go about this issue without having to recompile and upload to the Teensy? We plan to deploy around 500 Teensys in the field spread over various countries, which is why recompiling and uploading every quarter is not an option for us.
Steps to Reproduce
Open WebClient_SSL or WebClientMulti_SSL from examples/EthernetWebServer_SSL/QNEthernet
Generate trust anchors and paste in trust_anchors.h
Change request to POST and fill in correct host
Compile, flash and run on Teensy
Check print-statements in serial monitor to check if post is successful
Change server certificate
Powercycle Teensy
Check print-statements in serial monitor to check if post is successful
Expected behavior
Continuous posting when SSL certificate on server is renewed.
Actual behavior
No post, these errors are generated:
(EthernetSSLClient)(SSL_ERROR)(available): Cannot operate on a closed SSL connection.
(EthernetSSLClient)(SSL_ERROR)(m_print_br_error): Certificate is expired or not yet valid.
Information