khoih-prog / EthernetWebServer_SSL

Simple TLS/SSL Ethernet WebServer, HTTP Client and WebSocket Client library for AVR, Portenta_H7, Teensy, SAM DUE, SAMD21, SAMD51, STM32F/L/H/G/WB/MP1, nRF52 and RASPBERRY_PI_PICO boards using Ethernet shields W5100, W5200, W5500, ENC28J60 or Teensy 4.1 NativeEthernet/QNEthernet. It now supports an Ethernet TLS/SSL Client. The library supports HTTP/HTTPS GET and POST requests, provides argument parsing, and handles one client at a time. It supports Arduino boards (SAM DUE, Atmel SAM3X8E ARM Cortex-M3, SAMD21, SAMD51, ESP8266, ESP32, Adafruit nRF52, Teensy boards) using Wiznet W5x00 or ENC28J60 network shields. Ethernet_Generic library is used as default for W5x00 with custom SPI
GNU General Public License v3.0

Error when SSL certificate is renewed #9

Closed bvanpoortvliet closed 2 years ago

bvanpoortvliet commented 2 years ago

Teensy 4.1 stops posting whenever the server it posts to renews its SSL certificate.

We are using a Teensy 4.1 in combination with your library in combination with QNEthernet to post data to an InfluxDB instance hosted on AWS. Recently we have discovered that the Teensy stops posting whenever the (3 month valid) SSL certificate on AWS renews, generating the errors below.

(EthernetSSLClient)(SSL_ERROR)(available): Cannot operate on a closed SSL connection.
(EthernetSSLClient)(SSL_ERROR)(m_print_br_error): Certificate is expired or not yet valid.

Could you inform us what would be the best way to go about this issue without having to recompile and upload to the Teensy? We plan to deploy around 500 Teensys in the field spread over various countries, which is why recompiling and uploading every quarter is not an option for us.

Steps to Reproduce

  1. Open WebClient_SSL or WebClientMulti_SSL from examples/EthernetWebServer_SSL/QNEthernet
  2. Generate trust anchors and paste in trust_anchors.h
  3. Change request to POST and fill in correct host
  4. Compile, flash and run on Teensy
  5. Check print-statements in serial monitor to check if post is successful
  6. Change server certificate
  7. Powercycle Teensy
  8. Check print-statements in serial monitor to check if post is successful

Expected behavior

Continuous posting when SSL certificate on server is renewed.

Actual behavior

No post, these errors are generated:

(EthernetSSLClient)(SSL_ERROR)(available): Cannot operate on a closed SSL connection.
(EthernetSSLClient)(SSL_ERROR)(m_print_br_error): Certificate is expired or not yet valid.

Information

khoih-prog commented 2 years ago

Hi @bvanpoortvliet

Thanks for your interest in the library and I'm glad that it's somehow useful to your use-case.

As you're experiencing, the usage of SSL (especially the drastic AWS way of updating its certificate every 3 months) brings us the safety as well as the complexity to handle and manage.

SSL won't work unless we're updating the SSL certificates somehow someway.

IMHO, the best solution can be to rewrite your code to permit updating the trust anchors on the fly by

  1. Creating an HTTP/HTTPS server with updated trust anchors
  2. Update the server trust anchors by writing a program / script to check with AWS
  3. Teensy will periodically check and auto-update the trust anchors whenever there is a mismatch (using checksum, etc.) between local and server's trust anchors. Anyway, trust anchors are just a manageable array of bytes.

Another not-so-bad solution is to connect the Teensy not directly to AWS, but via a managed local server (running on a PC, etc.), then the server will forward the requests / responses from/to Teensy. A PC can normally have a user-friendly and transparent way to handle updated SSL certificates, without user intervention and knowledge.

As this is an interesting scenario, I'd appreciate it if you could post the solution / idea / discussion so that other users can benefit from it.

As this is not a bug or issue of the library, I'm closing this now and suggest that you open a discussion for this matter.

Regards,
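A sketch of the checksum-gated trust-anchor update check described in the reply above (step 3), as an added example that is not the library's or the maintainer's code. The bundle framing, the FNV-1a checksum and all function names are assumptions; the device fetch itself is left out and the bundle is assumed to arrive over the existing authenticated HTTPS connection.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Assumed bundle layout (an assumption, not the library's trust_anchors.h format):
//   [4-byte big-endian body length][body: serialized anchors][4-byte FNV-1a over length+body]
// FNV-1a is cheap on an MCU but integrity-only: anyone who can alter the bundle can
// recompute it, so the bundle must still be fetched over an authenticated channel.
static uint32_t fnv1a32(const uint8_t* d, size_t n) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; ++i) { h ^= d[i]; h *= 0x01000193u; }
    return h;
}
static uint32_t readBE32(const uint8_t* p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void writeBE32(std::vector<uint8_t>& v, uint32_t x) { for (int s = 24; s >= 0; s -= 8) v.push_back((uint8_t)(x >> s)); }

// Server side: what the "program / script that checks with AWS" would publish.
std::vector<uint8_t> makeBundle(const std::vector<uint8_t>& body) {
    std::vector<uint8_t> out;
    writeBE32(out, (uint32_t)body.size());
    out.insert(out.end(), body.begin(), body.end());
    writeBE32(out, fnv1a32(out.data(), out.size()));
    return out;
}

struct Bundle { uint32_t checksum = 0; const uint8_t* body = nullptr; size_t len = 0; };

// Structural and checksum validation; maxLen caps the RAM the device will commit.
bool parseBundle(const std::vector<uint8_t>& raw, Bundle& out, size_t maxLen) {
    if (raw.size() < 8) return false;
    size_t len = readBE32(raw.data());
    if (len == 0 || len > maxLen || raw.size() != 8 + len) return false;
    uint32_t stored = readBE32(raw.data() + 4 + len);
    if (stored != fnv1a32(raw.data(), 4 + len)) return false;
    out.checksum = stored; out.body = raw.data() + 4; out.len = len;
    return true;
}

enum class Verdict { Unchanged, UpdateNeeded, Rejected };

// Device side: only a well-formed, checksum-valid remote bundle may replace the local
// anchors; a corrupt local copy is always replaced; identical bodies are a no-op.
Verdict checkForUpdate(const std::vector<uint8_t>& local, const std::vector<uint8_t>& remote, size_t maxLen) {
    Bundle l, r;
    if (!parseBundle(remote, r, maxLen)) return Verdict::Rejected;
    if (!parseBundle(local, l, maxLen)) return Verdict::UpdateNeeded;
    bool same = l.len == r.len && std::equal(l.body, l.body + l.len, r.body);
    return same ? Verdict::Unchanged : Verdict::UpdateNeeded;
}

// Test helper: a download with one body byte flipped, so the stored checksum is stale.
std::vector<uint8_t> corruptCopy(std::vector<uint8_t> b, size_t idx) { b.at(idx) ^= 1; return b; }
```

On the device, `UpdateNeeded` is the only verdict that should trigger a write of the new anchors; `Rejected` keeps the current set and is worth logging, since a stream of rejections indicates a broken update server rather than a certificate rotation.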