SSL handshake fail with Firebase

[mavishak]

06-07-2021 Up to a few days ago our ESP connection with firebase was working great. Then we didn't use the device for a few days and, out of the blue, the device is not succeeding to create an SSL connection with firebase.

Note: We had some Firebase billing issues that were taken care of right before this happened.

We are getting:

AT+CIPSSLSIZE=4096

OK AT+CIPSTART="SSL","project-host",443

ERROR CLOSED

It manages to pass by if the output is:

ALREADY CONNECTED

ERROR

or:

CONNECT

OK

This appeared once:

AT+CIPSSLSIZE=4096

must close SSL link

ERROR

Note: the handshake stopped working all together now, from all 4 ESP WiFi modules one day later

[mavishak]

06-07-2021 _Here is a documentation of AT+CIPSTART https://docs.espressif.com/projects/esp-at/en/latest/AT_Command_Set/TCP-IP_AT_Commands.html#cmd-start_

Try List:

• [x] RESET device - an actual reset not just AT+RST
• Tried resetting flash memory - AT+RESTORE. The response was OK but it made no difference.
• [x] Monitor device SSL handshake with firebase using communication monitoring tools
• Tried monitoring with Wireshark but did not find an SSL connection handshake - it seems that it is impossible to monitor the WiFi module unless you flash a special library to it - Connect ESP to Firebase
• [x] Enlarge SSL buffer
• This might be the solution as it is what we needed to do last time. But the buffer is as large as it can get
• [x] Change ESP baude rate to 9600
• Tried this - returned error both ESP-01 and ESP-01S. Note: the device was connected directly to the PC so it is not due to our code.
• [x] Contact firebase
• We sent an email, the response did not help. We sent another email - it did not help
• [x] Try establishing a TCP connection with the weather API
• Using basically the same functionality as the SSL request we managed to connect to the weather API with TCP - no problem... see code in comments
• [x] Check if TCP connection is caught in Wireshark monitoring
• It seems that monitoring is not enabled on ESP8266 - see link above
• [x] Change STM32 board
• This did not work
• [x] Try establishing a connection using only STM and ESP direct connection
• This did not work. We recorded the events. Note: ESP-01S worked worse (returned error on SSLSIZE) than ESP-01
• [x] Ask for someone who understands networking and Wireshark to investigate with us the recorded packet forwarding

[mavishak]

real main backup

int main(void)
{
    //set_sys_clock_to_32MHz();
    //init_MCO();

    USART1_init(); // for ESP8266
    USART2_init(); // for debugging

    TIMER2_init(); // for monitoring switch state.
    TIMER3_init(); // for sensor delay
    TIMER4_init(); // for ESP8266 timeout

    QUEUE_init();

    CONFIGURATIONS_set_device_id();

    USART2_enable_Rx(); // for ESC

    USART2_write((uint8_t*)("\033[32m\r\nPress ESC to configure\033[0m"));
    TIMER4_set_timeout(60);
    while(QUEUE_isEmpty() && !TIMER4_timeout_done());

    SENSOR_init(); // sensor interrupts are not inabled

    LED_init();

    //init_i2c1();
    USART2_write((uint8_t*)("\r\n_______________\r\n"));//For test

    while(1)
    {

        QUEUE_do_event();
        SYSTEM_CONTROL_monitor_switch_state(120); // every 2 minutes

    }
}

[mavishak]

Checking valid connection with wether API (TCP Connection) This worked!

Functionality in use:

int main(void){

    USART1_init(); // for ESP8266
    USART2_init(); // for debugging

    TIMER2_init(); // for monitoring switch state.
    TIMER3_init(); // for sensor delay
    TIMER4_init(); // for ESP8266 timeout

    //restore(1,60);// ESP8266 Restore factory flash setup
    localIP(2,6); // ESP8266 FOR MINITORRING PRINT LOCAL IP - DEBUGGING
    while(1){

        USART2_write((uint8_t*)("\r\n_______________\r\n"));//For test

        TestWifiConnection(); // TESTING WIFI CONNECTION

    }
}

/*this function is ment for testing WiFi conditions with TCP connection using whether API*/
BOOL TestWifiConnection(void){

    // before useing this function init_usart1(); and  init_usart2(); must be executed

    //Set client mode
    if(!setClientMode(2,6)){
        return FALSE;
    }
    USART2_write((uint8_t*)"1\r\n");

    //Join access point
    if(!joinAccessPoint_T(2,10)){
        return FALSE;
    }
    USART2_write((uint8_t*)"2\r\n");

    /*Default: AT+CIPMUX=0 (according to: AT instruction set- 5.2.15)*/

    //Connect HOST IP
    if(!connectWeatherAPI(2, 30)){
        return FALSE;
    }
    USART2_write((uint8_t*)"3\r\n");

    createTestMsg();
    USART2_write((uint8_t*)"4\r\n");

    //Send number of data bytes
    if(!sendRequest(1,1,30,40)){
        connection_closed = closeConnection(2,6);
        return FALSE;
    }
    USART2_write((uint8_t*)"5\r\n");

    USART1_write((uint8_t*)http);

    //Read response
    if(!readResponse(60)){//timeout set t0 3 minutes
        connection_closed = closeConnection(2,6);//added 30.4.21
        return FALSE;
    }

    USART2_write((uint8_t*)"6\r\n");

    //Close cunnection with firebase - this might be useless as firebase already closes connection with "CLOSED" response
    closeConnection(3,3);
    USART2_write((uint8_t*)"7\r\n");

    return TRUE;

}

Special functions:

• joinAccessPoint_T() is basically the same as joinAccessPoint() just with SSID_T and PWD_T

• connectWeatherAPI(2, 30), basically the same as connectFirebaseHose() just with out AT+CIPSSLSIZE SSL connenction, port 443

  
  BOOL connectWeatherAPI(uint32_t tries, uint32_t timeout){
  
  //Connect to API
  memset((char*)command, '\0', COMMAND_SIZE*sizeof(uint8_t));
  sprintf((char*)command, "AT+CIPSTART=\"TCP\",\"%s\",80\r\n", (char*)weather_api);
  
  found = STANDBY;
  USART1_write((uint8_t*)command);
  while(tries > 0){
      TIMER4_set_timeout(timeout);
      while(found == STANDBY && !TIMER4_timeout_done()){
          if(USART1_NEW_LINE_FOUND_get()){
              found = USART1_search_buffer_Rx((uint8_t *)AT_OK, (uint8_t *)AT_ERROR);
              if(found == STANDBY){
                  found = USART1_search_buffer_Rx((uint8_t *)AT_ALREADY_CONNECTED, (uint8_t *)AT_ERROR);// CRITICAL!
              }
              USART1_NEW_LINE_READ_set();
          }
      }
      if(found == PASS){
          return TRUE;
      }
      else{ // FAIL OR TIMEOUT
          tries--;
          found = STANDBY; // reset found
          USART1_write((uint8_t*)command);
      }
  }
  return FALSE;

}

- createTestMsg

void createTestMsg(void){

//Set HTTP request
memset((char*)http, '\0', HTTP_SIZE*sizeof(uint8_t));
sprintf((char*)http,("GET /data/2.5/weather?q=London,uk&appid=%s HTTP/1.0\r\nHost: %s\r\n\r\n\r\n"),weather_api_key,weather_api); // HTTP/1.0- Allow only one request
http_len = strlen((char*)http)-strlen("\r\n"); // the last \r\n is for the AT command, and not included in the request's length

}

_**the rest is the same**_

[mavishak]

11-07-2021 We opened a new project and copied only the relevant code to it.

• TCP connection to Firebase returns '404 bad request'
• SSL returns 'ERROR CLOSED' - the last time it happened was because the SSL buffer was not large enough (can't make it any larger it's at its max limit).
• We managed to do an SSL handshake with our college domain. Firebase still not working. We suspect that the SSL buffer is no longer large enough or that the certification of the ESP8266 has expired

[mavishak]

12-07-2021 It turns out we have two types of ESP8266 boards one is ESP-01 (which we used up until now) the other is ESP-01S wich seems to work even worse :/ see: https://www.esp8266.com/viewtopic.php?t=11657

• We connected the device directly to the PC this did not help. We concluded the problem is not in our code:
  1. It could be a Firebase new SSL configuration that we are not aware of
  2. It could be an expired SSL certificate in the hardware
  3. It could be something else in the hardware
  4. It could be one or two or all three :)

Some other things we tried:

• Hardcoding the IP destination address
• Opened a new Firebase project (free)
• Tried creating a proxy using Postman - didn't seem to work, we think. It does not capture the WiFi module traffick

[NaomiCreate]

• We created a channel in ThingSpeak, and we managed to send POST requests to it (with TCP connection). (There is a graphic display in ThingSpeak that the request received)

• We wanted to try to shake hands with Firebase and send it GET/POST requests without using the module Wi-Fi. In order to send the requests we used: OpenSSL via the command prompt: C:\Program Files\Git\usr\bin>openssl s_client -connect project-name-default-rtdb.firebaseio.com:443 As a result, CONNECTEDand other information (for example Server certificate) were written in the command prompt.

  Then we wrote the command:

  GET /devices/<device_ID>/history.json?auth=<auth_key> HTTP/1.1
  Host: project-name-default-rtdb.firebaseio.com
  Content-Type: text/plain
  Content-Length: 35

  As a result, all the data that was under the devices//history node was printed.

[mavishak]

During the last week we have been reaching out to different sources:

Here are the questions we posted

• Stack overflow: https://stackoverflow.com/questions/68274011/ssl-handshake-with-firebase-realtime-db-stopped-working-sequentially-to-a-blaze
• esp32: https://esp32.com/viewtopic.php?f=42&t=22115

[mavishak]

The official Problem

For the last 5 months, we have successfully managed to create an SSL connection to Firebase via ESP8266 (ESP-01). A week and a half ago the connection stopped working aside for a few individual times. A day after we couldn't connect at all. -> AT+CIPSTART responded ever since with

ERROR

CLOSED

We tried switching between different WiFi networks and got the same results. Moreover, we are successfully connecting to other HTTPS hosts, such as 'www.google.com'

Details:

1. We are managing to connect to other HTTPS websites using an SSL connection, such as 'www.google.com'.
2. The WiFi module is connected to an STM32 microcontroller, which is connected to the PC. The communication is established by using AT commands via UART (serial connection with baud rate 115200).
3. We are connecting to our Firebase project to interact with the Realtime DB by running the AT+CIPSTART command without any certificate file.
4. We have four ESP8266 (ESP-01) WiFi modules, and one ESP8266MOD WiFi module. They all reacted the same.
5. We set the SSL buffer size to 4096 (the maximum size).
6. We didn't flash firmware or AT libraries to the WiFi modules, and left them with their original state.
7. This is the output of the command AT+GMR (version information): ESP8266 (ESP-01)

   AT+GMR AT version:1.1.0.0(May 11 2016 18:09:56) SDK version:1.5.4(baaeaebb) compile time:May 20 2016 15:08:19

ESP8266MOD

AT+GMR AT version:1.3.0.0(Jul 14 2016 18:54:01) SDK version:2.0.0(5a875ba) v1.0.0.3 Mar 13 2018 09:37:06

AT commands details

AT+RST (reset the module) AT+CWMODE=1 (set the Wi-Fi mode to station mode) AT+CWJAP="SSID","PWD" (connect to a Wi-Fi network) AT+CIFSR (get the Wi-Fi module IP) AT+CIPSSLSIZE=4096 (change the SSL buffer size) AT+CIPSTART="SSL","project-name-rtdb.firebaseio.com",443 (establish a SSL connection) AT+CIPSEND=300 (send data)

Devices Wi-Fi module: https://www.makerfocus.com/products/4pcs-esp8266-esp-01-serial-wireless-wifi-transceiver-module-compatible-with-arduino STM32 microcontroller: https://www.st.com/en/evaluation-tools/nucleo-f103rb.html

Reference https://github.com/espressif/esp-at/blob/v2.0.0.0_esp8266/docs/ESP_AT_Commands_Set.md https://www.espressif.com/sites/default/files/documentation/4a-esp8266_at_instruction_set_en.pdf

Screenshots AT commands

ESP8266 Images

If anyone can help, we would appreciate it very much.

Thank you in advance!

[NaomiCreate]

Documentation of successful SSL connection: 1 hour run output 29-06-2021.log

[NaomiCreate]

In the ESP8266 Community Forum, someone informed us that: "Firebase switched to TLS 1.2 and AT firmware doesn't support it".

We still need to confirm it with Firebase, but it sounds reasonable.

[mavishak]

We entered our database url in to: https://www.cdn77.com/tls-test. This is what we got

This is what we found when we searched wether ESP supports TLS 1.2 https://forum.arduino.cc/t/can-i-do-tls-1-2-on-esp-01-with-at-commands/689671