
Three Questions About SSL support on ESP8266 module

Posted: Fri Dec 06, 2019 5:30 am
by esp8266_abc
Hi Experts,

1. Where could I find the definitions of those reason codes, e.g. the one below printed by the SDK:
client handshake failed!
Reason:[-0x4310]
Some of them can be found in the SSL protocols, but some cannot be found, like the -0x4310 above.

2. Is there a way or an API to capture the reason codes if the peer sends them to us, other than the SDK print?
e.g. the SDK debug print “client's data invalid protocol Reason:[-0x7880]”, which means that "The peer notified us that the connection is going to be closed".
Is there an API to get these reason codes?

3. Is there an efficient way to burn the bin of CA certificates into the module?

Scenario 1: We have 10K modules without CA and client certificates burnt before.
How could we get these modules to support SSL? Burn them one by one?

Scenario 2: The module connects to one SSL server, then connects to another SSL server.
Then do we need to burn the CA certificates twice, frequently?

Thanks!

Re: Three Questions About SSL support on ESP8266 module

Posted: Fri Dec 06, 2019 7:09 pm
by davydnorris
1. In the mbedtls code supplied with the NonOS SDK there are descriptions of the error codes - you have to dig a bit but the high and low bytes mean different subsystems and components.

2. The ESP routines return these codes, so you could grab them and use a print routine of your own - I think they didn't implement one in the SDK because the strings would take up space. I have never looked in the mbedtls code to see if there is an error printing function but that's where I would start.

3. I burn the CA certs when I burn the firmware, but I also have a routine to update expired cert info OTA.
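
Added example, not part of the thread or of the SDK: a small C decoder that splits a returned code into its two parts, assuming the layout documented in mbedtls `error.h` (high-level module error in bits 7..14, low-level error in bits 0..6). `split_mbedtls_err`, `describe_tls_err` and the name table are hypothetical and cover only the two codes quoted in the question.

```c
#include <stdio.h>
#include <string.h>

/* Layout from mbedtls/error.h: a negative return value packs a high-level
 * module error (bits 7..14) and an optional low-level error (bits 0..6)
 * from the primitive that actually failed. */
struct tls_err { int high; int low; };

static struct tls_err split_mbedtls_err(int ret)
{
    struct tls_err e = { 0, 0 };
    if (ret < 0) {
        e.high = (-ret) & 0xFF80;
        e.low  = (-ret) & 0x007F;
    }
    return e;
}

/* Partial table: only the codes discussed in this thread. Values are from
 * mbedtls rsa.h, ssl.h and bignum.h; check them against the SDK's copy. */
struct err_name { int code; const char *name; };
static const struct err_name names[] = {
    { 0x4300, "MBEDTLS_ERR_RSA_PRIVATE_FAILED" },
    { 0x7880, "MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY" },
    { 0x0010, "MBEDTLS_ERR_MPI_ALLOC_FAILED" },
};

static const char *lookup_name(int code)
{
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (names[i].code == code)
            return names[i].name;
    return "unknown (see the mbedtls headers)";
}

/* Hypothetical helper: format a returned code without the SDK debug print. */
static const char *describe_tls_err(int ret, char *buf, size_t len)
{
    struct tls_err e = split_mbedtls_err(ret);
    if (e.high && e.low)
        snprintf(buf, len, "-0x%04X = %s + %s", (unsigned)-ret,
                 lookup_name(e.high), lookup_name(e.low));
    else
        snprintf(buf, len, "-0x%04X = %s", (unsigned)-ret,
                 lookup_name(e.high ? e.high : e.low));
    return buf;
}

int main(void)
{
    char buf[128];
    puts(describe_tls_err(-0x4310, buf, sizeof buf)); /* RSA private op + MPI alloc */
    puts(describe_tls_err(-0x7880, buf, sizeof buf)); /* peer close notify */
    return 0;
}
```

Read this way, -0x4310 is an RSA private-key operation that failed because a big-number allocation failed, which points at heap exhaustion during the handshake rather than at a protocol alert. mbedtls also ships `mbedtls_strerror()` when built with `MBEDTLS_ERROR_C`; whether the SDK's build enables it is not stated in this thread.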

Re: Three Questions About SSL support on ESP8266 module

Posted: Sun Dec 08, 2019 1:03 am
by esp8266_abc
First of all, thanks very much, Davydnorris!

For the third question, I am also considering updating certs in an OTA manner.

But there is another question: the certificates and private keys are often in a format other than the converted ESP BIN format that can be burned directly. Although the BINs can be produced easily offline on a PC under a Linux environment using the Espressif tool, how can this be done by the ESP8266 itself? Do you have any conversion code that could be run on the ESP8266 directly? Or do we have to limit the cert provider server used for downloading to storing offline-converted bin files, in a pre-defined protocol that is consistent with the downloading protocol supported by the module, which is very inconvenient!

Thanks!

Re: Three Questions About SSL support on ESP8266 module

Posted: Sun Dec 08, 2019 5:19 pm
by davydnorris
I run the Espressif supplied tools on the files to create an uploadable format, and that is what I put on my OTA web server.