- Wed Aug 01, 2018 2:35 pm
#77529
I have been working with the ESP8266 Huzzah Feather module trying to develop an app to connect to a server using the TLS API. I have the Server CA Cert and Client Cert and Key in DER form loaded in the flash. When I make the call to load the CA Cert:
bool res = client.setCACert_P(CACert, CACertLen);
there is a parsing error for the "Not After" date. The date should be:
"Not After : Jan 23 14:55:26 2054 GMT" <** NOTE: this is the GeneralizedTime format **>
but the debug display shows:
"Not After: Tue Dec 18 08:27:10 1917"
I have looked at the binary data in the array created to hold the DER certificate and it is correct. The DER certificate was converted from the PEM version "root.crt" (which was downloaded from the server) using the OpenSSL tool. I have also used the OpenSSL tool to display the PEM and DER version and they both show the date correctly.
During the handshake the same problem occurrs for all the certs in the CA Cert Chain. The Debug output gives the following error:
Verify: Cert has expired
ssl_verify_cert returned -517
Error: Cert has expired
Certificate verify failed
I am using the 1.8.5 version of the Arduino IDE with the following options in the TOOLS menu:
Generic ESP8266 Module
Flash Mode QIO
Flash Size 4M(1M SPIFFS)
Debug Port "Serial"
Debug Level "SSL+TLS_MEM+HTTP_SERVER+HTTP_CLIENT+CORE+WIFI+HTTP_UPDATE+UPDATER+OTA+OOM" (everything set)
lwIP variant: "v2 lower memory"
Reset Method: "ck"
Crystal Frequency: "26 MHz"
VTables: "Flash"
Flash Frequency: "40 MHz"
CPU Frequency: "80 MHz"
Builtin Led: " 2"
Upload Speed "115200"
Erase Flash "Only Sketch"
Port: "COMM 2"
I dont know if this is a bug in the SSL code or something I am doing wrong but would appreciate help from someone that knows the code to determine what is happening. I will include a copy of the relavent sketch code, the certs, and the debug output for your reference. Thanks very much for any help.
I have seen a lot of really good support comments/help from the moderator of this forum (@igrr). I would really appreciate some help here. I have put a lot of work getting to this point, much of which was helped by comments in these forums and I think I am just inches from getting a workable solution. I would not mind digging through the code myself if someone can point me to the source where this parsing is done and would not mind sharing what I find. Thanks.
Rex
bool res = client.setCACert_P(CACert, CACertLen);
there is a parsing error for the "Not After" date. The date should be:
"Not After : Jan 23 14:55:26 2054 GMT" <** NOTE: this is the GeneralizedTime format **>
but the debug display shows:
"Not After: Tue Dec 18 08:27:10 1917"
I have looked at the binary data in the array created to hold the DER certificate and it is correct. The DER certificate was converted from the PEM version "root.crt" (which was downloaded from the server) using the OpenSSL tool. I have also used the OpenSSL tool to display the PEM and DER version and they both show the date correctly.
During the handshake the same problem occurrs for all the certs in the CA Cert Chain. The Debug output gives the following error:
Verify: Cert has expired
ssl_verify_cert returned -517
Error: Cert has expired
Certificate verify failed
I am using the 1.8.5 version of the Arduino IDE with the following options in the TOOLS menu:
Generic ESP8266 Module
Flash Mode QIO
Flash Size 4M(1M SPIFFS)
Debug Port "Serial"
Debug Level "SSL+TLS_MEM+HTTP_SERVER+HTTP_CLIENT+CORE+WIFI+HTTP_UPDATE+UPDATER+OTA+OOM" (everything set)
lwIP variant: "v2 lower memory"
Reset Method: "ck"
Crystal Frequency: "26 MHz"
VTables: "Flash"
Flash Frequency: "40 MHz"
CPU Frequency: "80 MHz"
Builtin Led: " 2"
Upload Speed "115200"
Erase Flash "Only Sketch"
Port: "COMM 2"
I dont know if this is a bug in the SSL code or something I am doing wrong but would appreciate help from someone that knows the code to determine what is happening. I will include a copy of the relavent sketch code, the certs, and the debug output for your reference. Thanks very much for any help.
I have seen a lot of really good support comments/help from the moderator of this forum (@igrr). I would really appreciate some help here. I have put a lot of work getting to this point, much of which was helped by comments in these forums and I think I am just inches from getting a workable solution. I would not mind digging through the code myself if someone can point me to the source where this parsing is done and would not mind sharing what I find. Thanks.
Rex
You do not have the required permissions to view the files attached to this post.
