
mbedtls error connecting to server

Posted: Tue May 30, 2017 11:19 pm
by gregstewart90
I've been working on using libcurl on the ESP32 to connect to an access point over HTTPS and make configuration changes. The same code works on my Mac, but it fails on the ESP32, and I believe the problem is in mbedTLS. With help from loboris in another post I enabled mbedTLS debugging, and I now get the following output, ending in an error:


* timeout on name lookup is not supported
*   Trying 192.168.1.25...
* TCP_NODELAY set
* Connected to 192.168.1.25 (192.168.1.25) port 443 (#0)
* Error reading ca cert file /certs/ca-certificates.crt - mbedTLS: (-0x3E00) PK - Read/write of file failed
* mbedTLS: Connecting to 192.168.1.25:443
W (4571) mbedtls: ssl_tls.c:4425 x509_verify_cert() returned -9984 (-0x2700)
The real problem appears to be the line containing "x509_verify_cert() returned -9984 (-0x2700)", i.e. the access point's certificate fails verification. I had assumed the error reading the CA cert file was irrelevant, because I get the same warning when I successfully connect to other HTTPS servers with this code. (Note, though, that the two messages are related: with no CA bundle loaded, mbedTLS has nothing to chain any server certificate to, and the connections to other servers are most likely only succeeding because the code below sets CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to 0 — nothing about the peer is actually being checked, which is why the verify failure is logged as a warning rather than aborting the handshake.)

What do I need to do to get past this "x509_verify_cert()" error?

The HTTPS request is a little different from a normal one; HttpFox in Firefox shows the following POST data for it.
Screen Shot 2017-05-30 at 5.13.35 PM.png
I can't expose this server to the internet because my ISP blocks opening ports.


Full Code



#include "freertos/FreeRTOS.h"

#include "quickmail.h"

#include "esp_wifi.h"
#include "esp_system.h"
#include "esp_event.h"
#include "esp_event_loop.h"
#include "nvs_flash.h"
#include "esp_vfs.h"
#include "esp_vfs_fat.h"
#include "driver/gpio.h"
#include "esp_log.h"
#include "freertos/task.h"
#include "nvs_flash.h"
#include "nvs.h"
#include <string.h>
#include "sdkconfig.h"
#include <stdint.h>
#include "curl/curl.h"

#undef DISABLE_SSH_AGENT

// =====================================
// === Set your WiFi SSID & password
// Both come from sdkconfig (menuconfig), so the credentials are not
// hard-coded in this source file.
#define SSID CONFIG_WIFI_SSID
#define PASSWORD CONFIG_WIFI_PASSWORD
// =====================================

// Log tag used by the ESP_LOGI calls in wifi_event_handler.
static char tag[] = "[cURL Example]";
// Set once the testCurl task has been spawned so a repeated GOT_IP event
// does not start a second copy of it.
static uint8_t thread_started = 0;
// Checked at the top of wifi_event_handler; nothing in this listing ever
// sets it. NOTE(review): a file-scope identifier starting with '_' is
// reserved by the C standard (7.1.3) — consider renaming it, e.g. 'restarting'.
static uint8_t _restarting = 0;



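// Print some info about curl environment
//---------------------
// Dumps the libcurl version, host triplet, a fixed set of feature flags and
// the list of supported protocols to stdout. Purely diagnostic; no return
// value and no side effects beyond the output.
static void curl_info(void)
{
	// One row per feature bit: the mask tested and the label printed.
	static const struct {
		int mask;
		const char *label;
	} features[] = {
		{ CURL_VERSION_IPV6,         "IP V6" },
		{ CURL_VERSION_SSL,          "SSL" },
		{ CURL_VERSION_LIBZ,         "LIBZ" },
		{ CURL_VERSION_NTLM,         "NTLM" },
		{ CURL_VERSION_DEBUG,        "DEBUG" },
		{ CURL_VERSION_UNIX_SOCKETS, "UNIX sockets" },
	};

	curl_version_info_data *data = curl_version_info(CURLVERSION_NOW);

	printf("\r\n=========\r\n");
	printf("cURL INFO\r\n");
	printf("=========\r\n\n");

	printf("Curl version info\r\n");
	// version_num is an unsigned int in libcurl's curl_version_info_data,
	// so print it with %u (the original %d was a format/argument mismatch).
	printf("  version: %s - %u\r\n", data->version, data->version_num);
	printf("Host: %s\r\n", data->host);

	for (size_t i = 0; i < sizeof features / sizeof features[0]; i++) {
		printf("- %s %ssupported\r\n", features[i].label,
		       (data->features & features[i].mask) ? "" : "NOT ");
	}

	printf("Protocols:\r\n");
	// protocols is a NULL-terminated array of names.
	for (const char *const *p = data->protocols; *p != NULL; p++) {
		printf("- %s\r\n", *p);
	}
}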

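// Print every cookie libcurl currently holds for the handle.
//
// Diagnostic only. Cookie values are written to the console as-is, so on a
// real device any session token the server set ends up on the serial port;
// keep this out of production builds.
//
// curl: an easy handle that has already performed a transfer.
// On a curl_easy_getinfo failure the error is logged and the function
// returns. The original called exit(1) here, which on the ESP32 takes the
// whole firmware down instead of just skipping this diagnostic.
static void print_cookies(CURL *curl)
{
	// Initialised so the free below is safe even if getinfo never sets it.
	struct curl_slist *cookies = NULL;

	printf("Cookies, curl knows:\n");
	CURLcode res = curl_easy_getinfo(curl, CURLINFO_COOKIELIST, &cookies);
	if (res != CURLE_OK) {
		fprintf(stderr, "Curl curl_easy_getinfo failed: %s\n",
				curl_easy_strerror(res));
		return;
	}

	int count = 0;
	for (struct curl_slist *nc = cookies; nc != NULL; nc = nc->next) {
		printf("[%d]: %s\n", ++count, nc->data);
	}
	if (count == 0) {
		printf("(none)\n");
	}
	// curl_slist_free_all(NULL) is a no-op, so an empty list is fine here.
	curl_slist_free_all(cookies);
}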

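//=============================
// FreeRTOS task body: perform one HTTPS GET against the access point, print
// the cookies that came back, then delete itself.
//
// taskData: unused (required by the xTaskCreate* signature).
//
// Changes relative to the original: the easy handle is checked for NULL; the
// result of curl_easy_perform() is reported (curl_easy_strerror() names the
// failing step, which is exactly what this debugging session needs and the
// original threw away); the handle is released with curl_easy_cleanup() so
// the task no longer leaks it; the long-typed options are passed as long
// (curl_easy_setopt is variadic, so a bare int is the wrong argument type);
// and the duplicated, newline-less version print is dropped because
// curl_info() already prints it.
void testCurl(void *taskData) {
	(void)taskData;

	printf("Beginning Login Test**\n");
	curl_info();

	CURL *hnd = curl_easy_init();
	if (hnd == NULL) {
		fprintf(stderr, "curl_easy_init failed\n");
		vTaskDelete(NULL);
		return;
	}

	curl_easy_setopt(hnd, CURLOPT_URL, "https://192.168.1.25/");
	curl_easy_setopt(hnd, CURLOPT_NOPROGRESS, 1L);
	curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
	curl_easy_setopt(hnd, CURLOPT_FOLLOWLOCATION, 1L);
	curl_easy_setopt(hnd, CURLOPT_USERAGENT, "curl/7.50.3");
	curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);

	// INSECURE — kept at 0 only because this is a debugging session against
	// a LAN device. With peer and host verification both off, libcurl accepts
	// whatever certificate it is handed, so any host on the LAN that answers
	// on 192.168.1.25:443 can impersonate the AP and read the configuration
	// traffic the finished code will send. The log in this thread shows why
	// verification fails today: the CA bundle (/certs/ca-certificates.crt)
	// cannot be read, so x509_verify_cert() has nothing to chain the AP's
	// certificate to. The fix is not to leave these at 0 but to load the
	// AP's own certificate via CURLOPT_CAINFO (or pin its key with
	// CURLOPT_PINNEDPUBLICKEY) and set both options back to 1L.
	curl_easy_setopt(hnd, CURLOPT_SSL_VERIFYPEER, 0L);
	curl_easy_setopt(hnd, CURLOPT_SSL_VERIFYHOST, 0L);

	curl_easy_setopt(hnd, CURLOPT_COOKIEFILE, "");
	// NOTE(review): TLS 1.0 is deprecated and, depending on the libcurl
	// version, this option pins the handshake to exactly 1.0 rather than
	// setting a minimum; a server that refuses 1.0 then cannot connect at
	// all. Unless the AP genuinely requires 1.0, CURL_SSLVERSION_TLSv1_2 is
	// the safer choice — worth confirming against the AP.
	curl_easy_setopt(hnd, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0);
	curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);

	printf("Before Perform\n");
	CURLcode ret = curl_easy_perform(hnd);
	printf("After Perform\n");
	if (ret != CURLE_OK) {
		// This message pinpoints the failing step (handshake, certificate,
		// connect, ...) far more precisely than the mbedTLS warning alone.
		fprintf(stderr, "curl_easy_perform failed: (%d) %s\n",
				(int)ret, curl_easy_strerror(ret));
	}
	print_cookies(hnd);

	curl_easy_cleanup(hnd);
	vTaskDelete(NULL);
} // End of testCurl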

//------------------------------------------------------------
// WiFi/IP event callback registered with esp_event_loop_init() in app_main.
// Reconnects on STA_START and STA_DISCONNECTED, and spawns the testCurl task
// the first time the station obtains an IP (thread_started guards against a
// second GOT_IP starting a second task). Every event is logged. All paths
// return ESP_OK, and nothing at all is done while _restarting is set.
esp_err_t wifi_event_handler(void *ctx, system_event_t *event)
{
	(void)ctx;
	if (_restarting) {
		return ESP_OK;
	}

	if (event->event_id == SYSTEM_EVENT_STA_START) {
		ESP_LOGI(tag, "SYSTEM_EVENT_STA_START");
		ESP_ERROR_CHECK(esp_wifi_connect());
		return ESP_OK;
	}

	if (event->event_id == SYSTEM_EVENT_STA_GOT_IP) {
		ESP_LOGI(tag, "SYSTEM_EVENT_STA_GOT_IP");
		ESP_LOGI(tag, "got ip:%s ... ready to go!\n", ip4addr_ntoa(&event->event_info.got_ip.ip_info.ip));
		if (!thread_started) {
			// 10 KiB stack, priority 5, no core affinity.
			xTaskCreatePinnedToCore(&testCurl, "testCurl", 10*1024, NULL, 5, NULL, tskNO_AFFINITY);
			thread_started = 1;
		}
		return ESP_OK;
	}

	if (event->event_id == SYSTEM_EVENT_STA_CONNECTED) {
		ESP_LOGI(tag, "SYSTEM_EVENT_STA_CONNECTED");
		return ESP_OK;
	}

	if (event->event_id == SYSTEM_EVENT_STA_DISCONNECTED) {
		ESP_LOGI(tag, "SYSTEM_EVENT_STA_DISCONNECTED");
		// Unconditional reconnect; ESP_ERROR_CHECK aborts if it fails.
		ESP_ERROR_CHECK(esp_wifi_connect());
		return ESP_OK;
	}

	ESP_LOGI(tag, "=== WiFi EVENT: %d ===", event->event_id);
	return ESP_OK;
}


//================
// Program entry point: bring up the TCP/IP adapter and WiFi in station mode
// with the SSID/password from sdkconfig, register wifi_event_handler, start
// connecting and return. Everything afterwards (reconnects, spawning
// testCurl) happens in the event handler. The driver is told to keep the
// credentials in RAM only (WIFI_STORAGE_RAM) rather than persisting them to
// flash, and WiFi power save is disabled. Returns 0.
int app_main(void)
{
	tcpip_adapter_init();
	ESP_ERROR_CHECK( esp_event_loop_init(wifi_event_handler, NULL) );

	wifi_init_config_t init_cfg = WIFI_INIT_CONFIG_DEFAULT();
	ESP_ERROR_CHECK( esp_wifi_init(&init_cfg) );
	ESP_ERROR_CHECK( esp_wifi_set_storage(WIFI_STORAGE_RAM) );
	ESP_ERROR_CHECK( esp_wifi_set_mode(WIFI_MODE_STA) );

	// Connect by SSID only; bssid_set = 0 means any AP with this SSID.
	wifi_config_t station = {
		.sta = {
			.ssid = SSID,
			.password = PASSWORD,
			.bssid_set = 0,
		},
	};
	ESP_ERROR_CHECK( esp_wifi_set_config(WIFI_IF_STA, &station) );

	ESP_ERROR_CHECK( esp_wifi_start() );
	ESP_ERROR_CHECK( esp_wifi_connect() );
	ESP_ERROR_CHECK( esp_wifi_set_ps(WIFI_PS_NONE) );

	return 0;
}



Re: mbedtls error connecting to server

Posted: Wed May 31, 2017 1:30 am
by WiFive
This looks like a problem with your server's certificate — either it uses a cipher or signature algorithm the ESP32's mbedTLS build does not support, or something else about the certificate itself. The reason it works on the Mac could be that the TLS library there supports that cipher. (One caveat: -0x2700 is returned by x509_verify_cert(), so the step that is failing is certificate verification rather than cipher-suite negotiation, and the earlier line shows the CA bundle could not be read at all — with no trust anchors loaded, any certificate the AP presents will fail that check.)