mbedtls error connecting to server


mbedtls error connecting to server

Postby gregstewart90 » Tue May 30, 2017 11:19 pm

I've been working on using libcurl to connect to an access point to make configuration changes. The code works on my Mac, but it fails when I try it on the ESP32. I believe the issue resides in mbedtls. With help from loboris in another post, I enabled mbedtls debugging, and I now receive the following output with the error:


* timeout on name lookup is not supported
*   Trying 192.168.1.25...
* TCP_NODELAY set
* Connected to 192.168.1.25 (192.168.1.25) port 443 (#0)
* Error reading ca cert file /certs/ca-certificates.crt - mbedTLS: (-0x3E00) PK - Read/write of file failed
* mbedTLS: Connecting to 192.168.1.25:443
W (4571) mbedtls: ssl_tls.c:4425 x509_verify_cert() returned -9984 (-0x2700)
The real issue is the line containing "x509_verify_cert() returned -9984". The error on the CA cert file is irrelevant, as I get the same warning when successfully connecting to other servers. I can connect to other servers that require HTTPS with this code.

What do I need to do to get past this "x509_verify_cert()" error?

The HTTPS request is a little different from normal. HttpFox from Firefox returns the following POST data.
Screen Shot 2017-05-30 at 5.13.35 PM.png
I can't expose this server to the internet because my ISP blocks opening ports.


Full Code



#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "sdkconfig.h"

#include "freertos/FreeRTOS.h"
#include "freertos/task.h"

#include "driver/gpio.h"
#include "esp_event.h"
#include "esp_event_loop.h"
#include "esp_log.h"
#include "esp_system.h"
#include "esp_vfs.h"
#include "esp_vfs_fat.h"
#include "esp_wifi.h"
#include "nvs.h"
#include "nvs_flash.h"
#include "nvs_flash.h" /* duplicate of the line above; harmless under its include guard */

#include "curl/curl.h"
#include "quickmail.h"

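#undef DISABLE_SSH_AGENT

// =====================================
// === Set your WiFi SSID & password (values come from sdkconfig.h / menuconfig)
#define SSID CONFIG_WIFI_SSID
#define PASSWORD CONFIG_WIFI_PASSWORD
// =====================================

// Log tag passed to ESP_LOGx; const because nothing ever writes to it.
static const char tag[] = "[cURL Example]";
// Set once the cURL task has been created, so a later GOT_IP event
// (e.g. after a reconnect) does not spawn a second task.
static uint8_t thread_started = 0;
// When non-zero the WiFi event handler ignores every event. Nothing in
// this file sets it. Note: a leading underscore on a file-scope name is
// reserved for the implementation; kept as-is because the event handler
// references it by this name.
static uint8_t _restarting = 0;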



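// Print some info about curl environment
//---------------------
// Dumps the libcurl version, host triple, selected feature bits and the
// list of supported protocols to stdout.
static void curl_info(void)
{
	// Static data owned by libcurl; the caller must not free it.
	curl_version_info_data *data = curl_version_info(CURLVERSION_NOW);

	printf("\r\n=========\r\n");
	printf("cURL INFO\r\n");
	printf("=========\r\n\n");

	printf("Curl version info\r\n");
	// version_num is an unsigned int (LIBCURL_VERSION_NUM); printing it
	// with %d was a format/argument type mismatch.
	printf("  version: %s - %u\r\n", data->version, data->version_num);
	printf("Host: %s\r\n", data->host);

	// Feature bits of the library this binary was linked against; the
	// table keeps each line's wording identical to the former if/else chain.
	static const struct {
		int bit;
		const char *name;
	} features[] = {
		{ CURL_VERSION_IPV6,         "IP V6" },
		{ CURL_VERSION_SSL,          "SSL" },
		{ CURL_VERSION_LIBZ,         "LIBZ" },
		{ CURL_VERSION_NTLM,         "NTLM" },
		{ CURL_VERSION_DEBUG,        "DEBUG" },
		{ CURL_VERSION_UNIX_SOCKETS, "UNIX sockets" },
	};
	for (size_t i = 0; i < sizeof features / sizeof features[0]; i++) {
		printf("- %s %ssupported\r\n", features[i].name,
		       (data->features & features[i].bit) ? "" : "NOT ");
	}

	// NULL-terminated array of protocol names.
	printf("Protocols:\r\n");
	for (const char * const *proto = data->protocols; *proto != NULL; proto++) {
		printf("- %s\r\n", *proto);
	}
}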

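// Print every cookie the easy handle currently holds, or "(none)".
// curl: an initialised CURL easy handle.
// Diagnostic only: a failed curl_easy_getinfo() is reported on stderr and
// the function returns. The previous exit(1) would have terminated the
// whole firmware from inside a FreeRTOS task for a debugging helper.
static void print_cookies(CURL *curl)
{
	struct curl_slist *cookies = NULL;

	printf("Cookies, curl knows:\n");
	CURLcode res = curl_easy_getinfo(curl, CURLINFO_COOKIELIST, &cookies);
	if (res != CURLE_OK) {
		fprintf(stderr, "Curl curl_easy_getinfo failed: %s\n",
				curl_easy_strerror(res));
		return;
	}

	// Number cookies from 1 so the output matches the original listing.
	int count = 0;
	for (const struct curl_slist *nc = cookies; nc != NULL; nc = nc->next) {
		printf("[%d]: %s\n", ++count, nc->data);
	}
	if (count == 0) {
		printf("(none)\n");
	}
	// The list returned by CURLINFO_COOKIELIST is owned by us; free it.
	curl_slist_free_all(cookies);
}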

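//=============================
// FreeRTOS task: perform one HTTPS request against the access point and
// dump the cookies it set, then delete itself.
// taskData: unused FreeRTOS task parameter.
void testCurl(void *taskData) {
	(void)taskData;

	printf("Beginning Login Test**\n");
	// curl_info() already prints the version/host details, so the former
	// second (newline-less, %d-on-unsigned) print of the same data is gone.
	curl_info();

	CURL *hnd = curl_easy_init();
	if (hnd == NULL) {
		// Every curl_easy_setopt() on a NULL handle would be undefined.
		fprintf(stderr, "curl_easy_init failed\n");
		vTaskDelete(NULL);
		return;
	}
	curl_easy_setopt(hnd, CURLOPT_URL, "https://192.168.1.25/");
	curl_easy_setopt(hnd, CURLOPT_NOPROGRESS, 1L);
	curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
	curl_easy_setopt(hnd, CURLOPT_FOLLOWLOCATION, 1L);
	curl_easy_setopt(hnd, CURLOPT_USERAGENT, "curl/7.50.3");
	curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
	// SECURITY: with peer and host verification off the TLS session is
	// encrypted but unauthenticated -- whatever answers on 192.168.1.25:443
	// is accepted. Debugging aid only; for real use load the access
	// point's certificate via CURLOPT_CAINFO (or pin it) and set both
	// options back to 1L.
	// curl_easy_setopt() is variadic: the value must be a long (0L), not
	// the int 0 that was passed before.
	curl_easy_setopt(hnd, CURLOPT_SSL_VERIFYPEER, 0L);
	curl_easy_setopt(hnd, CURLOPT_SSL_VERIFYHOST, 0L);
	curl_easy_setopt(hnd, CURLOPT_COOKIEFILE, "");
	// Requests TLS 1.0 (older mbedTLS backends pin min and max to it --
	// confirm for this libcurl). TLS 1.0 is deprecated; prefer
	// CURL_SSLVERSION_TLSv1_2 unless the access point only speaks 1.0.
	curl_easy_setopt(hnd, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0);
	curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);

	printf("Before Perform\n");
	CURLcode ret = curl_easy_perform(hnd);
	printf("After Perform\n");
	// The result was previously stored and never inspected.
	if (ret != CURLE_OK) {
		fprintf(stderr, "curl_easy_perform failed: %s\n", curl_easy_strerror(ret));
	}
	print_cookies(hnd);
	// Release the handle; it used to leak on every run of this task.
	curl_easy_cleanup(hnd);

	vTaskDelete(NULL);
} // End of testCurl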

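//------------------------------------------------------------
// Best-effort station connect: log a failure instead of aborting the
// firmware through ESP_ERROR_CHECK, so a transient esp_wifi_connect()
// error during a disconnect/reconnect cycle does not reboot the device.
static void wifi_try_connect(void)
{
	esp_err_t err = esp_wifi_connect();
	if (err != ESP_OK) {
		ESP_LOGE(tag, "esp_wifi_connect() failed: %d", err);
	}
}

// System/WiFi event callback registered via esp_event_loop_init().
// ctx: unused user context. event: the event to dispatch on.
// Returns ESP_OK; every event is ignored while _restarting is non-zero.
esp_err_t wifi_event_handler(void *ctx, system_event_t *event)
{
	(void)ctx;
	if (_restarting) return ESP_OK;

	switch (event->event_id) {
	case SYSTEM_EVENT_STA_START:
		ESP_LOGI(tag, "SYSTEM_EVENT_STA_START");
		wifi_try_connect();
		break;
	case SYSTEM_EVENT_STA_GOT_IP:
		ESP_LOGI(tag, "SYSTEM_EVENT_STA_GOT_IP");
		// ESP_LOGI terminates the line itself; the former trailing "\n"
		// produced a blank line.
		ESP_LOGI(tag, "got ip:%s ... ready to go!", ip4addr_ntoa(&event->event_info.got_ip.ip_info.ip));
		// Create the cURL task only once, even if GOT_IP fires again
		// after a reconnect.
		if (thread_started == 0) {
			xTaskCreatePinnedToCore(&testCurl, "testCurl", 10*1024, NULL, 5, NULL, tskNO_AFFINITY);
			thread_started = 1;
		}
		break;
	case SYSTEM_EVENT_STA_CONNECTED:
		ESP_LOGI(tag, "SYSTEM_EVENT_STA_CONNECTED");
		break;
	case SYSTEM_EVENT_STA_DISCONNECTED:
		ESP_LOGI(tag, "SYSTEM_EVENT_STA_DISCONNECTED");
		wifi_try_connect();
		break;
	default:
		ESP_LOGI(tag, "=== WiFi EVENT: %d ===", event->event_id);
		break;
	}
	return ESP_OK;
}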


//================
// Bring up the WiFi station with the SSID/password taken from sdkconfig;
// the event handler starts the cURL task once an IP address arrives.
static void wifi_start_station(void)
{
	wifi_init_config_t init_cfg = WIFI_INIT_CONFIG_DEFAULT();
	wifi_config_t station = {
			.sta = {
					.ssid = SSID,
					.password = PASSWORD,
					.bssid_set = 0
			}
	};

	ESP_ERROR_CHECK( esp_wifi_init(&init_cfg) );
	ESP_ERROR_CHECK( esp_wifi_set_storage(WIFI_STORAGE_RAM) );
	ESP_ERROR_CHECK( esp_wifi_set_mode(WIFI_MODE_STA) );
	ESP_ERROR_CHECK( esp_wifi_set_config(WIFI_IF_STA, &station) );
	ESP_ERROR_CHECK( esp_wifi_start() );
	ESP_ERROR_CHECK( esp_wifi_connect() );
}

// Application entry point: network stack, event loop, WiFi station, then
// return -- the remaining work happens in the event handler and the
// cURL task. Always returns 0.
int app_main(void)
{
	tcpip_adapter_init();
	ESP_ERROR_CHECK( esp_event_loop_init(wifi_event_handler, NULL) );
	wifi_start_station();
	ESP_ERROR_CHECK( esp_wifi_set_ps(WIFI_PS_NONE) );

	return 0;
}




Re: mbedtls error connecting to server

Postby WiFive » Wed May 31, 2017 1:30 am

Seems like a problem with your server certificate -- either an incompatible cipher or something else. The reason it works on the Mac could be that the cipher is supported by that library.
