Topic: integrate with esp8266 sdk ?

Hi,
I built an app with the esp8266 sdk but then ran into problems with its supplied ssl, so I'm trying to replace it with the "official" wolfssl.

While I can get the examples in esp-wolfssl to work in my environment, anything I do with the normal SDK's esp-http-client appears to fail.

Are there known problems with this integration, or does the debug output below reveal something I can't interpret as a novel wolfSSL user?


  Danny

I (7595) esp switch: 2 wolfSSL Entering GetObjectId()
I (7604) esp switch: 2 wolfSSL Entering GetObjectId()
I (7613) esp switch: 1 CA found
I (7619) esp switch: 1 Failed to verify Peer's cert
I (7627) esp switch: 1    No callback override available, fatal
I (7637) esp switch: 0 wolfSSL error occurred, error = 155 line:12179
I (7655) esp switch: 2 wolfSSL Entering SendAlert
I (7661) esp switch: 1 growing output buffer
I (7671) esp switch: 1 Shrinking output buffer
I (7676) esp switch: 3 wolfSSL Leaving SendAlert, return 0
I (7686) esp switch: 3 wolfSSL Leaving ProcessPeerCerts, return -155
I (7697) esp switch: 2 wolfSSL Entering wolfSSL_X509_NAME_free
I (7707) esp switch: 2 wolfSSL Entering wolfSSL_X509_NAME_free
I (7717) esp switch: 3 wolfSSL Leaving DoCertificate, return -155
I (7727) esp switch: 3 wolfSSL Leaving DoHandShakeMsgType(), return -155
I (7738) esp switch: 3 wolfSSL Leaving DoHandShakeMsg(), return -155
I (7749) esp switch: 0 wolfSSL error occurred, error = 155 line:19666 
I (7765) esp switch: 0 wolfSSL error occurred, error = 155 line:12723 
I (7780) esp switch: 2 wolfSSL Entering SSL_get_error
I (7789) esp switch: 3 wolfSSL Leaving SSL_get_error, return -155
E (7799) esp-tls-wolfssl: Failed to verify peer certificate , returned 21!
E (7810) esp-tls: Failed to open new connection
E (7818) TRANS_SSL: Failed to open a new connection
I (7827) esp switch: 2 wolfSSL Entering SSL_shutdown()
I (7836) esp switch: 3 wolfSSL Leaving SSL_shutdown(), return -1
I (7846) esp switch: 2 wolfSSL Entering SSL_free
I (7854) esp switch: 1 Free'ing client ssl
I (7862) esp switch: 1 Shrinking input buffer
I (7870) esp switch: 2 wolfSSL Entering wolfSSL_sk_CIPHER_free
I (7880) esp switch: 2 wolfSSL Entering wolfSSL_sk_free
I (7889) esp switch: 2 wolfSSL Entering wolfSSL_sk_X509_pop_free
I (7899) esp switch: 2 wolfSSL Entering wolfSSL_sk_pop_free
I (7909) esp switch: 2 wolfSSL Entering wolfSSL_sk_X509_NAME_pop_free


Re: integrate with esp8266 sdk ?

Hi Danny,

-155 is ASN_SIG_CONFIRM_E; it means we were unable to confirm your certificate's signature. Are you confident your peer's certificate is valid? Are you registering CA certificates before trying to connect? Can you provide your build settings (user_settings.h or ./configure line)?
Please also confirm you are using our latest wolfSSL release, 5.5.3.

Thanks,
Kareem


Re: integrate with esp8266 sdk ?

Apologies, I appear to be a mess.
Copied the wrong debug log :-(

I appear to run into a memory issue (I see -125 on the second call), which I guess is

    MEMORY_E           = -125,  /* out of memory error */

Not entirely sure how to proceed now except studying my code line by line, assuming it's my problem.

The two calls in my code never both work. If one works because I disable cert checking

        wolfSSL_CTX_set_verify( (WOLFSSL_CTX *)tls->priv_ctx, WOLFSSL_VERIFY_NONE, NULL);
        // wolfSSL_CTX_set_verify( (WOLFSSL_CTX *)tls->priv_ctx, WOLFSSL_VERIFY_PEER, NULL);

then the other runs into memory errors, or if I do ask for the check, then the first call fails but the second works.

So I assume I have at least two problems.


Re: integrate with esp8266 sdk ?

And I'm using wolfSSL downloaded from GitHub a couple of days ago, and am using certificates from the latter part of the output of commands like

openssl s_client -connect fcm.googleapis.com:443 < /dev/null -showcerts


Re: integrate with esp8266 sdk ?

OK, found the memory problem (was in my code, as you'd expect).

I (4864) tester: WolfSSL tester (c) Danny Backx, build : 2022/11/25 21:07:23
I (4876) tester: Free heap 64960 (line 81)
I (8878) tester: Time has been set : 2022-11-25 21:07:45
I (8879) tester: Free heap 68328 (line 109)
I (8881) tester: Set WolfSSL logging
E (8885) tester: Google/Firebase CloudMessaging ...
I (8894) tester: Free heap 68328 (line 115)
I (8991) esp-tls-wolfssl: set_client_config 177 set_verify
E (9383) esp-tls-wolfssl: Failed to verify peer certificate , returned 24!
E (9385) esp-tls: Failed to open new connection
E (9388) TRANS_SSL: Failed to open a new connection
E (9400) HTTP_CLIENT: Connection failed, sock < 0
E (9405) tester: switch_task: firebase cloud message delivery failed
I (9416) tester: Free heap 67852 (line 131)
E (9423) tester: Sunrise ...
I (9428) tester: Free heap 67832 (line 138)
I (9633) esp-tls-wolfssl: set_client_config 177 set_verify
I (16386) tester: Sunrise : query ok
I (16387) tester: Sunrise is at 0812, sunset at 1643
I (16389) tester: Free heap 65892 (line 150)
E (16393) tester: Terminating ...

With debug enabled, this generates 1000 lines which I'm not pasting here (until you ask).
I grepped a bit though:

hp: {1659} fgrep -i -e "wolfSSL error occur" -e esp-tls-wolfssl typescript
I (9396) esp-tls-wolfssl: set_client_config 177 set_verify
I (11575) tester: 0 wolfSSL error occurred, error = 155 line:12179 file:/home/danny/src/esp8266/wol
I (12209) tester: 0 wolfSSL error occurred, error = 188 line:12179 file:/home/danny/src/esp8266/wol
I (12316) tester: 0 wolfSSL error occurred, error = 188 line:19666 file:/home/danny/src/esp8266/wol
I (12331) tester: 0 wolfSSL error occurred, error = 188 line:12723 file:/home/danny/src/esp8266/wol
E (12364) esp-tls-wolfssl: Failed to verify peer certificate , returned 24!
I (13333) esp-tls-wolfssl: set_client_config 177 set_verify
hp: {1660}

Looks like the relevant error code is 188, right?
What could cause this, given how I include both certificates (root certs for both services)?

Thanks,
  Danny


Re: integrate with esp8266 sdk ?

Hi Danny,

-188 is ASN_NO_SIGNER_E; this means we were not able to find a CA signer for your peer's certificate.
Are you registering CA certificates before connecting? You can register CA certs using a _verify API such as wolfSSL_CTX_load_verify_buffer. Are you confident your CA certificates include your peer's certificate?

Thanks,
Kareem

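Added example, not code from the thread or from wolfSSL: Danny takes his CA certificate from the latter part of `openssl s_client -showcerts` output, and Kareem's ASN_NO_SIGNER_E points at the trust anchor not matching the chain. The script below splits such a capture into its PEM blocks and checks, from the `s:`/`i:` summary lines s_client prints above each block, whether the last certificate the server sent is self-signed (a root usable on its own with wolfSSL_CTX_load_verify_buffer) or only an intermediate whose issuer is absent from the capture. The capture is a constructed stand-in with placeholder names and bodies.

```shell
#!/bin/sh
# Added example: split `openssl s_client -showcerts` output into its PEM
# blocks and report whether the last one the server sent is a self-signed
# root or an intermediate whose issuer is not in the capture.

# Constructed stand-in for `openssl s_client -connect host:443 -showcerts`
# output. Names and base64 bodies are placeholders, not real certificates.
CHAIN_FILE=$(mktemp)
cat > "$CHAIN_FILE" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = fcm.example.test
   i:C = XX, O = Example Trust, CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
AAAAleafplaceholder
-----END CERTIFICATE-----
 1 s:C = XX, O = Example Trust, CN = Example Issuing CA
   i:C = XX, O = Example Trust, CN = Example Root CA
-----BEGIN CERTIFICATE-----
BBBBintermediateplaceholder
-----END CERTIFICATE-----
---
Server certificate
subject=CN = fcm.example.test
EOF

# Number of PEM blocks in the capture file given as $1.
cert_count() { grep -c '^-----BEGIN CERTIFICATE-----' "$1"; }

# Print PEM block number $2 (0-based, the numbering s_client uses) of file $1.
nth_cert() {
    awk -v want="$2" 'BEGIN { n = 0 }
        /^-----BEGIN CERTIFICATE-----/ { inblk = 1 }
        inblk && n == want { print }
        /^-----END CERTIFICATE-----/ { if (inblk) n++; inblk = 0 }' "$1"
}

# Succeed when chain entry $2 of file $1 has subject == issuer (self-signed).
# Reads the " N s:" / "   i:" summary lines printed above each PEM block.
is_self_signed() {
    awk -v want="$2" '
        $1 == want && $2 ~ /^s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0; grab = 1; next }
        grab && $1 ~ /^i:/ { sub(/^ *i:/, ""); iss = $0; grab = 0 }
        END { if (subj != "" && subj == iss) exit 0; exit 1 }' "$1"
}

# Report on the last certificate the server sent, the one embedded on the device.
last=$(( $(cert_count "$CHAIN_FILE") - 1 ))
nth_cert "$CHAIN_FILE" "$last" > "$CHAIN_FILE.last.pem"
if is_self_signed "$CHAIN_FILE" "$last"; then
    echo "chain entry $last is self-signed: usable as the trust anchor"
else
    echo "chain entry $last is an intermediate: fetch its issuer (the root) from a trust store"
fi
```

Run it against a real capture by replacing the heredoc with `openssl s_client -connect host:443 -showcerts < /dev/null > "$CHAIN_FILE"`; the checker only reads the summary lines, so it needs no openssl at check time.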

Re: integrate with esp8266 sdk ?

The same source code works with mbedtls.
I was moving away from that because it's more memory hungry but it looks like I'll have to come back on that decision.
