Connect over SSL

[ronaldk]

Hi all,

I am trying to connect to a public service over SSL (servicebus.windows.net). Following http://micropython.org/resources/docs/e ... odule-ussl, I use the following code:

addr = socket.getaddrinfo('<mynamespace>.servicebus.windows.net', 443)[0][4]
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_SEC)
ss = ssl.wrap_socket(s, cert_reqs=ssl.CERT_REQUIRED, ca_certs='/flash/cert/ca.pem')
ss.connect(addr)

On the last line I get OSError 456. I think it means "Error secure level, bad CA file". Sometimes, when changing the ca.pem, I get a OSError 208, no clue what that meas, nor what's better

I noticed that the format of the ca.pem file assiciated with the Blynck example (seems binary) differs from my generated ca.pem. I created the certificate by:
1. Navigate to the service url
2. Install the certifcate to the certificate store (running on Windows)
3. Export the certificate as DER encoded
4. Converted using openssl to a PEM (result is a base64 encoded certificate)
5. Uploaded to /flash/cert/ca.pem

How can I generate a valid ca.pem certificate or what does the wipy consider to be a valid ca.pem?

Regards,
Ronald

[danicampora]

Hi,

Probably PEM is not the right encoding, the file extension I took from TI's doc. The right format is DER I think, check this certificate:

https://github.com/wipy/wipy/blob/maste ... m?raw=true

and make sure yours looks like that one (kinda binary).

Cheers,
Daniel

[ronaldk]

Hi Daniel,

Thanks for your response.
I looked into the TI documentation and indeed, it needs to be the DER encoded certificate of the root CA.The root CA of *.servicebus.windows.net is Baltimore CyberTrust Root. So I updated my code to:

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_SEC)
ss = ssl.wrap_socket(s,cert_reqs=ssl.CERT_REQUIRED, ca_certs='/flash/cert/baltimoreCyberTrustRoot.der')

When connecting I used:
ss.connect(socket.getaddrinfo('ronald.servicebus.windows.net', 443)[0][4])

This returned OSError 456. I think that is because socket.getaddrinfo returns an ip-adress. The common name (CN = servicebus.windows.net) of the certificate contains a url. Connecting to the service from my browser succeeds when using the url and fails with an certificate error when using the ip-address.

So my second change is:
ss.connect(('ronald.servicebus.windows.net', 443))

However this results in OSError 111. From the TI documentation, this could mean several things, of which one is "connection refused".

I read from the TI documentation, that by default SSLv3 and TLS v1.2 are supported (default value of SL_SO_SECMETHOD is SL_SO_SEC_METHOD_SSLv3_TLSV1_2). Azure doesn't support SSLv3. A sample application I found on Github which exactly does what I want (https://github.com/remixed123/IoT), explicitly sets SSL support to TLS v1 (SL_SO_SEC_METHOD_TLSV1). Can I change the SSL settings?

Any ideas how to connect to azure service bus using WiPy?

TIA
Ronald

[danicampora]

The problem is not the SSL/TLS version (it will be automatically negotiated), the issue is that you MUST name the certificate file as 'ca.pem' (no matter the format) and place it in /flash/cert/.

Cheers,
Daniel

[ronaldk]

Thanks again for answering.

Following your guidelines
- Use DER encoded root CA;
- Upload the certificate as ca.pem;
- Resolve hostname to IP-adres before connecting,
the following code should do the trick, but as you can see it returns 208.

>>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_SEC)
>>> ss = ssl.wrap_socket(s, cert_reqs=ssl.CERT_REQUIRED, ca_certs='/flash/cert/ca.pem')
>>> ss.connect(socket.getaddrinfo('ronald.servicebus.windows.net', 443)[0][4])
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
OSError: 208
>>>

also, without certificate validation, the same error occurs:
>>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_SEC)
>>> ss = ssl.wrap_socket(s, cert_reqs=ssl.CERT_NONE)
>>> ss.connect(socket.getaddrinfo('ronald.servicebus.windows.net', 443)[0][4])
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
OSError: 208

What does 208 mean or - my primary goal - how to connect to azure service bus?

Please note that connecting to another site is not an issue:
>>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_SEC)
>>> ss = ssl.wrap_socket(s, cert_reqs=ssl.CERT_NONE)
>>> ss.connect(socket.getaddrinfo('www.google.com' , 443)[0][4])
>>>

btw. I tried to upload the certificate, but it wouldn't accept *.pem nor *.pm.txt as file extensions.

Thanks,
Ronald

[danicampora]

Hi Ronald,

Thanks for the pointer regarding the SSL/TLS method, you were right. That was the issue.
In: https://github.com/micropython/micropyt ... f14e5f724f I forced the method to TLSV1 and this works with google, blynk and now also with Azure.

I recommend trying without the certificate first, and then with it, in order to discard any certificates problems first. Also make sure to set the current time in the RTC before calling ssl.wrap_socket(), since proper time setting are required to validate the server certificate.

A new binary with this patch should be available in http://micropython.org/download/ in around an hour.

Cheers,
Daniel

[ronaldk]

Hi Daniel,

I'll try first thing I get home this evening (well, after all family business ) and will let you know.
Great support!

/Ronald

[ronaldk]

Hi Daniel,

Works like a charm, also with root certificate validation.
Many thanks for fixing the issue.

Regards,
Ronald

[danicampora]

Great! Thanks for the feedback

[Knoahlr]

Great! Thanks for the feedback

Hi dani,

I'm having an issue connecting to a secure site.
I'm using the esp8266 Node MCU w micropython 1.8.6
I think the problem is that the ssl module does not support server certificate validation.

"ssl_handshake_status:-256"

Do you any possible solution to this?



Sent from my SM-G930W8 using Tapatalk