Issue connecting sockets to some websites

jphalip
Posts: 7
Joined: Thu Apr 29, 2021 2:22 am

Post by jphalip » Mon May 03, 2021 2:40 am

Hi,

I'm using a fresh install of esp8266-1m-20210418-v1.15.bin on an ESP-01 with 1MB flash and I'm having some issues opening sockets to some websites.

Here's the basic code:

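```
import socket
import ussl

def socket_connect(hostname):
    # Resolve the host and take the sockaddr of the first result
    addr = socket.getaddrinfo(hostname, 443)[0][-1]
    s = socket.socket()
    try:
        s.connect(addr)
        # Wrap the TCP socket in TLS
        s = ussl.wrap_socket(s, server_hostname=hostname)
    finally:
        # Close the socket even when the connection or TLS setup fails
        s.close()
    return True
```

It works fine for some sites: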

```
>>> socket_connect('www.google.com')
True
>>> socket_connect('www.yahoo.com')
True
>>> socket_connect('micropython.org')
True
```

However, I get at least two kinds of errors with other sites.

Here's the first error:

```
>>> socket_connect('www.nytimes.com')
TLS buffer overflow, record size: 5176 (+5)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<stdin>", line 26, in socket_connect
OSError: (-257, 'RECORD_OVERFLOW')
```

I believe this is caused by the SSL buffer being too small. In the past I was able to fix this using an AT command: "AT+CIPSSLSIZE=8192". Is it possible to do the same with MicroPython?

Here is the second error:

```
>>> socket_connect('www.wikimedia.org')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<stdin>", line 26, in socket_connect
OSError: -40
```

Is that related to the previous error? Do you know how to fix it?

Thanks!

Julien

jphalip
Posts: 7
Joined: Thu Apr 29, 2021 2:22 am

Re: Issue connecting sockets to some websites

Post by jphalip » Sat May 08, 2021 11:53 pm

Just a friendly bump :)

If someone has some clues on how to address this, please let me know. Thanks!

pythoncoder
Posts: 5205
Joined: Fri Jul 18, 2014 8:01 am
Location: UK

Re: Issue connecting sockets to some websites

Post by pythoncoder » Sun May 09, 2021 8:24 am

SSL/TLS on ESP8266 is challenging in terms of RAM; however, I don't understand the subject well enough to comment on why success is site dependent.
Peter Hinch

jphalip
Posts: 7
Joined: Thu Apr 29, 2021 2:22 am

Re: Issue connecting sockets to some websites

Post by jphalip » Sun May 09, 2021 10:25 pm

Thanks for your reply.

Regarding the two issues:

1) OSError: (-257, 'RECORD_OVERFLOW')

I saw in this thread on GitHub that this was due to an SSL buffer overflow. So as suggested in that thread I rebuilt MicroPython with "-DRT_EXTRA=8192" (Note: I'm using an ESP-01 with a 1MB flash size):

```
docker run --rm -v $HOME:$HOME -u $UID -w $PWD larsks/esp-open-sdk make -C mpy-cross
cd ports/esp8266
docker run --rm -v $HOME:$HOME -u $UID -w $PWD larsks/esp-open-sdk make BOARD=GENERIC_1M
esptool.py -p ${PORT} erase_flash
esptool.py --port ${PORT} --baud 460800 write_flash --flash_size=detect 0 build-GENERIC_1M/firmware-combined.bin
```

And that indeed did fix the issue:

```
>>> socket_connect('www.nytimes.com')
True
```

2) OSError: -40

I'm still having this issue. Apparently I'm not the only one, as per these issues on GitHub:
https://github.com/micropython/micropython/issues/6468
https://github.com/micropython/micropyt ... issues/400

Any tips on how to troubleshoot this would be very welcome. Thanks!
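
An added illustration, not code from the thread or from MicroPython: every TLS record starts with a 5-byte header that declares the body length, so a receiver with a small record buffer can tell from the header alone that a record like the 5176-byte one reported above will not fit. This CPython sketch walks a constructed byte stream; the helper names and the buffer sizes are assumptions.

```python
import struct

TLS_HEADER_LEN = 5         # content type (1) + protocol version (2) + length (2)
TLS_MAX_PLAINTEXT = 16384  # 2**14, largest plaintext fragment in a TLS 1.2 record
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def make_record(ctype, length):
    """Build a constructed TLS 1.2 record with a zero-filled body."""
    return struct.pack("!BBBH", ctype, 3, 3, length) + bytes(length)


# Constructed stream: a small handshake record, then one whose declared length
# matches the 5176 bytes reported in the error message above.
SAMPLE_STREAM = make_record(22, 90) + make_record(22, 5176)


def walk_records(stream, rx_buffer):
    """Return (type, declared_length, fits) for each record header in stream.

    rx_buffer is the receiver's record buffer size in bytes (a hypothetical
    parameter; the firmware's real value depends on its build flags).
    """
    records, offset = [], 0
    while offset + TLS_HEADER_LEN <= len(stream):
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError("no TLS record header at offset %d" % offset)
        # The length is known as soon as the header arrives, so the receiver
        # can refuse the record before reading its body.
        records.append((CONTENT_TYPES[ctype], length, length <= rx_buffer))
        offset += TLS_HEADER_LEN + length
    return records


def first_overflow(stream, rx_buffer):
    """Return the first record that does not fit in rx_buffer, or None."""
    for record in walk_records(stream, rx_buffer):
        if not record[2]:
            return record
    return None


if __name__ == "__main__":
    for size in (4096, TLS_MAX_PLAINTEXT):  # constructed buffer sizes
        print(size, first_overflow(SAMPLE_STREAM, size))
```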

jphalip
Posts: 7
Joined: Thu Apr 29, 2021 2:22 am

Re: Issue connecting sockets to some websites

Post by jphalip » Mon May 10, 2021 12:05 am

An update from my research:

According to this GitHub thread, this issue might be due to the fact that the AXTLS library doesn't support ECDHE ciphers. This makes sense as the site that's failing for me indeed uses the following:

```
nmap --script ssl-enum-ciphers -p 443 www.wikimedia.org
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-09 17:02 PDT
Nmap scan report for www.wikimedia.org (198.35.26.96)
Host is up (0.0048s latency).
rDNS record for 198.35.26.96: text-lb.ulsfo.wikimedia.org

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
```

Apparently there is an open pull request to allow using Mbed TLS instead of AXTLS.

If anyone has any further advice, or knows the status of that pull request, please let me know.
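
An added example, not part of the original posts: a CPython script that parses ssl-enum-ciphers output like the scan above and lists the offered suites whose key exchange is not ECDHE, which is the check the post makes by eye. It filters on ECDHE only, as the post describes; whether the client implements the remaining suites is a separate question. `LEGACY` is constructed output for a hypothetical server, and the function names are assumptions.

```python
import re

# Abridged from the nmap output quoted in the post above.
WIKIMEDIA = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|_  least strength: A
"""
# Constructed output for a hypothetical server that still offers RSA key exchange.
LEGACY = """\
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
"""

VERSION_RE = re.compile(r"^\|\s+((?:TLSv|SSLv)[\d.]+):")
SUITE_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)")


def parse_enum_ciphers(text):
    """Return {protocol_version: [suite, ...]} from ssl-enum-ciphers output."""
    offered, version = {}, None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            version = m.group(1)
            offered[version] = []
        elif version and SUITE_RE.match(line):
            offered[version].append(SUITE_RE.match(line).group(1))
    return offered


def key_exchange(suite):
    """Key-exchange part of a suite name ('ECDHE_RSA', 'RSA'), or None for
    TLS 1.3 style names, which do not encode a key exchange."""
    head, sep, _ = suite[len("TLS_"):].partition("_WITH_")
    return head if sep else None


def suites_without_ecdhe(offered):
    """Offered suites whose key exchange a client lacking ECDHE could perform."""
    return [s for suites in offered.values() for s in suites
            if key_exchange(s) and "ECDHE" not in key_exchange(s)]
```

An empty result from `suites_without_ecdhe(parse_enum_ciphers(WIKIMEDIA))` means a client without ECDHE has no key exchange in common with that server, so the handshake cannot complete.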

SpotlightKid
Posts: 459
Joined: Wed Apr 08, 2015 5:19 am

Re: Issue connecting sockets to some websites

Post by SpotlightKid » Mon May 10, 2021 12:08 pm

See also Damien's remark on this PR in the linked issue https://github.com/micropython/micropyt ... -690840497. I think it's unlikely that this gets merged in the current state, i.e. with mbedtls being the default. But that's just my conjecture.
