Connect over SSL

Questions and discussion about The WiPy 1.0 board and CC3200 boards.
Target audience: Users with a WiPy 1.0 or CC3200 board.
ronaldk
Posts: 7
Joined: Sat Oct 31, 2015 9:02 pm

Connect over SSL

Post by ronaldk » Sat Oct 31, 2015 10:25 pm

Hi all,

I am trying to connect to a public service over SSL (servicebus.windows.net). Following http://micropython.org/resources/docs/e ... odule-ussl, I use the following code:

import socket
import ssl

addr = socket.getaddrinfo('<mynamespace>.servicebus.windows.net', 443)[0][4]
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_SEC)
ss = ssl.wrap_socket(s, cert_reqs=ssl.CERT_REQUIRED, ca_certs='/flash/cert/ca.pem')
ss.connect(addr)

On the last line I get OSError 456. I think it means "Error secure level, bad CA file". Sometimes, when changing the ca.pem, I get an OSError 208, no clue what that means, nor what's better ;-)

I noticed that the format of the ca.pem file associated with the Blynk example (seems binary) differs from my generated ca.pem. I created the certificate by:
1. Navigate to the service URL
2. Install the certificate to the certificate store (running on Windows)
3. Export the certificate as DER encoded
4. Convert using openssl to a PEM (result is a base64 encoded certificate)
5. Upload to /flash/cert/ca.pem

How can I generate a valid ca.pem certificate or what does the wipy consider to be a valid ca.pem?

Regards,
Ronald

danicampora
Posts: 342
Joined: Tue Sep 30, 2014 7:20 am

Re: Connect over SSL

Post by danicampora » Sun Nov 01, 2015 12:03 pm

Hi,

Probably PEM is not the right encoding, the file extension I took from TI's doc. The right format is DER I think, check this certificate:

https://github.com/wipy/wipy/blob/maste ... m?raw=true

and make sure yours looks like that one (kinda binary).

Cheers,
Daniel

ronaldk
Posts: 7
Joined: Sat Oct 31, 2015 9:02 pm

Re: Connect over SSL

Post by ronaldk » Tue Nov 03, 2015 6:28 am

Hi Daniel,

Thanks for your response.
I looked into the TI documentation and indeed, it needs to be the DER encoded certificate of the root CA. The root CA of *.servicebus.windows.net is Baltimore CyberTrust Root. So I updated my code to:

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_SEC)
ss = ssl.wrap_socket(s,cert_reqs=ssl.CERT_REQUIRED, ca_certs='/flash/cert/baltimoreCyberTrustRoot.der')

When connecting I used:
ss.connect(socket.getaddrinfo('ronald.servicebus.windows.net', 443)[0][4])

This returned OSError 456. I think that is because socket.getaddrinfo returns an IP address. The common name (CN = servicebus.windows.net) of the certificate contains a URL. Connecting to the service from my browser succeeds when using the URL and fails with a certificate error when using the IP address.

So my second change is:
ss.connect(('ronald.servicebus.windows.net', 443))

However this results in OSError 111. From the TI documentation, this could mean several things, of which one is "connection refused".

I read from the TI documentation that by default SSLv3 and TLS v1.2 are supported (default value of SL_SO_SECMETHOD is SL_SO_SEC_METHOD_SSLv3_TLSV1_2). Azure doesn't support SSLv3. A sample application I found on Github which does exactly what I want (https://github.com/remixed123/IoT) explicitly sets SSL support to TLS v1 (SL_SO_SEC_METHOD_TLSV1). Can I change the SSL settings?

Any ideas how to connect to azure service bus using WiPy?

TIA
Ronald

danicampora
Posts: 342
Joined: Tue Sep 30, 2014 7:20 am

Re: Connect over SSL

Post by danicampora » Wed Nov 04, 2015 8:37 pm

The problem is not the SSL/TLS version (it will be automatically negotiated), the issue is that you MUST name the certificate file as 'ca.pem' (no matter the format) and place it in /flash/cert/.

Cheers,
Daniel

ronaldk
Posts: 7
Joined: Sat Oct 31, 2015 9:02 pm

Re: Connect over SSL

Post by ronaldk » Thu Nov 05, 2015 6:19 pm

Thanks again for answering.

Following your guidelines
- Use DER encoded root CA;
- Upload the certificate as ca.pem;
- Resolve hostname to IP address before connecting,
the following code should do the trick, but as you can see it returns 208.

>>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_SEC)
>>> ss = ssl.wrap_socket(s, cert_reqs=ssl.CERT_REQUIRED, ca_certs='/flash/cert/ca.pem')
>>> ss.connect(socket.getaddrinfo('ronald.servicebus.windows.net', 443)[0][4])
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
OSError: 208
>>>

Also, without certificate validation, the same error occurs:
>>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_SEC)
>>> ss = ssl.wrap_socket(s, cert_reqs=ssl.CERT_NONE)
>>> ss.connect(socket.getaddrinfo('ronald.servicebus.windows.net', 443)[0][4])
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
OSError: 208

What does 208 mean or - my primary goal - how to connect to azure service bus?

Please note that connecting to another site is not an issue:
>>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_SEC)
>>> ss = ssl.wrap_socket(s, cert_reqs=ssl.CERT_NONE)
>>> ss.connect(socket.getaddrinfo('www.google.com' , 443)[0][4])
>>>

BTW, I tried to upload the certificate, but it wouldn't accept *.pem nor *.pm.txt as file extensions.

Thanks,
Ronald
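An added check, not code from this thread or from the WiPy firmware, covering the certificate-format step discussed above (Daniel's note that ca.pem must hold the DER, "kinda binary" form, and the step list in this post): it takes whatever the Windows export produced, converts a PEM block to DER when needed, and verifies that the result is exactly one DER SEQUENCE before it is written out as /flash/cert/ca.pem. It runs under CPython; the sample bytes are a constructed ASN.1 SEQUENCE, not a real CA certificate.

```python
import base64
import re

# Where the WiPy firmware looks for the trusted root CA: the file name is fixed
# to ca.pem even when the content is DER (as stated in the thread).
WIPY_CA_PATH = "/flash/cert/ca.pem"

_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

def looks_like_pem(data):
    """True when the bytes carry at least one PEM-armoured CERTIFICATE block."""
    return _PEM_BLOCK.search(data) is not None

def pem_to_der(data):
    """Decode the first PEM CERTIFICATE block into raw DER bytes."""
    match = _PEM_BLOCK.search(data)
    if match is None:
        raise ValueError("no PEM CERTIFICATE block found")
    body = b"".join(match.group(1).split())  # drop line breaks inside the base64
    return base64.b64decode(body, validate=True)

def der_total_length(der):
    """Length of the outer DER SEQUENCE (tag + length + value), or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:  # a certificate is an ASN.1 SEQUENCE
        return None
    first = der[1]
    if first < 0x80:  # short form: the byte is the length itself
        return 2 + first
    n = first & 0x7F  # long form: n following bytes hold the length, big-endian
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def is_single_der_certificate(der):
    """The file must be exactly one DER SEQUENCE, nothing before or after it."""
    return der_total_length(der) == len(der)

def normalize_ca_cert(data):
    """Return DER bytes suitable for writing to WIPY_CA_PATH, converting PEM if needed."""
    der = pem_to_der(data) if looks_like_pem(data) else data
    if not is_single_der_certificate(der):
        raise ValueError("not a single DER-encoded certificate")
    return der

# Constructed sample data: a minimal DER SEQUENCE { INTEGER 5 }, not a real CA
# certificate, wrapped in PEM armour the way an openssl conversion would emit it.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
```

Run it on the PC against the exported file and copy only the returned DER bytes to the board as ca.pem; a ValueError means the export step produced something the firmware will reject before any TLS handshake is attempted.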

danicampora
Posts: 342
Joined: Tue Sep 30, 2014 7:20 am

Re: Connect over SSL

Post by danicampora » Thu Nov 05, 2015 11:18 pm

Hi Ronald,

Thanks for the pointer regarding the SSL/TLS method, you were right. That was the issue.
In: https://github.com/micropython/micropyt ... f14e5f724f I forced the method to TLSV1 and this works with google, blynk and now also with Azure.

I recommend trying without the certificate first, and then with it, in order to rule out any certificate problems first. Also make sure to set the current time in the RTC before calling ssl.wrap_socket(), since a proper time setting is required to validate the server certificate.

A new binary with this patch should be available in http://micropython.org/download/ in around an hour.

Cheers,
Daniel

ronaldk
Posts: 7
Joined: Sat Oct 31, 2015 9:02 pm

Re: Connect over SSL

Post by ronaldk » Fri Nov 06, 2015 5:44 am

Hi Daniel,

I'll try first thing I get home this evening (well, after all family business ;) ) and will let you know.
Great support!

/Ronald

ronaldk
Posts: 7
Joined: Sat Oct 31, 2015 9:02 pm

Re: Connect over SSL

Post by ronaldk » Fri Nov 06, 2015 7:13 pm

Hi Daniel,

Works like a charm, also with root certificate validation.
Many thanks for fixing the issue.

Regards,
Ronald

danicampora
Posts: 342
Joined: Tue Sep 30, 2014 7:20 am

Re: Connect over SSL

Post by danicampora » Sat Nov 07, 2015 11:27 am

Great! Thanks for the feedback :-)

Knoahlr
Posts: 7
Joined: Wed Nov 16, 2016 11:37 pm

Re: RE: Re: Connect over SSL

Post by Knoahlr » Sun Nov 20, 2016 8:18 am

danicampora wrote: Great! Thanks for the feedback :-)
Hi dani,

I'm having an issue connecting to a secure site.
I'm using the esp8266 Node MCU w micropython 1.8.6
I think the problem is that the ssl module does not support server certificate validation.

"ssl_handshake_status:-256"

Do you have any possible solution to this?

