
WiFi101 WiFiSSLClient issues

Please be positive and constructive with your questions and comments.

WiFi101 WiFiSSLClient issues

by sensei on Thu Oct 12, 2017 2:57 pm

I'm using a Feather M0 WiFi. It connects to the network just fine and I have upgraded the firmware and SSL certs as per here: https://learn.adafruit.com/adafruit-fea ... rtificates

My server is using a Let's Encrypt Authority X3 certificate, seen here: https://blockymcblockface.org/test
I've tested the code with a website using the same root authority, i.e. https://slashdot.org/popular

I'm using the example code WiFiSSLClient, tweaking it slightly to change the server from https://www.google.com to the respective servers. It works great for slashdot.org but not for mine. Code posted below:

BLOCKYMCBLOCKFACE.ORG
/*
This example creates a client object that connects and transfers
data using always SSL.

It is compatible with the methods normally related to plain
connections, like client.connect(host, port).

Written by Arturo Guadalupi
last revision November 2015

*/

#include <SPI.h>
#include <WiFi101.h>

#include "arduino_secrets.h"
///////please enter your sensitive data in the Secret tab/arduino_secrets.h
char ssid[] = SECRET_SSID;        // your network SSID (name)
char pass[] = SECRET_PASS;    // your network password (use for WPA, or use as key for WEP)
int keyIndex = 0;            // your network key Index number (needed only for WEP)

int status = WL_IDLE_STATUS;
// if you don't want to use DNS (and reduce your sketch size)
// use the numeric IP instead of the name for the server:
//IPAddress server(74,125,232,128);  // numeric IP for Google (no DNS)
char server[] = "blockymcblockface.org";    // MINE! DOES NOT WORK

// Initialize the WiFi SSL client; the request below goes to
// port 443, the default for HTTPS:
WiFiSSLClient client;

void setup() {
  WiFi.setPins(8,7,4,2);
  //Initialize serial and wait for port to open:
  Serial.begin(9600);
  while (!Serial) {
    ; // wait for serial port to connect. Needed for native USB port only
  }

  // check for the presence of the shield:
  if (WiFi.status() == WL_NO_SHIELD) {
    Serial.println("WiFi shield not present");
    // don't continue:
    while (true);
  }

  // attempt to connect to WiFi network:
  while (status != WL_CONNECTED) {
    Serial.print("Attempting to connect to SSID: ");
    Serial.println(ssid);
    // Connect to WPA/WPA2 network. Change this line if using open or WEP network:
    status = WiFi.begin(ssid, pass);

    // wait 10 seconds for connection:
    delay(10000);
  }
  Serial.println("Connected to wifi");
  printWiFiStatus();

  Serial.println("\nStarting connection to server...");
  // if you get a connection, report back via serial:
  if (client.connect(server, 443)) {
    Serial.println("connected to server");
    // Make a HTTP request:
    client.println("GET /test/ HTTP/1.1");
    client.println("Host: blockymcblockface.org");
    client.println("Connection: close");
    client.println();
  } else {
    // connect() returns 0 when the TCP connection or the TLS handshake fails
    Serial.println("connection to server failed");
  }
}

void loop() {
  // if there are incoming bytes available
  // from the server, read them and print them:
  while (client.available()) {
    char c = client.read();
    Serial.write(c);
  }

  // if the server's disconnected, stop the client:
  if (!client.connected()) {
    Serial.println();
    Serial.println("disconnecting from server.");
    client.stop();

    // do nothing forevermore:
    while (true);
  }
}


void printWiFiStatus() {
  // print the SSID of the network you're attached to:
  Serial.print("SSID: ");
  Serial.println(WiFi.SSID());

  // print your WiFi shield's IP address:
  IPAddress ip = WiFi.localIP();
  Serial.print("IP Address: ");
  Serial.println(ip);

  // print the received signal strength:
  long rssi = WiFi.RSSI();
  Serial.print("signal strength (RSSI):");
  Serial.print(rssi);
  Serial.println(" dBm");
}
SLASHDOT.ORG
/*
This example creates a client object that connects and transfers
data using always SSL.

It is compatible with the methods normally related to plain
connections, like client.connect(host, port).

Written by Arturo Guadalupi
last revision November 2015

*/

#include <SPI.h>
#include <WiFi101.h>

#include "arduino_secrets.h"
///////please enter your sensitive data in the Secret tab/arduino_secrets.h
char ssid[] = SECRET_SSID;        // your network SSID (name)
char pass[] = SECRET_PASS;    // your network password (use for WPA, or use as key for WEP)
int keyIndex = 0;            // your network key Index number (needed only for WEP)

int status = WL_IDLE_STATUS;
// if you don't want to use DNS (and reduce your sketch size)
// use the numeric IP instead of the name for the server:
//IPAddress server(74,125,232,128);  // numeric IP for Google (no DNS)
char server[] = "slashdot.org";    // THIS ONE WORKS GREAT

// Initialize the WiFi SSL client; the request below goes to
// port 443, the default for HTTPS:
WiFiSSLClient client;

void setup() {
  WiFi.setPins(8,7,4,2);
  //Initialize serial and wait for port to open:
  Serial.begin(9600);
  while (!Serial) {
    ; // wait for serial port to connect. Needed for native USB port only
  }

  // check for the presence of the shield:
  if (WiFi.status() == WL_NO_SHIELD) {
    Serial.println("WiFi shield not present");
    // don't continue:
    while (true);
  }

  // attempt to connect to WiFi network:
  while (status != WL_CONNECTED) {
    Serial.print("Attempting to connect to SSID: ");
    Serial.println(ssid);
    // Connect to WPA/WPA2 network. Change this line if using open or WEP network:
    status = WiFi.begin(ssid, pass);

    // wait 10 seconds for connection:
    delay(10000);
  }
  Serial.println("Connected to wifi");
  printWiFiStatus();

  Serial.println("\nStarting connection to server...");
  // if you get a connection, report back via serial:
  if (client.connect(server, 443)) {
    Serial.println("connected to server");
    // Make a HTTP request:
    client.println("GET /popular/ HTTP/1.1");
    client.println("Host: slashdot.org");
    client.println("Connection: close");
    client.println();
  } else {
    // connect() returns 0 when the TCP connection or the TLS handshake fails
    Serial.println("connection to server failed");
  }
}

void loop() {
  // if there are incoming bytes available
  // from the server, read them and print them:
  while (client.available()) {
    char c = client.read();
    Serial.write(c);
  }

  // if the server's disconnected, stop the client:
  if (!client.connected()) {
    Serial.println();
    Serial.println("disconnecting from server.");
    client.stop();

    // do nothing forevermore:
    while (true);
  }
}


void printWiFiStatus() {
  // print the SSID of the network you're attached to:
  Serial.print("SSID: ");
  Serial.println(WiFi.SSID());

  // print your WiFi shield's IP address:
  IPAddress ip = WiFi.localIP();
  Serial.print("IP Address: ");
  Serial.println(ip);

  // print the received signal strength:
  long rssi = WiFi.RSSI();
  Serial.print("signal strength (RSSI):");
  Serial.print(rssi);
  Serial.println(" dBm");
}
The output for BLOCKYMCBLOCKFACE.ORG is as follows:
Attempting to connect to SSID: my_ssid
Connected to wifi
SSID: my_ssid
IP Address: ***.***.***.***
signal strength (RSSI):-74 dBm

Starting connection to server...

disconnecting from server.

Does anyone have any ideas why it doesn't work? Thank you.

sensei
 
Posts: 16
Joined: Thu Jul 20, 2017 3:25 pm

Re: WiFi101 WiFiSSLClient issues

by sensei on Thu Oct 12, 2017 3:45 pm

I should mention that even if I match the exact same cipher suite, I get the same result. Apache settings:

SSLCipherSuite DHE-RSA:HMAC:SHA1:SHA256


Re: WiFi101 WiFiSSLClient issues

by sensei on Wed Oct 18, 2017 12:16 pm

I've done some further investigation into this and may have figured out the issue. Any time I try to connect to a server using a certificate issued by Let's Encrypt that is generated using an RSA 4096-bit key, it fails to connect, for example:
https://certbot.eff.org

On the other hand, if it is generated using an RSA 2048-bit key, it connects successfully, for example:
https://slashdot.org

This was the only common factor that I could tell. I wonder if this issue is known and, if not, where I could report it. I may have a hard time requesting a 2048-bit key cert from Let's Encrypt, even though it is the default, due to this issue:
https://github.com/kristapsdz/acme-client/issues/20

Thank you


Re: WiFi101 WiFiSSLClient issues

by sensei on Wed Oct 18, 2017 3:58 pm

Well, just to close off this issue and in case it helps anybody else searching on it, I can confirm 100% that the issue is that a 4096-bit certificate RSA key is not supported by the Feather M0 WiFi.

You can run your site through here to find out the server's certificate key length: https://www.ssllabs.com/ssltest/

In my case to fix the issue, I had to manually compile the Let's Encrypt acme-client after changing in rsa.c:

#define   KBITS 4096
to
#define   KBITS 2048
Enjoy :)

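The key-size check sensei did on ssllabs.com (posts of Oct 18), done locally with the openssl command-line tool, as an added example that is not part of the thread. It assumes `openssl` is installed; the helper names and the `/tmp` paths are my own, and the 2048-bit/4096-bit boundary is taken from what the thread reports as working and failing on the Feather M0 WiFi.

```shell
#!/bin/sh
# Added example (not from the thread): report a server certificate's RSA key size
# and flag the 4096-bit case that the Feather M0 WiFi / WiFi101 stack rejects.
# Assumes the openssl CLI is installed.

# Print the public-key bit length of the first certificate in a PEM file.
# Matches both "Public-Key: (2048 bit)" (OpenSSL 1.0/3.x) and
# "RSA Public-Key: (2048 bit)" (OpenSSL 1.1.x).
cert_key_bits() {
  openssl x509 -noout -text -in "$1" |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Fetch the leaf certificate a host serves on port 443 and save it as PEM.
# -servername sends SNI, so a virtual host returns its own certificate.
# usage: fetch_leaf_cert host out.pem   (needs network; not run by the test)
fetch_leaf_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform PEM > "$2"
}

# Return 0 for the 2048-bit size the thread reports as working on the Feather,
# 1 for the 4096-bit size it reports as failing (or if no key size was found).
# usage: feather_compatible cert.pem
feather_compatible() {
  bits=$(cert_key_bits "$1")
  [ -n "$bits" ] && [ "$bits" -le 2048 ]
}

# Stand-alone demo: build a throwaway self-signed cert of each size
# (constructed test data, nothing is contacted) and classify both.
if [ "${1:-}" = "--demo" ]; then
  for kb in 2048 4096; do
    openssl req -x509 -newkey "rsa:$kb" -nodes -keyout "/tmp/demo$kb.key" \
      -out "/tmp/demo$kb.pem" -subj "/CN=demo" -days 1 2>/dev/null
    if feather_compatible "/tmp/demo$kb.pem"; then
      echo "$kb-bit key: connects from the Feather M0 WiFi"
    else
      echo "$kb-bit key: WiFiSSLClient handshake will fail"
    fi
  done
fi
```

Run it as `sh check_key_bits.sh --demo` for the offline demonstration, or source it and call `fetch_leaf_cert blockymcblockface.org leaf.pem && cert_key_bits leaf.pem` against a live host.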
