Problem with AdafruitTCP::connectSSL method?

ken_s
 
Posts: 2
Joined: Wed Nov 29, 2017 2:59 pm

Post by ken_s »

I've run into a connectivity issue with the WICED WiFi Feather when trying to connect to my website using SSL/TLS. For testing purposes, I used the example sketch Adafruit WICED Examples->TLS->HttpsCustomRootCA. This sketch is basic and the one I chose originally to try and debug when I thought my problem was SSL certificate related. Although I no longer think that is the case, I'm at a loss (without better debugging tools) at getting to the root cause of this problem.

To begin, this sketch works fine when using the default website and page ("www.reddit.com"). When changing the SERVER to my website ("gardenmeister.website") however, I get the error shown below.
HTTPS Custom Root CA Example
Bootloader : 1.0.0
WICED SDK : 3.5.2
FeatherLib : 0.6.5
Arduino API : 0.6.6

WARNING: Featherlib & Arduino library version are not matched
Please update Featherlib or Arduino library if possible

Please wait while connecting to: 'HOME-0435' ... Connected!

SSID : HOME-0435 (-57 dBm)
Encryption : WPA2_MIXED
MAC Address : 6C:0B:84:CA:23:64
Local IP : 10.0.0.8
Gateway : 10.0.0.1
Subnet Mask : 255.255.255.0

Connecting to gardenmeister.website port 443 ...
SDEP_CMD_TCP_CONNECT failed, Error: SOCKET_CLOSED (7014)

--- FEATHER HALTED ---
Thinking that the problem was in the SSL certification process, I then added the following line to the Setup: http.tlsRequireVerification(false); (bypassing the TLS verification). The result was the same. However, when I switched to port 80 (and changed http.connectSSL() to http.connect()), it worked the way I would expect, returning a standard 301 Document Moved page. This narrows the problem down to something in the AdafruitTCP::connectSSL method.

I re-compiled this program many times, replacing the SERVER variable with different website names each time. Most sites I tried worked. But some others did not (although their error number was different from mine, which makes me think there could be multiple issues). My best guess is that it may be timing related (my site is not exactly running on an enterprise platform), but I'm not sure if that's really true or what to do about it if it is. (For what it's worth, I'm able to post data with no problems using the Metro M0 Express and WINC1500 shield on the same computer.) Thanks in advance to anyone who could help with this.

P.S. Is there a complete list of error codes somewhere, and if so, could someone please point me to it? If not, could someone provide more insight into error numbers 7014 and 5018?
P.P.S. Other secure websites I tried that failed:

goldprice.org / - hangs on connect
http://www.BANNED.gov / - ERROR_FATAL_ALERT_MESSAGE (5018)
http://www.eaa.org /eaa - ERROR_FATAL_ALERT_MESSAGE (5018)
calikimgardenandhome.com / - ERROR_FATAL_ALERT_MESSAGE (5018)
za.godaddy.com / - ERROR_FATAL_ALERT_MESSAGE (5018)

ktownsend
Posts: 1447
Joined: Thu Nov 05, 2009 2:18 am

Re: Problem with AdafruitTCP::connectSSL method?

Post by ktownsend »

Can you please provide the sketch you are using to reproduce this issue, so we have something comparable to test against on both sides? The main dev for this is out on holiday; when they're back I'll ask them to have a look. Unfortunately, we have zero control over the black-box TLS code, which is provided as a binary library with the WICED API, and there are some known bugs in it (memory leaks, etc.). :(

ken_s
Posts: 2
Joined: Wed Nov 29, 2017 2:59 pm

Re: Problem with AdafruitTCP::connectSSL method?

Post by ken_s »

Sure thing. It's essentially the HTTPSCustomRootCA example sketch with http.tlsRequireVerification set to false. I tried looking at the source, but the trail went cold at the AdafruitTCP::connectSSL method, which I believe is where the code enters that black box. What I would love to know is: what's the difference between my website (and a few others that failed) and the many others that worked?

Thanks for your speedy reply, I look forward to hearing from your main devs when they get back.

Code:

#include <adafruit_feather.h>
#include <adafruit_http.h>
#include "certificates.h"

#define WLAN_SSID               "my SSID"
#define WLAN_PASS               "my Password"

#define SERVER                  "gardenmeister.website" //"www.reddit.com"
#define PAGE                    "/" 
#define HTTPS_PORT              443

// RootCAs require a lot of SRAM to manage (~900 bytes for each certificate
// in the chain). The default RootCA has 5 certificates, so ~4.5 KB of
// FeatherLib's SRAM is used to manage them.
// A lack of memory could cause FeatherLib to malfunction in some cases.
// It is advised to disable the default RootCA list if you only need to
// connect to one specific website (or sites where the RootCA is not
// included in the default root certificate chain).
#define INCLUDE_DEFAULT_ROOTCA  0

#define USER_AGENT_HEADER    "curl/7.45.0"

int ledPin = PA15;

// Use the HTTP class
AdafruitHTTP http;

/**************************************************************************/
/*!
    @brief  TCP/HTTP received callback
*/
/**************************************************************************/
void receive_callback(void)
{ 
  // If there are incoming bytes available
  // from the server, read then print them:
  while ( http.available() )
  {
    int c = http.read();
    Serial.write( (isprint(c) || iscntrl(c)) ? ((char)c) : '.');
  }
}

/**************************************************************************/
/*!
    @brief  TCP/HTTP disconnect callback
*/
/**************************************************************************/
void disconnect_callback(void)
{ 
  Serial.println();
  Serial.println("---------------------");
  Serial.println("DISCONNECTED CALLBACK");
  Serial.println("---------------------");
  Serial.println();
}

/**************************************************************************/
/*!
    @brief  The setup function runs once when coming out of reset
*/
/**************************************************************************/
void setup()
{
  Serial.begin(115200);

  // Wait for the Serial Monitor to open
  while (!Serial)
  {
    /* Delay required to avoid RTOS task switching problems */
    delay(1);
  }
  
  Serial.println("HTTPS Custom Root CA Example");

  /******************* I added this below: ************************************/
  // Optional: Disable TLS certificate verification (accept any server)
  http.tlsRequireVerification(false);
  //http.usePacketBuffering(true);

  // Print all software versions
  Feather.printVersions();

  while ( !connectAP() )
  {
    delay(500); // Small delay between each attempt
  }

  // Connected: Print network info
  Feather.printNetwork();

  // Include default RootCA if necessary
  Feather.useDefaultRootCA(INCLUDE_DEFAULT_ROOTCA);

  // Add custom RootCA since target server is not covered by default list
  Feather.addRootCA(rootca_certs, ROOTCA_CERTS_LEN);
 
  // Tell the HTTP client to auto print error codes and halt on errors
  http.err_actions(true, true);

  // Set up callbacks
  http.setReceivedCallback(receive_callback);
  http.setDisconnectCallback(disconnect_callback);

  // Start a secure connection
  Serial.printf("Connecting to %s port %d ... ", SERVER, HTTPS_PORT );
  Serial.println(http.connectSSL(SERVER, HTTPS_PORT)); // Will halt if an error occurs
  Serial.println("OK");
    
  // Make a HTTP request
  http.addHeader("User-Agent", USER_AGENT_HEADER);
  http.addHeader("Accept", "text/html");
  http.addHeader("Connection", "keep-alive");

  Serial.printf("Requesting '%s' ... ", PAGE);
  Serial.println(http.get(SERVER, PAGE)); // Will halt if an error occurs
  Serial.println("OK");
}

/**************************************************************************/
/*!
    @brief  The loop function runs over and over again
*/
/**************************************************************************/
void loop()
{
  togglePin(ledPin);
  delay(250);
}

/**************************************************************************/
/*!
    @brief  Connect to defined Access Point
*/
/**************************************************************************/
bool connectAP(void)
{
  // Attempt to connect to an AP
  Serial.print("Please wait while connecting to: '" WLAN_SSID "' ... ");
  
  if ( Feather.connect(WLAN_SSID, WLAN_PASS) )
  {
    Serial.println("Connected!");
  }
  else
  {
    Serial.printf("Failed! %s (%d)", Feather.errstr(), Feather.errnum());
    Serial.println();
  }
  Serial.println();

  return Feather.connected();
}

Here's the response:
HTTPS Custom Root CA Example
Bootloader : 1.0.0
WICED SDK : 3.5.2
FeatherLib : 0.6.5
Arduino API : 0.6.6

WARNING: Featherlib & Arduino library version are not matched
Please update Featherlib or Arduino library if possible

Please wait while connecting to: 'HOME-0435' ... Connected!

SSID : HOME-0435 (-54 dBm)
Encryption : WPA2_MIXED
MAC Address : 6C:0B:84:CA:23:64
Local IP : 10.0.0.8
Gateway : 10.0.0.1
Subnet Mask : 255.255.255.0

Connecting to gardenmeister.website port 443 ...
SDEP_CMD_TCP_CONNECT failed, Error: SOCKET_CLOSED (7014)

--- FEATHER HALTED ---
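
Because the Feather's TLS stack is a binary black box, the practical way to find "what's the difference" between the failing and working sites is to compare what each server negotiates from a PC. The script below is an added example, not code from this thread or from Adafruit; it assumes openssl(1) 1.1.1 or newer is installed (for -noservername), and the hostnames passed to it are the ones ken_s listed.

```sh
#!/bin/sh
# Added diagnostic (not from the thread): probe a TLS server from a PC with
# openssl(1) and summarize what it negotiated, so a failing host can be
# compared with a working one.  probe_host needs network access.

# summarize: read `openssl s_client` output on stdin and print one line:
#   proto=<version> cipher=<name> chain=<certs seen> alert=<number|none>
summarize() {
  awk '
    /^ *Protocol *:/ { proto = $NF }      # negotiated TLS version
    /^ *Cipher *:/   { cipher = $NF }     # negotiated cipher (0000 = none)
    /^depth=/        { n++ }              # one line per certificate seen
    /alert number/   { alert = $NF }      # fatal alert number sent by server
    END {
      printf "proto=%s cipher=%s chain=%d alert=%s\n",
        (proto == "" ? "none" : proto), (cipher == "" ? "none" : cipher),
        n, (alert == "" ? "none" : alert)
    }'
}

# probe HOST PORT [s_client options...]: run one handshake and summarize it.
probe() {
  host=$1; port=$2; shift 2
  printf '%-26s %-24s ' "$host:$port" "$*"
  echo | openssl s_client -connect "$host:$port" "$@" 2>&1 | summarize
}

# probe_host HOST: the variations that most often separate "works" from
# "fatal alert": SNI present or absent, and which TLS version is forced.
probe_host() {
  probe "$1" 443 -servername "$1"
  probe "$1" 443 -noservername
  probe "$1" 443 -servername "$1" -tls1_2
  probe "$1" 443 -servername "$1" -tls1
}

# Usage: sh tls_probe.sh gardenmeister.website www.reddit.com
for h in "$@"; do probe_host "$h"; done
```

A host that only answers with SNI, only speaks a version the module does not, or sends a long chain (each certificate costs the FeatherLib roughly 900 bytes of SRAM, per the sketch's comment) will stand out in the summary lines; the alert number, when present, is the server-side detail that the Feather reports only as a fatal-alert error code.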
