WiFiClientSecure doesn't handle large certificates

[nikant]

Hardware

Hardware: NodeMCU v1.0 ESP-12E
Core Version: 2.1.0

Description

Well.. if someone could offer some enlightenment.. can't find the error in the following (modified host from the original of course..)

It hangs at client.connect for some time.. and then connection fails.
the same happens in "google.com" or "www.google.com"

other hosts work and reply normally

Is it my network?
I've come to believe that it has something to do with dns resolving (or not..)
Of course I've tried setting various DNS and a static IP -commented sections in code- but no result.

Settings in IDE

Module: NodeMCU v1.0
Flash Size: 4MB
CPU Frequency: 80Mhz
Flash Mode: ?qio?
Flash Frequency: ?40Mhz?
Upload Using: SERIAL
Reset Method: ?ck / nodemcu?

Sketch

/*
 *  HTTP over TLS (HTTPS) example sketch
 *
 *  This example demonstrates how to use
 *  WiFiClientSecure class to access HTTPS API.
 *  We fetch and display the status of
 *  esp8266/Arduino project continuous integration
 *  build.
 *
 *  Created by Ivan Grokhotkov, 2015.
 *  This example is in public domain.
 */

#include <ESP8266WiFi.h>

// Replace with your network credentials
const char* ssid = ".....";
const char* password = ".........";

const char* host = "calendar.google.com";
const int httpsPort = 443;

// Use web browser to view and copy
// SHA1 fingerprint of the certificate
//const char* fingerprint = "CF 05 98 89 CA FF 8E D8 5E 5C E0 C2 E4 F7 E6 C3 C7 50 DD 5C";
const char* fingerprint = "99 70 D6 7C B8 42 71 18 DC A6 88 DB DC C8 69 66 96 9D 51 88"; //google

/*
// Update these with values suitable for your network.
IPAddress ip(192,168,1,229);  //Node static IP
IPAddress gateway(192,168,1,1);
IPAddress subnet(255,255,255,0);
IPAddress dns1(208,67,222,222);
IPAddress dns2(208,67,220,220);
*/

// Use WiFiClientSecure class to create TLS connection
WiFiClientSecure client;

void setup() {
  Serial.begin(57600);
  Serial.println();
  Serial.print("connecting to ");
  Serial.println(ssid);

  //WiFi.mode(WIFI_STA);
  WiFi.begin(ssid, password);
  //WiFi.config(ip, gateway, subnet, dns1, dns2);

  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.print(".");
  }
  Serial.println("");
  Serial.println("WiFi connected");
  Serial.println("IP address: ");
  Serial.println(WiFi.localIP());

  Serial.print("connecting to ");
  Serial.println(host);

  if (!client.connect(host, httpsPort)) {
    Serial.println("connection failed");
    return;
  }

  if (client.verify(fingerprint, host)) {
    Serial.println("certificate matches");
  } else {
    Serial.println("certificate doesn't match");
  }


  String url = "/";
  Serial.print("requesting URL: ");
  Serial.println(url);

  client.print(String("GET ") + url + " HTTP/1.1\r\n" +
               "Host: " + host + "\r\n" +
               "User-Agent: ESP8266\r\n" +
               "Connection: close\r\n\r\n");

  Serial.println("request sent");
  while (client.connected()) {
    String line = client.readStringUntil('\n');
    if (line == "\r") {
      Serial.println("headers received");
      break;
    }
  }
  String line = client.readStringUntil('\n');

  Serial.println("reply was:");
  Serial.println("==========");
  Serial.println(line);
  Serial.println("==========");
  Serial.println("closing connection");
}

void loop() {
}

Debug Messages

connecting to ssid
..
WiFi connected
IP address:
192.168.1.11
connecting to calendar.google.com
connection failed

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[Links2004]

enable the debug out for Core + WiFi
https://github.com/esp8266/Arduino/blob/master/doc/Troubleshooting/debugging.md

then you will see if the resolve is the problem.

Note: for http/https existing a class then you not need to handle the header and encoding yourself
https://github.com/esp8266/Arduino/blob/master/libraries/ESP8266HTTPClient/examples/BasicHttpClient/BasicHttpClient.ino

[nikant]

@Links2004 thank you for the second link. 👍 I'll take a look. Sorry I'm new to all this.. :/

Also debug menu is not available in the IDE if you have NodeMCU board selected and I don't have a bare esp.

---

edit: I tried the the HttpClient method with a link in my google calendar (my private link that allows to donwload the ical) which is https://calendar.google.com/calendar/..........
and the result was

WiFi connected
IP address: 
192.168.1.229
connection refused

---

edit2: ok I enabled debug
At HTTPClient+SSL it gives the following:

[HTTP] GET...
[HTTP-Client] connect https...
please start sntp first !
State:  sending Client Hello (1)
State:  receiving Server Hello (2)
ssl->need_bytes=10149 > 6859
Error: invalid protocol message
Alert: handshake failure
Alert: close notify
[HTTP-Client] failed connect to calendar.google.com:443
[HTTP-Client][returnError] error(-1): connection refused
[HTTP] GET... failed, error: connection refused
[HTTP-Client][end] tcp is closed
pm open,type:2 0

[Links2004]

the generic board work with all board you only need to set the settings for flash and reset method right.
please set the debug too Core + WiFi then you can see if it a DNS problem.

but ssl->need_bytes=10149 > 6859
looks like the ssl cert is to big

[igrr]

It's more likely that connection is failing during ssl handshake due to the certificate size. I do have a patch for this, maybe will push it on the weekend.

[nikant]

I set debug to Core + WiFi

[HTTP] begin...
[HTTP] GET...
[hostByName] request IP for: calendar.google.com
[hostByName] Host: calendar.google.com IP: 193.92.133.45
:ref 1
please start sntp first !
:wr
:sent 52
:ww
:rn 1452
:rd 5, 1452, 0
:rdi 1452, 5
:rd 74, 1452, 5
:rdi 1447, 74
:rd 5, 1452, 79
:rdi 1373, 5
ssl->need_bytes=10149 > 6859
:wr
:rch 1452, 596
:ww
:wr
:rch 2048, 1452
:rch 3500, 1452
:sent 7
:ww
:wr
:er -9 7 1
:ww
[HTTP] GET... failed, error: connection refused
:ur 1
:del
pm open,type:2 0

something noticed is that IP of calendar.google.com returned is 193.92.133.45 which is
canonical name *cache.google.com *

while calendar.google.com is
canonical name www3.l.google.com.
aliases calendar.google.com
some other IP here.
but I guess Google knows better..

also fingerprint changed from what it was yesterday (given from https://www.grc.com/fingerprints.htm)
(am I crazy??)
(really sorry I'm reporting anything in my ignorance and you probably try to figure out where is the problem..)

here is the info with the fingerprint

[HTTP] GET...
[hostByName] request IP for: calendar.google.com
[hostByName] Host: calendar.google.com IP: 216.58.209.206
:ref 1
please start sntp first !
:wr
:sent 52
:rn 1430
:ww
:rd 5, 1430, 0
:rdi 1430, 5
:rd 74, 1430, 5
:rdi 1425, 74
:rd 5, 1430, 79
:rdi 1351, 5
:rd 1346, 1430, 84:rch 1430, 1430
:rch 2860, 1135

:rdi 1346, 1346
:c 1346, 1430, 3995
:rd 2556, 2565, 0
:rdi 1430, 1430
:c 1430, 1430, 2565
:rdi 1135, 1126
:rd 5, 1135, 1126
:rdi 9, 5
:rd 4, 1135, 1131
:rdi 4, 4
:c0 4, 1135
:wr
:sent 267
:ww
:wr
:sent 6
:ww
:wr
:sent 69
:ww
:rn 75
:rd 5, 75, 0
:rdi 75, 5
:rd 1, 75, 5
:rdi 70, 1
:rd 5, 75, 6
:rdi 69, 5
:rd 64, 75, 11
:rdi 64, 64
:c0 64, 75
cert FP: 2E BC 3F 9B F9 19 4D 89 49 65 B2 24 AB A8 B1 8B 37 7B DB 20 
test FP: 3A 88 A0 FC 7A BF 9F 0F 37 D9 A1 99 95 7F D9 46 CE 15 7C 41 
fingerprint doesn't match
:wr
:sent 53
:rcl
:abort
:ww
:ur 1
:del
[HTTP] GET... failed, error: connection refused

[scottjgibson]

@igrr you mentioned you have a patch for this; I would be interested in trying it if it is in a usable state. If it is a work in progress I would still be interested in seeing how you are planning on addressing it.

[igrr]

This issue should be resolved with c8a1507.

[electronicsguy]

Ok the boards manager told me there's an update (v2.2.0) for esp8266 so I updated that. @igrr is the patch included in this version?

I then tried @nikant's script. This is what I get. Is this "working"? Sorry I am very new to using esp8266 and ssl in general. (Using ESP-01)

wifi evt: 0
.wifi evt: 3
.
WiFi connected
IP address: 
192.168.1.105
connecting to calendar.google.com
[hostByName] request IP for: calendar.google.com
[hostByName] Host: calendar.google.com IP: 216.58.216.110
certificate doesn't match
requesting URL: /
request sent
reply was:
==========
HTTP/1.1 301 Moved Permanently

==========
closing connection
pm open,type:2 0

[electronicsguy]

@nikant Were you using esp8266 with nodemcu installed on it, through Arduino IDE? Is that possible?