https: certificate doesn't match, CI has failed #1933

Closed
Alexey888 opened this issue Apr 18, 2016 · 3 comments
Alexey888 commented Apr 18, 2016

ESP-12e, Core Version: 2.1.0

The problem is with the certificate. Please help.
Thanks!

Sketch

#include <ESP8266WiFi.h>
#include <WiFiClientSecure.h>

const char* ssid = "...";
const char* password = "...";

const char* host = "remoteboot.pro";
const int httpsPort = 443;

// Use web browser to view and copy
// SHA1 fingerprint of the certificate
const char* fingerprint = "2a 5b b5 29 ab 32 00 b2 fb 7d e3 fb b7 d9 af 98 44 32 60 58";

void setup() {
  Serial.begin(115200);
  Serial.println();
  Serial.print("connecting to ");
  Serial.println(ssid);
  WiFi.begin(ssid, password);
  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.print(".");
  }
  Serial.println("");
  Serial.println("WiFi connected");
  Serial.println("IP address: ");
  Serial.println(WiFi.localIP());
}

void loop() {
  // Use WiFiClientSecure class to create TLS connection
  WiFiClientSecure client;
  Serial.print("connecting to ");
  Serial.println(host);
  if (!client.connect(host, httpsPort)) {
    Serial.println("connection failed");
    return;
  }

  if (client.verify(fingerprint, host)) {
    Serial.println("certificate matches");
  } else {
    Serial.println("certificate doesn't match");
  }

  String url = "/";
  Serial.print("requesting URL: ");
  Serial.println(url);

  client.print(String("GET ") + url + " HTTP/1.1\r\n" +
               "Host: " + host + "\r\n" +
               "User-Agent: BuildFailureDetectorESP8266\r\n" +
               "Connection: close\r\n\r\n");

  Serial.println("request sent");
  while (client.connected()) {
    String line = client.readStringUntil('\n');
    if (line == "\r") {
      Serial.println("headers received");
      break;
    }
  }
  String line = client.readStringUntil('\n');
  if (line.startsWith("{\"state\":\"success\"")) {
    Serial.println("esp8266/Arduino CI successfull!");
  } else {
    Serial.println("esp8266/Arduino CI has failed");
  }
  Serial.println("reply was:");
  Serial.println("==========");
  Serial.println(line);
  Serial.println("==========");
  Serial.println("closing connection");
  delay(4000);
}

Debug Messages

WiFi connected
IP address: 
192.168.1.146
connecting to remoteboot.pro
:ref 1
ssl/tls1.c:549 malloc 6864, left 33200
please start sntp first !
State:  sending Client Hello (1)
:wr
:sent 52
:ww
:rn 1460
:rd 5, 1460, 0
:rdi 1460, 5
:rd 74, 1460, 5
:rdi 1455, 74
State:  receiving Server Hello (2)
:rd 5, 1460, 79
:rdi 1381, 5
:rd 1376, 1460, 84
:rdi 1376, 1376
:c0 1376, 1460
:rn 1460
:rd 1460, 1460, 0
:rdi 1460, 1460
:c0 1460, 1460
:rn 1460
:rd 1460, 1460, 0
:rdi 1460, 1460
:c0 1460, 1460
:rn 1132
:rd 1123, 1132, 0
:rdi 1132, 1123
State:  receiving Certificate (11)
crypto/bigint.c:1072 realloc 1032, left 28824
crypto/bigint.c:1072 realloc 1032, left 25240
crypto/bigint.c:1072 realloc 1028, left 21136
crypto/bigint.c:1072 realloc 2056, left 18976
crypto/bigint.c:1072 realloc 1032, left 17896
crypto/bigint.c:1072 realloc 1024, left 17384
crypto/bigint.c:1072 realloc 1032, left 14400
:rd 5, 1132, 1123
:rdi 9, 5
:rd 4, 1132, 1128
:rdi 4, 4
:c0 4, 1132
State:  receiving Server Hello Done (14)
crypto/bigint.c:1072 realloc 1024, left 10552
State:  sending Client Key Exchange (16)
:wr
:sent 267
:ww
:wr
:sent 6
:ww
State:  sending Finished (16)
:wr
:sent 69
:rn 75
:ww
:rd 5, 75, 0
:rdi 75, 5
:rd 1, 75, 5
:rdi 70, 1
:rd 5, 75, 6
:rdi 69, 5
:rd 64, 75, 11
:rdi 64, 64
:c0 64, 75
State:  receiving Finished (16)
cert FP: EE 50 48 0E 50 C1 85 AB 0A E8 F9 43 2F 15 CD 45 7B 1F C6 7C 
test FP: 2A 5B B5 29 AB 32 00 B2 FB 7D E3 FB B7 D9 AF 98 44 32 60 58 
fingerprint doesn't match
certificate doesn't match
requesting URL: /
ssl/tls1.c:1422 malloc 17408, left 21552
:wr
:sent 149
:rn 261
:rch 261, 53
:rcl
:abort
:ww
request sent
:rd 5, 314, 0
:rdi 261, 5
:rd 256, 314, 5
:rdi 256, 256
:c 256, 261, 314
:wcs ra 211esp8266/Arduino CI has failed
reply was:
==========
HTTP/1.1 200 OK

==========
closing connection
Alert: close notify
:ur 1
:del
connecting to remoteboot.pro
:ref 1
ssl/tls1.c:549 malloc 6864, left 33200
please start sntp first !
State:  sending Client Hello (1)
:wr
:sent 52
:ww
:rn 1460
:rd 5, 1460, 0
:rdi 1460, 5
:rd 74, 1460, 5
:rdi 1455, 74
State:  receiving Server Hello (2)
:rd 5, 1460, 79
:rdi 1381, 5
:rd:rch 1460, 1460
:rch 2920, 1460
:rch 4380, 1132
 1376, 1460, 84
:rdi 1376, 1376
:c 1376, 1460, 5512
:rd 4043, 4052, 0
:rdi 1460, 1460
:c 1460, 1460, 4052
:rdi 1460, 1460
:c 1460, 1460, 2592
:rdi 1132, 1123
State:  receiving Certificate (11)
crypto/bigint.c:1072 realloc 1032, left 28824
crypto/bigint.c:1072 realloc 1032, left 25240
crypto/bigint.c:1072 realloc 1028, left 21136
crypto/bigint.c:1072 realloc 2056, left 18976
crypto/bigint.c:1072 realloc 1032, left 17896
crypto/bigint.c:1072 realloc 1024, left 17384
crypto/bigint.c:1072 realloc 1032, left 14528
:rd 5, 1132, 1123
:rdi 9, 5
:rd 4, 1132, 1128
:rdi 4, 4
:c0 4, 1132
State:  receiving Server Hello Done (14)
crypto/bigint.c:1072 realloc 1024, left 10680
State:  sending Client Key Exchange (16)
:wr
:sent 267
:ww
:wr
:sent 6
:ww
State:  sending Finished (16)
:wr
:sent 69
:rn 75
:ww
:rd 5, 75, 0
:rdi 75, 5
:rd 1, 75, 5
:rdi 70, 1
:rd 5, 75, 6
:rdi 69, 5
:rd 64, 75, 11
:rdi 64, 64
:c0 64, 75
State:  receiving Finished (16)
cert FP: EE 50 48 0E 50 C1 85 AB 0A E8 F9 43 2F 15 CD 45 7B 1F C6 7C 
test FP: 2A 5B B5 29 AB 32 00 B2 FB 7D E3 FB B7 D9 AF 98 44 32 60 58 
fingerprint doesn't match
certificate doesn't match
requesting URL: /
ssl/tls1.c:1422 malloc 17408, left 21552
:wr
:sent 149
:rn 261
:rch 261, 53
:rcl
:abort
:ww
request sent
:rd 5, 314, 0
:rdi 261, 5
:rd 256, 314, 5
:rdi 256, 256
:c 256, 261, 314
:wcs ra 211esp8266/Arduino CI has failed
reply was:
==========
HTTP/1.1 200 OK

==========
closing connection
pm open,type:2 0
Alert: close notify
:ur 1
:del
connecting to remoteboot.pro
:ref 1
ssl/tls1.c:549 malloc 6864, left 33200
please start sntp first !
State:  sending Client Hello (1)
:wr
:sent 52
:ww
:rn 1460
:rd 5, 1460, 0
:rdi 1460, 5
:rd 74, 1460, 5
:rdi 1455, 74
State:  receiving Server Hello (2)
:rd 5, 1460, 79
:rdi 1381, 5
:rd 1376, 1460, 84
:r:rch 1460, 1460
:rch 2920, 1460
:rch 4380, 1132
di 1376, 1376
:c 1376, 1460, 5512
:rd 4043, 4052, 0
:rdi 1460, 1460
:c 1460, 1460, 4052
:rdi 1460, 1460
:c 1460, 1460, 2592
:rdi 1132, 1123
State:  receiving Certificate (11)
crypto/bigint.c:1072 realloc 1032, left 28824
crypto/bigint.c:1072 realloc 1032, left 25240
crypto/bigint.c:1072 realloc 1028, left 21136
crypto/bigint.c:1072 realloc 2056, left 18976
crypto/bigint.c:1072 realloc 1032, left 17896
crypto/bigint.c:1072 realloc 1024, left 17384
crypto/bigint.c:1072 realloc 1032, left 14528
:rd 5, 1132, 1123
:rdi 9, 5
:rd 4, 1132, 1128
:rdi 4, 4
:c0 4, 1132
State:  receiving Server Hello Done (14)
crypto/bigint.c:1072 realloc 1024, left 10680
State:  sending Client Key Exchange (16)
:wr
:sent 267
:ww
:wr
:sent 6
:ww
State:  sending Finished (16)
:wr
:sent 69
:rn 75
:ww
:rd 5, 75, 0
:rdi 75, 5
:rd 1, 75, 5
:rdi 70, 1
:rd 5, 75, 6
:rdi 69, 5
:rd 64, 75, 11
:rdi 64, 64
:c0 64, 75
State:  receiving Finished (16)
cert FP: EE 50 48 0E 50 C1 85 AB 0A E8 F9 43 2F 15 CD 45 7B 1F C6 7C 
test FP: 2A 5B B5 29 AB 32 00 B2 FB 7D E3 FB B7 D9 AF 98 44 32 60 58 
fingerprint doesn't match
certificate doesn't match
requesting URL: /
ssl/tls1.c:1422 malloc 17408, left 21552
:wr
:sent 149
:rn 261
:rch 261, 53
:rcl
:abort
:ww
request sent
:rd 5, 314, 0
:rdi 261, 5
:rd 256, 314, 5
:rdi 256, 256
:c 256, 261, 314
:wcs ra 211esp8266/Arduino CI has failed
reply was:
==========
HTTP/1.1 200 OK

==========
closing connection
Alert: close notify
:ur 1
:del
connecting to remoteboot.pro
:ref 1
ssl/tls1.c:549 malloc 6864, left 33200
please start sntp first !
State:  sending Client Hello (1)
:wr
:sent 52
:ww
:rn 1460
:rd 5, 1460, 0
:rdi 1460, 5
:rd 74, 1460, 5
:rdi 1455, 74
State:  receiving Server Hello (2)
:rd 5, 1460, 79
:rdi 1381, 5
:rd 1376, 1460, 84
:rdi 1376,:rch 1460, 1460
 1376
:c 1376, 1460, 2920
:rd:rch 1460, 1460
 1460, 1460, 0
:rdi 1460, 146:rch 2920, 1132
0
:c 1460, 1460, 4052
:rd 2583, 2592, 0
:rdi 1460, 1460
:c 1460, 1460, 2592
:rdi 1132, 1123
State:  receiving Certificate (11)
crypto/bigint.c:1072 realloc 1032, left 28824
crypto/bigint.c:1072 realloc 1032, left 25240
crypto/bigint.c:1072 realloc 1028, left 21136
crypto/bigint.c:1072 realloc 2056, left 18976
crypto/bigint.c:1072 realloc 1032, left 17896
crypto/bigint.c:1072 realloc 1024, left 17384
crypto/bigint.c:1072 realloc 1032, left 14528
:rd 5, 1132, 1123
:rdi 9, 5
:rd 4, 1132, 1128
:rdi 4, 4
:c0 4, 1132
State:  receiving Server Hello Done (14)
crypto/bigint.c:1072 realloc 1024, left 10680
State:  sending Client Key Exchange (16)
:wr
:sent 267
:ww
:wr
:sent 6
:ww
State:  sending Finished (16)
:wr
:sent 69
:rn 75
:ww
:rd 5, 75, 0
:rdi 75, 5
:rd 1, 75, 5
:rdi 70, 1
:rd 5, 75, 6
:rdi 69, 5
:rd 64, 75, 11
:rdi 64, 64
:c0 64, 75
State:  receiving Finished (16)
cert FP: EE 50 48 0E 50 C1 85 AB 0A E8 F9 43 2F 15 CD 45 7B 1F C6 7C 
test FP: 2A 5B B5 29 AB 32 00 B2 FB 7D E3 FB B7 D9 AF 98 44 32 60 58 
fingerprint doesn't match
certificate doesn't match
requesting URL: /
ssl/tls1.c:1422 malloc 17408, left 21552
:wr
:sent 149
:rn 261
:rch 261, 53
:rcl
:abort
:ww
request sent
:rd 5, 314, 0
:rdi 261, 5
:rd 256, 314, 5
:rdi 256, 256
:c 256, 261, 314
:wcs ra 211esp8266/Arduino CI has failed
reply was:
==========
HTTP/1.1 200 OK

==========
closing connection
Alert: close notify
:ur 1
:del
connecting to remoteboot.pro
:ref 1
ssl/tls1.c:549 malloc 6864, left 33200
please start sntp first !
State:  sending Client Hello (1)
:wr
:sent 52
:ww
:rn 1460
:rd 5, 1460, 0
:rdi 1460, 5
:rd 74, 1460, 5
:rdi 1455, 74
State:  receiving Server Hello (2)
:rd 5, 1460, 79
:rdi 1381, 5
:rd 1376,:rch 1460, 1460
:rch 2920, 1460
:rch 4380, 1132
 1460, 84
:rdi 1376, 1376
:c 1376, 1460, 5512
:rd 4043, 4052, 0
:rdi 1460, 1460
:c 1460, 1460, 4052
:rdi 1460, 1460
:c 1460, 1460, 2592
:rdi 1132, 1123
State:  receiving Certificate (11)
crypto/bigint.c:1072 realloc 1032, left 28824
crypto/bigint.c:1072 realloc 1032, left 25240
crypto/bigint.c:1072 realloc 1028, left 21136
crypto/bigint.c:1072 realloc 2056, left 18976
crypto/bigint.c:1072 realloc 1032, left 17896
crypto/bigint.c:1072 realloc 1024, left 17384
crypto/bigint.c:1072 realloc 1032, left 14528
:rd 5, 1132, 1123
:rdi 9, 5
:rd 4, 1132, 1128
:rdi 4, 4
:c0 4, 1132
State:  receiving Server Hello Done (14)
crypto/bigint.c:1072 realloc 1024, left 10680
State:  sending Client Key Exchange (16)
:wr
:sent 267
:ww
:wr
:sent 6
:ww
State:  sending Finished (16)
:wr
:sent 69
:rn 75
:ww
:rd 5, 75, 0
:rdi 75, 5
:rd 1, 75, 5
:rdi 70, 1
:rd 5, 75, 6
:rdi 69, 5
:rd 64, 75, 11
:rdi 64, 64
:c0 64, 75
State:  receiving Finished (16)
cert FP: EE 50 48 0E 50 C1 85 AB 0A E8 F9 43 2F 15 CD 45 7B 1F C6 7C 
test FP: 2A 5B B5 29 AB 32 00 B2 FB 7D E3 FB B7 D9 AF 98 44 32 60 58 
fingerprint doesn't match
certificate doesn't match
requesting URL: /
ssl/tls1.c:1422 malloc 17408, left 21552
:wr
:sent 149
:rn 261
:rch 261, 53
:rcl
:abort
:ww
request sent
:rd 5, 314, 0
:rdi 261, 5
:rd 256, 314, 5
:rdi 256, 256
:c 256, 261, 314
:wcs ra 211esp8266/Arduino CI has failed
reply was:
==========
HTTP/1.1 200 OK

==========
closing connection
Alert: close notify
:ur 1
:del
connecting to remoteboot.pro
:ref 1
ssl/tls1.c:549 malloc 6864, left 33200
please start sntp first !
State:  sending Client Hello (1)
:wr
:sent 52
:ww
:rn 1460
:rd 5, 1460, 0
:rdi 1460, 5
:rd 74, 1460, 5
:rdi 1455, 74
State:  receiving Server Hello (2)
:rd 5, 1460, 79
:rdi 1381, 5
:rd 1376, 1:rch 1460, 1460
:rch 2920, 1460
:rch 4380, 1132
460, 84
:rdi 1376, 1376
:c 1376, 1460, 5512
:rd 4043, 4052, 0
:rdi 1460, 1460
:c 1460, 1460, 4052
:rdi 1460, 1460
:c 1460, 1460, 2592
:rdi 1132, 1123
State:  receiving Certificate (11)
crypto/bigint.c:1072 realloc 1032, left 28824
crypto/bigint.c:1072 realloc 1032, left 25240
crypto/bigint.c:1072 realloc 1028, left 21136
crypto/bigint.c:1072 realloc 2056, left 18976
crypto/bigint.c:1072 realloc 1032, left 17896
crypto/bigint.c:1072 realloc 1024, left 17384
crypto/bigint.c:1072 realloc 1032, left 14528
:rd 5, 1132, 1123
:rdi 9, 5
:rd 4, 1132, 1128
:rdi 4, 4
:c0 4, 1132
State:  receiving Server Hello Done (14)
crypto/bigint.c:1072 realloc 1024, left 10680
State:  sending Client Key Exchange (16)
:wr
:sent 267
:ww
:wr
:sent 6
:ww
State:  sending Finished (16)
:wr
:sent 69
:rn 75
:ww
:rd 5, 75, 0
:rdi 75, 5
:rd 1, 75, 5
:rdi 70, 1
:rd 5, 75, 6
:rdi 69, 5
:rd 64, 75, 11
:rdi 64, 64
:c0 64, 75
State:  receiving Finished (16)
cert FP: EE 50 48 0E 50 C1 85 AB 0A E8 F9 43 2F 15 CD 45 7B 1F C6 7C 
test FP: 2A 5B B5 29 AB 32 00 B2 FB 7D E3 FB B7 D9 AF 98 44 32 60 58 
fingerprint doesn't match
certificate doesn't match
requesting URL: /
ssl/tls1.c:1422 malloc 17408, left 21552
:wr
:sent 149
:rn 261
:ww
request sent
:rd 5, 261, 0
:rdi 261, 5
:rd 256, 261, 5
:rdi 256, 256
:c0 256, 261
:wcs ra 211headers received
:rn 53
:rcl
:abort
:rd 5, 53, 0
:rdi 53, 5
:rd 48, 53, 5
:rdi 48, 48
:c0 48, 53
Alert: close notify
esp8266/Arduino CI has failed
reply was:
==========
BuildFailureDetectorESP8266
==========
closing connection

PORT CLOSED

riyono commented Apr 18, 2016

Might be related to #1285
If there is more than one domain served by the server, then as the library doesn't send SNI, the server might respond with the wrong certificate (the default one).

@Alexey888

wireshark dump (delete ".txt")
esp8266dump.pcapng.txt

riyono commented Apr 18, 2016

sni-check-remoteboot pro
@Alexey888, your server returns a certificate for *.hosting.reg.ru (instead of the one for remoteboot.pro) when HTTPS doesn't send SNI, so it is surely related to #1285 (you must wait until the library supports SNI, or make sure the server returns the right certificate even when no SNI is sent)
