
setFingerprint in WiFiClientSecure required to pass certificate Check #567


Merged
merged 3 commits into from
Oct 3, 2020

Conversation

lucalas
Contributor

@lucalas lucalas commented Sep 30, 2020

Hi,

I'm having trouble with an SSL connection to sockets.streamlabs.com using a fingerprint. I found that no fingerprint is passed to WiFiClientSecure, so the check breaks.
I'm using SocketIoClient and my piece of code is:

webSocket.beginSSL("sockets.streamlabs.com", 443, <query_parameters>, "E7 93 77 36 DA D4 15 0F C1 C1 8F 14 D5 2A C8 72 93 D0 6F 2A");

And I receive this log error on connection:

[WS-Client] connect wss...
[hostByName] request IP for: sockets.streamlabs.com
[hostByName] Host: sockets.streamlabs.com IP: 3.136.243.104
:ref 1
BSSL:_connectSSL: start connection
BSSL:Connection *will* fail, no authentication method is setup
:wr 227 0
:wrc 227 227 0
:ack 227
:rn 536
:rch 536, 536
:rd 5, 1072, 0
:rdi 536, 5
:rch 1072, 536
:rch 1608, 536
:rd 89, 2144, 5
:rdi 531, 89
:rd 5, 2144, 94
:rdi 442, 5
:rd 2045, 2144, 99
:rdi 437, 437
:c 437, 536, 2144
:rdi 536, 536
:c 536, 536, 1608
:rdi 536, 536
:c 536, 536, 1072
:rdi 536, 536
:c0 536, 536
:rn 536
:rch 536, 536
:rch 1072, 536
:rch 1608, 536
:rd 2144, 2144, 0
:rdi 536, 536
:c 536, 536, 2144
:rdi 536, 536
:c 536, 536, 1608
:rdi 536, 536
:c 536, 536, 1072
:rdi 536, 536
:c0 536, 536
:rn 536
:rch 536, 451
:rd 640, 987, 0
:rdi 536, 536
:c 536, 536, 987
:rdi 451, 104
BSSL:_wait_for_handshake: failed
BSSL:Couldn't connect. Error = 'Certificate is expired or not yet valid.'
[WS-Client] connection to sockets.streamlabs.com:443 Failed
:ur 1
:dsrcv 451
:close
:del
[WS-Client] client disconnected.
[SIoC] Disconnected!

As you can see, the handshake failed and there is this line in the log:
BSSL:Couldn't connect. Error = 'Certificate is expired or not yet valid.'

This is why: no fingerprint is being set.

I made this fix that resolves the problem; let me know if it's OK.

@Links2004
Owner

Sounds like some changes in the SSL support for the ESP were made in the Arduino core.
Are you using an ESP8266 or ESP32?

the code normally checks the fingerprint here:

if(!_client.ssl->verify(_fingerprint.c_str(), _host.c_str())) {

@lucalas
Contributor Author

lucalas commented Oct 1, 2020

Sounds like some changes in the SSL support for the ESP were made in the Arduino core.
Are you using an ESP8266 or ESP32?

the code normally checks the fingerprint here:

if(!_client.ssl->verify(_fingerprint.c_str(), _host.c_str())) {

Sorry, I forgot to mention it: I'm using an ESP8266.
Yes, I have seen the piece of code that you reported and tried to debug it, but the connection didn't go there.

@lucalas
Contributor Author

lucalas commented Oct 1, 2020

@Links2004 I've seen that the Travis CI build failed for ESP32 because no setFingerprint exists, but I don't have an ESP32 module to test whether
#if defined(ESP8266)
is required for this set.

@Links2004
Owner

Yes, the ESP32 does not support setFingerprint.

Error message from the ESP32 build:

'class WiFiClientSecure' has no member named 'setFingerprint'

Maybe this here is what we need, since there are cases where a CA is used.

            _client.ssl = new WEBSOCKETS_NETWORK_SSL_CLASS();
            _client.tcp = _client.ssl;
            if(_CA_cert) {
                DEBUG_WEBSOCKETS("[WS-Client] setting CA certificate");
#if defined(ESP32)
                _client.ssl->setCACert(_CA_cert);
#elif defined(ESP8266)
                _client.ssl->setCACert((const uint8_t *)_CA_cert, strlen(_CA_cert) + 1);
#else
#error setCACert not implemented
#endif
            } else if(_fingerprint.length()) {
#if defined(wificlientbearssl_h) && !defined(USING_AXTLS) && !defined(wificlientsecure_h)
                _client.ssl->setFingerprint(_fingerprint.c_str());
#endif
            }
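As an added illustration (not code from this PR or from the arduinoWebSockets library), the hypothetical helpers below model the decision the snippet above encodes: a CA certificate takes precedence, otherwise a fingerprint is used, and having neither is the "no authentication method is setup" case from the log, which should be treated as a configuration error rather than left for BearSSL to fail on. The fingerprint parser accepts the space-separated form from the issue as well as colon-separated hex; it does not touch any real WiFiClientSecure object.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <string>

// Which server-authentication method the SSL client will be configured with.
enum class AuthMethod { None, CACert, Fingerprint };

// Parse a SHA-1 fingerprint written as 20 hex bytes, optionally separated by
// spaces or colons ("E7 93 77 ..." as in the issue, or "e7:93:77:..."),
// into raw bytes. Returns false unless it is exactly 20 valid hex bytes.
bool parseFingerprint(const std::string &text, uint8_t out[20]) {
    std::string hex;
    for (char c : text) {
        if (c == ' ' || c == ':') continue;  // separators are allowed
        if (!std::isxdigit(static_cast<unsigned char>(c))) return false;
        hex.push_back(c);
    }
    if (hex.size() != 40) return false;      // SHA-1 digest is 20 bytes
    for (size_t i = 0; i < 20; ++i)
        out[i] = static_cast<uint8_t>(std::stoul(hex.substr(2 * i, 2), nullptr, 16));
    return true;
}

// Hypothetical model of what the client does with _CA_cert and _fingerprint
// before connect(): CA wins, then fingerprint, otherwise nothing is set up.
// A malformed fingerprint string also yields None, so the caller can refuse
// to open a connection that BearSSL could not verify anyway.
AuthMethod chooseAuthMethod(const char *caCert, const std::string &fingerprint,
                            uint8_t fp[20]) {
    if (caCert && *caCert) return AuthMethod::CACert;
    if (!fingerprint.empty() && parseFingerprint(fingerprint, fp))
        return AuthMethod::Fingerprint;
    return AuthMethod::None;
}

// Connecting is only sensible once some verification method is in place.
bool safeToConnect(AuthMethod m) { return m != AuthMethod::None; }
```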

@lucalas
Contributor Author

lucalas commented Oct 1, 2020

Yes, the ESP32 does not support setFingerprint.

Error message from the ESP32 build:

'class WiFiClientSecure' has no member named 'setFingerprint'

Maybe this here is what we need, since there are cases where a CA is used.

            _client.ssl = new WEBSOCKETS_NETWORK_SSL_CLASS();
            _client.tcp = _client.ssl;
            if(_CA_cert) {
                DEBUG_WEBSOCKETS("[WS-Client] setting CA certificate");
#if defined(ESP32)
                _client.ssl->setCACert(_CA_cert);
#elif defined(ESP8266)
                _client.ssl->setCACert((const uint8_t *)_CA_cert, strlen(_CA_cert) + 1);
#else
#error setCACert not implemented
#endif
            } else if(_fingerprint.length()) {
#if defined(wificlientbearssl_h) && !defined(USING_AXTLS) && !defined(wificlientsecure_h)
                _client.ssl->setFingerprint(_fingerprint.c_str());
#endif
            }

I tried this piece of code and it works for the ESP8266.

@lucalas
Contributor Author

lucalas commented Oct 2, 2020

I pushed the changes, let me know if everything is ok.

@Links2004 Links2004 merged commit a00d3ed into Links2004:master Oct 3, 2020
@Links2004
Owner

Links2004 commented Oct 3, 2020

Looks good, the build has passed for ESP32 and ESP8266.

@Links2004
Owner

Some more changes are coming via #569.
