I'm having trouble getting SSL working to make an HTTPS connection to any website. I can see that the client (QCA4020) sends the "client hello" message and nothing else. The server responds with its certificate and other handshaking info. The client just sits there stupid until qapi_Net_HTTPc_Connect() times out after a minute. The client never initiates the key exchange with the server.
Here is an example of what the server receives from the client:
RX Protocol (0): Unknown Content (256): SSL3_RT_HEADER
Data:
00000000 16 03 03 00 85 |.....|
RX Protocol (772): TLS1_3_VERSION Content (22): SSL3_RT_HANDSHAKE
Data:
00000000 01 00 00 81 03 03 00 00 0A 2E 3C 33 50 A3 12 76 |..........<3P..v|
00000010 07 52 C2 5B 2B AE DA D3 17 0E B5 22 F5 4F F1 13 |.R.[+......".O..|
00000020 A7 9F 3E 1B D1 38 00 00 18 C0 2C C0 24 C0 2B C0 |..>..8....,.$.+.|
00000030 23 C0 0A C0 09 C0 30 C0 28 C0 2F C0 27 C0 14 C0 |#.....0.(./.'...|
00000040 13 01 00 00 40 00 0D 00 14 00 12 06 03 05 03 04 |....@...........|
00000050 03 02 03 06 01 05 01 04 01 02 01 01 01 00 01 00 |................|
00000060 01 02 00 0A 00 0A 00 08 00 18 00 17 00 15 00 13 |................|
00000070 00 0B 00 02 01 00 00 10 00 0B 00 09 08 68 74 74 |.............htt|
00000080 70 2F 31 2E 31 |p/1.1|
That's it. I've followed the instructions in section 6.3.7 in the Development Kit User Guide to create a CA List file and certificate. I also tried the CA List file that was referenced elsewhere on this forum. I've tried all permutations of loading, or not loading, CA List files and certificates and nothing makes a difference. I'm not trying to authenticate the validity of the server certificate so I shouldn't actually need the CA List file.
Can someone give some insight as to what I might be missing? Better yet, an example that actually works. Thanks.
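To make sense of a dump like the one in this post, here is an added example (not code from the original post or from the Qualcomm SDK) that parses that exact ClientHello in Python and reports what the client offered. The byte string is copied from the dump above; the extension, group and cipher-suite identifiers are the standard IANA TLS values.

```python
# Constructed input: the ClientHello bytes from the hex dump in the first post
# (5-byte TLS record header followed by the 133-byte handshake message).
QCA4020_CLIENT_HELLO = bytes.fromhex(
    "160303008501000081030300000A2E3C3350A31276" "0752C25B2BAEDAD3170EB522F54FF113"
    "A79F3E1BD138000018C02CC024C02BC0" "23C00AC009C030C028C02FC027C014C0"
    "1301000040000D001400120603050304" "03020306010501040102010101000100"
    "0102000A000A00080018001700150013" "000B000201000010000B000908687474702F312E31")
EXT_NAMES = {0: "server_name", 1: "max_fragment_length", 10: "supported_groups",
             11: "ec_point_formats", 13: "signature_algorithms", 16: "alpn"}
GROUP_NAMES = {19: "secp192r1", 21: "secp224r1", 23: "secp256r1", 24: "secp384r1"}
ECDHE_SUITES = {0xC009, 0xC00A, 0xC013, 0xC014, 0xC023, 0xC024,
                0xC027, 0xC028, 0xC02B, 0xC02C, 0xC02F, 0xC030}
def u16(b, i):                                # big-endian uint16 at offset i
    return int.from_bytes(b[i:i + 2], "big")

def parse_client_hello(rec):
    """Walk one TLS ClientHello record; raise if a length field does not add up."""
    if rec[0] != 22 or u16(rec, 3) != len(rec) - 5 or rec[5] != 1:
        raise ValueError("not a complete ClientHello record")
    body = rec[9:9 + int.from_bytes(rec[6:9], "big")]     # handshake body
    version = u16(body, 0)
    p = 34                                   # past client_version (2) + random (32)
    p += 1 + body[p]                         # session_id
    cs_len = u16(body, p); p += 2
    suites = [u16(body, i) for i in range(p, p + cs_len, 2)]; p += cs_len
    p += 1 + body[p]                         # compression_methods
    end = p + 2 + u16(body, p); p += 2       # extensions block
    exts = {}
    while p < end:
        etype, elen = u16(body, p), u16(body, p + 2); p += 4
        exts[EXT_NAMES.get(etype, etype)] = body[p:p + elen]; p += elen
    if p != end or end != len(body):
        raise ValueError("extension block length mismatch")
    return version, suites, exts

def summarize(rec):
    """Reduce the hello to the facts worth comparing against the server's TLS config."""
    version, suites, ext = parse_client_hello(rec)
    groups, alpn = ext.get("supported_groups", b""), ext.get("alpn", b"")
    mfl = ext.get("max_fragment_length")
    return {
        "version": "TLS 1.%d" % ((version & 0xFF) - 1),
        "suite_count": len(suites),
        "ecdhe_only": all(s in ECDHE_SUITES for s in suites),
        "groups": [GROUP_NAMES.get(u16(groups, i), u16(groups, i))
                   for i in range(2, len(groups), 2)],
        "alpn": alpn[3:3 + alpn[2]].decode() if alpn else None,
        "has_sni": "server_name" in ext,
        "max_fragment": 1 << (8 + mfl[0]) if mfl else None,
    }
```

On this dump it reports TLS 1.2, 12 ECDHE suites, curves P-384/P-256/P-224/P-192, ALPN http/1.1, a 1024-byte max_fragment_length and no server_name extension, which is the list to compare against what the server is configured to accept.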
Kindly use the instructions below to verify an HTTPS connection with a remote server using QCLI_demo.
> Connect to Wi-Fi and acquire an IP address.
> Download the CA certificate to the QCA4020 device.
// net cert get ca_list.bin 10.177.245.215 -s ca.bin -t ca_list
Start DNS, SNTP and HTTP clients.
> net dnsc start
> net sntpc start
> net httpc start
> net httpc new -s -c ca.bin
> net httpc conn 1 10.177.245.215 443
> net httpc get 1 /index.html
Is 10.177.245.215 publicly accessible and still up and running? I am unable to access that server - I can't connect to https://10.177.245.215/index.html with a web browser and it doesn't respond to pings.
I have used my private root CA and a local PC to verify the SSL connection.
However, I have also verified the SSL connection sequence using a public website; kindly follow the instructions below:
I have downloaded the DigiCert Root CA: https://dl.cacerts.digicert.com/ThawteRSACA2018.crt
Net> dnsc start
Net> sntpc start
Net> cert get ../digiCertRoot.bin 10.177.245.215 -s ca_d.bin -t ca_list
Net: Successfully downloaded ../digiCertRoot.bin
Net: Successfully stored CA list
Net: ca_d.bin is stored in NV memory
Net> httpc start
Net> httpc new -s -c ca_d.bin
Net: HTTP client created. <client num> = 1
Net: secure rxbuf:512 bodybuf:300 headerbuf:200 timeout:5000ms
Net> httpc conn 1 global-root-ca.chain-demos.digicert.com 443
Net: conn to global-root-ca.chain-demos.digicert.com:443 succeeded
Net> httpc get 1
Net>
Net: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-trans
Net: itional.dtd">
Net: <html xmlns="http://www.w3.org/1999/xhtml">
Sorry, I didn't immediately recognize 10.177.245.215 as a private subnet so I was trying to follow your example and connect to it.
I'm having some mixed results. Is the certificate at https://dl.cacerts.digicert.com/ThawteRSACA2018.crt in the correct format or does it need to be converted? Here is what I have done:
On Linux:
See also https://developer.qualcomm.com/forum/qdn-forums/hardware/qca4020-qca4024/67260