Forums - qapi_Net_HTTPc_Connect() doesn't finish TLS handshake

jesse
Join Date: 22 Aug 17
Posts: 22
Posted: Fri, 2019-10-25 10:10

I'm having trouble getting SSL working to make an HTTPS connection to any website. I can see that the client (QCA4020) sends the "client hello" message and nothing else. The server responds with its certificate and other handshaking info. The client just sits there stupid until qapi_Net_HTTPc_Connect() times out after a minute. The client never initiates the key exchange with the server.

Here is an example of what the server receives from the client:

  RX Protocol (0): Unknown Content (256): SSL3_RT_HEADER
  Data: 
  00000000  16 03 03 00 85                                    |.....|
 
  RX Protocol (772): TLS1_3_VERSION Content (22): SSL3_RT_HANDSHAKE
  Data: 
  00000000  01 00 00 81 03 03 00 00  0A 2E 3C 33 50 A3 12 76  |..........<3P..v|
  00000010  07 52 C2 5B 2B AE DA D3  17 0E B5 22 F5 4F F1 13  |.R.[+......".O..|
  00000020  A7 9F 3E 1B D1 38 00 00  18 C0 2C C0 24 C0 2B C0  |..>..8....,.$.+.|
  00000030  23 C0 0A C0 09 C0 30 C0  28 C0 2F C0 27 C0 14 C0  |#.....0.(./.'...|
  00000040  13 01 00 00 40 00 0D 00  14 00 12 06 03 05 03 04  |....@...........|
  00000050  03 02 03 06 01 05 01 04  01 02 01 01 01 00 01 00  |................|
  00000060  01 02 00 0A 00 0A 00 08  00 18 00 17 00 15 00 13  |................|
  00000070  00 0B 00 02 01 00 00 10  00 0B 00 09 08 68 74 74  |.............htt|
  00000080  70 2F 31 2E 31                                    |p/1.1|

That's it. I've followed the instructions in section 6.3.7 in the Development Kit User Guide to create a CA List file and certificate. I also tried the CA List file that was referenced elsewhere on this forum. I've tried all permutations of loading, or not loading, CA List files and certificates and nothing makes a difference. I'm not trying to authenticate the validity of the server certificate so I shouldn't actually need the CA List file.

Can someone give some insight as to what I might be missing? Better yet, an example that actually works. Thanks.

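As an added example (not from the original post or the Qualcomm SDK), the record in the dump above can be decoded with the following Python to read off exactly what the device offers: TLS 1.2, twelve ECDHE cipher suites, ALPN "http/1.1", and no server_name (SNI) extension, so a server that selects its certificate by SNI will answer with its default certificate. It uses only the standard library; the input bytes are transcribed from the hex dump.

```python
import struct

# Constructed from the hex dump in the post: 5-byte record header + ClientHello.
CLIENT_HELLO = bytes.fromhex(
    "1603030085 01000081 0303 00000A2E3C3350A3127607 52C25B2BAEDAD3170EB522"
    "F54FF113A79F3E1BD138 00 0018 C02CC024C02BC023C00AC009C030C028C02FC027C014C013"
    "0100 0040 000D0014 0012 060305030403020306010501040102010101"
    "00010001 02 000A000A 0008 0018001700150013 000B0002 0100"
    "0010000B 0009 08 687474702F312E31"
)

EXT_NAMES = {0: "server_name", 1: "max_fragment_length", 10: "supported_groups",
             11: "ec_point_formats", 13: "signature_algorithms",
             16: "application_layer_protocol_negotiation"}

def parse_client_hello(data):
    """Decode one TLS record holding a ClientHello into a plain dict."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != 22 or len(data) != 5 + rec_len or data[5] != 1:
        raise ValueError("not a complete handshake record carrying a ClientHello")
    body = data[9:9 + int.from_bytes(data[6:9], "big")]   # handshake length is 24-bit
    client_ver = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                  # skip client_version and random
    pos += 1 + body[pos]                          # session_id (length-prefixed)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos + 2, pos + 2 + cs_len, 2)]
    pos += 2 + cs_len
    pos += 1 + body[pos]                          # compression_methods
    exts = {}
    if pos < len(body):                           # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            exts[EXT_NAMES.get(etype, f"ext_{etype}")] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    alpn = exts.get("application_layer_protocol_negotiation", b"")
    return {
        "record_version": rec_ver, "client_version": client_ver,
        "cipher_suites": suites, "extensions": sorted(exts),
        "has_sni": "server_name" in exts,
        "alpn": alpn[3:3 + alpn[2]].decode() if alpn else None,  # first ALPN name only
    }

if __name__ == "__main__":
    print(parse_client_hello(CLIENT_HELLO))
```
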
c_rpedad
Join Date: 18 Jun 18
Location: San Jose
Posts: 317
Posted: Fri, 2019-10-25 15:37

Kindly use the instructions below to verify the HTTPS connection with a remote server using QCLI_demo.

> Connect to Wifi and Acquire IP address.

> Download CA certificate to QCA4020 device.
// net cert get ca_list.bin 10.177.245.215 -s ca.bin -t ca_list

Start DNS, SNTP and HTTP clients.
> net dnsc start
> net sntpc start
> net httpc start
> net httpc new -s -c ca.bin
> net httpc conn 1 10.177.245.215 443
> net httpc get 1 /index.html

jesse
Join Date: 22 Aug 17
Posts: 22
Posted: Mon, 2019-10-28 10:59

Is 10.177.245.215 publicly accessible and still up and running? I am unable to access that server - I can't connect to https://10.177.245.215/index.html with a web browser and it doesn't respond to pings.

c_rpedad
Join Date: 18 Jun 18
Location: San Jose
Posts: 317
Posted: Mon, 2019-10-28 11:53

I have used my private root CA and a local PC to verify the SSL connection.

However, I have also verified the SSL connection sequence using a public website, kindly follow the instructions below:
I have downloaded the DigiCert Root CA: https://dl.cacerts.digicert.com/ThawteRSACA2018.crt

Net> dnsc start
Net> sntpc start
Net> cert get ../digiCertRoot.bin 10.177.245.215 -s ca_d.bin -t ca_list
Net: Successfully downloaded ../digiCertRoot.bin
Net: Successfully stored CA list
Net: ca_d.bin is stored in NV memory

Net> httpc start
Net> httpc new -s -c ca_d.bin
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms

Net> httpc conn 1 global-root-ca.chain-demos.digicert.com 443
Net: conn to global-root-ca.chain-demos.digicert.com:443 succeeded

Net> httpc get 1
Net>
Net: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-trans

Net: itional.dtd">
Net: <html xmlns="http://www.w3.org/1999/xhtml">

jesse
Join Date: 22 Aug 17
Posts: 22
Posted: Mon, 2019-10-28 14:56

Sorry, I didn't immediately recognize 10.177.245.215 as a private subnet so I was trying to follow your example and connect to it.

I'm having some mixed results. Is the certificate at https://dl.cacerts.digicert.com/ThawteRSACA2018.crt in the correct format or does it need to be converted? Here is what I have done:

On Linux:

$ wget https://dl.cacerts.digicert.com/ThawteRSACA2018.crt

$ mv ThawteRSACA2018.crt digiCertRoot.bin

$ ./certcs -s

On QCA4020:

> net cert get digiCertRoot.bin 192.168.10.155 -s ca_d.bin -t ca_list
Net: Successfully downloaded digiCertRoot.bin
Net: Successfully stored CA list
Net: ca_d.bin is stored in NV memory
 
> net httpc start
> net httpc new -s -c ca_d.bin
> net httpc conn 1 global-root-ca.chain-demos.digicert.com 443
Net: conn failed -8
But if I leave off the -c ca_d.bin it will work.
> net httpc start
> net httpc new -s
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
> net httpc conn 1 global-root-ca.chain-demos.digicert.com 443
Net: conn to global-root-ca.chain-demos.digicert.com:443 succeeded
Now, adding back the -c ca_d.bin will work.
> net httpc start
> net httpc new -s -c ca_d.bin
Net: HTTP client created. <client num> = 2
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
> net httpc conn 1 global-root-ca.chain-demos.digicert.com 443
Net: conn to global-root-ca.chain-demos.digicert.com:443 succeeded
I have been testing with a server running on our intranet and I still can't get a successful connection to it. The internal server is using the same SSL certificate that is in use by the production server. I have been able to successfully connect to and retrieve a resource from the production server. The SSL certificate we have is a wildcard certificate. I expect the validation to fail on the internal server because I don't have a domain name mapped to it. By disabling the domain name checking the QCA should still accept the certificate on the internal server. From reading through the QAPI documentation, not loading a root certificate should allow SSL to work. It just won't do the certificate validation.
 
I plan on mapping a subdomain to the internal server at some point so the certificate will validate. I don't think I'm getting a validation error from the QAPI SDK though.
 
It is encouraging that I am finally getting something to work now.
jesse
Join Date: 22 Aug 17
Posts: 22
Posted: Mon, 2019-11-11 07:13