Forums - SSL Connection failures on certain servers

9 posts / 0 new
Last post
SSL Connection failures on certain servers
jesse
Join Date: 22 Aug 17
Posts: 22
Posted: Fri, 2019-11-08 10:57

This is the same basic problem as I tried outlining here: https://developer.qualcomm.com/forum/qdn-forums/hardware/qca4020-qca4024...

Now I have more information that points to flaws in the QAPI/SSL library.

First to prove that SSL works - I'm leaving out loading the CA list because it is irrelevent for this test.

Net> httpc start

Net> httpc new -s
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 global-root-ca.chain-demos.digicert.com 443
Net: conn to global-root-ca.chain-demos.digicert.com:443 succeeded
Alright, that worked. Now for some failures...
 
This hangs forever:
Net> httpc new -s
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 developer.qualcomm.com 443
Also hangs forever:
Net> httpc new -s
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net>  httpc conn 1 www.apple.com 443
Also hangs forever:
Net> httpc new -s            
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 www.microsoft.com 443
This one returns a failure:
Net> httpc new -s
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 slashdot.org 443
Net: conn failed -8
One thing I have found in my testing is servers using OpenSSL version 1.0.2g work. The exact same server using the exact same SSL certificate compiled on a server using OpenSSL version 1.1.1b will fail. What I see on my servers using OpenSSL 1.1.1b is the QCA4020 never sends anything after the initial "client hello" message. 
  • Up0
  • Down0
c_rpedad
Profile picture
Join Date: 18 Jun 18
Location: San Jose
Posts: 317
Posted: Mon, 2019-11-11 17:01

I tried to use the same examples as described in the forum, I am able to successfully connect and do not observer any hang issue:

> wlan enable
> wlan setdevice 1
> wlan SetWpaPassphrase 123456789
> wlan SetWpaParameters WPA2 CCMP CCMP
> wlan connect DemoAP_1
WLAN: devid - 1 1 CONNECTED MAC addr *********
WLAN: 4 way handshake success for device=1
> net dhcpv4c wlan1

Net: DHCPv4c: IP=10.177.239.18  Subnet Mask=255.255.254.0  Gateway=10.177.238.1
> net dnsc start
> net sntpc start

Net> cert get digiCertRoot.bin 10.177.245.215 -s ca.bin -t ca_list
Net: Successfully downloaded digiCertRoot.bin
Net: Successfully stored CA list
Net: ca.bin is stored in NV memory

> net httpc start

Net> httpc new -s
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 global-root-ca.chain-demos.digicert.com 443
Net: conn failed -20002  // Error with SSL connection QAPI_ERR_SSL_CONN 
 
Net> httpc new -s -c ca.bin
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 global-root-ca.chain-demos.digicert.com 443
Net: conn to global-root-ca.chain-demos.digicert.com:443 succeeded

Net> httpc stop
Net> httpc start
Net> httpc new -s
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 www.apple.com 443
Net: conn failed -20002  // Error with SSL connection QAPI_ERR_SSL_CONN 
 
Net> httpc new -s -c ca.bin
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 developer.qualcomm.com 443
Net: conn to developer.qualcomm.com:443 succeeded
 
Net> httpc new -s -c ca.bin
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net>  httpc conn 1 slashdot.org 443
Net: conn failed -20002 // Error with SSL connection QAPI_ERR_SSL_CONN 

Kindly refer to qapi_net_status.h for more information on SSL related errors.
The expected behaviour is SSL connection should return error when trying to connect to multiple websites if case the rootCA authentication fails.

I have tried to run SSL traffic between remote Linux PC with openSSL 1.1.1 version /MAC book using LibreSSL 3.0.1  and QCA4020 device and do not observe any issue.

Can you share us your serial console logs during the issue ? 

 

  • Up0
  • Down0
jesse
Join Date: 22 Aug 17
Posts: 22
Posted: Tue, 2019-11-12 10:10

Net> httpc new -s -c ca.bin

Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net>  httpc conn 1 slashdot.org 443
Net: conn failed -20002 // Error with SSL connection QAPI_ERR_SSL_CONN 
Are you acknowledging a problem and working on a fix? 
  • Up0
  • Down0
jesse
Join Date: 22 Aug 17
Posts: 22
Posted: Tue, 2019-11-12 10:28

I have tried to run SSL traffic between remote Linux PC with openSSL 1.1.1 version /MAC book using LibreSSL 3.0.1  and QCA4020 device and do not observe any issue.

Are you using a real certificate issued from a Certificate Provider? My self-signed certificate that I have used for testing the past few years works with either version of OpenSSL. The QCA4020 connecting to a server using the real certificate issued from DigiCert on a server with OpenSSL 1.1.1 does not work. The same setup on a server with OpenSSL 1.0.2 does work. I don't know why my self-signed certificate works. The only thing I can think of is my self-signed certiciate was created with weaker encryption that results in smaller buffers being sent  back to the client.

I have seen references that clients fail to handshake with servers running OpenSSL 1.1.1 because 1.1.1 sends back more data than 1.0.2. I have no idea if that is the case or if that is the same problem the QAPI is running into.

For the record, I have never run into a problem with any other client having SSL connection issues with my server.

 

  • Up0
  • Down0
jesse
Join Date: 22 Aug 17
Posts: 22
Posted: Tue, 2019-11-12 10:41

Command List:

  Commands:
     0. Ver
     1. Help
     2. Exit
 
  Subgroups:
     3. BLE
     4. HMI
     5. WLAN
     6. Net
     7. Coex
     8. FwUp
     9. ADSS
    10. LP
    11. Fs
    12. Ecosystem
    13. SecureFs
    14. Crypto
    15. ZigBee
    16. Thread
    17. Platform
    18. JSON
    19. FLASHLOG
    20. UART
 
> WLAN Enable
 
> WLAN SetWpaParameters WPA2 CCMP CCMP
 
> WLAN SetWpaPassphrase XXXX
 
> WLAN Connect XXXX
 
WLAN: 
WLAN: Setting SSID to XXXX 
WLAN: 
 
WLAN: devid - 0 1 CONNECTED MAC addr a0:21:b7:63:56:00 
WLAN: 4 way handshake success for device=0 
Net dhcpv4c wlan0 new
 
> Net dnsc start
Net: DHCPv4c: IP=192.168.10.178  Subnet Mask=255.255.255.0  Gateway=192.168.10.1
 
> Net sntpc start
 
> net cert get digiCertRoot.bin 192.168.10.155 -s ca.bin -t ca_list
 
Net: Successfully downloaded digiCertRoot.bin
Net: Successfully stored CA list
Net: ca.bin is stored in NV memory
 
> net httpc start
 
> net
 
Net> httpc new -s
 
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 global-root-ca.chain-demos.digicert.com 443
 
Net: conn failed -20002
 
Net> ping global-root-ca.chain-demos.digicert.com
 
Net> 
Net: Ping global-root-ca.chain-demos.digicert.com (64.58.225.127):
 
Net> 
Net: Request timed out
 
Net> ping google.com
 
Net> 
Net: Ping google.com (216.58.192.142):
Net: 64 bytes from 216.58.192.142: seq=1 time=0 ms
 
Net> httpc new -s -c ca.bin
 
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 global-root-ca.chain-demos.digicert.com 443
 
Net: conn failed -20002
 
Net> httpc stop
 
Net> httpc start
 
Net> httpc new -s
 
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 www.apple.com 443
I'll post a follow-up with the status from the last command when it eventually returns. It has been over 40 minutes now.
 
This demo was built with QAPI SDK 3.1. I had previously been using SDK 3.0. The only difference I see between the two is I can't make a connection to global-root-ca.chain-demos.digicert.com any more. I don't know if that's because of the change in the SDK or if they upgraded their server to use OpenSSL 1.1.1 in the meantime. 
 
BTW, the ping to global-root-ca.chain-demos.digicert.com fails because that server doesn't respond to pings. I verified I had internet access by pinging google.com instead.
 
 
  • Up0
  • Down0
c_rpedad
Profile picture
Join Date: 18 Jun 18
Location: San Jose
Posts: 317
Posted: Thu, 2020-01-16 14:28
I have tried below sequence to verify OpenSSL 1.1.1b version is working on QCA4020.
 
Step 1:
Install OpenSSL on 16.04.1-Ubuntu 
> tar -zxf openssl-1.1.1b.tar.gz && cd openssl-1.1.1b
> ./config.
> make
> sudo mv /usr/bin/openssl ~/tmp
> sudo make install.
> sudo ln -s /usr/local/bin/openssl /usr/bin/openssl
> sudo ldconfig
 
Issue "openssl version"  to confirm running version is OpenSSL 1.1.1b  
 
Step 2:
Generate RootCA and certificates
 
> openssl genrsa -des3 -out server.key 4096
> openssl req -new -key server.key -out server.csr
> openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
> openssl rsa -in server.key -out server.key.insecure
> mv server.key server.key.secure
> mv server.key.insecure server.key
 
You should see these four files:
server.crt: The self-signed server certificate.
server.csr: Server certificate signing request.
server.key: The private server key, does not require a password when starting Apache.
server.key.secure: The private server key, it does require a password starting Apache.
 
cp server.key cp server.crt /etc/apache2/ssl
a2enmod ssl
ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/000-default-ssl
mkdir /var/www/ssl
 
Edit /etc/apache2/sites-available/default-ssl.conf to include the latest server certificate, key and DocuementRoot
 
DocumentRoot /var/www/ssl
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
 
create a new file to verify HTTPS connection as  /var/www/ssl/index.html
 
<html>
<body>
<h1>Test Page on My HTTPS Server</h1>
<h2>by YOUR NAME</h2>
</body>
</html>
 
sudo service apache2 restart
 
Note: To generate RootCA from the certificate, kindly use SharkSSLParseCAList available under  (@./target/build/tools/net/ssl/bin/linux32) as below:
rajapedada@rajapedada:~$ ./SharkSSLParseCAList -b server_calist.bin server.crt
 /**
  *  SharkSSLParseKey.  Build 4000.
  *  Copyright (c) 2017 Real Time Logic.
  */
 
rajapedada@rajapedada:$ ls -l server*
-rw-rw-r-- 1 rajapedada rajapedada 1345 Jan 16 14:00 server_calist
-rw-r--r-- 1 root       root       1854 Jan 14 17:31 server.crt
 
Step 3:
Flashing QCA4020 and connecting to HTTPS server.
 
> Power on QCA4020
> enable wlan connect to SSID, acquire IP address.
> download certificate to local machine using certcs server available  under (@target/build/tools/net/ssl/certcs/linux/certcs).
> connect httpc using secure mode and rootca to linux machine and try to get the index.html.
 
Example Using QCLI_demo and linux PC:
> wlan enable
> wlan setdevice 1
> wlan SetWpaPassphrase password
> wlan SetWpaParameters WPA2 CCMP CCMP
> wlan connect SSID
WLAN: devid - 1 1 CONNECTED MAC addr xx:xx:xx:xx:xx:xx
WLAN: 4 way handshake success for device=1
 
> net dhcpv4c wlan1
Net: DHCPv4c: IP=10.xxx.xxx.x  Subnet Mask=255.255.254.0  Gateway=10.xxx.xxx.x
 
> net ping 10.177.245.215
Net: 64 bytes from 10.177.245.215: seq=1 time=10 ms
 
> net cert get server_calist.bin 10.177.245.215 -s rootCA -t ca_list
Net: Successfully downloaded server_calist.bin
Net: Successfully stored CA list
Net: rootCA is stored in NV memory
 
> fs ls
Fs:        128 /spinor/etc/passwd
Fs:       1408 /spinor/ssl/ca_lists/rootCA
 
> net dnsc start
> net sntpc start
> net httpc start
> net httpc new -s -c rootCA
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
> net httpc conn 1 10.177.245.215 443
Net: conn to 10.177.245.215:443 succeeded
 
> net httpc get 1 index.html
Net: <html>
Net: <body>
Net: <h1>Test Page on QUALCOMM HTTPS Server</h1>
Net: <h2>OpenSSL 1.1.1b -RSP</h2>
Net: </body>
Net: </html>
Net: =========> http client Received: total size 103, Resp_code 200
Net: HTTP Client server closed on client[1].
 
> net httpc new -s
Net: HTTP client created. <client num> = 2
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
> net httpc conn 2 10.177.245.215 443
Net: conn failed -20002
 
>
 
> net httpc conn 1 10.177.245.215 443 1500
Net: conn to 10.177.245.215:443 succeeded
 
> net httpc get 1 index.html
Net: <html>
Net: <body>
Net: <h1>Test Page on QUALCOMM HTTPS Server</h1>
Net: <h2>OpenSSL 1.1.1b -RSP</h2>
Net: </body>
Net: </html>
Net: =========> http client Received: total size 103, Resp_code 200
Net: HTTP Client server closed on client[1]
 
Kindly let me know if you still face any issues.
  • Up0
  • Down0
jesse
Join Date: 22 Aug 17
Posts: 22
Posted: Thu, 2020-01-16 15:35

No Raja, you verified QCA works with OpenSSL 1.1.1 when using a self-signed certificate. I already knew this. If I didn't mention it in this thread it was in an email you received. Get a real certificate from a CA and do your test again. 

I gave you real websites that fail. You verified those websites failed for you also. 

From your post on Mon, 2019-11-11 19:01:

Net> httpc conn 1 www.apple.com 443
Net: conn failed -20002  // Error with SSL connection QAPI_ERR_SSL_CONN 
Net>  httpc conn 1 slashdot.org 443
Net: conn failed -20002 // Error with SSL connection QAPI_ERR_SSL_CONN 
Why did you get connection errors? Why did the connection errors to these websites not alarm you? When you got these connection errors, why did you say you were able to successfully connect?
 
I don't know how you managed to get developer.qualcomm.com to work in your test.
 
Can you do a test showing the QCA Successfully downloading content from www.apple.com, slashdot.org, AND www.microsoft.com? 
 
I am using QCA SDK 3.1. I have tried SDK 3.0 to see if I get results similar to yours and it was an overall worse experience than what I see with SDK 3.1
  • Up0
  • Down0
jbhanu Moderator
Join Date: 6 Feb 17
Posts: 80
Posted: Thu, 2020-01-16 18:09

Hi Jesse, 

You need to have CA for the real website you want to conect . Browser has by default (e.g Microsift/Apple) 

Would it be possible for you to share your real  CA with website details for testing  and sniffer capture . We will analyse them too . 

  • Up0
  • Down0
c_rpedad
Profile picture
Join Date: 18 Jun 18
Location: San Jose
Posts: 317
Posted: Thu, 2020-01-16 18:31
Kindly use below rootCA files for verifying https connection from QCA4020.
 
> global-root-ca.chain-demos.digicert.com ( https://global-root-ca.chain-demos.digicert.com/info/index.html )
 
 
Example:
> net cert get digicertglobalrootca.pem 10.177.245.215 -s digicertglobalrootca -t pem_ca_list
Net: Successfully downloaded digicertglobalrootca.pem
Net: Successfully converted and stored CA list
Net: digicertglobalrootca is stored in NV memory
 
> net httpc start
> net httpc new -s -c digicertglobalrootca
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
> net httpc conn 1 global-root-ca.chain-demos.digicert.com 443 1500
Net: conn to global-root-ca.chain-demos.digicert.com:443 succeeded
  • Up0
  • Down0
or Register

Opinions expressed in the content posted here are the personal opinions of the original authors, and do not necessarily reflect those of Qualcomm Incorporated or its subsidiaries (“Qualcomm”). The content is provided for informational purposes only and is not meant to be an endorsement or representation by Qualcomm or any other party. This site may also provide links or references to non-Qualcomm sites and resources. Qualcomm makes no representations, warranties, or other commitments whatsoever about any non-Qualcomm sites or third-party resources that may be referenced, accessible from, or linked to this site.