Forums - SSL Connection failures on certain servers

jesse
Join Date: 22 Aug 17
Posts: 17
Posted: Fri, 2019-11-08 10:57

This is the same basic problem as I tried outlining here: https://developer.qualcomm.com/forum/qdn-forums/hardware/qca4020-qca4024...

Now I have more information that points to flaws in the QAPI/SSL library.

First, to prove that SSL works - I'm leaving out loading the CA list because it is irrelevant for this test.

Net> httpc start

Net> httpc new -s
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 global-root-ca.chain-demos.digicert.com 443
Net: conn to global-root-ca.chain-demos.digicert.com:443 succeeded
Alright, that worked. Now for some failures...
 
This hangs forever:
Net> httpc new -s
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 developer.qualcomm.com 443
Also hangs forever:
Net> httpc new -s
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net>  httpc conn 1 www.apple.com 443
Also hangs forever:
Net> httpc new -s            
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 www.microsoft.com 443
This one returns a failure:
Net> httpc new -s
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 slashdot.org 443
Net: conn failed -8
One thing I have found in my testing is servers using OpenSSL version 1.0.2g work. The exact same server using the exact same SSL certificate compiled on a server using OpenSSL version 1.1.1b will fail. What I see on my servers using OpenSSL 1.1.1b is the QCA4020 never sends anything after the initial "client hello" message. 
raja_pedada
Join Date: 18 Jun 18
Location: San Jose
Posts: 201
Posted: Mon, 2019-11-11 17:01

I tried the same examples as described in the forum; I am able to connect successfully and do not observe any hang issue:

> wlan enable
> wlan setdevice 1
> wlan SetWpaPassphrase 123456789
> wlan SetWpaParameters WPA2 CCMP CCMP
> wlan connect DemoAP_1
WLAN: devid - 1 1 CONNECTED MAC addr *********
WLAN: 4 way handshake success for device=1
> net dhcpv4c wlan1

Net: DHCPv4c: IP=10.177.239.18  Subnet Mask=255.255.254.0  Gateway=10.177.238.1
> net dnsc start
> net sntpc start

Net> cert get digiCertRoot.bin 10.177.245.215 -s ca.bin -t ca_list
Net: Successfully downloaded digiCertRoot.bin
Net: Successfully stored CA list
Net: ca.bin is stored in NV memory

> net httpc start

Net> httpc new -s
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 global-root-ca.chain-demos.digicert.com 443
Net: conn failed -20002  // Error with SSL connection QAPI_ERR_SSL_CONN 
 
Net> httpc new -s -c ca.bin
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 global-root-ca.chain-demos.digicert.com 443
Net: conn to global-root-ca.chain-demos.digicert.com:443 succeeded

Net> httpc stop
Net> httpc start
Net> httpc new -s
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 www.apple.com 443
Net: conn failed -20002  // Error with SSL connection QAPI_ERR_SSL_CONN 
 
Net> httpc new -s -c ca.bin
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 developer.qualcomm.com 443
Net: conn to developer.qualcomm.com:443 succeeded
 
Net> httpc new -s -c ca.bin
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net>  httpc conn 1 slashdot.org 443
Net: conn failed -20002 // Error with SSL connection QAPI_ERR_SSL_CONN 

Kindly refer to qapi_net_status.h for more information on SSL-related errors.
The expected behaviour is that the SSL connection should return an error when trying to connect to multiple websites in case the root CA authentication fails.

I have tried to run SSL traffic between a remote Linux PC with OpenSSL version 1.1.1 / a MacBook using LibreSSL 3.0.1 and a QCA4020 device and do not observe any issue.

Can you share your serial console logs from during the issue?

jesse
Join Date: 22 Aug 17
Posts: 17
Posted: Tue, 2019-11-12 10:10

Net> httpc new -s -c ca.bin

Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net>  httpc conn 1 slashdot.org 443
Net: conn failed -20002 // Error with SSL connection QAPI_ERR_SSL_CONN 
Are you acknowledging a problem and working on a fix? 
jesse
Join Date: 22 Aug 17
Posts: 17
Posted: Tue, 2019-11-12 10:28

I have tried to run SSL traffic between a remote Linux PC with OpenSSL version 1.1.1 / a MacBook using LibreSSL 3.0.1 and a QCA4020 device and do not observe any issue.

Are you using a real certificate issued from a Certificate Provider? My self-signed certificate that I have used for testing the past few years works with either version of OpenSSL. The QCA4020 connecting to a server using the real certificate issued from DigiCert on a server with OpenSSL 1.1.1 does not work. The same setup on a server with OpenSSL 1.0.2 does work. I don't know why my self-signed certificate works. The only thing I can think of is my self-signed certificate was created with weaker encryption that results in smaller buffers being sent back to the client.

I have seen references that clients fail to handshake with servers running OpenSSL 1.1.1 because 1.1.1 sends back more data than 1.0.2. I have no idea if that is the case or if that is the same problem the QAPI is running into.

For the record, I have never run into a problem with any other client having SSL connection issues with my server.

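The hypothesis in the post above, that the server's reply after the ClientHello is larger than the client's 512-byte rxbuf, can be checked by capturing the server's first flight (for example with tcpdump on the server) and sizing its TLS records. The following is an added example, not code from the thread or from the Qualcomm SDK; the flight it parses is constructed inline with filler handshake bodies, and the 512-byte figure is taken from the "rxbuf:512" line in the logs.

```python
import struct

HANDSHAKE = 22
HS_NAMES = {2: "ServerHello", 11: "Certificate",
            12: "ServerKeyExchange", 14: "ServerHelloDone"}


def tls_record(content_type, body, version=0x0303):
    """Frame one TLS record: 1-byte type, 2-byte version, 2-byte length, body."""
    return struct.pack("!BHH", content_type, version, len(body)) + body


# Constructed sample of a TLS 1.2 server's first flight (not a real capture).
# Each handshake body is its type byte followed by zero filler; only the
# record framing matters for sizing the flight.
CONSTRUCTED_FLIGHT = (
    tls_record(HANDSHAKE, b"\x02" + b"\x00" * 80)      # ServerHello
    + tls_record(HANDSHAKE, b"\x0b" + b"\x00" * 1500)  # Certificate chain
    + tls_record(HANDSHAKE, b"\x0c" + b"\x00" * 330)   # ServerKeyExchange
    + tls_record(HANDSHAKE, b"\x0e" + b"\x00" * 3)     # ServerHelloDone
)


def parse_records(flight):
    """Split raw bytes into (name, wire_length) per TLS record.

    Returns (records, truncated); truncated is True when the data ends
    mid-record, which is what a capture of a stalled handshake looks like.
    """
    records, pos = [], 0
    while pos + 5 <= len(flight):
        ctype, _ver, length = struct.unpack("!BHH", flight[pos:pos + 5])
        if pos + 5 + length > len(flight):
            return records, True
        body = flight[pos + 5:pos + 5 + length]
        if ctype == HANDSHAKE and body:
            name = HS_NAMES.get(body[0], "handshake-%d" % body[0])
        else:
            name = "type-%d" % ctype
        records.append((name, 5 + length))
        pos += 5 + length
    return records, pos != len(flight)


def check_against_rxbuf(flight, rxbuf=512):
    """Total flight size and the records that do not fit in a rxbuf-byte buffer."""
    records, truncated = parse_records(flight)
    return {"total_bytes": sum(n for _, n in records),
            "records": records,
            "too_large_for_rxbuf": [name for name, n in records if n > rxbuf],
            "truncated": truncated}
```

Feed it the TCP payload the server sent in a capture of a failing and a working connection; a single record (typically the Certificate chain) larger than the client's receive buffer in the failing case, and none in the working one, would support the buffer-size explanation.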
jesse
Join Date: 22 Aug 17
Posts: 17
Posted: Tue, 2019-11-12 10:41

Command List:

  Commands:
     0. Ver
     1. Help
     2. Exit
 
  Subgroups:
     3. BLE
     4. HMI
     5. WLAN
     6. Net
     7. Coex
     8. FwUp
     9. ADSS
    10. LP
    11. Fs
    12. Ecosystem
    13. SecureFs
    14. Crypto
    15. ZigBee
    16. Thread
    17. Platform
    18. JSON
    19. FLASHLOG
    20. UART
 
> WLAN Enable
 
> WLAN SetWpaParameters WPA2 CCMP CCMP
 
> WLAN SetWpaPassphrase XXXX
 
> WLAN Connect XXXX
 
WLAN: 
WLAN: Setting SSID to XXXX 
WLAN: 
 
WLAN: devid - 0 1 CONNECTED MAC addr a0:21:b7:63:56:00 
WLAN: 4 way handshake success for device=0 
Net dhcpv4c wlan0 new
 
> Net dnsc start
Net: DHCPv4c: IP=192.168.10.178  Subnet Mask=255.255.255.0  Gateway=192.168.10.1
 
> Net sntpc start
 
> net cert get digiCertRoot.bin 192.168.10.155 -s ca.bin -t ca_list
 
Net: Successfully downloaded digiCertRoot.bin
Net: Successfully stored CA list
Net: ca.bin is stored in NV memory
 
> net httpc start
 
> net
 
Net> httpc new -s
 
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 global-root-ca.chain-demos.digicert.com 443
 
Net: conn failed -20002
 
Net> ping global-root-ca.chain-demos.digicert.com
 
Net> 
Net: Ping global-root-ca.chain-demos.digicert.com (64.58.225.127):
 
Net> 
Net: Request timed out
 
Net> ping google.com
 
Net> 
Net: Ping google.com (216.58.192.142):
Net: 64 bytes from 216.58.192.142: seq=1 time=0 ms
 
Net> httpc new -s -c ca.bin
 
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 global-root-ca.chain-demos.digicert.com 443
 
Net: conn failed -20002
 
Net> httpc stop
 
Net> httpc start
 
Net> httpc new -s
 
Net: HTTP client created. <client num> = 1
Net: secure  rxbuf:512  bodybuf:300  headerbuf:200  timeout:5000ms
 
Net> httpc conn 1 www.apple.com 443
I'll post a follow-up with the status from the last command when it eventually returns. It has been over 40 minutes now.
 
This demo was built with QAPI SDK 3.1. I had previously been using SDK 3.0. The only difference I see between the two is I can't make a connection to global-root-ca.chain-demos.digicert.com any more. I don't know if that's because of the change in the SDK or if they upgraded their server to use OpenSSL 1.1.1 in the meantime. 
 
BTW, the ping to global-root-ca.chain-demos.digicert.com fails because that server doesn't respond to pings. I verified I had internet access by pinging google.com instead.
 
 