WiFiClientSecure verify fingerprint problem

[gjt211]

Basic Infos

Unable to get the fingerprint verify to run successfully on my server, but works ok using the adafruit server.

Description

I believe the problem is due to my server not supporting the appropriate cipher suite that is supported by from what I can tell axTLS.

Using openSSL or my web browser, I can obtain the fingerprint and they both match.
I believe I need to edit my servers Apache config to allow RSA with AES128, but have been unable to find what ciphers are supported in ESP8266 Arduino core.

I am using WHM on a CentOS VPS, so it's quite easy to edit the cipher list, I just need to know what to add/delete/edit.

Currently my servers SSL Cipher Suite is as follows;
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
It specifically shows that RC4 is NOT allowed.
The SSL/TLS protocol setting is as follows;
All -SSLv2 -SSLv3
Which means all V1 variants are supported (1.0, 1.1, 1.2). Do I need to remove/edit this also?

Additionally, when you perform the actual fingerprint verify, there is no option for a port, just the address; Is the port 'inferred' from the client connect command? I ask this as my MQTT broker uses different certificates on port 8883 than the web server.

Is there a way to view the fingerprint received when performing the fingerprint verify? It would help if possible to see what is actually being returned from the server.

Thanks in advance.

[gjt211]

I have been playing with this quite a bit more and now can get the fingerprint to verify for port 443 successfully. I had to add RC4-SHA and remove !RC4 from my apache Cipher suites configuration.

In my Arduino code, I enabled debug output by adding the following
#define DEBUG_SSL
#define DEBUGV
and then adding the following to my setup function
Serial.setDebugOutput(true);

When I run my test code on port 443, if the certificates match, I have success.
However when I run my test code on port 8883 (Mosquitto MQTT broker secured with a self signed certificate), I get a connection insecure message.
With the above debug configuration, it seems after some testing that when the fingerprints match, I just get the normal return from my program that says the connection is insecure. However, if I purposely supply a fingerprint that is incorrect, then the debug outputs both my incorrectly supplied fingerprint and the fingerprint from my server from port 8883.
The fingerprint it shows matches what I am meant to be providing for port 8883, so I am wondering if it's telling me it's insecure because of the self signed certificate?

I have included a copy of my code with obvious things altered/obscured for security purposes.

#define DEBUG_SSL
#define DEBUGV
#include <ESP8266WiFi.h>
#include <WiFiClientSecure.h>

#define WLAN_SSID       "********"
#define WLAN_PASS       "********"

#define AIO_SERVER      "s****t.com"
#define AIO_SERVERPORT  8883                   // 8883 for MQTTS, 443 for HTTPS

// WiFiFlientSecure for SSL/TLS support
WiFiClientSecure client;

//HTTPS Port fingerprint
const char* fingerprint = "B4 DD 51 DE ED 1D E2 C1 BE EF A0 D0 05 E5 B1 E7 B7 85 A5 F9";

//MQTTS Port fingerprint
//const char* fingerprint = "3A BB EE EE FF BF 81 1D A5 E6 C4 69 DD EE AA DD B2 05 72 16";

/*************************** Sketch Code ************************************/
void verifyFingerprint();

void setup() {
  Serial.begin(115200);
  delay(10);
  Serial.setDebugOutput(true);

  Serial.println(F("S*****t TLS fingerprint test"));

  // Connect to WiFi access point.
  Serial.print("Connecting to ");
  Serial.println(WLAN_SSID);

  delay(1000);

  WiFi.begin(WLAN_SSID, WLAN_PASS);
  delay(2000);

  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.print(".");
  }
  Serial.println("WiFi connected");
  Serial.print("IP address: "); Serial.println(WiFi.localIP());

}


void loop() {
  verifyFingerprint();
  Serial.println();
  delay(20000);
}

void verifyFingerprint() {
  const char* host = AIO_SERVER;
 
  Serial.print("Connecting to ");
  Serial.println(host);
  Serial.println(fingerprint);
  if (! client.connect(host, AIO_SERVERPORT)) {
    Serial.println("Connection failed. Halting execution.");
    return;
  }

  if (client.verify(fingerprint, host)) {
    Serial.println("Connection secure.");
  } else {
    Serial.println("Connection insecure!");
  }
}

[devyte]

BearSSL is merged in #4273 , with alternate BearSSL::WiFi* classes. Although axtls-based classes are still available and even the default, they are planned for deprecation and then retirement, hence won't be fixed. Any issues with BearSSL-based classes should be reported in new issues.
Closing.