Have support for TLS 1.2 in SDK v2.0? #2805

Closed
yuridiniz opened this issue Dec 28, 2016 · 9 comments
@yuridiniz

Hi, I see some posts on the internet saying that the new version of the SDK (ESP8266_NONOS_SDK_V2.0.0_16_07_19) supports TLS 1.2, but the official documentation says it only has support for TLS 1.1:

https://github.com/esp8266/Arduino/blob/master/doc/esp8266wifi/readme.md#client-secure

Thanks

@partofthething

In #2537 (35ee060) it looks like the axTLS library was upgraded to a version supporting TLS 1.2. I think the documentation might be behind.

@bantaj

bantaj commented Jan 5, 2017

Curious if you were able to confirm support for TLS 1.2 by getting it to work?

After several attempts at connecting to AWS API Gateway (which requires TLS 1.2), all I am getting are connection failed errors when trying to make a POST request. It seems like it may work though, as I can connect to GitHub with similar requests. In both cases I confirmed the SSL fingerprints are correct.

@tedder

tedder commented Apr 3, 2017

With version 2.3.0 installed, using fancyssl.hboeck.de (which is tls1.2-only), it appears TLS1.2 is NOT supported. @igrr, does this make sense? It appears it should work, per the 2.3.0 release notes and #2537.

Further, the release notes give two git hashes for axTLS binary inclusions. The 2.3.0 tag has the older release hash, not the newer one:
https://github.com/esp8266/Arduino/blob/2.3.0/tools/sdk/lib/libaxtls.a

The commit of the updated binary appears to be on master, not in the 2.3.0 tag. I don't know where the git hashes of the axtls binary come from, so it's hard to be certain that's the problem.

FWIW, using 'fancyssl' means SNI works, which was the other addition that should be in axtls2.0.

@jfktrey

jfktrey commented May 15, 2017

Did you configure the TLS version appropriately when attempting to connect? micropython/micropython#2343

@tedder

tedder commented May 15, 2017

Hmm, no. Looks like it needs to be ssl_version: TODO. But what are the constants? I don't understand how it gets mapped from C to Python; the two values I see in C are SL_SO_SEC_METHOD_TLSV1_2 or MP_QSTR_PROTOCOL_TLSv1_2.

@igrr
Member

igrr commented May 16, 2017

TLS1.2 is supported in git version, to be released in 2.4.0.

@zdewitt

zdewitt commented Oct 24, 2017

Hey all, just curious if anyone was able to get TLS 1.2 working with the git version? I'm trying to connect to AWS IoT and it seems to keep rejecting the connection at the SSL stage. I've successfully connected to the AWS endpoint using openssl on my laptop and the same certificates/key (they are DER versions) but I keep getting this on the debug output:

SPIFFSImpl: allocating 512+240+1400=2152 bytes
SPIFFSImpl: mounting fs @100000, size=2fb000, block=2000, page=100
SPIFFSImpl: mount rc=0
:ref 1
please start sntp first !
State:	sending Client Hello (1)
:wr 129 129 0
:wrc 129 129 0
:sent 129
:rn 1460
:rch 1460, 1460
:rch 2920, 119
:rd 5, 3039, 0
:rdi 1460, 5
:rd 3034, 3039, 5
:rdi 1455, 1455
:c 1455, 1460, 3039
:rdi 1460, 1460
:c 1460, 1460, 1579
:rdi 119, 119
:c0 119, 119
State:	receiving Server Hello (2)
State:	receiving Certificate (11)
State:	receiving Certificate Request (13)
State:	receiving Server Hello Done (14)
State:	sending Certificate (11)
:wr 877 877 0
:wrc 256 877 0
:wrc 256 621 0
:wrc 256 365 0
:wrc 109 109 0
:sent 877
State:	sending Client Key Exchange (16)
:wr 267 267 0
:wrc 256 267 0
:wrc 11 11 0
:sent 267
State:	sending Certificate Verify (15)
:wr 269 269 0
:wrc 256 269 0
:wrc 13 13 0
:wr 6 6 0
:wrc 6 6 0
State:	sending Finished (16)
:wr 85 85 0
:wrc 85 85 0
:wr 69 69 0
:wrc 69 69 0
Alert: close notify
Secure connection to host failed!
SPIFFS_close: fd=3
SPIFFS_close: fd=2
SPIFFS_close: fd=1
:sent 269
:sent 160
:rn 160
:rcl
:abort

A snippet of my code for this connection test is here:

// wifiClient is a WiFiClientSecure; HOST_NAME is defined elsewhere in the sketch.
// Client certificate, CA certificate and private key are stored on SPIFFS in DER form.
File CACertFile = SPIFFS.open("/CA-certificate.der.crt", "r");
File certFile = SPIFFS.open("/fb24dcba28-certificate.der.crt", "r");
File pkFile = SPIFFS.open("/fb24dcba28-private.der.key", "r");

// Load the credentials used for the mutual-TLS handshake.
if (!wifiClient.loadCertificate(certFile)) Serial.println("certFile failed!");
if (!wifiClient.loadCACert(CACertFile)) Serial.println("CACert failed!");
if (!wifiClient.loadPrivateKey(pkFile)) Serial.println("pkFile failed!");

// MQTT over TLS port used by AWS IoT.
wifiClient.connect(HOST_NAME, 8883);
if (wifiClient.connected())
{
  Serial.println("Established secure connection to host.");
} else {
  Serial.println("Secure connection to host failed!");
}

I don't know if it means anything, but it takes a while (a couple of seconds) after State: sending Finished (16) before the Alert: close notify message comes up. It seems as though it's trying to negotiate but is unable to. Is there any way to get more verbose messages out of the TLS system? I don't fully understand the comment above about micropython; is there something I need to configure to use v1.2?
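Reading that debug output by hand is tedious, so here is a small parser, added here and not part of the issue or the esp8266/Arduino project, that extracts the handshake states and the first alert from an axTLS-style log and reports how far the handshake got. The sample log is a constructed, trimmed copy of the one quoted in the comment above.

```python
import re

# Constructed, trimmed copy of the axTLS-style debug output quoted above
# (buffer lines such as ':wr'/':rd' are mostly omitted for brevity).
SAMPLE_LOG = """\
please start sntp first !
State:\tsending Client Hello (1)
:sent 129
State:\treceiving Server Hello (2)
State:\treceiving Certificate (11)
State:\treceiving Certificate Request (13)
State:\treceiving Server Hello Done (14)
State:\tsending Certificate (11)
State:\tsending Client Key Exchange (16)
State:\tsending Certificate Verify (15)
State:\tsending Finished (16)
Alert: close notify
Secure connection to host failed!
"""

STATE_RE = re.compile(r"^State:\s+(sending|receiving) (.+?) \((\d+)\)$")
ALERT_RE = re.compile(r"^Alert: (.+)$")


def analyse_handshake(log: str) -> dict:
    """Walk the log in order and summarise how far the handshake got."""
    states, alert, warnings = [], None, []
    for line in log.splitlines():
        m = STATE_RE.match(line)
        if m:
            states.append((m.group(1), m.group(2), int(m.group(3))))
            continue
        m = ALERT_RE.match(line)
        if m and alert is None:        # keep the first alert only
            alert = m.group(1)
            continue
        if "sntp" in line.lower():     # clock warnings matter for cert validity checks
            warnings.append(line.strip())
    # If the server never sent its own Finished, the handshake did not complete.
    server_finished = any(d == "receiving" and n == "Finished" for d, n, _ in states)
    return {
        "last_state": states[-1] if states else None,
        "client_cert_requested": any(n == "Certificate Request" for _, n, _ in states),
        "alert": alert,
        "warnings": warnings,
        "completed": server_finished and alert is None,
    }
```

On the quoted log it reports that the server requested a client certificate and closed the connection right after the client's Finished, without ever sending its own, which is the point at which a rejected client credential or an unusable cipher/protocol choice would surface.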

@tedder

tedder commented Jan 2, 2018

Closed sans comment, @igrr?

@igrr
Member

igrr commented Jan 2, 2018

I have commented above: #2805 (comment)
