SSL Validation fails for some root certs

[salqadri]

@igrr
The following commit started causing a certain root cert to fail validation: 1d41859

To reproduce the issue, change the HTTPSRequestCACert.ino sample to use the following domain:
"securetoken.googleapis.com"

In the Cert.ino file, grab the cert data from the following file: https://github.com/salqadri/Arduino/blob/master/libraries/ESP8266HTTPClient/examples/SSLCertificateVerification/SSLCertificateVerification.ino

Make sure to set the length to 804.

Run the sample, and notice the following errors:
WiFi connected
IP address:
192.168.1.23
Setting time using SNTP.
Current time: Sun Jun 11 02:05:15 2017
connecting to securetoken.googleapis.com
ERROR: certificate verification failed!
connecting to securetoken.googleapis.com
connection failed

[igrr]

Thanks for the report. Unfortunately I won't be able to reproduce the issue with googleapis.com because google is blocked here in China. I'll try a few other services to see if same thing happens... This may have something to do with key usage constraints checking which was merged from upstream axTLS, and similar issue was mentioned here: #1851 (comment) (also with a google domain).

[salqadri]

That's unfortunate. The thing to note is that I isolated the problem specifically to this commit, so something happened between this axTLS pull and the last one: 1d41859
It seems to have additional validation logic, but I'm not sure how I can debug it to understand exactly what's failing.

[Defozo]

Any update on this?

[muchtall]

@igrr , I'm having similar issues with certs from LetsEncrypt. Are you able to use those certs in China?

[igrr]

Some of my automated tests of WiFiClientSecure use dl.espressif.com to test connection and download stuff. It uses Letsencrypt as its CA, and I haven't noticed issues with these certificates.

[salqadri]

I just tried this again, and the issue still persists :(.

[salqadri]

Based on my similar issue on the ESP32 (espressif/arduino-esp32#545), I discovered there that the correct root cert to use for Google is the Geotrust Global CA, instead of the Equifax one I was using here. So, excitedly, I tried the Geotrust one with the latest axtls library hoping that it solves this problem. Unfortunately, I still get the error, so it seems something else is wrong :(.

[denouche]

@salqadri in your fork you added the possibility to use ESP8266HTTPClient with RootCA, that's very interesting. But that's not in the main repo.
It is possible to ask to merge your branch into the main repository, so everyone can enjoy your HTTPClient::setRootCA function and examples?
Thank you

[Defozo]

Can we merge it as @denouche said?

[salqadri]

Well the reason I can't really ask @igrr to merge it in, is because my fork uses an older version of the axtls binary. So we need to wait for this particular issue to be fixed with axtls not working with domains like securetoken.googleapis.com.

[slurdge]

@igrr , I can't make the latest version work with LetsEncrypt at all. I can setup a test server for you if you need it. I tried both the immediate parent (LetsEncrypt) and the root and it doesn't validate, the error is -514.Edit: It was an error on my side, please see below.

[igrr]

Could you please paste the debug output first? Enable debugging in Tools menu (core+TLS) and add Serial.setDebugOutput(true); to the setup. You should get a printout of all the certificates among other things.
514 is X509_VFY_ERROR_NO_TRUSTED_CERT, which means that you are providing wrong root certificate, or not loading the certificate at all, according to axTLS.