SSL Validation fails for some root certs #3340
Comments
Thanks for the report. Unfortunately I won't be able to reproduce the issue with googleapis.com because google is blocked here in China. I'll try a few other services to see if the same thing happens... This may have something to do with key usage constraints checking which was merged from upstream axTLS, and a similar issue was mentioned here: #1851 (comment) (also with a google domain).
That's unfortunate. The thing to note is that I isolated the problem specifically to this commit, so something happened between this axTLS pull and the last one: 1d41859
Any update on this?
@igrr , I'm having similar issues with certs from LetsEncrypt. Are you able to use those certs in China?
Some of my automated tests of WiFiClientSecure use dl.espressif.com to test connection and download stuff. It uses Letsencrypt as its CA, and I haven't noticed issues with these certificates.
I just tried this again, and the issue still persists :(.
Based on my similar issue on the ESP32 (espressif/arduino-esp32#545), I discovered there that the correct root cert to use for Google is the Geotrust Global CA, instead of the Equifax one I was using here. So, excitedly, I tried the Geotrust one with the latest axtls library hoping that it solves this problem. Unfortunately, I still get the error, so it seems something else is wrong :(.
@salqadri in your fork you added the possibility to use ESP8266HTTPClient with RootCA, that's very interesting. But that's not in the main repo.
Can we merge it as @denouche said?
Well the reason I can't really ask @igrr to merge it in, is because my fork uses an older version of the axtls binary. So we need to wait for this particular issue to be fixed with axtls not working with domains like securetoken.googleapis.com.
@igrr , I can't make the latest version work with LetsEncrypt at all. I can set up a test server for you if you need it. I tried both the immediate parent (LetsEncrypt) and the root and it doesn't validate, the error is -514. Edit: It was an error on my side, please see below.
Could you please paste the debug output first? Enable debugging in Tools menu (core+TLS) and add Serial.setDebugOutput(true); to the setup. You should get a printout of all the certificates among other things.
I could do that, what's the IDE where I would do it? I don't find it in the default Arduino IDE. I also figured out that -514 is X509_VFY_ERROR_NO_TRUSTED_CERT by digging the source. However, since axTLS does not validate CACert upon loading, it's not easy to know if it's a wrong root certificate or not loading 😄 update: I enabled setDebugOutput(true); and the error is as follows: So, I have to dig why this specific file is invalid.
Ok I made a stupid mistake in my DER conversion routine, and I could fix it. After putting it, everything works! @igrr , thank you! Please disregard my previous comment. As a side note, it works well validating alt-names. Now, I don't know if SNI will work or not (but this is irrelevant to this ticket).
@igrr
The following commit started causing a certain root cert to fail validation: 1d41859
To reproduce the issue, change the HTTPSRequestCACert.ino sample to use the following domain:
"securetoken.googleapis.com"
In the Cert.ino file, grab the cert data from the following file: https://github.com/salqadri/Arduino/blob/master/libraries/ESP8266HTTPClient/examples/SSLCertificateVerification/SSLCertificateVerification.ino
Make sure to set the length to 804.
Run the sample, and notice the following errors:
WiFi connected
IP address:
192.168.1.23
Setting time using SNTP.
Current time: Sun Jun 11 02:05:15 2017
connecting to securetoken.googleapis.com
ERROR: certificate verification failed!
connecting to securetoken.googleapis.com
connection failed
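The reproduction above hard-codes the CA certificate as a byte array with a fixed length (804), and a later comment traces a -514 (X509_VFY_ERROR_NO_TRUSTED_CERT) to a mistake in the commenter's own DER conversion routine, which axTLS does not diagnose when the CA cert is loaded. The following is an added example, not code from this issue or from the ESP8266 core: it converts a PEM certificate to DER, checks that the buffer is exactly one well-formed DER SEQUENCE (catching truncation or trailing bytes before they reach the device), reports the byte count to hard-code, and renders the bytes as a C array. The array names `caCert`/`caCert_len` are assumptions, not the sketch's real identifiers, and the embedded sample is a constructed DER SEQUENCE, not a real certificate.

```python
"""Added example (not from the issue or the ESP8266 core): PEM -> DER conversion,
DER outer-length sanity check, and a C-array emitter for a hard-coded CA cert."""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM string into DER bytes."""
    m = PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = re.sub(r"\s+", "", m.group(1))
    return base64.b64decode(body, validate=True)


def der_declared_length(der: bytes) -> int:
    """Return header + content length declared by the outer DER TLV.

    An X.509 certificate is a SEQUENCE (tag 0x30). The length octet is either
    short form (< 0x80) or long form (0x80 | n, followed by n length bytes).
    """
    if len(der) < 2:
        raise ValueError("too short to be DER")
    if der[0] != 0x30:
        raise ValueError("outer tag is 0x%02x, expected SEQUENCE (0x30)" % der[0])
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad long-form length")
    content = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + content


def check_der(der: bytes) -> int:
    """Validate that the buffer is exactly one well-formed DER SEQUENCE.

    Returns the byte count to hard-code as the certificate length. Raises
    ValueError on truncation or trailing bytes, the two typical conversion
    mistakes that axTLS would only surface later as a failed verification.
    """
    expected = der_declared_length(der)
    if expected != len(der):
        raise ValueError("DER declares %d bytes but buffer has %d"
                         % (expected, len(der)))
    return expected


def is_well_formed(der: bytes) -> bool:
    """Boolean wrapper around check_der for callers that prefer no exceptions."""
    try:
        check_der(der)
        return True
    except ValueError:
        return False


def to_c_array(der: bytes, name: str = "caCert") -> str:
    """Render DER bytes as a C array plus a length constant.

    The names caCert / caCert_len are assumptions, not the sketch's own.
    """
    lines = []
    for i in range(0, len(der), 12):
        chunk = der[i:i + 12]
        lines.append("  " + ", ".join("0x%02x" % b for b in chunk) + ",")
    body = "\n".join(lines)
    return ("const unsigned char %s[] = {\n%s\n};\n"
            "const unsigned int %s_len = %d;\n" % (name, body, name, len(der)))


# Constructed sample: a tiny DER SEQUENCE of two INTEGERs (5 and 7), PEM-wrapped
# so the helpers can run offline. It is NOT a real certificate.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("length to hard-code:", check_der(der))
    print(to_c_array(der))
```

Run it against a real PEM export of the intended root (for example the one the issue points at) and compare the reported length with the value in the sketch; a mismatch, or a ValueError from `check_der`, means the byte array, not the trust decision, is the problem.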