Hi,
After some connection issues, I found that some website's TLS certificates are incompatible with the Wifi 101 shield.
Check the website you are trying to connect to by using the following TLS certificate website: SSL Server Test (Powered by Qualys SSL Labs)
Examine the certificates and check they do not use SHA384 or higher hashing cyphers; the Atmel ATECC508A Cryptographic Co-processors maximum hashing is 256bits (SHA256): http://www.atmel.com/images/atmel-8923s-cryptoauth-atecc508a-datasheet-summary.pdf
So:
RSA 2048 bits (e 65537) / SHA1withRSA >>> OK
RSA 2048 bits (e 65537) / SHA256withRSA >>> OK
RSA 2048 bits (e 65537) / SHA384withRSA >>>> Not OK
... etc ...
All the certificates are hashed during the TLS handshake so they all have to be 128 or 256 only!
Cheers,
Michael.
More investigation results...
The ATWINC1500 hardcodes the TLS level in the firmware and in the documentation it lists this everywhere as being set to TLS1.0 but when I capture the TLS handshake it is set as TLS1.2 ????
Then I found an ATMEL support notice that says:
'In ATWINC1500B, from the Firmware version 19.3.0, TLS 1.2 client is supported. Please note TLS Server is not supported as of now.'
But the chipset is clearly not TLS1.2 compliant and my connection issues would be resolved if the chip was correctly handshaking with TLS1.1 in the Client Hello. I have logged a support request to try and get this modified and I will try to find a copy of the firmware before v19.3.0.
I spent most of yesterday trying to hack the 19.4.4 firmware binary to pass v1.1 without success. Managed to get the binary to pass TLS1.0 in the first part of the handshake but not in the all important Client Hello.
The code for TLS v1.2 is 0x0303, so I used a hex editor to change this in several (eventually all) parts of the binary but it did not update the value as I wanted. Around location 129844, the value changes the first part of the handshake but could not find any other occurrences to change. Around that point there seems to be two references to a case statements (0300....0301....0302....0304....0305) but changing these just stops the TLS handshake from completing correctly.
Does anyone have access to the source code to create the binaries? I could then make a test version to check if it resolves the problem....
Someone please help, as I am getting to the limit of what else I can try!
ALSO BE VERY CAREFUL MODIFYING THE BINARY; CAN BRICK ANY DEVICE DOING THAT ( I HAD A SPARE ATWINC1500 Chip in case I screwed up )
Cheers,
Michael.
Opened support case 00037229 with Atmel support against the ATWINC1500 module.
Just got the following update from Atmel support:
Created By: Anu Ramakrishnan (3/21/2016 4:09 AM)
[Recipients: Michael Kelsall]
Hi Micheal,
Yes, we do not support SHA-384 and 512. Thank you for the feedback regarding the usage of TLS1.2 mode. We have raised a bug internally for this and we will follow up to get it fixed in future releases.
We do not share firmware sources of the ATWINC1500, sorry for the inconvenience.
Regards,
Anu
Arduino dev is on this now so should be fixed soon! Cheers guys!
From Arduino github issues:
"facchinm commented 8 minutes ago
I think this should be moved to GitHub - arduino-libraries/WiFi101: Wifi library for the Arduino WiFi 101 Shield giving it top priority since it's going to become a very serious problem. Thanks for reporting"
Updates from Github Arduino forum:
"cmaglie commented 11 minutes ago
For the record: we have already reported this problem to Atmel more than once in the last two months. Unfortunately there isn't much we can do except waiting for a new release of the firmware."
My reply:
"If I knew this board had such a fundamental issue, I would not have purchased it. Based on your comment I should return it for a refund as it will not be resolved in any reasonable timescale. This issue essentially turns the card back to a basic Wifi shield.
I have been updating many user forums with this issue log to keep them informed before they choose to buy an item that may or may not work..."
@mashikawa, I am trying to connect to a HTTPS server with SHA256RSA. Wifi101 connect still gives me a -3 error code. Reading this post points that this should work, or am I wrong?