I have been trying for several days to connect to an API service (https://liftie.info/api/resort/gunstock) using an ESP8266, but I can't get a connection at all. I have tried to use the HTTPSRequest, HTTPSRequestCACert, ESP-WeatherUnderground, and other sketch examples as templates (all of the examples work), but when I switch to liftie.info, the connection constantly fails.
The liftie website uses TLS1.2 and I installed the latest ESP8266 firmware which supports this. I have tried to use the sha1 fingerprints and certificates, as required by some examples, but that doesn't seem to work either.
I'm hoping that someone can help me diagnose why this connection seems to be failing, but the others work (api.reddit, api.github, api.wunderground, etc.).
While using the cURL utility to troubleshoot, I noticed that there is the option to force an unsecure connection (curl.exe -k) and it returns the API information that I can use. Is there a way to force the ESP to connect unsecurely, rather than as HTTPS? The data is not sensitive and doesn't need to be encrypted.
Thanks for any thought or help!
maybe if you post your code?
There is a reddit thread with some thoughts here https://www.reddit.com/r/esp8266/comments/5n6gqr/whats_the_current_state_of_ssltls_on_the_esp8266/. It seems SSL is a bit hit or miss on ESP8266.
rw950431:
maybe if you post your code?
My code is linked below, but they work with their example websites and not with mine. So the code is good (for those websites), but there's something about the website that I'm trying to connect to that won't let me in.
Thanks for the link, but I think that's referencing some firmware that has been updated as recently as January, and supports TLS1.2. Before I updated the firmware, I could not get at least 2 of the examples to work.
The only additional information that I have is the curl response, which might make sense to you as to what's potentially causing an issue:
curl -v https://liftie.info/api/resort/gunstock
* Trying 170.75.162.130...
* Connected to liftie.info (170.75.162.130) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 604 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_ECDSA_AES_256_GCM_SHA384
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: liftie.info (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: EC
* certificate version: #3
* subject: CN=liftie.info
* start date: Sat, 03 Mar 2018 01:24:15 GMT
* expire date: Fri, 01 Jun 2018 01:24:15 GMT
* issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
* compression: NULL
* ALPN, server accepted to use http/1.1
> GET /api/resort/gunstock HTTP/1.1
> Host: liftie.info
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Mon, 12 Mar 2018 16:37:07 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 2065
< Connection: keep-alive
< Vary: Accept-Encoding
< X-Powered-By: Express
< Cache-Control: no-cache, max-age=0, must-revalidate
< ETag: W/"811-B7rOTzssVOmGHWBtnWEzlH+3msQ"
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< X-DNS-Prefetch-Control: on
< X-UA-Compatible: IE=Edge
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
Here are some of the codes that I have tried, but I didn't modify the parsing portion because I'm not getting that far:
Thanks for taking a look!
Not really my area of expertise but wondering if your site is using some newish crypto algorithm thats not supported by the ESP8266 yet.
Compare your sites using SSL Server Test: liftie.info (Powered by Qualys SSL Labs) to see if there is any differences. littie.info does use an EC key unlike api.reddit.com for example.
Theres also a long thread at Always getting HTTPC_ERROR_CONNECTION_REFUSED for HTTPS GET · Issue #2556 · esp8266/Arduino · GitHub on similar topic