
Topic: HTTPS with MKR1000

gbafamily

Since the connection fails (the line "connected to server" never appears), there will never be an HTTP response. Could be a problem with the certificate validation but that happens inside the WINC1500. Perhaps the WiFi101 library maintainer would have some insight.

pert

I just had a try at adding the SSL root certificate for tgftp.nws.noaa.gov to the MKR 1000 using Tools > WiFi101 / WiFiNINA Firmware Updater. The certificate process seemed to go fine but then I ran the sketch again and got the same result as before.

gbafamily

The possibility exists that the failure is a bug in the WINC1500 firmware. The WINC1500 firmware is closed source so there is no way to see what it does. Perhaps the WiFi101 library maintainers know more about debugging TLS connection failures.

Juraj

There is some SSL-related fix in the GitHub repo:
https://github.com/arduino-libraries/WiFi101/commits/master

David_Normand

#19
Aug 15, 2019, 10:34 am Last Edit: Aug 15, 2019, 11:00 am by David_Normand
Hi gbafamily, pert,

Thank you for trying my code.

It is surprising that it works on MKR1010 and not on MKR1000.

I'm currently connecting from home network. I can't do it at work so I tried on my cell phone, with the same result.
I got a redirection response in HTTP, but no response in HTTPS.

I then took a Yun shield lying in a drawer, and put it on a ZERO, updated its firmware to 1.6.2.
I used the HTTPClient example of the Bridge library, that I modified.
Unfortunately I still got the same result, a redirection answer for an HTTP request and no answer for an HTTPS one.

BTW, I'm using library WiFi101 version 0.16.0 and MKR1000 is running 19.6.1 firmware.

Juraj

#20
Aug 15, 2019, 11:00 am Last Edit: Aug 15, 2019, 11:00 am by Juraj
There is a fix. Did you try it?

pert

@Juraj, I'm guessing the fix you're referring to is this one?:
https://github.com/arduino-libraries/WiFi101/commit/3301d03f82e53f60e07434a9f07ca677d992d121

I just tried again with the MKR 1000 and the beta version of the WiFi101 library (which contains that fix) and I still get the same result as before.

I tried it with my MKR WiFi 1010 and I get similar results (working, I assume) to what gbafamily posted.

ballscrewbob

As noted, the 1000 and 1010 are two different approaches and require two different libs, e.g. the WiFiNINA and WiFi101.

Strongly suspect therein lies the issue.

They are after all two different boards despite the same MPU.

Bob.
It may not be the answer you were looking for but it's the one I am giving based on either experience, educated guess, Google or the fact that you gave nothing to go with in the first place so I used my wonky crystal ball.

gbafamily

https://www.ssllabs.com/ssltest/analyze.html?d=tgftp.nws.noaa.gov

Inspection of the TLS server using www.ssllabs.com shows the NOAA site requires TLS_ECDHE_RSA_WITH_AES. The WiFi101 library disables EC (elliptic curve) ciphers by default. Enabling SSL_ECC_ALL_CIPHERS might work.

Summary: Use a MKR1010 or Nano 33 IOT if you need this to work right now. Both use an ESP32 which supports a much larger set of cipher suites.
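
An added example (not from the thread or from the WiFi101 project) of the mismatch described in the post above: it parses the cipher-suite list out of a TLS ClientHello and applies server-preference selection, showing that a non-ECC offer has no overlap with an ECDHE_RSA-only server. It is desktop C++, not sketch code; the two suite lists are constructed from IANA suite IDs as stand-ins and are not captured from a WINC1500 or from the NOAA server, and `make_hello`, `offered_suites` and `negotiate` are hypothetical helper names.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed sample data (IANA suite IDs), not captured from a WINC1500 or from NOAA.
const std::vector<uint16_t> kClientNonEcc = {0x002F, 0x0035, 0x003C, 0x003D};     // TLS_RSA_WITH_AES_*
const std::vector<uint16_t> kServerEcdheOnly = {0xC02F, 0xC030, 0xC027, 0xC013};  // TLS_ECDHE_RSA_WITH_AES_*

// Build a minimal TLS 1.2 ClientHello record (no extensions) offering `suites`.
std::vector<uint8_t> make_hello(const std::vector<uint16_t>& suites) {
    std::vector<uint8_t> body = {0x03, 0x03};    // client_version
    body.insert(body.end(), 32, 0x00);           // random, zeroed for the sample
    body.push_back(0x00);                        // empty session_id
    size_t n = suites.size() * 2;                // cipher_suites length in bytes
    body.push_back(uint8_t(n >> 8)); body.push_back(uint8_t(n));
    for (uint16_t s : suites) { body.push_back(uint8_t(s >> 8)); body.push_back(uint8_t(s)); }
    body.push_back(0x01); body.push_back(0x00);  // one compression method: null
    size_t hs = body.size(), rl = hs + 4;        // handshake length, record length
    std::vector<uint8_t> rec = {0x16, 0x03, 0x01, uint8_t(rl >> 8), uint8_t(rl),
                                0x01, 0x00, uint8_t(hs >> 8), uint8_t(hs)};
    rec.insert(rec.end(), body.begin(), body.end());
    return rec;
}

// Extract the offered suite IDs; returns empty on truncated or non-ClientHello input.
std::vector<uint16_t> offered_suites(const std::vector<uint8_t>& rec) {
    std::vector<uint16_t> out;
    size_t pos = 5 + 4 + 2 + 32;  // record header, handshake header, version, random
    if (rec.size() < pos + 1 || rec[0] != 0x16 || rec[5] != 0x01) return out;
    pos += 1 + size_t(rec[pos]);  // skip session_id
    if (rec.size() < pos + 2) return out;
    size_t len = (size_t(rec[pos]) << 8) | rec[pos + 1];
    pos += 2;
    if (len % 2 != 0 || rec.size() < pos + len) return out;
    for (size_t i = 0; i < len; i += 2)
        out.push_back(uint16_t((rec[pos + i] << 8) | rec[pos + i + 1]));
    return out;
}

// Server-preference selection; 0 means no common suite, so the handshake cannot complete.
uint16_t negotiate(const std::vector<uint8_t>& hello, const std::vector<uint16_t>& server_pref) {
    const std::vector<uint16_t> offer = offered_suites(hello);
    for (uint16_t s : server_pref)
        if (std::find(offer.begin(), offer.end(), s) != offer.end()) return s;
    return 0;
}

int main() { return negotiate(make_hello(kClientNonEcc), kServerEcdheOnly) == 0 ? 0 : 1; }
```

Feeding `offered_suites` the ClientHello bytes from a packet capture of the board's connection attempt shows what the firmware really offers, which can then be compared against the suites SSL Labs lists for the server.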

David_Normand

I had a look at WiFi101 library to try to enable EC cipher, but couldn't find in which file it is.

It's far above my knowledge

gbafamily

To modify the library source code you can try this. In the IDE click on Sketch | Show Sketch Folder. In the file browser window, go up one level to the sketchbook folder.

Open the libraries folder. Next open the WiFi101 folder. Next open the src folder.

Open the file WiFi.cpp. Search for the string "active_ciphersuites". The line should look like this.

m2m_ssl_set_active_ciphersuites(SSL_NON_ECC_CIPHERS_AES_128 | SSL_NON_ECC_CIPHERS_AES_256);

Change the line to

m2m_ssl_set_active_ciphersuites(SSL_ECC_ALL_CIPHERS);

If this does not work, open an issue at the library github repo with a link back to this message thread.

https://github.com/arduino-libraries/wifi101/issues



David_Normand

I modified WiFi.cpp, line 317.

Code:

    if (nmdrv_firm_ver >= M2M_MAKE_VERSION(19, 5, 0)) {
        // enable AES-128 and AES-256 Ciphers, if firmware is 19.5.0 or higher
        //m2m_ssl_set_active_ciphersuites(SSL_NON_ECC_CIPHERS_AES_128 | SSL_NON_ECC_CIPHERS_AES_256);
        m2m_ssl_set_active_ciphersuites(SSL_ECC_ALL_CIPHERS);
    }


What it changed is that it took longer to disconnect from the server, but I still got no answer.

Code:

Attempting to connect to SSID: XXXX
Connected to wifi
SSID: XXXX
IP Address: 192.168.XXX.XXX
signal strength (RSSI):-48 dBm

Starting connection to server...

disconnecting from server.

gbafamily

There is nothing more I can do. The problem needs to be investigated by the WiFi101 library maintainers on github.com.

David_Normand

I opened an issue on GitHub about WiFi101 library.

While on GitHub, I had a look around at other issues and found a link to ArduinoBearSSL library which depends on ArduinoECCX08 and WiFi101.
I installed both, modified WiFiSSLClient_BearSSL example and it works.

I had to turn off the forcing of EC ciphers done previously, line 317 of WiFi101.

Code:

Attempting to connect to SSID: XXXX
Connected to wifi
SSID: XXXX
IP Address: 192.168.XXX.XXX
signal strength (RSSI):-49 dBm

Starting connection to server...
connected to server
HTTP/1.1 200 OK
Date: Sun, 18 Aug 2019 10:01:37 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Last-Modified: Sun, 18 Aug 2019 09:34:12 GMT
ETag: "4927a80-57-59060ed1c958d"
Accept-Ranges: bytes
Content-Length: 87
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload

2019/08/18 09:30
XXXX 180930Z AUTO 08020KT 9999 BKN026 27/19 Q1012 TEMPO BKN014 BKN025

disconnecting from server.


With WiFi101 only, the sketch was weighing 16% of MKR1000 memory. Now, with WiFi101 and ArduinoBearSSL, it weighs 49%.

pert

Here's the issue report David_Normand submitted:
https://github.com/arduino-libraries/WiFi101/issues/277

I'm glad to hear you found a solution using the ArduinoBearSSL library.
