SSLClient with static IP not working

Using the MKRWiFi1010 and a MKR ETH Shield, I try to establish an SSL-client to a static IP server.

I am using the default example of the SSLClient library, called EthernetHTTPS.


It works out of the box, until the moment where I try with a static IP:

The example says:

// if you don't want to use DNS (and reduce your sketch size)
// use the numeric IP instead of the name for the server:
IPAddress server(54,85,55,79);  // numeric IP for Google (no DNS)
// const char server[] = "www.arduino.cc";    // name address for Arduino (using DNS)
const char server_host[] = "www.arduino.cc"; // leave this alone, change only above two

Therefore I use the "numeric IP for Google (no DNS)" option. But the example no longer works.

I get the following error message:

Initialize Ethernet:
connecting to 54.85.55.79...
(SSLClient)(SSL_WARN)(connect): Using a raw IP Address for an SSL connection bypasses some important verification steps. You should use a domain name (www.google.com) whenever possible.
(SSLClient)(SSL_ERROR)(connect): Failed to connect using m_client. Are you connected to the internet?
connection failed
(SSLClient)(SSL_ERROR)(available): Cannot operate if the write error is not reset: 
(SSLClient)(SSL_ERROR)(m_print_ssl_error): SSL_CLIENT_CONNECT_FAIL
(SSLClient)(SSL_ERROR)(connected): Not connected because write error is set
(SSLClient)(SSL_ERROR)(m_print_ssl_error): SSL_CLIENT_CONNECT_FAIL

disconnecting.

What is wrong here?

Why is the default example not working?

Does it have to do with the trust_anchor.h file? (By default it is most likely set up for www.arduino.cc.)

Is there another option where I can achieve an HTTPS-WebClient over Ethernet connecting to a given static IP address using the MKRWiFi1010?

Normally, an SSL certificate is issued to a Fully Qualified Domain Name (FQDN) such as "https://www.arduino.cc". In rare cases, only GlobalSign offers support for IP addresses on SSL certificates, both in the Common Name and Subject Alternative Name (SAN) fields.

Also check the discussion in Is it possible to have SSL certificate for IP address, not domain name?

Therefore, the Ethernet / WiFi-related libraries force SSL to be used with a Fully Qualified Domain Name (FQDN) and don't permit you to use SSL with plain IP addresses, to avoid SSL errors in most cases.
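To make the point above concrete, here is an added illustration (not code from the SSLClient library or from any sketch in this thread) of what the endpoint-verification step of a TLS client does with a certificate's Subject Alternative Names. RFC 5280 gives SANs two distinct types for network endpoints, dNSName and iPAddress, and the verifier compares the literal the client was asked to connect to against entries of the matching type only. The SAN list below is constructed for the example and stands in for a typical public web certificate, which carries dNSName entries only; the target 54.85.55.79 is the raw IP from the sketch quoted above.

```cpp
// Added illustration, not code from the SSLClient library or the thread's sketches:
// how TLS endpoint verification decides whether a certificate's Subject
// Alternative Names (SANs) cover the endpoint the client was asked to reach.
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// RFC 5280 keeps two separate SAN types for network endpoints.
enum class SanType { DnsName, IpAddress };
struct San { SanType type; std::string value; };

// DNS names compare case-insensitively.
static bool iequals(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    for (size_t i = 0; i < a.size(); ++i)
        if (std::tolower((unsigned char)a[i]) != std::tolower((unsigned char)b[i]))
            return false;
    return true;
}

// Is the target a dotted-quad IPv4 literal rather than a hostname?
bool looksLikeIpv4(const std::string& s) {
    int dots = 0, digits = 0;
    for (char c : s) {
        if (c == '.') { if (digits == 0) return false; ++dots; digits = 0; }
        else if (std::isdigit((unsigned char)c)) ++digits;
        else return false;
    }
    return dots == 3 && digits > 0;
}

// dNSName matching in the RFC 6125 style: one leading "*." wildcard label
// covers exactly one label, so "*.google.com" matches "www.google.com" but
// neither "google.com" nor "a.b.google.com".
bool dnsNameMatches(const std::string& pattern, const std::string& host) {
    if (pattern.size() > 2 && pattern[0] == '*' && pattern[1] == '.') {
        size_t dot = host.find('.');
        if (dot == std::string::npos) return false;
        return iequals(pattern.substr(1), host.substr(dot));
    }
    return iequals(pattern, host);
}

// True when some SAN covers the requested endpoint. A raw IP target can only
// be satisfied by an iPAddress SAN; a dNSName SAN never counts for it, even
// if that name currently resolves to the same address, because the verifier
// compares the literal the client was given, not what DNS would return.
bool sanCoversTarget(const std::vector<San>& sans, const std::string& target) {
    const bool targetIsIp = looksLikeIpv4(target);
    for (const San& san : sans) {
        if (targetIsIp) {
            if (san.type == SanType::IpAddress && san.value == target) return true;
        } else if (san.type == SanType::DnsName && dnsNameMatches(san.value, target)) {
            return true;
        }
    }
    return false;
}

// Constructed SAN list (hypothetical values) standing in for a typical public
// web certificate, which carries dNSName entries only.
std::vector<San> exampleSans() {
    return { {SanType::DnsName, "www.arduino.cc"}, {SanType::DnsName, "*.google.com"} };
}

bool exampleCovers(const std::string& target) {
    return sanCoversTarget(exampleSans(), target);
}

int main() {
    const char* targets[] = { "www.arduino.cc", "mail.google.com", "google.com", "54.85.55.79" };
    for (const char* t : targets)
        std::printf("%-16s -> %s\n", t, exampleCovers(t) ? "covered by SAN" : "NOT covered");
    return 0;
}
```

This is why the SSLClient warning in the first post says that a raw IP "bypasses some important verification steps": with no iPAddress SAN to compare against, the client either has to skip the name check entirely or fail. Adding an IP to a firmware's certificate whitelist does not change what the server's certificate contains.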

Doing this with cable (EthernetHTTPS or EthernetWebServer_SSL) or WiFi (WiFiNINA), all show the same issue when trying to connect the Arduino SSL-client to a fixed IP.

Here I describe further trials and questions:

Why does the WiFiNINA library (used with the MKRWIFI1010) contain a WiFiClientSSL Default Example that contains the possibility to use a static IP? This does not make sense. Why would the Default example contain code that does not work?

(Same with the Default Example of the EthernetHTTPS or WebClient_SSL Examples as for the cable-option).

The WiFiNINA's WiFiClientSSL Example says:

// if you don't want to use DNS (and reduce your sketch size)
// use the numeric IP instead of the name for the server:
IPAddress server(74,125,232,128);  // numeric IP for Google (no DNS)

The Default ClientSSL's EthernetHTTPS Example says:

// if you don't want to use DNS (and reduce your sketch size)
// use the numeric IP instead of the name for the server:
IPAddress server(54,85,55,79);  // numeric IP for Google (no DNS)

The EthernetWebServer_SSL's WebClient_SSL Example says:

// if you don't want to use DNS (and reduce your sketch size)
// use the numeric IP instead of the name for the server:
// Raw IP address not accepted in SSL
IPAddress server_host(104, 22, 48, 75);

Compiling any of those examples does not work.

All examples do work if giving a domain name (such as www.google.com) as the server name instead of the static IP. In addition, I need to whitelist the certificate Uploader with the FirmwareUploader.

But I need NO DNS :frowning:

Can't I just add, for example, 74.125.232.128:443 to the white-list of the certificate Uploader using the FirmwareUpdater ? Of course I tried - but without success...

Let's assume all of the Default Examples are wrong, and you are right that only fully fledged Fully Qualified Domain Names (FQDN) are allowed.

How would I configure my local network to 'mimic' a domain name ?

See, we are intending to use the Arduino in a local network environment (either Ethernet-cable or WiFi). And we are not able to create a DNS, since we want to sell a product with an Arduino-SSL-client where we don't have access to the customer's router settings. So therefore No DNS! Only a PC-Host on a local network.

Any idea on how to proceed?

AFAIK, I'm afraid you can't do so with Reserved (or local) IP Addresses, unless you use DynDNS (DuckDNS, NoIP, etc.) and UPnP PortForwarding.

Issuance of certificates to reserved IP addresses is not allowed, and all certificates previously issued to reserved IP addresses were revoked as of 1 October 2016.

Check how to access a local server from outside:

  1. How to control MKR1000 from outside your local network
  2. UPnP_Generic Library and DDNS_Generic Library

For example, you can

  1. create a DuckDNS account, your_name.duckdns.org, then link it to your dynamic public IP aaa.bbb.ccc.ddd by using DDNS_Generic Library
  2. create an SSL certificate for that FQDN, then force your SSL server to use the cert.
  3. access your SSL server @ local address, e.g. 192.168.100.1, port 12345 after port-forwarding port 12345 to your 192.168.100.1 machine by using https://your_name.duckdns.org:12345
  4. If everything is OK => just use in your code:

     const char      server_host[]   = "your_name.duckdns.org"; // leave this alone, change only above two
     const uint16_t  server_port     = 12345;

Certainly, SSL can't be used in a completely isolated local network.

I think you have to raise some questions: what is the purpose of SSL, how does SSL work, and why is SSL necessary in that isolated local network?

I'm sorry I can't do anything any further. Hopefully many other more experienced experts here can share their opinions and help.

Good Luck,


Notes:

// if you don't want to use DNS (and reduce your sketch size)
// use the numeric IP instead of the name for the server:
// Raw IP address not accepted in SSL
IPAddress server_host(104, 22, 48, 75);

The examples (which are just examples to show some basic features and are not totally trustworthy) were written long ago, when SSL certificates for public IP addresses were still issued and/or used.

Thank you khoih-prog, unfortunately our customer does not allow dynDNS for security reasons.

Therefore we are still looking for a solution with SSL and static IP.

Any idea if the MKRWiFi1010 can download the SSL-certificate from a local IP inside the "WiFi1010 / WiFiNINA Firmware Updater" Tool? Or any other way to make the MKRWiFi1010 recognize a static IP server?