SPWF04Sx - AT-S.Http Client Error:1

Posted on January 18, 2018 at 10:33

 ,

 ,

Hi,

first error was because on host (192.168.0.2) path was not good (tls/cert.pem).

Now, i have new error:

AT+S.HTTPGET=192.168.0.2,tls/cert.pem,443,2,,,ServerCert.pem,

 ,

AT-S.Skip CA

 ,

AT-S.Skip CA

 ,

AT-S.Loading:1:2

 ,

AT-S.Loading:2:2

 ,

AT-S.Loading:3:2

 ,

AT-S.Http Server Status Code:400

 ,

AT-S.Http Server Error:400

 ,

AT-S.ERROR:111:Request failed

on host, log server is:

certifs_1 , | 2018/01/17 17:50:32 [info] 6 ♯ 6: *2 client SSL certificate verify error: (21:unable to verify the first certificate) while reading client request headers, client: 192.168.0.1, server: , request: 'GET /tls/cert.pem HTTP/1.1', host: '192.168.0.2'

the problem is it the compatibility with spwf04sx ,supported ciphhers? PEM-encoded long term bundle containing 3 ECC

(

prime256v1 aka NIST P-256) certificates.

Thanks

Yoann

Posted on January 18, 2018 at 11:31

Hi Yoann,

from SPWF04Sx log, it seems the mutual authentication succeeded, whereas the HTTP server has refused the connection (Bad Request). Please note that the Http Server Status Code is received from HTTP server.

A TCP/TLS problem would be reported as Http Client Error/Certificate Error (a TLS error would be propagated back to the client).

Anyway, you can further diagnose the TLS connection by means of the SOCKON command. Following an example I have done on my module (1-way authentication):

- wrong certificate (CA certificate not found):

AT+S.HTTPGET=192.168.1.112,,443,2,,,,

AT-S.Certificate Error:23

AT-S.Http Client Error:2

AT-S.ERROR:111:Request failed

AT+S.SOCKON=192.168.1.112,443,,s

AT-S.Certificate Error:23

AT-S.ERROR:74:Failed to open socket

- good certificate, page not found

AT+S.HTTPGET=192.168.1.129,,443,2,,,,

AT-S.Loading:1:1

AT-S.Http Server Status Code:404

AT-S.Http Server Error:404

AT-S.ERROR:111:Request failed

AT+S.SOCKON=192.168.1.129,443,,s

AT-S.Loading:1:1

AT-S.On:192.168.1.129:0

AT-S.OK

+WIND:58:Socket Closed:0:0  <-- the connection was closed by the Apache HTTP server after a timeout

Hope it helps, otherwise please send a wireshark log of the transaction.

Regards,

Elio

Posted on January 18, 2018 at 19:15

 Hi,

i found my problem,

certificat is stored in flash system and i use cmd AT+S.FSP to read file. i use callback ind_wifi_file_data_available fct to store result and after init wifi module (AT+STLSCERT...) size certificate is 2642bytes and if result (AT+S.FSP) is stored in the middle of DMA buffer (4096), the certificate is bad (old string in the middle of buffer) Process_DMA_Buffer_Messages()

so with AT+S.TLSCERT i loaded a part of certificate (not full).

in debug step by step result (AT+S.FSP) is correct and i can load certificate in wifi module.

new:

i tested and i receive a GOOD log: ;-(

T+S.HTTPGET=192.168.0.2,tls/cert.pem,443,2,,,ServerCert.pem,

AT-S.Skip CA

AT-S.Skip CA

AT-S.Loading:1:2

A+-S.Loading:2:2

WIND:8:Hard Fault:TcpIp:47427153:08009a56:00000002:00000000:0806bd6b:0806c249:08097aee:21000000

i need to fix the result of cmd AT+S.FSP to get full certificate but i would like to know why hard Fault.

link to size of file i download (> 2500bytes)

thanks

Yoann

Posted on January 19, 2018 at 11:37

To complet the message,

i tested with a download of file size 2500bytes and 300bytes = same error!

Show the message server side:

certifs_1  | 2018/01/19 10:30:17 [info] 6&sharp6: *5 client timed out (110: Operation timed out) while SSL handshaking, client: 192.168.0.1, server:

https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2F0.0.0.0%3A443&data=02%7C01%7Cyoann.lebeller%40hill-rom.com%7C1bf5a5def3974f59cfd908d55f27f970%7Cf4dcdb22a4c74f4ca3901954365b828c%7C0%7C0%7C636519547685738756&sdata=%2BgCTspO2WO1pfK2P2GDWXs7k4Porpq3QK%2FR3U8SaowA%3D&reserved=0

Do you have an idea on Hard Fault in the wifi module?

AT+S.HTTPGET=192.168.0.2,tls/priv.pem,443,2,,,ServerCert.pem,

AT-S.Skip CA

AT-S.Skip CA

AT-S.Loading:1:2

A+-S.Loading:2:2

WIND:8:Hard Fault:TcpIp:47427153:08009a56:00000002:00000000:0806bd6b:0806c249:08097aee:21000000

Thanks

Yoann

Posted on January 19, 2018 at 11:49

After the reset:

AT+S.STS

AT-S.List

AT-S.Var:build=171117-0328fe3-SPWF04S

AT-S.Var:fw_version=1.1.0

AT-S.Var:boot_version=1.0

AT-S.Var:var_version=2

AT-S.Var:free_heap=38392

AT-S.Var:min_heap=36504

AT-S.Var:system_time=1516012536

AT-S.Var:system_uptime=9

AT-S.Var:system_sleeptime=0

AT-S.Var:reset_reason=1

AT-S.Var:startup=0

AT-S.Var:random_number=460553785

AT-S.Var:gpio_enable=0x0000

AT-S.Var:app_fs=1

AT-S.Var:ram_fs=1

AT-S.Var:user_fs=0

AT-S.Var:extvol_fs=0

AT-S.Var:nv_power_cycles=13

AT-S.Var:nv_wdog_resets=8

AT-S.Var:nv_reset_cycles=204

AT-S.Var:wifi_state=10

AT-S.Var:wifi_own_macaddr=00:80:E1:BD:F0:17

AT-S.Var:wifi_bssid=00:80:E1:BD:F0:17

AT-S.Var:wifi_aid=0

AT-S.Var:wifi_channelnum=1

AT-S.Var:wifi_sup_rate_mask=0x003FFFCF

AT-S.Var:wifi_bas_rate_mask=0x0000000F

AT-S.Var:wifi_chan_activity=0x00001FFF

AT-S.Var:wifi_max_tx_power=18

AT-S.Var:wifi_gf_mode=0

AT-S.Var:wifi_reg_country=

AT-S.Var:wifi_dtim_period=0

AT-S.Var:wifi_num_assoc=1

AT-S.Var:ip_from_AutoIP=0

AT-S.Var:ip_ipaddr=192.168.0.1

AT-S.Var:ip_netmask=255.255.255.0

AT-S.Var:ip_gw=0.0.0.0

AT-S.Var:ip_dns1=0.0.0.0

AT-S.Var:ip_dns2=208.67.220.220

AT-S.Var:ip_linklocal=0:0:0:0:0:0:0:0

AT-S.Var:ip_local=0:0:0:0:0:0:0:0

AT-S.Var:ip_dns1v6=0:0:0:0:0:0:0:0

AT-S.Var:ip_dns2v6=0:0:0:0:0:0:0:0

AT-S.OK

AT&V

AT-S.List

AT-S.Var:nv_manuf=ST

AT-S.Var:nv_model=SPWF04SC

AT-S.Var:nv_serial=0317>30129

AT-S.Var:nv_wifi_macaddr=00:80:E1:BD:F0:17

AT-S.Var:standby_time=10

AT-S.Var:standby_enabled=0

AT-S.Var:sleep_enabled=0

AT-S.Var:etf_mode=0

AT-S.Var:blink_led=1

AT-S.Var:ext_volume=3

AT-S.Var:ramdisk_memsize=16

AT-S.Var:aes128_key=00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

AT-S.Var:user_desc=4231

AT-S.Var:python_script=3:/uPython_test.py

AT-S.Var:python_memsize=32

AT-S.Var:console_enabled=1

AT-S.Var:console_speed=115200

AT-S.Var:console_hwfc=0

AT-S.Var:console_echo=1

AT-S.Var:console_errs=2

AT-S.Var:console_winds=2

AT-S.Var:console_verbose=1

AT-S.Var:console_repeater=0x21

AT-S.Var:console_delimiter=0x2C

AT-S.Var:console_wind_off_low=0x00000000

AT-S.Var:console_wind_off_medium=0x00000000

AT-S.Var:console_wind_off_high=0x00000000

AT-S.Var:wifi_tx_msdu_lifetime=0

AT-S.Var:wifi_rx_msdu_lifetime=0

AT-S.Var:wifi_operational_mode=0x00000011

AT-S.Var:wifi_beacon_wakeup=1

AT-S.Var:wifi_beacon_interval=100

AT-S.Var:wifi_listen_interval=0

AT-S.Var:wifi_rts_threshold=3000

AT-S.Var:wifi_ssid=48:52:50:33:32:31:36:35:34:37:38:39:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

AT-S.Var:wifi_ssid_len=12

AT-S.Var:wifi_txfail_thresh=5

AT-S.Var:wifi_dtim_period=1

AT-S.Var:wifi_add_tim_ie=0

AT-S.Var:wifi_region=1

AT-S.Var:wifi_ht_mode=1

AT-S.Var:wifi_channelnum=1

AT-S.Var:wifi_opr_rate_mask=0x003FFFCF

AT-S.Var:wifi_bas_rate_mask=0x0000000F

AT-S.Var:wifi_mode=3

AT-S.Var:wifi_auth_type=0

AT-S.Var:wifi_atim_window=0

AT-S.Var:wifi_powersave=0

AT-S.Var:wifi_tx_power=18

AT-S.Var:wifi_rssi_thresh=0

AT-S.Var:wifi_rssi_hyst=0

AT-S.Var:wifi_ap_idle_timeout=120

AT-S.Var:wifi_beacon_loss_thresh=10

AT-S.Var:wifi_priv_mode=0

AT-S.Var:wifi_wep_keys[0]=00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

AT-S.Var:wifi_wep_keys[1]=00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

AT-S.Var:wifi_wep_keys[2]=00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

AT-S.Var:wifi_wep_keys[3]=00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

AT-S.Var:wifi_wep_key_lens=00:00:00:00

AT-S.Var:wifi_wep_default_key=0

AT-S.Var:wifi_wpa_psk_raw=00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

AT-S.Var:wifi_wpa_psk_text=

AT-S.Var:wifi_eap_identity=identity

AT-S.Var:

mailto:wifi_eap_anon_identity=anonymous@identity.org

AT-S.Var:wifi_eap_passwd=password

AT-S.Var:wifi_eap_type=0

AT-S.Var:wifi_eap_skip_datechecks=0

AT-S.Var:wifi_wps_walk_time=120

AT-S.Var:wifi_wps_pin=1234567

AT-S.Var:ip_sock_memsize=1

AT-S.Var:ip_sock_threshold=0

AT-S.Var:ip_dhcp_lease_time=120

AT-S.Var:ip_macfilter=00:00:00:00:00:00

AT-S.Var:ip_num_clients=1

AT-S.Var:ip_allow_port_scans=1

AT-S.Var:ip_use_v6=1

AT-S.Var:ip_use_dhcpd=1

AT-S.Var:ip_use_httpd=1

AT-S.Var:ip_use_tftpd=1

AT-S.Var:ip_use_dhcpc=1

AT-S.Var:ip_hostname=iwm-BD-F0-17

AT-S.Var:ip_apdomainname=

AT-S.Var:ip_apredirect=

AT-S.Var:ip_ipaddr=192.168.0.1

AT-S.Var:ip_netmask=255.255.255.0

AT-S.Var:ip_gw=0.0.0.0

AT-S.Var:ip_dns1=0.0.0.0

AT-S.Var:ip_dns2=208.67.220.220

AT-S.Var:ip_local=0:0:0:0:0:0:0:0

AT-S.Var:ip_dns1v6=0:0:0:0:0:0:0:0

AT-S.Var:ip_dns2v6=0:0:0:0:0:0:0:0

AT-S.Var:ip_dhcp_timeout=20

AT-S.Var:ip_ntp_server1=ptbtime1.ptb.de

AT-S.Var:ip_ntp_server2=ntp0.ipv6.fau.de

AT-S.Var:ip_ntp_refresh=3600

AT-S.Var:ip_ntp_startup=1

AT-S.Var:ip_mdns_domain_name=SPWF04S-Default

AT-S.Var:ip_mdns_device_name_ttl=120

AT-S.Var:ip_mdns_services_name=SPWF04S-WebSrv SPWF04S-TFTPSrv

AT-S.Var:ip_mdns_services_prot=_http._tcp _tftp._udp

AT-S.Var:ip_mdns_services_keys=dev1 dev2

AT-S.Var:ip_mdns_services_vals=number1 number2

AT-S.Var:ip_mdns_services_port=80 69

AT-S.Var:ip_mdns_services_ttl=120 60

AT-S.Var:ip_mdns_startup=01:01

AT-S.OK

Posted on January 19, 2018 at 13:04

Hi Yoann,

as stated in the Security application note (AN4963) the maximum allowed size for certificates/key is 2.5KB.

You may save the certificates in any of the filesystems, that will anyway lead to handshake failure but will prevent from getting the WIND:8.

In a previous comment you wrote 'PEM-encoded long term bundle containing 3 ECC ( prime256v1 aka NIST P-256) certificates.', so I understood that the certificate you are loading in cert section is composed by a chain of 3 ECC certificate (SPWF04S's cert + intermediate CA cert + Root CA cert).

If this is your case, this kind of certificate is actually supported and you should load the concatenation of module's certificate (PEM encoded) + intermediate CA certificate (PEM encoded) in the cert section in flash (or tls.cert on filesystem), while the respective Root CA cert should be in the availability of the peer (the HTTP server on your PC). I'm a bit surprised that the chain of two ECC certificates exceeds 2.5KB (even though possible if the certificates include lot of info...).

Could you please confirm the certificate does not include the Root CA certificate?

Posted on January 19, 2018 at 15:51

Hi,

the certificate i am loading in cert section is composed by a chain of 3 ECC certificate (SPWF04S's cert + intermediate or site CA cert + delegate CA cert). Not Root CA cert!

i already validated bundle certificate with  a socket with size < 2.5KB

I will test with certificate < 2.5KB to check if i have same pb.

So i confirm certificat does not include the root CA.

Thks

Yoann

Posted on January 19, 2018 at 17:20

Hi,

this explain the size of certificate... This kind of certificate is also supported if it's size is less than 2.5K.

Unfortunately, I don't see a way to reduce the size of your certificate, since the only method supported by SPWF04S to concatenate certificates is to PEM encode each of them.

Regards,

Elio