
  • SSL connection

    I tried to get along with "sslclient.c" to connect to an HTTPS-Server... but I'm quite unsure, if this is possible.
    The device opens a socket and connects to the server, but the SSL initialization seems to fail. "SSLConnect()" returns "false" and the syslog tells me "sslcli.c: SSL connection error: 1249". Where do I find further information about the error codes and the usage of certificates?

  • #2
    What version are you using? There was a problem with SSL returning EOF prematurely (fixed in the 5.2 beta) that sounds like what you're encountering.
    Erick Liska
    Lantronix Inc.



    • #3
      Sorry, of course: Evolution SDK V5.2.0.0 R7 (beta)



      • #4
        Ah, it had to be R7. It looks like it was found in R7 and fixed in R8. The 5.2 beta has progressed a fair bit since then; you'll probably want to get an update via your support engineer.
        Erick Liska
        Lantronix Inc.



        • #5
          I received another beta version (V5.2.0.0R15), but the problem stays the same: "SSLConnect()" returns "false" and syslog still tells: "sslcli.c: SSL connection error: 1249". Where do I find the description of the possible error values?



          • #6
            The 1249 error code indicates that the certificate could not be verified; this could be for a variety of reasons. Can you provide some info about the cert chain, how they are signed, etc.?
            Erick Liska
            Lantronix Inc.



            • #7
              I want to do a simple connection test between the XPort-Pro as client and my PC as a server. Therefore, I use the Apache HTTP server (XAMPP http://www.apachefriends.org/en/index.html). The XAMPP package provides a supplied SSL certificate - probably an invalid one: "SSL negotiation" fails with error 1249.

              I tried to create a simple self-signed certificate with openSSL:
              openssl req -new -x509 -days 365 -nodes -keyout server-key.pem -out server-cert.pem
              Same problem. BUT: It seems to me that I found the solution. As there are no API functions to handle the certificates on connecting to the server, I enabled the web frontend and uploaded the certificate.

              Now, it seems to work...
              Is there any possibility to connect to an "unknown" SSL server and accept its certificate (like the web browser asking the user whether the certificate should be accepted)?



              • #8
                New option

                Yes, we have added a "Validate Certificate" option for SSL. By default it attempts to validate the remote certificate, but you are allowed to turn this off.
                It is in the upcoming release, which you will be able to get as a Beta.



                • #9
                  Great! I'm looking forward to getting this new beta.

                  Thanks a lot!



                  • #10
                    I finally received the current beta about half an hour ago, but I could not find any API to handle certificates... the file evolution_ssl.h is exactly the same in V5.2.0.0R15 and V5.2.0.0R20.

                    When trying to link my application with the new libs, the process fails with the following messages:

                    C:\Programme\Lantronix\Evolution_XPort_Pro_SDK_v5.2.0.0.R20\sdk\xport_pro\evolution.lib(up__up__hyperion__kernel__task.o)
                    In function `TaskStates':

                    c:\Release_Jun_14_2010\titan\projects\sakura\..\..\hyperion\kernel\task.c 661
                    undefined reference to `__text_start'

                    Is there anything I have to consider from R15 to R20?



                    • #11
                      undefined reference to `__text_start'

                      Add the following line to your xport_pro.ld file:

                      __text_start = ADDR(.text);


                      Sorry, we missed that. Future releases will have it.



                      • #12
                        "Validate Certificate" option

                        We have added the "Validate Certificate" option to the Tunnel application, where you can control that from your program using XML.

                        Could it be that you are calling SSLConnect from your own program? [Sorry, this was not clear to me.] If so, I will need to create an API for the non-secure mode and make it available to you in the next Beta.

                        Please confirm if this is necessary.



                        • #13
                          Thank you for your instant response. The linking works.

                          I actually want to use "SSLConnect()" from within my XPort application to connect to another host with an unknown certificate (no tunnel). When only disabling the "validate functions", my application would not be able to get a foreign certificate for future connections (just like web browsers do).

                          Is it possible to implement such a behaviour:
                          1. connect to an unknown host (validation disabled)
                          2. get the server's certificate
                          3. (manual validation of the certificate content by the user)
                          4. store the certificate in the volatile or permanent memory
                          5. For future connections: Validate the certificate within the own application by the stored certificate list



                          • #14
                            Certificate Authorities

                            Right, if we just gave you the ability to disable validation like the new tunnel option, you would be able to make the connection, but you would not have any opportunity to review the certificate chain. For a tunnel which is expected to run unattended after being configured, this makes sense if the certificate chain is unknown at the time of configuration. Or, another way of looking at this could be that the person doing the configuration is just doing your steps 2, 3, and 4 when they configure the certificate authorities in the device. [That's exactly what I do to test my XPort-Pro with an SSL server on the net: I am setting up the XPort-Pro from my PC using the Web Manager, I use my browser to connect to the SSL server and view the certificate chain, then I copy the root authority (for sure) and possibly one or more additional authorities up the chain, and I configure them in my XPort-Pro; note that I never need to copy the SSL server certificate unless it is self-signed, that is, for validation when connecting to an SSL server, we only need a matching certificate authority.]

                            So, if I understand you correctly, the "disable validation" feature is not really what you want. Rather, you want to configure the appropriate certificate authority.

                            If that is correct, does my above description tell you enough how to do this at configuration time?



                            • #15
                              Thanks for your detailed answer!
                              I actually wanted to connect to another SSL-Server without the knowledge of the server's certificates. Therefore the user would have to manually accept the certificate. As this is not possible with the current API, there are probably two possibilities for me:
                              1. Trying to configure possible authorities at configuration time (as you described); I'm quite unsure if that works for me...
                              2. Get the server's certificate by a lean socket implementation; then configure the received data as certificate authority (XML) and connect (SSLConnect).


                              If one of these ideas actually works, there is no need to change the Evolution system. Right now, I think that there are more important things to do...

                              So, thanks for your helpful support!

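The five-step scheme proposed in #13 (connect with validation disabled, obtain the certificate, have the user review it, store it, and check every later connection against the stored copy) and the "lean socket implementation" of option 2 in #15 amount to trust-on-first-use certificate pinning. The following is an added example, not code from this thread and not part of the Lantronix Evolution SDK: it implements that policy on a PC with Python's standard library so the logic can be tried before porting it to the device. The names TrustStore, decide and open_pinned are this example's own, and the certificate bytes used in the demo are constructed placeholders rather than real DER.

```python
"""Trust-on-first-use (TOFU) pin store for a TLS client (added example).

Not Lantronix SDK code. Mirrors steps 1-5 of post #13: fetch the peer
certificate without CA validation, let the user confirm its fingerprint,
remember it, and refuse later connections whose certificate differs.
"""
import hashlib
import json
import socket
import ssl
from pathlib import Path
from typing import Callable, Dict, Optional


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, colon separated as browsers display it."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class TrustStore:
    """Steps 4-5: host -> fingerprint map, optionally persisted to a JSON file."""

    def __init__(self, path: Optional[Path] = None):
        self.path = path
        self.pins: Dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, cert_der: bytes) -> str:
        """Return 'unknown', 'match' or 'MISMATCH' for the presented certificate."""
        stored = self.pins.get(host)
        if stored is None:
            return "unknown"
        return "match" if stored == fingerprint(cert_der) else "MISMATCH"

    def trust(self, host: str, cert_der: bytes) -> None:
        """Step 4: record a fingerprint the user has reviewed and accepted."""
        self.pins[host] = fingerprint(cert_der)
        self._save()


def decide(store: TrustStore, host: str, cert_der: bytes,
           user_accepts: Callable[[str, str], bool]) -> str:
    """Steps 3 and 5 as a policy: 'connect' or 'abort'.

    A stored pin that does not match is treated as an attack or an unannounced
    key change and is never silently replaced, even if the user would accept
    an unknown host; re-pinning must be an explicit, separate action.
    """
    verdict = store.check(host, cert_der)
    if verdict == "match":
        return "connect"
    if verdict == "MISMATCH":
        return "abort"
    if user_accepts(host, fingerprint(cert_der)):  # step 3: manual review
        store.trust(host, cert_der)
        return "connect"
    return "abort"


def open_pinned(host: str, port: int, store: TrustStore,
                user_accepts: Callable[[str, str], bool],
                timeout: float = 5.0) -> ssl.SSLSocket:
    """Steps 1-2: handshake with CA validation off, then enforce the pin.

    CA validation is disabled only so the leaf certificate can be obtained;
    no application data is sent until decide() returns 'connect'.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    leaf_der = tls.getpeercert(binary_form=True)
    if decide(store, host, leaf_der, user_accepts) != "connect":
        tls.close()
        raise ssl.SSLCertVerificationError(f"{host}: certificate rejected by pin store")
    return tls


if __name__ == "__main__":
    # Offline demo with constructed placeholder bytes standing in for DER.
    store = TrustStore()
    cert_a = b"constructed placeholder DER for server A"
    cert_b = b"constructed placeholder DER for server B"
    always_yes = lambda h, fp: True
    print(decide(store, "device.example", cert_a, always_yes))  # first use: connect
    print(decide(store, "device.example", cert_b, always_yes))  # changed cert: abort
```

For a real connection, `open_pinned("server.example", 443, TrustStore(Path("pins.json")), prompt)` with a `prompt` that shows the fingerprint and reads a yes/no answer reproduces the browser-style dialog asked for in #7. On the XPort the equivalent is to replace the JSON file with the device's persistent storage and to run the same `decide` policy on the certificate obtained from the non-validating connection, or, as #14 suggests, to do the review once at configuration time and load the matching authority instead.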
