HTTPS client is here for the Photon! - by the glowfi.sh Team


#61

Sorry for the late reply, @dougM

Well… there probably might be an option somewhere…
But the code is terrifying. It’s a deep dark rabbit hole.
You could remove certs or maybe even disable it somewhere in the source code…
Perhaps emulate a real cert? All of these sound like pure hacks… but they’re just my guesses.

The problem is that I just don’t understand what’s going on in the code. :frowning:
Let me know if you can glean any knowledge from it.


#62

I’m going to see if I can ping @jersey99 to see if I can join in on the development for this.


#63

Any update on this? I’m interested in getting SSL into my project and have been playing with this for the past hour or so to no avail. Is this in any sort of state where I should continue trying this out, or is there something else newer or more official available for SSL?


#64

Any further joy, folks?

My only use case is AWS https gateway


#65

@mterrill, AWS API gateway is also what I need to be able to use (from an electron). Do you have any (temporary) solution for this? Would be greatly appreciated.


#66

Hi, I haven’t heard from anyone or figured it out myself!


#67

As the IoT grows, a solidly performing HTTPS library will be incredibly useful for Particle IO devices.

I am trying to send data from a temperature probe to a Splunk HTTP Event Collector.
http://dev.splunk.com/view/event-collector/SP-CAAAE6P

So I can send successfully via http and this works perfectly.
http://pastebin.com/HTxBaBp1

However when I try using the https library nothing comes through on the other end.
http://pastebin.com/gbUvyekN

Can anyone see anything obvious in my code above?

Below is the output of the Serial Interface

I think there is definitely an issue with my content length, but my C++ is more than 20 years rusty.

Any advice would be appreciated.


#68

I would investigate what certificate your Splunk HTTP Event Collector is using for HTTPS and make sure this is compatible with the GlowFish certificate scheme.


#69

Details below.

PKCS #1 SHA-1 With RSA Encryption
Size: 128 Bytes / 1024 Bits
Public Key: Modulus (1024 bits)

From

TLS 1.2 : Yes
RSA 2048bit key length : Splunk cert is only 1024 but the 2048 is the maximum isn’t it or does it need to be 2048?


#70

This is a “self-signed” certificate and so I think you need to compile the public key for Splunk with the GlowFish code.

If you click on “Details” I think you can download the cert into a .pem file, translate that to a hex array in header file and compile it with the GlowFish code. There are examples of how to do this in the GlowFish github but I have never tried it.


#71

Makes sense, I just can’t find this example on their github. Can you point me in the right direction?

I’m guessing this library doesn’t pull down the public key during the initial setup and "Certificate Exchange"


#72

Hi @phoenixdigital

I have been reading the GlowFish code and I have some further questions:

Do you see any of the certificate related messages in the serial monitor before the part you showed above? That might also help.

I read about the Splunk collector and one thing that came out in their forum is that sometimes the data is just not sent despite getting a success code back.

If you look at the GlowFish github repo, there are many .pem files that have been converted to C header files by copying the bytes into an array. There is even a small shell script to do that work for you. I don’t know exactly where you would add the certificate for Splunk or if you can tell the client to accept all certs even if they are not provably OK.


#73

I have been digging through the code as well to see where I could possibly add the cert in. As you noted, there are a huge number of .pem files in there; I just don’t know which one I need to change. I can see how they converted the .pem files to HEX, so that part should be pretty easy once I work out which one to change.

Yeah, an accept-all-certs flag would be good too, as most other apps have that sort of option, such as “-k, --insecure” for curl
https://curl.haxx.se/docs/manpage.html

There are no other error messages or warnings on the serial monitor. I’m thinking of adding more log lines to the GlowFish code to see if I can shed any more light on this too.

The Splunk collector is working fine in http mode on the photon, so I’m confident that part is not the issue. I’ve even tested standard curl calls directly to the https port from my laptop and it is working fine.

Thanks for trying to help out here; https is really the only thing stopping me. If I can’t get this working I will likely have to look at another device.
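Added example, not the glowfish project’s own script nor code from this thread: a Python conversion of a PEM certificate file into the kind of C header byte array that posts #72 and #73 describe, with an ASN.1 outer-length check so a truncated or mangled copy-paste is rejected before it gets compiled into the firmware. The header symbol layout is an assumption about what the build expects, and the sample PEM is a constructed 5-byte SEQUENCE, not a real certificate.

```python
import base64
import re
import textwrap

# Assumed symbol layout (placeholder, not the glowfish project's own): one
# uint8_t array per certificate plus a <name>_len constant.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Base64-decode every CERTIFICATE block in a PEM file to raw DER bytes."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]

def der_outer_length(der):
    """Return the byte count the outer ASN.1 SEQUENCE claims (header + content).
    Raises ValueError on a non-SEQUENCE or a length that disagrees with the blob,
    which catches a truncated or mangled paste before it is compiled in."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not an ASN.1 SEQUENCE (expected leading 0x30)")
    first = der[1]
    if first < 0x80:                       # short-form length
        header, content = 2, first
    else:                                  # long-form: 0x8n then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad long-form length")
        header, content = 2 + n, int.from_bytes(der[2:2 + n], "big")
    total = header + content
    if total != len(der):
        raise ValueError(f"SEQUENCE claims {total} bytes, blob has {len(der)}")
    return total

def pem_to_c_header(pem_text, symbol):
    """Emit C header text with one byte array per certificate in pem_text."""
    ders = pem_to_der(pem_text)
    if not ders:
        raise ValueError("no CERTIFICATE blocks found")
    out = ["/* generated from PEM; do not edit by hand */",
           "#include <stddef.h>", "#include <stdint.h>", ""]
    for i, der in enumerate(ders):
        der_outer_length(der)              # reject broken DER before emitting
        name = symbol if len(ders) == 1 else f"{symbol}_{i}"
        hex_bytes = ", ".join(f"0x{b:02x}" for b in der)
        out.append(f"static const uint8_t {name}[] = {{")
        out.extend(textwrap.wrap(hex_bytes, 76, initial_indent="    ",
                                 subsequent_indent="    "))
        out += ["};", f"static const size_t {name}_len = {len(der)};", ""]
    return "\n".join(out)

# Constructed sample: a 5-byte SEQUENCE { INTEGER 5 }, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
```

Run `print(pem_to_c_header(open("server.pem").read(), "splunk_ca_der"))` against the .pem downloaded from the browser’s certificate details and redirect the output into the header you add to the build.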


#74

I’ve got the glowfish Particle client sort-of working. I pointed it at https://api.particle.io/v1 and it returned some plausible text. I pointed it at a server at home that is https; however, the certificate is signed by me rather than a CA. It connected a few times before crashing (SOS) but connects occasionally, so on that basis I reckon it’s ignoring the certificate checks. If that’s the case then you may want to look at setting diagnostics rather than trying to add extra root certs, which might be ignored.

I’ve since had a look through the code, which I think was a bundle that I downloaded from github. httpsclient-particle.h sets ALLOW_ANON_CONNECTIONS to 1, which seems to be a way of ignoring cert errors and in httpsclient-particle.cpp NULL is passed as the expected name for a match against CN. I can’t be 100% certain from a brief look but it looks to be the case.

Try setting USE_CRYPTO_TRACE in cryptoConfig.h as it gives a little bit more handshake diagnostics. USE_SSL_HANDSHAKE_MSG_TRACE and USE_SSL_INFORMATIONAL_TRACE looked promising but didn’t help me much when I tried them.

If you are accessing your own server then Wireshark is always a good bet for seeing what’s going over the network and is always my favoured tool.


#76

Pardon my question, but how do you include in your code the certificate obtained for the https server that will be accessed? This is unclear to me. If anyone has an example or can point me in the right direction, it would be greatly appreciated.


#77

I’m still working on it so will post here if I have any success.

One thing: I am not seeing as many of the Serial.println outputs as I would have expected from the HTTPS library.

I even went so far as hardcoding true for the if statements.

My Code - http://pastebin.com/i5Y1KPQW
HTTPS Library - http://pastebin.com/1FQPfJ7Z

All I see on the output is this:

Serial Output - http://pastebin.com/3zZ4tHGk

but with all the Serial.println statements in the library I thought I should be seeing a lot more.


#78

I don’t know. I’ve not spent much time looking at glowfish.

It looks to me like it might be ALL_RSA_CAS.h that stores the CA root certificates, but I’ve not had time to prove or disprove that. At the moment I am not convinced that the software is validating against the CA certificates. If you want to use glowfish then I think you first need to get one of the examples working and then experiment with the settings and the CA files to see which settings cause it to fail the verification checks.


#79

Just wanted to chime in on this - I solved my AWS issues by using Adafruit’s WICED Feather hardware for my prototyping. This is based on the same P0 chip, but has a completely different firmware. I now have a client that connects to AWS IoT cloud and posts data perfectly. I’m seeing response times of 30-35ms, so this certainly isn’t shabby.

I really wish that the Particle team could get this working though as I really want to use their ecosystem with OTA & firmware updates. Maybe they could look at the Adafruit code and find some inspiration there? https://github.com/adafruit/Adafruit_WICED_Arduino/


#80

Agreed. I’ve been prototyping on their hardware for some commercial applications, but without https it is no deal with my clients. As another poster pointed out in another thread, there are some other good devices out there that are capable, which sadly are the better option.


#81

Looking on the Adafruit website it lists a Feather device (product id 3056) that appears to do HTTPS but it’s a lot more expensive ($35 vs £19) than the Photon - is that the one you are using?