WiFiClientSecure client ipv4 always connect fail

[iamneo2416]

Hardware:

Board: ESP8266 NodeMCU V2
Core Installation/update date: 2018/03/21
IDE name: Arduino IDE
Flash Frequency: 80Mhz
Upload Speed: 115200

Description:

All samples from internet use host name to do sample code. Today, I tried to use ipv4 to do sample code connection, but always get fail result without any luck. Here is my sample code. Please help. My server is located inside "intranet", not "internet".

I installed ubuntu 16.04 apache web server with self-signed certificate in LAN environment and use browser to access https://192.168.1.210/ web page always successfully.

I even use dos command line to telnet 192.168.1.210 443 to check port listening. It's working perfectly.
C:> telnet 192.168.1.210 443

But when I use WiFiClientSecure client.connect(ip, 443). It always get fail return. Is this a bug for ipv4 connect in connect() function ?

Here is the exact step I followed to build this virtual machine (192.168.1.210) w/self-signed certificate.
https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04

Sketch:

//Change the code below by your sketch
#include <Arduino.h>
#include <ESP8266WiFi.h>
#include <WiFiClientSecure.h>

const char * host = "192.168.1.210";
const int port = 443;

static WiFiClientSecure g_client;
String wifi = "ssid";
String pass = "pass";

unsigned char root_ca[] = {
  0x30, 0x82, 0x04, 0x02, 0x30, 0x82, 0x02, 0xea, 0xa0, 0x03, 0x02, 0x01,
  0x02, 0x02, 0x09, 0x00, 0xc5, 0xb6, 0xe0, 0xe5, 0x41, 0x5f, 0x08, 0xa6,
  0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
  0x0b, 0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
  0x55, 0x04, 0x06, 0x13, 0x02, 0x54, 0x57, 0x31, 0x0f, 0x30, 0x0d, 0x06,
  0x03, 0x55, 0x04, 0x08, 0x0c, 0x06, 0x54, 0x61, 0x69, 0x77, 0x61, 0x6e,
  0x31, 0x0f, 0x30, 0x0d, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x06, 0x54,
  0x61, 0x69, 0x70, 0x65, 0x69, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55,
  0x04, 0x0a, 0x0c, 0x0c, 0x42, 0x61, 0x79, 0x65, 0x73, 0x74, 0x65, 0x6b,
  0x20, 0x43, 0x4f, 0x2e, 0x31, 0x0c, 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04,
  0x0b, 0x0c, 0x03, 0x4d, 0x49, 0x53, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03,
  0x55, 0x04, 0x03, 0x0c, 0x0d, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38,
  0x2e, 0x31, 0x2e, 0x32, 0x31, 0x30, 0x31, 0x26, 0x30, 0x24, 0x06, 0x09,
  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x17, 0x74,
  0x6f, 0x6d, 0x6d, 0x79, 0x2e, 0x79, 0x61, 0x6e, 0x67, 0x40, 0x62, 0x61,
  0x79, 0x65, 0x73, 0x74, 0x65, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x20,
  0x17, 0x0d, 0x31, 0x38, 0x30, 0x36, 0x31, 0x31, 0x31, 0x30, 0x33, 0x30,
  0x33, 0x37, 0x5a, 0x18, 0x0f, 0x32, 0x31, 0x31, 0x38, 0x30, 0x35, 0x31,
  0x38, 0x31, 0x30, 0x33, 0x30, 0x33, 0x37, 0x5a, 0x30, 0x81, 0x94, 0x31,
  0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x54, 0x57,
  0x31, 0x0f, 0x30, 0x0d, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x06, 0x54,
  0x61, 0x69, 0x77, 0x61, 0x6e, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x03, 0x55,
  0x04, 0x07, 0x0c, 0x06, 0x54, 0x61, 0x69, 0x70, 0x65, 0x69, 0x31, 0x15,
  0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x42, 0x61, 0x79,
  0x65, 0x73, 0x74, 0x65, 0x6b, 0x20, 0x43, 0x4f, 0x2e, 0x31, 0x0c, 0x30,
  0x0a, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x03, 0x4d, 0x49, 0x53, 0x31,
  0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0d, 0x31, 0x39,
  0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x31, 0x2e, 0x32, 0x31, 0x30, 0x31,
  0x26, 0x30, 0x24, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
  0x09, 0x01, 0x16, 0x17, 0x74, 0x6f, 0x6d, 0x6d, 0x79, 0x2e, 0x79, 0x61,
  0x6e, 0x67, 0x40, 0x62, 0x61, 0x79, 0x65, 0x73, 0x74, 0x65, 0x6b, 0x2e,
  0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82,
  0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
  0xbb, 0xff, 0x54, 0xfa, 0xd9, 0x2b, 0xab, 0x39, 0xf8, 0xb9, 0x5c, 0x22,
  0xe0, 0x07, 0xea, 0x06, 0x52, 0xe4, 0x09, 0x1a, 0x06, 0xd3, 0x31, 0xca,
  0x3c, 0xa3, 0x91, 0x3f, 0x2c, 0x8a, 0xea, 0x9d, 0x60, 0x49, 0x50, 0x09,
  0xf4, 0x93, 0xe3, 0x84, 0x54, 0x03, 0xe0, 0x26, 0x84, 0xc6, 0xa9, 0xbf,
  0x19, 0x32, 0x44, 0xd1, 0xfe, 0x83, 0x50, 0xa5, 0x85, 0x6c, 0x94, 0xc2,
  0xc0, 0xe4, 0xf8, 0xbe, 0x1e, 0xa5, 0x48, 0xfa, 0xae, 0x00, 0xe2, 0x43,
  0x7f, 0x8d, 0x83, 0x4b, 0xf7, 0x40, 0x03, 0xb1, 0xe6, 0x36, 0x16, 0xb8,
  0x32, 0xbe, 0x81, 0x17, 0x22, 0x99, 0x8d, 0xd4, 0xfa, 0xf8, 0x72, 0x9c,
  0x1b, 0xd4, 0x71, 0x30, 0xcf, 0xc5, 0x61, 0xf0, 0x8c, 0x94, 0x49, 0x32,
  0xaa, 0x28, 0x4b, 0x55, 0x42, 0x80, 0x2b, 0x25, 0x87, 0xa6, 0xab, 0x82,
  0x08, 0x3f, 0xfc, 0x27, 0xff, 0xae, 0xbd, 0x4e, 0xf6, 0x07, 0x65, 0x5d,
  0x90, 0xb5, 0xb4, 0x1f, 0x05, 0x9d, 0x83, 0xd0, 0x63, 0x1f, 0x42, 0x67,
  0x35, 0xbc, 0xf2, 0x52, 0x0a, 0x3d, 0x6a, 0x9f, 0x3f, 0xe3, 0x2a, 0x92,
  0xfa, 0xa6, 0x43, 0xeb, 0x15, 0x73, 0xb0, 0x06, 0xc4, 0xe9, 0x06, 0x40,
  0x6c, 0x8d, 0xc4, 0xb1, 0x54, 0xb6, 0x73, 0x08, 0xf0, 0x33, 0xfc, 0xd4,
  0x2e, 0x74, 0xc3, 0x0b, 0x5c, 0x7f, 0x90, 0x83, 0xf2, 0x12, 0x19, 0xf5,
  0xe3, 0x83, 0xee, 0x3e, 0x16, 0xea, 0x18, 0xb2, 0xfe, 0xb0, 0x89, 0xfe,
  0xd3, 0x3a, 0x1f, 0xc6, 0x08, 0x71, 0x6f, 0x8a, 0x23, 0x44, 0x1c, 0xfe,
  0x45, 0x47, 0x3a, 0x4b, 0xe7, 0x68, 0x4d, 0x04, 0x85, 0xe2, 0x26, 0xea,
  0x49, 0x8b, 0x52, 0xfa, 0x0d, 0x20, 0x94, 0x23, 0x5e, 0x19, 0x5d, 0x66,
  0xa8, 0x24, 0x72, 0x35, 0x91, 0x76, 0x0e, 0xea, 0xe7, 0x6a, 0x7f, 0x5a,
  0x07, 0x76, 0x3b, 0x31, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30,
  0x51, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14,
  0x0e, 0x24, 0x5e, 0xd3, 0xf8, 0xda, 0x44, 0x9a, 0xdc, 0x0a, 0xf2, 0x09,
  0x53, 0xa1, 0xdf, 0xae, 0x0b, 0x92, 0x17, 0xff, 0x30, 0x1f, 0x06, 0x03,
  0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x0e, 0x24, 0x5e,
  0xd3, 0xf8, 0xda, 0x44, 0x9a, 0xdc, 0x0a, 0xf2, 0x09, 0x53, 0xa1, 0xdf,
  0xae, 0x0b, 0x92, 0x17, 0xff, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13,
  0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d,
  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
  0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x54, 0x0d, 0xbf, 0xf1, 0x81, 0x9b,
  0x36, 0x68, 0x95, 0x2d, 0xf9, 0x7f, 0xb8, 0x01, 0xd1, 0xd4, 0x96, 0xb7,
  0x4d, 0x09, 0x4f, 0xcd, 0xfe, 0x8a, 0x3f, 0x62, 0xa1, 0xe1, 0x9e, 0x2f,
  0x28, 0x83, 0xee, 0xfb, 0x72, 0x90, 0x7b, 0xb7, 0xa2, 0xc6, 0x99, 0xd5,
  0x4d, 0x40, 0xa7, 0xa1, 0xc1, 0x1c, 0x17, 0x92, 0xe2, 0x98, 0xc5, 0x72,
  0x28, 0x7d, 0x7a, 0x7b, 0x05, 0x43, 0x27, 0x2e, 0x19, 0x74, 0x64, 0x3b,
  0x67, 0xe2, 0x74, 0xeb, 0xac, 0xcd, 0xc4, 0x0c, 0xa2, 0x9a, 0xb6, 0xb0,
  0x00, 0x69, 0xd9, 0xca, 0xc2, 0x1f, 0xe0, 0xe3, 0x88, 0x2b, 0x13, 0xa8,
  0x15, 0xba, 0xd5, 0xe2, 0x05, 0x6c, 0x9c, 0x20, 0xb5, 0xec, 0xdb, 0xca,
  0xe2, 0x57, 0x40, 0xed, 0xbe, 0x3c, 0x27, 0xe1, 0x53, 0x8c, 0x91, 0x2d,
  0x3f, 0xe8, 0x9b, 0x4c, 0x41, 0x84, 0x3e, 0x25, 0xae, 0x10, 0xe2, 0x1d,
  0xf4, 0x42, 0x74, 0xa7, 0x71, 0x3c, 0xa1, 0x54, 0x9a, 0x18, 0xb0, 0xae,
  0xf1, 0xcc, 0x96, 0x1d, 0x38, 0x5a, 0xce, 0x74, 0x55, 0xa2, 0x41, 0x51,
  0xcf, 0x72, 0x38, 0x72, 0xac, 0x49, 0x38, 0x5c, 0xb1, 0xdc, 0x48, 0x16,
  0xd4, 0x69, 0x41, 0xb0, 0xa9, 0x40, 0x6b, 0x27, 0x0d, 0xbf, 0x74, 0xbb,
  0x64, 0xb0, 0xf6, 0xd1, 0x9c, 0xd5, 0x7f, 0x46, 0x47, 0x78, 0x91, 0xd8,
  0xf1, 0xad, 0x7b, 0x1a, 0xf7, 0xfb, 0x03, 0xcf, 0x2e, 0xdc, 0xc3, 0x83,
  0xac, 0x76, 0x58, 0x00, 0x7f, 0xa4, 0xd8, 0x55, 0x43, 0x1c, 0xce, 0x20,
  0x0f, 0x0b, 0xb0, 0x39, 0x81, 0x35, 0xdf, 0x63, 0x58, 0x84, 0xd5, 0x73,
  0xbf, 0x44, 0x5c, 0xdf, 0x5e, 0xd5, 0x3c, 0x8c, 0x43, 0x5f, 0x53, 0x45,
  0x4d, 0x9d, 0xc2, 0x10, 0xf7, 0xae, 0xbb, 0xde, 0x03, 0x9f, 0x99, 0x36,
  0xd1, 0x1d, 0x3d, 0x78, 0xe9, 0xf9, 0x53, 0xe1, 0xaa, 0x53
};


void setup()
{
  Serial.begin(115200);
  
  WiFi.begin(wifi.c_str(), pass.c_str());

  while (WiFi.status() != WL_CONNECTED)
  {
    delay(1000);
    Serial.print(".");
  }

  Serial.println("Set CA Cert");
  if (!g_client.setCACert(root_ca, sizeof(root_ca)))
  {
    Serial.println("Failed to load CA certificate");
    while(true) yield();
  }
  Serial.println("CA Cert set");

  Serial.print("Connecting to ");
  Serial.println(host);
  if(!g_client.connect(host, port))  **//<== always failed on this line and return. not even go to varify().**
  {
    Serial.println("Connection failed");
    return;
  }
//============================
  if(g_client.verifyCertChain(host))
  {
    Serial.println("Server certificate verified");
  }
  else
  {
    Serial.println("ERROR: certificate verification failed!");
    return;
  }

  g_client.stop();

}

void loop() {}


### Debug Messages:

SDK:2.2.1(cfd48f3)/Core:2.4.1/lwIP:2.0.3(STABLE-2_0_3_RELEASE/glue:arduino-2.4.1)
scandone
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 2
cnt 

connected with ssid, channel 1
dhcp client start...
......ip:192.168.1.132,mask:255.255.255.0,gw:192.168.1.1
.Set CA Cert
=== CERTIFICATE ISSUED TO ===
Common Name (CN):	192.168.1.210
Organization (O):		BestMe CO.
Organizational Unit (OU):MIS
Location (L):			Tokyo
Country (C):			JPN
State (ST):			Japan
Basic Constraints:		critical, CA:TRUE, pathlen:10000
=== CERTIFICATE ISSUED BY ===
Common Name (CN):	192.168.1.210
Organization (O):		BestMe CO.
Organizational Unit (OU):MIS
Location (L):			Tokyo
Country (C):			JPN
State (ST):			Japan
Not Before:			Mon Jun 11 10:30:37 2018
Not After:			Sun Apr 11 04:02:21 1982
RSA bitsize:			2048
Sig Type:				SHA256
CA Cert set
Connecting to 192.168.1.210
State:	sending Client Hello (1)
Alert: handshake failure **<== why failed, but browser always sucess ?**
Error: SSL error 40
Alert: unexpected message **<== why strange message here?**
Error: SSL error 40
Alert: close notify
Connection failed
pm open,type:2 0

[devyte]

@earlephilhower could you please assess this?

[earlephilhower]

Unless @iamneo2416 can reproduce this on a public website, there's nothing to even test with. axTLS can connect to the majority of https websites, so there's something unique in his TLS server.

My guess is this is the same problem as others where the server is sending multiple messages in a single fragment, which breaks axTLS but not (all?) other SSL implementations like the one used in full fat browsers/etc.

[earlephilhower]

Issue #3661 would be the original one. May be a 1-line patch to axtls suggested, but w/o a reproducible test case it's hard to say by inspection alone.

[devyte]

@earlephilhower Does bearssl have this issue?

[earlephilhower]

@devyte BearSSL shouldn't have this issue, assuming it's a duplicate of #3661, as it is specific to the axtls lib parsing of TLS messages.

I also just saw the text also shows a certificate with a silly "not after" date for the CA cert (> 2038, which axtls doesn't support so Hello 1982!) which is also an axtls specific thing. BearSSL should work for this.

@iamneo2416 can try a CA that's valid only until 2037, which may make things work. Unless we get feedback from him about it after trying this, or if it still fails we'd still need a public website or this will not be reproducible.

[myfathany]

Maybe you can refer to #1460 .

[devyte]

Closing due to lack of feedback from OP.