Wio Terminal SSL failures using v2.1.1 firmware

Hello,
I am working on a weather app for the Wio Terminal and I would like to get data from NOAA using the domain api.weather.gov, and Open Weather Map using the domain api.openweathermap.org. Both sites require SSL connections. However, while I am able to get this to work with api.openweathermap.org, it is not working for api.weather.gov. While the connect() call returns successfully, any further IO fails. It appears the socket closes prematurely.

While trying to track down this problem, I wrote a simple test program that connects to www.example.com, api.openweathermap.org, api.weather.gov, and www.howsmyssl.com, using WiFiClientSecure and performs a simple GET after connecting. The first two work fine. The third (api.weather.gov) fails as mentioned above, where the connect succeeds but further I/O fails. The fourth (www.howsmyssl.com) never connects at all and times out. So only two out of four sites work.

Here is a link to my test program: https://drive.google.com/file/d/18rYuFaIJhUcWtbdgM4IFpKLGg7e-ngzV/view?usp=sharing

Note you will need to change the SSID and Wifi Password to run it.

Below is a sample run. Note the first two sites work, the third “connects” but has a file descriptor of -1, so nothing else works after that, and the fourth simply times out.

Attempting to connect to SSID: <omitted>
Connected to <omitted>

Starting connection to www.example.com
    Connected to server!
    File descriptor: 0
    Sending GET request
    Wrote request, wn=60
    Reading response...
    Headers received
    Read 1256 bytes.
    Stopping WiFiClientSecure connection...

Starting connection to api.openweathermap.org
    Connected to server!
    File descriptor: 0
    Sending GET request
    Wrote request, wn=72
    Reading response...
    Headers received
    Read 107 bytes.
    Stopping WiFiClientSecure connection...

Starting connection to api.weather.gov
    Connected to server!
    File descriptor: -1
    Sending GET request
    Wrote request, wn=0
    fd=-1, errno=88
    Stopping WiFiClientSecure connection...

Starting connection to www.howsmyssl.com
    LastError: SSL - The connection indicated an EOF
    Connection failed!

All sites processed.

I am running 2.1.1 firmware, and downloaded fresh copies of rpcWifi (master), rpcUnified (master), and mbedtls (dev) on 2/14/2021 (yesterday). Any help would be appreciated.

Thanks,
Jim C

Hi @Jim_C,

I have tested your code and tried using a different root CA for api.weather.gov, and it worked.

I obtained the root CA using:

openssl s_client -showcerts -verify 5 -connect api.weather.gov:443 < /dev/null

Here is the root CA I used:


Here is my output for the api.weather.gov part:

Starting connection to api.weather.gov
    Connected to server!
    File descriptor: 0
    Sending GET request
    Wrote request, wn=66
    Reading response...
    Headers received
    Read 275 bytes.
    Stopping WiFiClientSecure connection...

However, there still seems to be a problem with www.howsmyssl.com, even though I tried using a different root CA for that as well.

I will test further and get back to you if I find any solution.

Best Regards,
Lakshantha

Hi @Jim_C,

The issue for www.howsmyssl.com seems to be somewhat similar to this:

If you check closely, the public-key lengths for api.weather.gov, api.openweathermap.org and www.example.com are all 2048 bit. You can enter the following to check:

echo | openssl s_client -connect api.weather.gov:443 2>/dev/null | openssl x509 -text -noout | grep "Public-Key"
echo | openssl s_client -connect api.openweathermap.org:443 2>/dev/null | openssl x509 -text -noout | grep "Public-Key"
echo | openssl s_client -connect www.example.com:443 2>/dev/null | openssl x509 -text -noout | grep "Public-Key"

However, the public-key length for www.howsmyssl.com is 256 bit:

echo | openssl s_client -connect www.howsmyssl.com:443 2>/dev/null | openssl x509 -text -noout | grep "Public-Key"

This might be the reason causing this issue.

This is my opinion about this issue. However, it could be due to other reasons as well. I will get back to you if I find a solution.

Best Regards,
Lakshantha

Thank you for looking into this. I was able to replicate your results and connect to api.weather.gov!

I guess I botched the certificate. Instead of using openssl, I used the Chrome menus to save it. One area of confusion for me is that Chrome shows two parent certificates, the intermediate and the CA root. So I guess you’re using the intermediate…

Regarding www.howsmyssl.com, I wonder if it’s using something other than RSA for such a short key?

Thanks again,
Jim

My pleasure!

If your intermediate certificate matches with the one I shared, then yes. You are using the intermediate.

You are right. It’s not using RSA. But rather uses ECDSA.

You can check by running:

openssl s_client -showcerts -verify 5 -connect www.howsmyssl.com:443 < /dev/null

In the output, there is a section where it says:

Peer signature type: ECDSA

Best Regards,
Lakshantha

Hello,
I tested your code and cannot confirm your bad observations.
With the three working URLs your sketch has now been running for some minutes flawlessly.
For www.howsmyssl.com, Wireshark reveals an SSL handshake failure, see picture.
It’s strange that in Wireshark I cannot even see a DNS request for this URL.

Are you sure, that you have the latest firmware for the Wio Terminal installed?
There are some posts in the forum how to install the actual firmware in the Arduino IDE.
framework-arduino-samd-seeed@https://github.com/Seeed-Studio/ArduinoCore-samd.git#v1.8.1

However, I also saw occasional hangs and stops in performing HTTP POST requests.

I would be happy if the cause of this were in my App, but I suspect that the reason lies in the Seeed libraries.

Hi RoSchmi,

Yes, you’re right, with the updated certificate for api.weather.gov, three out of four sites in my test program are working. So for my weather project I’m in good shape, I think.

Nevertheless, it is a mystery as to why www.howsmyssl.com is not working. And I’m fairly confident I’m running the latest code. I went through the procedure to update on 2/14, with 2.1.1, and I made sure I had the latest on the other libraries as well the same day. Given your message, it seems you were able to reproduce the problem with www.howsmyssl.com, so I doubt the problem is with my firmware. Is there a way to ask the firmware/library what version it is? That would be nice so we could verify the version at runtime.

Your wireshark log is revealing. While there was no DNS lookup, the right IP address is being used. Also, it seems the site disconnects as soon as the Wio Terminal sends the first “Client Hello” message. Perhaps this indicates the server does not like the TLS version and/or cipher suites advertised by the Wio Terminal? Just a theory.

Thanks,
Jim
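Added example, not code from this thread or from the Seeed libraries: an offline model of the cipher-suite selection step that the ECDSA finding and the "server does not like the cipher suites in the Client Hello" theory point to. The suite lists are constructed sample data (the Wio Terminal's actual mbedtls suite list is not given in the thread), and the server lists stand in for an ECDSA-only host like www.howsmyssl.com and an RSA host like api.weather.gov.

```python
from typing import Optional, Sequence

# Constructed sample data, not a capture. An embedded client is modelled as
# offering only RSA-authenticated TLS 1.2 suites; a desktop browser also
# offers TLS 1.3 and ECDSA suites.
EMBEDDED_CLIENT = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "AES128-GCM-SHA256",
    "AES256-SHA",
]
DESKTOP_CLIENT = [
    "TLS_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
]
# Server preference lists (constructed): one host with a 256-bit ECDSA
# certificate, one with a 2048-bit RSA certificate.
ECDSA_SERVER = [
    "TLS_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
]
RSA_SERVER = ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA"]


def auth_required(suite: str) -> str:
    """Certificate key type an OpenSSL-style suite name needs: 'ECDSA', 'RSA' or 'any'."""
    if suite.startswith("TLS_"):
        return "any"  # TLS 1.3 suites do not fix the authentication algorithm
    if "ECDSA" in suite.split("-"):
        return "ECDSA"
    return "RSA"  # explicit '-RSA-' and legacy names such as AES256-SHA both use RSA


def server_picks(client: Sequence[str], server_key: str,
                 server: Sequence[str]) -> Optional[str]:
    """First server-preferred suite that the client offers and the server's key can use.
    None models a handshake_failure: the server closes right after the Client Hello."""
    offered = set(client)
    for suite in server:
        if suite in offered and auth_required(suite) in ("any", server_key):
            return suite
    return None


if __name__ == "__main__":
    print("embedded -> ECDSA host:", server_picks(EMBEDDED_CLIENT, "ECDSA", ECDSA_SERVER))
    print("desktop  -> ECDSA host:", server_picks(DESKTOP_CLIENT, "ECDSA", ECDSA_SERVER))
    print("embedded -> RSA host:  ", server_picks(EMBEDDED_CLIENT, "RSA", RSA_SERVER))
```

The first case returns None: nothing in the RSA-only offer can be signed with an ECDSA certificate, so the server has no suite to choose and aborts, matching the capture where the connection drops at the first Client Hello.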

Hi, you can check the RTL8720 firmware like this:

char buf[100];
// snprintf bounds the write to the buffer; rpc_system_version() returns the RTL8720 firmware version string
snprintf(buf, sizeof(buf), "RTL8720 Firmware: %s", rpc_system_version());
Serial.println(buf);

The Wio Terminal firmware can be checked with the Arduino IDE Board Manager as shown in this video:
- https://www.youtube.com/watch?v=D9VbwTOvf4k

For PlatformIO IDE you can add this to your platformio.ini file to make sure that you have version 1.8.1:
platform_packages = framework-arduino-samd-seeed@https://github.com/Seeed-Studio/ArduinoCore-samd.git#v1.8.1

As far as howsmyssl is concerned, this link may be interesting:
- https://stackoverflow.com/questions/44900505/tls-handshake-fails-even-though-ciphersuites-in-common