RTOS: HTTPS client for getting response from websites other than www.example.com

Looks like my full question is not posted. Going to repeat the question.

I wanted to connect to an other site other than "www.example.com:443". Its certificate is given on "ev-root.digicert.com/.../index.html". I then used this certificate to connect with the "www.yahoo.com" for secure connection. It failed.
I then tried to connect with the "https://www.digicert.com" ( same certificate used by the example.com" but again I get -102 error.

I wanted to know how to connect to other sites using the HTTPS client example? because current example works with the "www.example.com" but not with other web sites.

Hi Fehan,

Each server may have a different Root CA certificate. You will need to use the Root CA certificate of the server you are trying to connect to, instead of using example.com's Root CA.

Vikram

I agree. but "www.digicert.com" has the same Root CA certificate. I used HTTP Client example to access "www.digicert.com" with following HOSTNAME
1. HOSTNAME "www.digicert.com"
2. HOSTNAME "www.digicert.com:443"

I both cases, I get -103 or -102 error. Kindly suggest some way to fix this issue.
ALso can you please run the same example at your end to find if "www.digicert.com:443" is accessable there.

Fehan,

Which TI device/board are using? Also, please list out the software versions that you are using?

Regarding the error - Yes, the root CA for digicert.com is same as that for example.com. But the TLS cipher used are different. Digicert expects ECDHE-RSA-AES256-GCM-SHA384 (public key size 4096 bit) whereas example.com expects ECDHE-RSA-AES128-GCM-SHA256 (public key 2048 bit). We would need to first look at the error code from SSL layer to determine the type of error. That can done by calling HTTPCli_getSocketError() API after you hit failure (i.e. error code -103 or -102).

Vikram

I am using following software and hardware versions.

1. EK_TM4C1294XL board
2. tirtos_tivac_2_16_01_14
3. IAR 7.4


also TLS_create function is created successfully. I get errror when this function is executed.

ret = HTTPCli_sendRequest(&cli, HTTPStd_GET, REQUEST_URI, false);
if (ret < 0) {
printError("httpsTask: send failed", ret);
}

I get following error withing printError function

00009.000 TcpTimeoutRexmt: Retransmit Timeout
Error! code = -103, desc = httpsTask: send failed

Sometime I also get following error

TcpTimeoutRexmt: Retransmit Timeout
00079.300 TcpTimeoutKeep: Keep Timeout
Error! code = -102, desc = httpsTask: connect failed

Can you please suggest me how to change the Cypher to ECDHE-RSA-AES256-GCM-SHA384 from this ECDHE-RSA-AES128-GCM-SHA256

Fehan,

Can you also print the return value from HTTPCli_getSocketError(&cli) when you print send failed error? We need to see the error code returned from wolfSSL layer to understand the issue.

For configuring & building WolfSSL for TI-RTOS, please read the instructions in this wiki: processors.wiki.ti.com/.../Using_wolfSSL_with_TI-RTOS

As mentioned in the instructions, you will have to update setttings.h for any wolfSSL configuration changes. For enabling SHA386, you will have to add a define WOLFSSL_SHA384 in the settings.h. You find more information about the build defines in Section 2.4 of the wolfSSL manual: www.wolfssl.com/.../wolfSSL-Manual.pdf

Vikram

Vikram

I have built the WolfSSL with the SHA384. It initially showed error that sys/socket.h is not available. 

But still I am getting -112 error from   HTTPCli_getSocketError(&cli); function. Can you please suggest any other method to overcome this issue. 

Did you built the wolfSSL libraries as per the instructions in the link that I posted earlier?

From wolfSSL error-crypt.h, -112 is defined as MP_EXPTMOD_E (mp_exptmod error state). I haven't seen such an error before. Can you make sure this error code is from HTTPCli_getSocketError(&cli)?

HTTPCli_getResponseStatus() also returns -112 which means "Response received from the server is not a valid HTTP/1.1 response". Is it failing in HTTPCli_getResponseStatus()?

Also, can you set-up wireshark to capture the TLS handshake between the client and server? We should be able to see TLS issues if any on this capture.

Vikram

Vikarm 

Thanks. Yes I got this error from the HTTPCli_getSocketError(&cli). But I will double check it and will let you know it.

Also the website I intended to access does not use SHA384, so right now I am leaving this issue as it is and will come again to it if I need to access some higher level encryption. Meanwhile, if you can build wolfSSL with SHA384 and check it your end then it will be great. I have another question which I have posted in new thread

Fehan,

We have previously built wolfSSL with SHA384 and SHA512, and found it to work as expected.

Let us know if have issues with it.

Vikram