HttpsUploadCert example

Posted: Mon Oct 11, 2021 10:56 am
by SeeCwriter
Using v3.3.3, I built the HttpsUploadCert example and loaded into a NANO. According to the example description, it has a cert & key compiled in so that a secure connection can be made before a cert & key are uploaded. Trying to make a secure connection with Chrome, it generates error "NET::ERR_CERT_AUTHORITY_INVALID."

Using batch files makeca and makeserver, I created CA.crt, CA.key, server.crt, and server.key. I added CA.crt to Chrome, and uploaded the server cert & key to the module via the unsecure link. The module printout says the cert & key were valid and saved. I still can't make a secure connection. I get the same invalid authority error.

For CA.crt, I entered the following:

Country name: US
State: California
Locality: Santa Clara
Organization: Comtech-Test
Organization Unit: .
Common Name: Comtech-Test
email: .

For Server.crt:

Country name: US
State: California
Locality: Santa Clara
Organization: Comtech-Test
Organization Unit: .
Common Name: 10.250.5.143
email: .

Challenge Password: .
Optional Company name: .


What did I do wrong?

Re: HttpsUploadCert example

Posted: Mon Oct 11, 2021 2:33 pm
by Jon
Hi SeeCwriter,

Are you able to click past that error and get to the page, or does it completely shut you down? I would look at the certificate on the page and verify that it's getting the new one that you've uploaded to the device. If it's not, then uploading the CA that you've created won't help, unfortunately. Chrome seems to have a habit of hanging onto old certificates instead of getting newer ones (even in Incognito mode), which is an issue I've run into before. Firefox seems to be better about this in general.

Additionally, Chrome also requires that certificates include Subject Alternate Names. Our scripts can be modified to do this. You'll want to open makeserver.bat and read the comments there in order to do so. Let me know if that helps, or if you run into any other issues.

Kind Regards,
Jon

Re: HttpsUploadCert example

Posted: Tue Oct 12, 2021 1:15 pm
by SeeCwriter
No, I can't click past the error. I can go back to unsecure connection, port 80, but nothing on port 443. The certificate displayed when clicking the "Display public key" matches the server.crt file I uploaded to the module.

I created new certificates with the alternate name per the instructions in makeserver.bat. Still didn't work.
I don't know if this helps, but I captured the secure connection attempt via Wireshark. When I click "Make a HTTPS IPv4 request...", the browser makes two TCP connections, one from port 65131 and one from 65132. The browser then sends two Client Hello packets, both are acknowledged. The module responds with a Server Hello message. The browser then responds with a Change Cipher Spec packet and closes the connection. It does that with both connections.

Re: HttpsUploadCert example

Posted: Tue Oct 12, 2021 2:27 pm
by SeeCwriter
Looking at the certificate in the browser, it doesn't show an alternate name. This is the contents of file makeancert.ext:

#If you have an IP use:
subjectAltName = 10.250.5.143
#otherwise use
#subjectAltName = DNS:yourname

And this is the command line in makeserver.bat that is used:

openssl x509 -req -SHA384 -days 7300 -extfile makeancert.ext -in Server.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out Server.crt

Re: HttpsUploadCert example

Posted: Tue Oct 12, 2021 2:55 pm
by SeeCwriter
The problem was that file makeancert must have a .cnf for a file extension in order to get an alternate name. Now I can make a secure connection. Also, I just noticed that the cert & key uploaded to the module don't appear to be saved in non-volatile memory because after every reboot I have to upload them again in order to make a secure connection.

Re: HttpsUploadCert example

Posted: Tue Oct 12, 2021 5:35 pm
by Jon
Hi SeeCwriter,

I'll look into both of those. The .cnf file extension should be a configuration file for OpenSSL, while the -extfile flag is used to signal the certificate extensions used. I'll see if I can get the same issue on the NANO as well. The certs should certainly survive a reboot.

Kind Regards,
Jon

Re: HttpsUploadCert example

Posted: Wed Oct 13, 2021 3:51 pm
by Jon
Hi SeeCwriter,

The issue with the certs not surviving a reboot is fixed in 3.3.4 (being released as we speak). The same issue was also causing issues for config record saves.

Kind Regards,
Jon

Re: HttpsUploadCert example

Posted: Thu Oct 14, 2021 9:35 am
by SeeCwriter
Great. Thank you.