<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Michael,<div class=""><br class=""></div><div class="">I am getting:</div><div class=""><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class=""><div class="">OVMS# script eval 'HTTP.Request({url: "<a href="http://dexters-web.de/f/test.json" class="">http://dexters-web.de/f/test.json</a>",always: function() { JSON.print(this, false); } });'</div><div class="">I (140781) script: [eval:1:] {"url":"<a href="https://dexters-web.de/f/test.json" class="">https://dexters-web.de/f/test.json</a>","always":function () { [ecmascript code] },"redirectCount":1,"error":"","response":{"statusCode":200,"statusText":"OK","body":"{\"foo\":\"bar\"}","headers":[{"Date":"Fri, 14 Feb 2020 08:45:05 GMT"},{"Server":"Apache/2.2.15 (CentOS)"},{"Last-Modified":"Sun, 01 Dec 2019 20:36:31 GMT"},{"ETag":"\"73806cb-d-598aa6b0f7003\""},{"Accept-Ranges":"bytes"},{"Content-Length":"13"},{"Cache-Control":"max-age=0"},{"Expires":"Fri, 14 Feb 2020 08:45:05 GMT"},{"Content-Type":"application/json"}]}}</div><div class=""><br class=""></div><div class="">OVMS# script eval 'HTTP.Request({url: "<a href="https://dexters-web.de/f/test.json" class="">https://dexters-web.de/f/test.json</a>",always: function() { JSON.print(this, false); } });'</div><div class="">I (169991) script: [eval:1:] {"url":"<a href="https://dexters-web.de/f/test.json" class="">https://dexters-web.de/f/test.json</a>","always":function () { [ecmascript code] },"redirectCount":0,"error":"","response":{"statusCode":200,"statusText":"OK","body":"{\"foo\":\"bar\"}","headers":[{"Date":"Fri, 14 Feb 2020 08:45:34 GMT"},{"Server":"Apache/2.2.15 (CentOS)"},{"Last-Modified":"Sun, 01 Dec 2019 20:36:31 GMT"},{"ETag":"\"73806cb-d-598aa6b0f7003\""},{"Accept-Ranges":"bytes"},{"Content-Length":"13"},{"Cache-Control":"max-age=0"},{"Expires":"Fri, 14 Feb 2020 08:45:34 GMT"},{"Content-Type":"application/json"}]}}</div><div class=""><br class=""></div><div class="">OVMS# metrics list version</div><div class="">m.version 3.2.010-15-g931ca3d3-dirty/factory/edge (build idf v3.3-beta3-770-ge97f72ea2 Feb 13 2020 13:01:16)</div></div></blockquote><div class=""><div><br class=""></div><div>That seems correct to me.</div><div><br class=""></div><div>Maybe increased ram usage for you? I your memory status ok?</div><div><br class=""></div><div>The change I made to mongoose would only affect if the ca_cert started with “-----“. Nothing else should have changed (at least in that part). Maybe the increase of fragment size to 16384 has impacted something?</div><div><br class=""></div><div><blockquote type="cite" class=""><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">I've seen you set opts.ssl_server_name in server V2 & V3. This could be left NULL for using the hostname before, is it now necessary to set this?</span></blockquote><br class=""></div><div>I think you are right. I hadn’t noticed that default ca_cert != NULL, but server_name is null. I don’t think it is necessary to set explicitly, but should not matter.</div><div><br class=""></div><div>However, I have just noticed:</div></div><div><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class=""><div><div><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class="">void mg_ssl_if_conn_free(struct mg_connection *nc) {</span></font></div><div><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class=""> struct mg_ssl_if_ctx *ctx = (struct mg_ssl_if_ctx *) nc->ssl_if_data;</span></font></div><div><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class=""> if (ctx == NULL) return;</span></font></div><div><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class=""> nc->ssl_if_data = NULL;</span></font></div><div><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class=""> MG_FREE(ctx->ssl_cert);</span></font></div><div><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class=""> MG_FREE(ctx->ssl_key);</span></font></div><div><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class=""> MG_FREE(ctx->ssl_ca_cert);</span></font></div><div><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class=""> MG_FREE(ctx->ssl_server_name);</span></font></div><div><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class=""> memset(ctx, 0, sizeof(*ctx));</span></font></div><div><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class=""> MG_FREE(ctx);</span></font></div><div><font face="Andale Mono" class=""><span style="font-style: normal; font-size: 14px;" class="">}</span></font></div></div></div></blockquote><div class=""><div><br class=""></div><div>Which is scary. But that seems to be the ’simplessl’ version of that function. There are two other ones, for different SSL implementations, which seem to behave differently. That monolithic mongoose.{h,c} is really confusing to work through. Maybe I should look at their python mechanism to pack/unpack from individual scripts and then try to build a mongoose.{h,c} specific to our needs (without the crud we don’t use such as openssl, simplessl)?</div><div><br class=""></div><div>Regards, Mark.</div><div><br class=""><blockquote type="cite" class=""><div class="">On 14 Feb 2020, at 6:25 AM, Michael Balzer <<a href="mailto:dexter@expeedo.de" class="">dexter@expeedo.de</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<div class="">
Mark,<br class="">
<br class="">
something's wrong now with the Mongoose SSL support. I could do this
javascript call before (example from scripting API doc):<br class="">
<br class="">
<tt class=""> HTTP.Request({</tt><tt class=""><br class="">
</tt><tt class=""> url: <a class="moz-txt-link-rfc2396E" href="https://dexters-web.de/f/test.json">"https://dexters-web.de/f/test.json"</a>,</tt><tt class=""><br class="">
</tt><tt class=""> always: function() { JSON.print(this, false); }</tt><tt class=""><br class="">
</tt><tt class=""> });</tt><br class="">
<br class="">
This now no longer works, neither with the previous opts.ssl_ca_cert
= "*":<br class="">
<br class="">
<tt class="">E (37350) mongoose: mg_ssl_if_mbed_err 0x3f85befc SSL error:
-17040</tt><tt class=""><br class="">
</tt><tt class="">I (37410) script: [eval:3:]
{"url":<a class="moz-txt-link-rfc2396E" href="https://dexters-web.de/f/test.json">"https://dexters-web.de/f/test.json"</a>,"always":function () {
[ecmascript code] },"redirectCount":0,"error":"SSL error"}</tt><br class="">
<br class="">
…nor with opts.ssl_ca_cert = MyOvmsTLS.GetTrustedList(), it then
sometimes fails with…<br class="">
<br class="">
<tt class="">{"url":<a class="moz-txt-link-rfc2396E" href="https://dexters-web.de/f/test.json">"https://dexters-web.de/f/test.json"</a>,"always":function ()
{ [ecmascript code] },"redirectCount":0,"error":"Failed to create
SSL session"}</tt><br class="">
<br class="">
…but mostly causes some kind of lockup (USB console not responding)
and / or wifi / mongoose restart:<br class="">
<br class="">
<tt class="">I (55980) wifi: bcn_timout,ap_probe_send_start</tt><tt class=""><br class="">
</tt><tt class="">I (58480) wifi: ap_probe_send over, resett wifi status to
disassoc</tt><tt class=""><br class="">
</tt><tt class="">I (58480) wifi: state: run -> init (c800)</tt><tt class=""><br class="">
</tt><tt class="">I (58490) wifi: pm stop, total sleep time: 35296441 us /
53655320 us</tt><tt class=""><br class="">
</tt><tt class="">I (58490) wifi: new:<11,0>, old:<11,2>,
ap:<11,2>, sta:<11,0>, prof:11</tt><tt class=""><br class="">
</tt><tt class="">E (58490) mongoose: mg_ssl_if_mbed_err 0x3f85dd64 SSL
error: -1</tt><tt class=""><br class="">
</tt><tt class="">D (58520) events: Signal(server.web.socket.closed)</tt><tt class=""><br class="">
</tt><tt class="">I (58580) script: [eval:3:]
{"url":<a class="moz-txt-link-rfc2396E" href="https://dexters-web.de/f/test.json">"https://dexters-web.de/f/test.json"</a>,"always":function () {
[ecmascript code] },"redirectCount":0,"error":"SSL error"}</tt><tt class=""><br class="">
</tt><tt class="">W (58600) wifi: Haven't to connect to a suitable AP now!</tt><tt class=""><br class="">
</tt><tt class="">W (58630) wifi: Haven't to connect to a suitable AP now!</tt><tt class=""><br class="">
</tt><tt class="">W (58640) wifi: Haven't to connect to a suitable AP now!</tt><tt class=""><br class="">
</tt><tt class="">W (58660) wifi: Haven't to connect to a suitable AP now!</tt><tt class=""><br class="">
</tt><tt class="">W (58680) wifi: Haven't to connect to a suitable AP now!</tt><tt class=""><br class="">
</tt><tt class="">W (58700) wifi: Haven't to connect to a suitable AP now!</tt><tt class=""><br class="">
</tt><tt class="">W (58720) wifi: Haven't to connect to a suitable AP now!</tt><tt class=""><br class="">
</tt><tt class="">W (58740) wifi: Haven't to connect to a suitable AP now!</tt><tt class=""><br class="">
</tt><tt class="">D (58770) events: Signal(system.event)</tt><tt class=""><br class="">
</tt><tt class="">D (58780) events: Signal(system.wifi.sta.disconnected)</tt><br class="">
<br class="">
<br class="">
I've seen you set opts.ssl_server_name in server V2 & V3. This
could be left NULL for using the hostname before, is it now
necessary to set this?<br class="">
<br class="">
Regards,<br class="">
Michael<br class="">
<br class="">
<br class="">
<div class="moz-cite-prefix">Am 13.02.20 um 08:26 schrieb Mark
Webb-Johnson:<br class="">
</div>
<blockquote type="cite" cite="mid:FA48611F-5376-4758-A701-A4F901B83802@webb-johnson.net" class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<div class=""><br class="">
</div>
And #2 now done. To add to the trusted CA list we can now add the
CA into firmware (like the 3 already there), or put the PEM
formatted certificate in /store/trustedca on the module itself. A
set of commands (like ’tls trusted reload’, ’tls trusted list’,
etc) are also now provided to help management.
<div class=""><br class="">
</div>
<div class="">I’ve also added a short document to the user guide
to explain this.</div>
<div class=""><br class="">
</div>
<div class="">Regards, Mark.<br class="">
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 12 Feb 2020, at 3:25 PM, Mark Webb-Johnson
<<a href="mailto:mark@webb-johnson.net" class="" moz-do-not-send="true">mark@webb-johnson.net</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode:
space; line-break: after-white-space;" class="">I
managed to get quite a lot done last night, and just
committed my changes. Current status:
<div class=""><br class="">
</div>
<div class="">#1 is done. An extension had to be made to
mongoose to support this, so please update submodules.
I’ve added the trusted CAs for openvehicles, dexters
(letsencrypt) and pushover.</div>
<div class=""><br class="">
</div>
<div class="">#3 is done. A couple of lines of code. It
is enabled by ‘config set server.v2 tls yes’.</div>
<div class=""><br class="">
</div>
<div class=""><span style="caret-color: rgb(0, 0, 0);" class="">#4 is done. A couple of lines of code. It
is enabled by ‘config set server.v3 tls yes’.</span></div>
<div class=""><font class=""><span style="caret-color:
rgb(0, 0, 0);" class=""><br class="">
</span></font></div>
<div class=""><font class=""><span style="caret-color:
rgb(0, 0, 0);" class="">#5 is done, and live on <a href="http://api.openvehicles.com/" class="" moz-do-not-send="true">api.openvehicles.com</a>.</span></font></div>
<div class=""><font class=""><span style="caret-color:
rgb(0, 0, 0);" class=""><br class="">
</span></font></div>
<div class=""><font class=""><span style="caret-color:
rgb(0, 0, 0);" class="">#8 can start when ready.
Have a look at the ovms_server_v[23] code for an
example - it is literally a couple of lines to be
added.</span></font></div>
<div class=""><font class=""><span style="caret-color:
rgb(0, 0, 0);" class=""><br class="">
</span></font></div>
<div class=""><font class="">I did find a few servers
that didn’t support the segment size negotiation
option in SSL that we were relying on (including
mosquitto!). So had to change my sdkconfig to:</font></div>
<div class=""><font class=""><br class="">
</font></div>
<blockquote style="margin: 0 0 0 40px; border: none;
padding: 0px;" class="">
<div class=""><font class="">CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384</font></div>
</blockquote>
<div class=""><font class=""><br class="">
</font></div>
<div class=""><font class="">I suggest you do the same
for best compatibility.</font></div>
<div class=""><font class=""><br class="">
</font></div>
<div class=""><font class=""><span style="caret-color:
rgb(0, 0, 0);" class="">The rest is pending. I
will work on #2 next, then move on to the iOS App.</span></font></div>
<div class=""><font class=""><span style="caret-color:
rgb(0, 0, 0);" class=""><br class="">
</span></font></div>
<div class=""><font class=""><span style="caret-color:
rgb(0, 0, 0);" class="">Regards, Mark.<br class="">
</span></font>
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 10 Feb 2020, at 11:24 AM, Mark
Webb-Johnson <<a href="mailto:mark@webb-johnson.net" class="" moz-do-not-send="true">mark@webb-johnson.net</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space; line-break:
after-white-space;" class="">
<div class=""><br class="">
</div>
<div class="">Given that we use the mongoose
library for most of our stuff, adding SSL
support should not be hard. This would
finally bring strong encryption and server
side authentication. Given the number of
attacks now on IoT devices that would not be
a bad thing.</div>
<div class=""><br class="">
</div>
<div class="">I think what we need is:</div>
<div class=""><br class="">
</div>
<div class="">
<ol class="MailOutline">
<li class="">A set of helper functions to
make it easier for components to use
SSL. Build on top of mongoose.<br class="">
<br class="">
</li>
<li class="">A way to manage a list of
trusted Certificate Authorities,
including adding to the trusted list
via:<br class="">
</li>
<ul class="">
<li class=""><span style="caret-color:
rgb(0, 0, 0);" class="">Components
providing Certificate Authorities in
firmware.</span></li>
<li class=""><span style="caret-color:
rgb(0, 0, 0);" class="">Certificate
Authorities in configuration.<br class="">
<br class="">
</span></li>
</ul>
<li class="">Extensions to ovms_server_v2
to support an SSL connection option.<br class="">
<br class="">
</li>
<li class="">Extensions to ovms_server_v3
to support an SSL connection option.<br class="">
<br class="">
</li>
<li class="">Extensions to the Ovms Server
v2 code to support an SSL connection
listener.<br class="">
<br class="">
</li>
<li class="">Extensions to the iOS App to
support an SSL connection option.<br class="">
<br class="">
</li>
<li class=""><span style="caret-color:
rgb(0, 0, 0);" class="">Extensions to
the Android App to support an SSL
connection option.</span><br class="">
<br class="">
</li>
<li class="">Migration of any components
already supporting SSL to this new
standardised approach.<br class="">
<br class="">
</li>
<li class="">Then we can open up the
discussion of the whole thing of
passwords. We have far too many of these
at the moment (user account+password,
vehicle ID, server password, module
password, hologram account+password,
etc). Once we have an encrypted
connection, we don’t need to use the
password for encryption, but merely for
authentication. That simplifies things,
as we can perhaps just use the user
account+password for most things (giving
access to all vehicles registered under
that user account - in a similar way to
MQTT does it already for
ovms_server_v3).</li>
</ol>
</div>
<div class=""><br class="">
</div>
<div class="">I will take on the majority of
this project. I can do #1, #2, #3, #4, #5,
and #6).</div>
<div class=""><br class="">
</div>
<div class="">If anyone has any feedback on
requirements, please let me know.</div>
<div class=""><br class="">
</div>
<div class="">Regards, Mark.</div>
<div class=""><br class="">
</div>
</div>
_______________________________________________<br class="">
OvmsDev mailing list<br class="">
<a href="mailto:OvmsDev@lists.openvehicles.com" class="" moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a><br class="">
<a href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev" class="" moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
_______________________________________________<br class="">
OvmsDev mailing list<br class="">
<a href="mailto:OvmsDev@lists.openvehicles.com" class="" moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a><br class="">
<a class="moz-txt-link-freetext" href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
<br class="">
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
OvmsDev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OvmsDev@lists.openvehicles.com">OvmsDev@lists.openvehicles.com</a>
<a class="moz-txt-link-freetext" href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a>
</pre>
</blockquote>
<br class="">
<pre class="moz-signature" cols="160">--
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
</pre>
</div>
_______________________________________________<br class="">OvmsDev mailing list<br class=""><a href="mailto:OvmsDev@lists.openvehicles.com" class="">OvmsDev@lists.openvehicles.com</a><br class="">http://lists.openvehicles.com/mailman/listinfo/ovmsdev<br class=""></div></blockquote></div><br class=""></div></body></html>