<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Michael,<div class=""><br class=""></div><div class="">I am getting:</div><div class=""><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class=""><div class="">OVMS# script eval 'HTTP.Request({url: "<a href="http://dexters-web.de/f/test.json" class="">http://dexters-web.de/f/test.json</a>",always: function() { JSON.print(this, false); } });'</div><div class="">I (140781) script: [eval:1:] {"url":"<a href="https://dexters-web.de/f/test.json" class="">https://dexters-web.de/f/test.json</a>","always":function () { [ecmascript code] },"redirectCount":1,"error":"","response":{"statusCode":200,"statusText":"OK","body":"{\"foo\":\"bar\"}","headers":[{"Date":"Fri, 14 Feb 2020 08:45:05 GMT"},{"Server":"Apache/2.2.15 (CentOS)"},{"Last-Modified":"Sun, 01 Dec 2019 20:36:31 GMT"},{"ETag":"\"73806cb-d-598aa6b0f7003\""},{"Accept-Ranges":"bytes"},{"Content-Length":"13"},{"Cache-Control":"max-age=0"},{"Expires":"Fri, 14 Feb 2020 08:45:05 GMT"},{"Content-Type":"application/json"}]}}</div><div class=""><br class=""></div><div class="">OVMS# script eval 'HTTP.Request({url: "<a href="https://dexters-web.de/f/test.json" class="">https://dexters-web.de/f/test.json</a>",always: function() { JSON.print(this, false); } });'</div><div class="">I (169991) script: [eval:1:] {"url":"<a href="https://dexters-web.de/f/test.json" class="">https://dexters-web.de/f/test.json</a>","always":function () { [ecmascript code] },"redirectCount":0,"error":"","response":{"statusCode":200,"statusText":"OK","body":"{\"foo\":\"bar\"}","headers":[{"Date":"Fri, 14 Feb 2020 08:45:34 GMT"},{"Server":"Apache/2.2.15 (CentOS)"},{"Last-Modified":"Sun, 01 Dec 2019 20:36:31 
GMT"},{"ETag":"\"73806cb-d-598aa6b0f7003\""},{"Accept-Ranges":"bytes"},{"Content-Length":"13"},{"Cache-Control":"max-age=0"},{"Expires":"Fri, 14 Feb 2020 08:45:34 GMT"},{"Content-Type":"application/json"}]}}</div><div class=""><br class=""></div><div class="">OVMS# metrics list version</div><div class="">m.version                                3.2.010-15-g931ca3d3-dirty/factory/edge (build idf v3.3-beta3-770-ge97f72ea2 Feb 13 2020 13:01:16)</div></div></blockquote><div class=""><div><br class=""></div><div>That seems correct to me.</div><div><br class=""></div><div>Maybe increased RAM usage for you? Is your memory status ok?</div><div><br class=""></div><div>The change I made to mongoose would only have an effect if the ca_cert started with “-----”. Nothing else should have changed (at least in that part). Maybe the increase of fragment size to 16384 has impacted something?</div><div><br class=""></div><div><blockquote type="cite" class=""><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">I've seen you set opts.ssl_server_name in server V2 & V3. This could be left NULL for using the hostname before, is it now necessary to set this?</span></blockquote><br class=""></div><div>I think you are right. I hadn’t noticed that default ca_cert != NULL, but server_name is null. 
I don’t think it is necessary to set explicitly, but should not matter.</div><div class=""><br class=""></div><div>However, I have just noticed:</div></div><div class=""><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><pre class="" style="font-family: 'Andale Mono', monospace; font-size: 14px;">void mg_ssl_if_conn_free(struct mg_connection *nc) {
  struct mg_ssl_if_ctx *ctx = (struct mg_ssl_if_ctx *) nc->ssl_if_data;
  if (ctx == NULL) return;
  nc->ssl_if_data = NULL;
  MG_FREE(ctx->ssl_cert);
  MG_FREE(ctx->ssl_key);
  MG_FREE(ctx->ssl_ca_cert);
  MG_FREE(ctx->ssl_server_name);
  memset(ctx, 0, sizeof(*ctx));
  MG_FREE(ctx);
}</pre></blockquote><div class=""><div><br class=""></div><div>Which is scary. 
But that seems to be the ’simplessl’ version of that function. There are two other ones, for different SSL implementations, which seem to behave differently. That monolithic mongoose.{h,c} is really confusing to work through. Maybe I should look at their python mechanism to pack/unpack from individual scripts and then try to build a mongoose.{h,c} specific to our needs (without the crud we don’t use such as openssl, simplessl)?</div><div><br class=""></div><div>Regards, Mark.</div><div><br class=""><blockquote type="cite" class=""><div class="">On 14 Feb 2020, at 6:25 AM, Michael Balzer <<a href="mailto:dexter@expeedo.de" class="">dexter@expeedo.de</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
  
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
  
  <div class="">
    Mark,<br class="">
    <br class="">
    something's wrong now with the Mongoose SSL support. I could do this
    JavaScript call before (example from scripting API doc):<br class="">
    <br class="">
    <tt class="">      HTTP.Request({</tt><tt class=""><br class="">
    </tt><tt class="">        url: <a class="moz-txt-link-rfc2396E" href="https://dexters-web.de/f/test.json">"https://dexters-web.de/f/test.json"</a>,</tt><tt class=""><br class="">
    </tt><tt class="">        always: function() { JSON.print(this, false); }</tt><tt class=""><br class="">
    </tt><tt class="">      });</tt><br class="">
    <br class="">
    This now no longer works, neither with the previous opts.ssl_ca_cert
    = "*":<br class="">
    <br class="">
    <tt class="">E (37350) mongoose: mg_ssl_if_mbed_err   0x3f85befc SSL error:
      -17040</tt><tt class=""><br class="">
    </tt><tt class="">I (37410) script: [eval:3:]
      {"url":<a class="moz-txt-link-rfc2396E" href="https://dexters-web.de/f/test.json">"https://dexters-web.de/f/test.json"</a>,"always":function () {
      [ecmascript code] },"redirectCount":0,"error":"SSL error"}</tt><br class="">
    <br class="">
    …nor with opts.ssl_ca_cert = MyOvmsTLS.GetTrustedList(), it then
    sometimes fails with…<br class="">
    <br class="">
    <tt class="">{"url":<a class="moz-txt-link-rfc2396E" href="https://dexters-web.de/f/test.json">"https://dexters-web.de/f/test.json"</a>,"always":function ()
      { [ecmascript code] },"redirectCount":0,"error":"Failed to create
      SSL session"}</tt><br class="">
    <br class="">
    …but mostly causes some kind of lockup (USB console not responding)
    and / or wifi / mongoose restart:<br class="">
    <br class="">
    <tt class="">I (55980) wifi: bcn_timout,ap_probe_send_start</tt><tt class=""><br class="">
    </tt><tt class="">I (58480) wifi: ap_probe_send over, resett wifi status to
      disassoc</tt><tt class=""><br class="">
    </tt><tt class="">I (58480) wifi: state: run -> init (c800)</tt><tt class=""><br class="">
    </tt><tt class="">I (58490) wifi: pm stop, total sleep time: 35296441 us /
      53655320 us</tt><tt class=""><br class="">
    </tt><tt class="">I (58490) wifi: new:<11,0>, old:<11,2>,
      ap:<11,2>, sta:<11,0>, prof:11</tt><tt class=""><br class="">
    </tt><tt class="">E (58490) mongoose: mg_ssl_if_mbed_err   0x3f85dd64 SSL
      error: -1</tt><tt class=""><br class="">
    </tt><tt class="">D (58520) events: Signal(server.web.socket.closed)</tt><tt class=""><br class="">
    </tt><tt class="">I (58580) script: [eval:3:]
      {"url":<a class="moz-txt-link-rfc2396E" href="https://dexters-web.de/f/test.json">"https://dexters-web.de/f/test.json"</a>,"always":function () {
      [ecmascript code] },"redirectCount":0,"error":"SSL error"}</tt><tt class=""><br class="">
    </tt><tt class="">W (58600) wifi: Haven't to connect to a suitable AP now!</tt><tt class=""><br class="">
    </tt><tt class="">W (58630) wifi: Haven't to connect to a suitable AP now!</tt><tt class=""><br class="">
    </tt><tt class="">W (58640) wifi: Haven't to connect to a suitable AP now!</tt><tt class=""><br class="">
    </tt><tt class="">W (58660) wifi: Haven't to connect to a suitable AP now!</tt><tt class=""><br class="">
    </tt><tt class="">W (58680) wifi: Haven't to connect to a suitable AP now!</tt><tt class=""><br class="">
    </tt><tt class="">W (58700) wifi: Haven't to connect to a suitable AP now!</tt><tt class=""><br class="">
    </tt><tt class="">W (58720) wifi: Haven't to connect to a suitable AP now!</tt><tt class=""><br class="">
    </tt><tt class="">W (58740) wifi: Haven't to connect to a suitable AP now!</tt><tt class=""><br class="">
    </tt><tt class="">D (58770) events: Signal(system.event)</tt><tt class=""><br class="">
    </tt><tt class="">D (58780) events: Signal(system.wifi.sta.disconnected)</tt><br class="">
    <br class="">
    <br class="">
    I've seen you set opts.ssl_server_name in server V2 & V3. This
    could be left NULL for using the hostname before, is it now
    necessary to set this?<br class="">
    <br class="">
    Regards,<br class="">
    Michael<br class="">
    <br class="">
    <br class="">
    <div class="moz-cite-prefix">On 13.02.20 at 08:26, Mark
      Webb-Johnson wrote:<br class="">
    </div>
    <blockquote type="cite" cite="mid:FA48611F-5376-4758-A701-A4F901B83802@webb-johnson.net" class="">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
      <div class=""><br class="">
      </div>
      And #2 now done. To add to the trusted CA list we can now add the
      CA into firmware (like the 3 already there), or put the PEM
      formatted certificate in /store/trustedca on the module itself. A
      set of commands (like ‘tls trusted reload’, ‘tls trusted list’,
      etc.) is also now provided to help management.
      <div class=""><br class="">
      </div>
      <div class="">I’ve also added a short document to the user guide
        to explain this.</div>
      <div class=""><br class="">
      </div>
      <div class="">Regards, Mark.<br class="">
        <div class=""><br class="">
          <blockquote type="cite" class="">
            <div class="">On 12 Feb 2020, at 3:25 PM, Mark Webb-Johnson
              <<a href="mailto:mark@webb-johnson.net" class="" moz-do-not-send="true">mark@webb-johnson.net</a>>
              wrote:</div>
            <br class="Apple-interchange-newline">
            <div class="">
              <meta http-equiv="Content-Type" content="text/html;
                charset=UTF-8" class="">
              <div style="word-wrap: break-word; -webkit-nbsp-mode:
                space; line-break: after-white-space;" class="">I
                managed to get quite a lot done last night, and just
                committed my changes. Current status:
                <div class=""><br class="">
                </div>
                <div class="">#1 is done. An extension had to be made to
                  mongoose to support this, so please update submodules.
                  I’ve added the trusted CAs for openvehicles, dexters
                  (letsencrypt) and pushover.</div>
                <div class=""><br class="">
                </div>
                <div class="">#3 is done. A couple of lines of code. It
                  is enabled by ‘config set server.v2 tls yes’.</div>
                <div class=""><br class="">
                </div>
                <div class=""><span style="caret-color: rgb(0, 0, 0);" class="">#4 is done. A couple of lines of code. It
                    is enabled by ‘config set server.v3 tls yes’.</span></div>
                <div class=""><font class=""><span style="caret-color:
                      rgb(0, 0, 0);" class=""><br class="">
                    </span></font></div>
                <div class=""><font class=""><span style="caret-color:
                      rgb(0, 0, 0);" class="">#5 is done, and live on <a href="http://api.openvehicles.com/" class="" moz-do-not-send="true">api.openvehicles.com</a>.</span></font></div>
                <div class=""><font class=""><span style="caret-color:
                      rgb(0, 0, 0);" class=""><br class="">
                    </span></font></div>
                <div class=""><font class=""><span style="caret-color:
                      rgb(0, 0, 0);" class="">#8 can start when ready.
                      Have a look at the ovms_server_v[23] code for an
                      example - it is literally a couple of lines to be
                      added.</span></font></div>
                <div class=""><font class=""><span style="caret-color:
                      rgb(0, 0, 0);" class=""><br class="">
                    </span></font></div>
                <div class=""><font class="">I did find a few servers
                    that didn’t support the segment size negotiation
                    option in SSL that we were relying on (including
                    mosquitto!). So had to change my sdkconfig to:</font></div>
                <div class=""><font class=""><br class="">
                  </font></div>
                <blockquote style="margin: 0 0 0 40px; border: none;
                  padding: 0px;" class="">
                  <div class=""><font class="">CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384</font></div>
                </blockquote>
                <div class=""><font class=""><br class="">
                  </font></div>
                <div class=""><font class="">I suggest you do the same
                    for best compatibility.</font></div>
                <div class=""><font class=""><br class="">
                  </font></div>
                <div class=""><font class=""><span style="caret-color:
                      rgb(0, 0, 0);" class="">The rest is pending. I
                      will work on #2 next, then move on to the iOS App.</span></font></div>
                <div class=""><font class=""><span style="caret-color:
                      rgb(0, 0, 0);" class=""><br class="">
                    </span></font></div>
                <div class=""><font class=""><span style="caret-color:
                      rgb(0, 0, 0);" class="">Regards, Mark.<br class="">
                    </span></font>
                  <div class=""><br class="">
                    <blockquote type="cite" class="">
                      <div class="">On 10 Feb 2020, at 11:24 AM, Mark
                        Webb-Johnson <<a href="mailto:mark@webb-johnson.net" class="" moz-do-not-send="true">mark@webb-johnson.net</a>>
                        wrote:</div>
                      <br class="Apple-interchange-newline">
                      <div class="">
                        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
                        <div style="word-wrap: break-word;
                          -webkit-nbsp-mode: space; line-break:
                          after-white-space;" class="">
                          <div class=""><br class="">
                          </div>
                          <div class="">Given that we use the mongoose
                            library for most of our stuff, adding SSL
                            support should not be hard. This would
                            finally bring strong encryption and server
                            side authentication. Given the number of
                            attacks now on IoT devices that would not be
                            a bad thing.</div>
                          <div class=""><br class="">
                          </div>
                          <div class="">I think what we need is:</div>
                          <div class=""><br class="">
                          </div>
                          <div class="">
                            <ol class="MailOutline">
                              <li class="">A set of helper functions to
                                make it easier for components to use
                                SSL. Build on top of mongoose.<br class="">
                                <br class="">
                              </li>
                              <li class="">A way to manage a list of
                                trusted Certificate Authorities,
                                including adding to the trusted list
                                via:<br class="">
                              </li>
                              <ul class="">
                                <li class=""><span style="caret-color:
                                    rgb(0, 0, 0);" class="">Components
                                    providing Certificate Authorities in
                                    firmware.</span></li>
                                <li class=""><span style="caret-color:
                                    rgb(0, 0, 0);" class="">Certificate
                                    Authorities in configuration.<br class="">
                                    <br class="">
                                  </span></li>
                              </ul>
                              <li class="">Extensions to ovms_server_v2
                                to support an SSL connection option.<br class="">
                                <br class="">
                              </li>
                              <li class="">Extensions to ovms_server_v3
                                to support an SSL connection option.<br class="">
                                <br class="">
                              </li>
                              <li class="">Extensions to the Ovms Server
                                v2 code to support an SSL connection
                                listener.<br class="">
                                <br class="">
                              </li>
                              <li class="">Extensions to the iOS App to
                                support an SSL connection option.<br class="">
                                <br class="">
                              </li>
                              <li class=""><span style="caret-color:
                                  rgb(0, 0, 0);" class="">Extensions to
                                  the Android App to support an SSL
                                  connection option.</span><br class="">
                                <br class="">
                              </li>
                              <li class="">Migration of any components
                                already supporting SSL to this new
                                standardised approach.<br class="">
                                <br class="">
                              </li>
                              <li class="">Then we can open up the
                                discussion of the whole thing of
                                passwords. We have far too many of these
                                at the moment (user account+password,
                                vehicle ID, server password, module
                                password, hologram account+password,
                                etc). Once we have an encrypted
                                connection, we don’t need to use the
                                password for encryption, but merely for
                                authentication. That simplifies things,
                                as we can perhaps just use the user
                                account+password for most things (giving
                                access to all vehicles registered under
                                that user account - in a similar way to
                                MQTT does it already for
                                ovms_server_v3).</li>
                            </ol>
                          </div>
                          <div class=""><br class="">
                          </div>
                          <div class="">I will take on the majority of
                            this project. I can do #1, #2, #3, #4, #5,
                            and #6.</div>
                          <div class=""><br class="">
                          </div>
                          <div class="">If anyone has any feedback on
                            requirements, please let me know.</div>
                          <div class=""><br class="">
                          </div>
                          <div class="">Regards, Mark.</div>
                          <div class=""><br class="">
                          </div>
                        </div>
                        _______________________________________________<br class="">
                        OvmsDev mailing list<br class="">
                        <a href="mailto:OvmsDev@lists.openvehicles.com" class="" moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a><br class="">
                        <a href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev" class="" moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a><br class="">
                      </div>
                    </blockquote>
                  </div>
                  <br class="">
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br class="">
      </div>
      <br class="">
    </blockquote>
    <br class="">
    <pre class="moz-signature" cols="160">-- 
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
</pre>
  </div>

</div></blockquote></div><br class=""></div></body></html>