<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Mark,<br>
<br>
it's really a memory issue, but I wouldn't have expected that,
given…<br>
<blockquote><tt>OVMS# mo me</tt><br>
<tt>Free 8-bit 58944/271108, 32-bit 1900/27848, SPIRAM
3761072/4194252</tt><br>
</blockquote>
Switching to vehicle NONE gave me<br>
<blockquote><tt>OVMS# mo me</tt><br>
<tt>Free 8-bit 69124/271108, 32-bit 1900/27848, SPIRAM
3802648/4194252</tt><br>
</blockquote>
… and a working HTTP.Request with SSL (but it's sloooooow, see
below).<br>
<br>
I now did some more tests and could get it working with…<br>
<blockquote><tt>> CONFIG_MBEDTLS_EXTERNAL_MEM_ALLOC=y</tt><br>
</blockquote>
… so I assume we need to add that change to our default sdkconfig as
well.<br>
<br>
Regarding the performance, SSL connections are somewhere between
awful & unusable now. Test:<br>
<blockquote><tt>(function(){</tt><br>
<tt> var t0 = performance.now();</tt><br>
<tt> HTTP.Request({</tt><br>
<tt> url: <a class="moz-txt-link-rfc2396E" href="http://ovms.dexters-web.de/f/test.json">"http://ovms.dexters-web.de/f/test.json"</a>,</tt><br>
<tt> always: function() {</tt><br>
<tt> var t1 = performance.now();</tt><br>
<tt> print(this.url + " => " + (t1-t0).toFixed(0) + " ms,
body.length=" + this.response.body.length);</tt><br>
<tt> }</tt><br>
<tt> });</tt><br>
<tt>})();</tt><br>
</blockquote>
This gives me:<br>
<blockquote><tt>I (520500) script: [eval:7:]
<a class="moz-txt-link-freetext" href="http://ovms.dexters-web.de/f/test.json">http://ovms.dexters-web.de/f/test.json</a> => 267 ms,
body.length=13</tt><br>
<tt>I (550250) script: [eval:7:]
<a class="moz-txt-link-freetext" href="https://ovms.dexters-web.de/f/test.json">https://ovms.dexters-web.de/f/test.json</a> => 5347 ms,
body.length=13<br>
… up to …</tt><br>
<tt>I (68270) script: [eval:7:]
<a class="moz-txt-link-freetext" href="https://ovms.dexters-web.de/f/test.json">https://ovms.dexters-web.de/f/test.json</a> => 11930 ms,
body.length=13</tt><br>
</blockquote>
… regardless of actually using the CA verification or reverting to
"*".<br>
<br>
I don't know how much of this is TLS session init overhead. Do you
have better performance with the persistent V2 SSL connection?
Haven't had time to test that yet.<br>
<br>
Regards,<br>
Michael<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 14.02.20 at 10:08, Mark
Webb-Johnson wrote:<br>
</div>
<blockquote type="cite"
cite="mid:8417C4F5-10C2-4008-BA0C-0100DC2DE4ED@webb-johnson.net">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
Michael,
<div class=""><br class="">
</div>
<div class="">I am getting:</div>
<div class=""><br class="">
</div>
<blockquote style="margin: 0 0 0 40px; border: none; padding:
0px;" class="">
<div class="">
<div class="">OVMS# script eval 'HTTP.Request({url: "<a
href="http://dexters-web.de/f/test.json" class=""
moz-do-not-send="true">http://dexters-web.de/f/test.json</a>",always:
function() { JSON.print(this, false); } });'</div>
<div class="">I (140781) script: [eval:1:] {"url":"<a
href="https://dexters-web.de/f/test.json" class=""
moz-do-not-send="true">https://dexters-web.de/f/test.json</a>","always":function
() { [ecmascript code]
},"redirectCount":1,"error":"","response":{"statusCode":200,"statusText":"OK","body":"{\"foo\":\"bar\"}","headers":[{"Date":"Fri,
14 Feb 2020 08:45:05 GMT"},{"Server":"Apache/2.2.15
(CentOS)"},{"Last-Modified":"Sun, 01 Dec 2019 20:36:31
GMT"},{"ETag":"\"73806cb-d-598aa6b0f7003\""},{"Accept-Ranges":"bytes"},{"Content-Length":"13"},{"Cache-Control":"max-age=0"},{"Expires":"Fri,
14 Feb 2020 08:45:05
GMT"},{"Content-Type":"application/json"}]}}</div>
<div class=""><br class="">
</div>
<div class="">OVMS# script eval 'HTTP.Request({url: "<a
href="https://dexters-web.de/f/test.json" class=""
moz-do-not-send="true">https://dexters-web.de/f/test.json</a>",always:
function() { JSON.print(this, false); } });'</div>
<div class="">I (169991) script: [eval:1:] {"url":"<a
href="https://dexters-web.de/f/test.json" class=""
moz-do-not-send="true">https://dexters-web.de/f/test.json</a>","always":function
() { [ecmascript code]
},"redirectCount":0,"error":"","response":{"statusCode":200,"statusText":"OK","body":"{\"foo\":\"bar\"}","headers":[{"Date":"Fri,
14 Feb 2020 08:45:34 GMT"},{"Server":"Apache/2.2.15
(CentOS)"},{"Last-Modified":"Sun, 01 Dec 2019 20:36:31
GMT"},{"ETag":"\"73806cb-d-598aa6b0f7003\""},{"Accept-Ranges":"bytes"},{"Content-Length":"13"},{"Cache-Control":"max-age=0"},{"Expires":"Fri,
14 Feb 2020 08:45:34
GMT"},{"Content-Type":"application/json"}]}}</div>
<div class=""><br class="">
</div>
<div class="">OVMS# metrics list version</div>
<div class="">m.version
3.2.010-15-g931ca3d3-dirty/factory/edge (build idf
v3.3-beta3-770-ge97f72ea2 Feb 13 2020 13:01:16)</div>
</div>
</blockquote>
<div class="">
<div><br class="">
</div>
<div>That seems correct to me.</div>
<div><br class="">
</div>
<div>Maybe increased ram usage for you? Is your memory status ok?</div>
<div><br class="">
</div>
<div>The change I made to mongoose would only affect if the
ca_cert started with “-----“. Nothing else should have changed
(at least in that part). Maybe the increase of fragment size
to 16384 has impacted something?</div>
<div><br class="">
</div>
<div>
<blockquote type="cite" class=""><span style="caret-color:
rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">I've seen you
set opts.ssl_server_name in server V2 & V3. This could
be left NULL for using the hostname before, is it now
necessary to set this?</span></blockquote>
<br class="">
</div>
<div>I think you are right. I hadn’t noticed that default
ca_cert != NULL, but server_name is null. I don’t think it is
necessary to set explicitly, but should not matter.</div>
<div><br class="">
</div>
<div>However, I have just noticed:</div>
</div>
<div><br class="">
</div>
<blockquote style="margin: 0 0 0 40px; border: none; padding:
0px;" class="">
<div class="">
<div>
<div><font class="" face="Andale Mono"><span
style="font-style: normal; font-size: 14px;" class="">void
mg_ssl_if_conn_free(struct mg_connection *nc) {</span></font></div>
<div><font class="" face="Andale Mono"><span
style="font-style: normal; font-size: 14px;" class="">
struct mg_ssl_if_ctx *ctx = (struct mg_ssl_if_ctx *)
nc->ssl_if_data;</span></font></div>
<div><font class="" face="Andale Mono"><span
style="font-style: normal; font-size: 14px;" class="">
if (ctx == NULL) return;</span></font></div>
<div><font class="" face="Andale Mono"><span
style="font-style: normal; font-size: 14px;" class="">
nc->ssl_if_data = NULL;</span></font></div>
<div><font class="" face="Andale Mono"><span
style="font-style: normal; font-size: 14px;" class="">
MG_FREE(ctx->ssl_cert);</span></font></div>
<div><font class="" face="Andale Mono"><span
style="font-style: normal; font-size: 14px;" class="">
MG_FREE(ctx->ssl_key);</span></font></div>
<div><font class="" face="Andale Mono"><span
style="font-style: normal; font-size: 14px;" class="">
MG_FREE(ctx->ssl_ca_cert);</span></font></div>
<div><font class="" face="Andale Mono"><span
style="font-style: normal; font-size: 14px;" class="">
MG_FREE(ctx->ssl_server_name);</span></font></div>
<div><font class="" face="Andale Mono"><span
style="font-style: normal; font-size: 14px;" class="">
memset(ctx, 0, sizeof(*ctx));</span></font></div>
<div><font class="" face="Andale Mono"><span
style="font-style: normal; font-size: 14px;" class="">
MG_FREE(ctx);</span></font></div>
<div><font class="" face="Andale Mono"><span
style="font-style: normal; font-size: 14px;" class="">}</span></font></div>
</div>
</div>
</blockquote>
<div class="">
<div><br class="">
</div>
<div>Which is scary. But that seems to be the ’simplessl’
version of that function. There are two other ones, for
different SSL implementations, which seem to behave
differently. That monolithic mongoose.{h,c} is really
confusing to work through. Maybe I should look at their python
mechanism to pack/unpack from individual scripts and then try
to build a mongoose.{h,c} specific to our needs (without the
crud we don’t use such as openssl, simplessl)?</div>
<div><br class="">
</div>
<div>Regards, Mark.</div>
<div><br class="">
<blockquote type="cite" class="">
<div class="">On 14 Feb 2020, at 6:25 AM, Michael Balzer
<<a href="mailto:dexter@expeedo.de" class=""
moz-do-not-send="true">dexter@expeedo.de</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" class="">
<div class=""> Mark,<br class="">
<br class="">
something's wrong now with the Mongoose SSL support. I
could do this javascript call before (example from
scripting API doc):<br class="">
<br class="">
<tt class=""> HTTP.Request({</tt><tt class=""><br
class="">
</tt><tt class=""> url: <a
class="moz-txt-link-rfc2396E"
href="https://dexters-web.de/f/test.json"
moz-do-not-send="true">"https://dexters-web.de/f/test.json"</a>,</tt><tt
class=""><br class="">
</tt><tt class=""> always: function() {
JSON.print(this, false); }</tt><tt class=""><br
class="">
</tt><tt class=""> });</tt><br class="">
<br class="">
This now no longer works, neither with the previous
opts.ssl_ca_cert = "*":<br class="">
<br class="">
<tt class="">E (37350) mongoose: mg_ssl_if_mbed_err
0x3f85befc SSL error: -17040</tt><tt class=""><br
class="">
</tt><tt class="">I (37410) script: [eval:3:] {"url":<a
class="moz-txt-link-rfc2396E"
href="https://dexters-web.de/f/test.json"
moz-do-not-send="true">"https://dexters-web.de/f/test.json"</a>,"always":function
() { [ecmascript code]
},"redirectCount":0,"error":"SSL error"}</tt><br
class="">
<br class="">
…nor with opts.ssl_ca_cert = MyOvmsTLS.GetTrustedList(),
it then sometimes fails with…<br class="">
<br class="">
<tt class="">{"url":<a class="moz-txt-link-rfc2396E"
href="https://dexters-web.de/f/test.json"
moz-do-not-send="true">"https://dexters-web.de/f/test.json"</a>,"always":function
() { [ecmascript code]
},"redirectCount":0,"error":"Failed to create SSL
session"}</tt><br class="">
<br class="">
…but mostly causes some kind of lockup (USB console not
responding) and / or wifi / mongoose restart:<br
class="">
<br class="">
<tt class="">I (55980) wifi:
bcn_timout,ap_probe_send_start</tt><tt class=""><br
class="">
</tt><tt class="">I (58480) wifi: ap_probe_send over,
resett wifi status to disassoc</tt><tt class=""><br
class="">
</tt><tt class="">I (58480) wifi: state: run -> init
(c800)</tt><tt class=""><br class="">
</tt><tt class="">I (58490) wifi: pm stop, total sleep
time: 35296441 us / 53655320 us</tt><tt class=""><br
class="">
</tt><tt class="">I (58490) wifi: new:<11,0>,
old:<11,2>, ap:<11,2>, sta:<11,0>,
prof:11</tt><tt class=""><br class="">
</tt><tt class="">E (58490) mongoose:
mg_ssl_if_mbed_err 0x3f85dd64 SSL error: -1</tt><tt
class=""><br class="">
</tt><tt class="">D (58520) events:
Signal(server.web.socket.closed)</tt><tt class=""><br
class="">
</tt><tt class="">I (58580) script: [eval:3:] {"url":<a
class="moz-txt-link-rfc2396E"
href="https://dexters-web.de/f/test.json"
moz-do-not-send="true">"https://dexters-web.de/f/test.json"</a>,"always":function
() { [ecmascript code]
},"redirectCount":0,"error":"SSL error"}</tt><tt
class=""><br class="">
</tt><tt class="">W (58600) wifi: Haven't to connect to
a suitable AP now!</tt><tt class=""><br class="">
</tt><tt class="">W (58630) wifi: Haven't to connect to
a suitable AP now!</tt><tt class=""><br class="">
</tt><tt class="">W (58640) wifi: Haven't to connect to
a suitable AP now!</tt><tt class=""><br class="">
</tt><tt class="">W (58660) wifi: Haven't to connect to
a suitable AP now!</tt><tt class=""><br class="">
</tt><tt class="">W (58680) wifi: Haven't to connect to
a suitable AP now!</tt><tt class=""><br class="">
</tt><tt class="">W (58700) wifi: Haven't to connect to
a suitable AP now!</tt><tt class=""><br class="">
</tt><tt class="">W (58720) wifi: Haven't to connect to
a suitable AP now!</tt><tt class=""><br class="">
</tt><tt class="">W (58740) wifi: Haven't to connect to
a suitable AP now!</tt><tt class=""><br class="">
</tt><tt class="">D (58770) events: Signal(system.event)</tt><tt
class=""><br class="">
</tt><tt class="">D (58780) events:
Signal(system.wifi.sta.disconnected)</tt><br class="">
<br class="">
<br class="">
I've seen you set opts.ssl_server_name in server V2
& V3. This could be left NULL for using the hostname
before, is it now necessary to set this?<br class="">
<br class="">
Regards,<br class="">
Michael<br class="">
<br class="">
<br class="">
<div class="moz-cite-prefix">On 13.02.20 at 08:26,
Mark Webb-Johnson wrote:<br class="">
</div>
<blockquote type="cite"
cite="mid:FA48611F-5376-4758-A701-A4F901B83802@webb-johnson.net"
class="">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" class="">
<div class=""><br class="">
</div>
And #2 now done. To add to the trusted CA list we can
now add the CA into firmware (like the 3 already
there), or put the PEM formatted certificate in
/store/trustedca on the module itself. A set of
commands (like ’tls trusted reload’, ’tls trusted
list’, etc) are also now provided to help management.
<div class=""><br class="">
</div>
<div class="">I’ve also added a short document to the
user guide to explain this.</div>
<div class=""><br class="">
</div>
<div class="">Regards, Mark.<br class="">
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 12 Feb 2020, at 3:25 PM, Mark
Webb-Johnson <<a
href="mailto:mark@webb-johnson.net" class=""
moz-do-not-send="true">mark@webb-johnson.net</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type"
content="text/html; charset=UTF-8" class="">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space; line-break:
after-white-space;" class="">I managed to
get quite a lot done last night, and just
committed my changes. Current status:
<div class=""><br class="">
</div>
<div class="">#1 is done. An extension had
to be made to mongoose to support this, so
please update submodules. I’ve added the
trusted CAs for openvehicles, dexters
(letsencrypt) and pushover.</div>
<div class=""><br class="">
</div>
<div class="">#3 is done. A couple of lines
of code. It is enabled by ‘config set
server.v2 tls yes’.</div>
<div class=""><br class="">
</div>
<div class=""><span style="caret-color:
rgb(0, 0, 0);" class="">#4 is done. A
couple of lines of code. It is enabled
by ‘config set server.v3 tls yes’.</span></div>
<div class=""><font class=""><span
style="caret-color: rgb(0, 0, 0);"
class=""><br class="">
</span></font></div>
<div class=""><font class=""><span
style="caret-color: rgb(0, 0, 0);"
class="">#5 is done, and live on <a
href="http://api.openvehicles.com/"
class="" moz-do-not-send="true">api.openvehicles.com</a>.</span></font></div>
<div class=""><font class=""><span
style="caret-color: rgb(0, 0, 0);"
class=""><br class="">
</span></font></div>
<div class=""><font class=""><span
style="caret-color: rgb(0, 0, 0);"
class="">#8 can start when ready. Have
a look at the ovms_server_v[23] code
for an example - it is literally a
couple of lines to be added.</span></font></div>
<div class=""><font class=""><span
style="caret-color: rgb(0, 0, 0);"
class=""><br class="">
</span></font></div>
<div class=""><font class="">I did find a
few servers that didn’t support the
segment size negotiation option in SSL
that we were relying on (including
mosquitto!). So had to change my
sdkconfig to:</font></div>
<div class=""><font class=""><br class="">
</font></div>
<blockquote style="margin: 0 0 0 40px;
border: none; padding: 0px;" class="">
<div class=""><font class="">CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384</font></div>
</blockquote>
<div class=""><font class=""><br class="">
</font></div>
<div class=""><font class="">I suggest you
do the same for best compatibility.</font></div>
<div class=""><font class=""><br class="">
</font></div>
<div class=""><font class=""><span
style="caret-color: rgb(0, 0, 0);"
class="">The rest is pending. I will
work on #2 next, then move on to the
iOS App.</span></font></div>
<div class=""><font class=""><span
style="caret-color: rgb(0, 0, 0);"
class=""><br class="">
</span></font></div>
<div class=""><font class=""><span
style="caret-color: rgb(0, 0, 0);"
class="">Regards, Mark.<br class="">
</span></font>
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 10 Feb 2020, at 11:24
AM, Mark Webb-Johnson <<a
href="mailto:mark@webb-johnson.net"
class="" moz-do-not-send="true">mark@webb-johnson.net</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type"
content="text/html; charset=UTF-8"
class="">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space;
line-break: after-white-space;"
class="">
<div class=""><br class="">
</div>
<div class="">Given that we use
the mongoose library for most of
our stuff, adding SSL support
should not be hard. This would
finally bring strong encryption
and server side authentication.
Given the number of attacks now
on IoT devices that would not be
a bad thing.</div>
<div class=""><br class="">
</div>
<div class="">I think what we need
is:</div>
<div class=""><br class="">
</div>
<div class="">
<ol class="MailOutline">
<li class="">A set of helper
functions to make it easier
for components to use SSL.
Build on top of mongoose.<br
class="">
<br class="">
</li>
<li class="">A way to manage a
list of trusted Certificate
Authorities, including
adding to the trusted list
via:<br class="">
</li>
<ul class="">
<li class=""><span
style="caret-color:
rgb(0, 0, 0);" class="">Components
providing Certificate
Authorities in firmware.</span></li>
<li class=""><span
style="caret-color:
rgb(0, 0, 0);" class="">Certificate
Authorities in
configuration.<br
class="">
<br class="">
</span></li>
</ul>
<li class="">Extensions to
ovms_server_v2 to support an
SSL connection option.<br
class="">
<br class="">
</li>
<li class="">Extensions to
ovms_server_v3 to support an
SSL connection option.<br
class="">
<br class="">
</li>
<li class="">Extensions to the
Ovms Server v2 code to
support an SSL connection
listener.<br class="">
<br class="">
</li>
<li class="">Extensions to the
iOS App to support an SSL
connection option.<br
class="">
<br class="">
</li>
<li class=""><span
style="caret-color: rgb(0,
0, 0);" class="">Extensions
to the Android App to
support an SSL connection
option.</span><br class="">
<br class="">
</li>
<li class="">Migration of any
components already
supporting SSL to this new
standardised approach.<br
class="">
<br class="">
</li>
<li class="">Then we can open
up the discussion of the
whole thing of passwords. We
have far too many of these
at the moment (user
account+password, vehicle
ID, server password, module
password, hologram
account+password, etc). Once
we have an encrypted
connection, we don’t need to
use the password for
encryption, but merely for
authentication. That
simplifies things, as we can
perhaps just use the user
account+password for most
things (giving access to all
vehicles registered under
that user account - in a
similar way to MQTT does it
already for ovms_server_v3).</li>
</ol>
</div>
<div class=""><br class="">
</div>
<div class="">I will take on the
majority of this project. I can
do #1, #2, #3, #4, #5, and #6.</div>
<div class=""><br class="">
</div>
<div class="">If anyone has any
feedback on requirements, please
let me know.</div>
<div class=""><br class="">
</div>
<div class="">Regards, Mark.</div>
<div class=""><br class="">
</div>
</div>
_______________________________________________<br class="">
OvmsDev mailing list<br class="">
<a
href="mailto:OvmsDev@lists.openvehicles.com"
class="" moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a><br
class="">
<a
href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev"
class="" moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a><br
class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
<br class="">
</blockquote>
<br class="">
<pre class="moz-signature" cols="160">--
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
</pre>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="160">--
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
</pre>
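<br>
Added example (not code from this thread, from OVMS or from Mongoose): the thread turns on three values for opts.ssl_ca_cert, namely "*" (which skips CA verification), a PEM bundle passed inline (Mark's Mongoose change keys on a leading "-----"), and the PEM file kept at /store/trustedca that 'tls trusted reload' and 'tls trusted list' manage. The C below classifies such a setting so a configuration audit can flag the verification-disabled case, and sanity-checks a PEM bundle before trusting it, rejecting a damaged trust store rather than loading fewer anchors than intended. All function names are hypothetical, and the certificate bodies in the sample bundle are constructed placeholders.<br>

```c
/* Added example, not code from OVMS or Mongoose: audit the value passed as
 * Mongoose's opts.ssl_ca_cert and sanity-check a PEM trust bundle such as
 * the one kept in /store/trustedca. Conventions taken from the thread:
 * "*" disables peer verification, a value starting with "-----" is an
 * inline PEM bundle, anything else is a file path. All function names here
 * are hypothetical. */
#include <stdio.h>
#include <string.h>

enum ca_mode {
  CA_MODE_NONE,          /* NULL: no trust anchors at all */
  CA_MODE_INSECURE_ANY,  /* "*": any server certificate is accepted */
  CA_MODE_INLINE_PEM,    /* PEM bundle passed in memory */
  CA_MODE_FILE           /* path to a PEM file on the module */
};

enum ca_mode classify_ca_cert(const char *ca_cert) {
  if (ca_cert == NULL) return CA_MODE_NONE;
  if (strcmp(ca_cert, "*") == 0) return CA_MODE_INSECURE_ANY;
  if (strncmp(ca_cert, "-----", 5) == 0) return CA_MODE_INLINE_PEM;
  return CA_MODE_FILE;
}

/* 1 when the setting actually pins the server to a trusted CA, 0 otherwise. */
int peer_verification_enabled(const char *ca_cert) {
  enum ca_mode m = classify_ca_cert(ca_cert);
  return m == CA_MODE_INLINE_PEM || m == CA_MODE_FILE;
}

/* Count CERTIFICATE blocks in a PEM bundle. Returns -1 when a BEGIN has no
 * END, an END has no BEGIN, two BEGINs nest, or a non-certificate block
 * (e.g. a private key) is present, so a damaged trust store is rejected
 * rather than silently loaded with fewer anchors than intended. */
int count_pem_certs(const char *pem) {
  static const char begin[] = "-----BEGIN CERTIFICATE-----";
  static const char end[] = "-----END CERTIFICATE-----";
  int count = 0;
  const char *p = pem;
  while (*p != '\0') {
    const char *b = strstr(p, "-----BEGIN ");
    const char *stray_end = strstr(p, "-----END ");
    if (stray_end != NULL && (b == NULL || stray_end < b)) return -1; /* END without BEGIN */
    if (b == NULL) break;                                    /* only trailing whitespace left */
    if (strncmp(b, begin, sizeof begin - 1) != 0) return -1; /* not a certificate block */
    const char *body = b + (sizeof begin - 1);
    const char *e = strstr(body, end);
    if (e == NULL) return -1;                                /* unterminated block */
    const char *next_begin = strstr(body, "-----BEGIN ");
    if (next_begin != NULL && next_begin < e) return -1;     /* nested BEGIN */
    count++;
    p = e + (sizeof end - 1);
  }
  return count;
}

/* Constructed two-certificate bundle; the bodies are placeholders, not real certificates. */
static const char constructed_bundle[] =
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgTk9UIEEgUkVBTCBDRVJU\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgTk9UIEEgUkVBTCBDRVJU\n"
    "-----END CERTIFICATE-----\n";

int main(void) {
  const char *settings[] = { "*", constructed_bundle, "/store/trustedca" };
  const char *names[] = { "CA_MODE_NONE", "CA_MODE_INSECURE_ANY",
                          "CA_MODE_INLINE_PEM", "CA_MODE_FILE" };
  for (size_t i = 0; i < sizeof settings / sizeof settings[0]; i++) {
    enum ca_mode m = classify_ca_cert(settings[i]);
    printf("%-20s verification=%s", names[m],
           peer_verification_enabled(settings[i]) ? "on" : "OFF");
    if (m == CA_MODE_INLINE_PEM) printf(" certs=%d", count_pem_certs(settings[i]));
    printf("\n");
  }
  return 0;
}
```

The prefix check mirrors the convention described in the thread: a file whose first line is a comment is treated as a path, not as inline PEM, so a bundle written to /store/trustedca should start directly with its first BEGIN line. A bundle containing a private key is rejected outright, since a trust store should never carry key material.<br>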
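<br>
A second added example (again not OVMS code) for the memory side of the thread: Michael's two 'mo me' readings, CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384 from Mark's sdkconfig, and CONFIG_MBEDTLS_EXTERNAL_MEM_ALLOC=y, which moves mbedTLS allocations to SPIRAM. The C below parses the 'mo me' report line and estimates whether the heap mbedTLS draws from can hold a given number of TLS connections. It assumes one input and one output buffer of MAX_CONTENT_LEN bytes per connection plus a per-buffer overhead; that overhead constant is a constructed estimate, not mbedTLS's exact figure, and the function names are hypothetical.<br>

```c
/* Added example, not OVMS code: read the module's "mo me" heap report and
 * estimate whether the heap mbedTLS allocates from can hold N concurrent
 * TLS connections at CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384. Assumptions:
 * one input and one output buffer of MAX_CONTENT_LEN bytes per connection
 * plus a per-buffer overhead whose value below is a constructed estimate,
 * not mbedTLS's exact figure; with CONFIG_MBEDTLS_EXTERNAL_MEM_ALLOC=y the
 * buffers come from SPIRAM, otherwise from internal 8-bit RAM. All
 * function names are hypothetical. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

struct mem_status {
  long free_8bit, total_8bit;     /* internal, byte-addressable heap */
  long free_32bit, total_32bit;   /* internal, word-addressable only */
  long free_spiram, total_spiram; /* external PSRAM */
};

/* Parse one "mo me" report line. Returns 1 on success, 0 if it does not match. */
int parse_mo_me(const char *line, struct mem_status *out) {
  return sscanf(line, "Free 8-bit %ld/%ld, 32-bit %ld/%ld, SPIRAM %ld/%ld",
                &out->free_8bit, &out->total_8bit,
                &out->free_32bit, &out->total_32bit,
                &out->free_spiram, &out->total_spiram) == 6;
}

#define TLS_MAX_CONTENT_LEN 16384L /* the sdkconfig value from the thread */
#define TLS_BUFFER_OVERHEAD   512L /* constructed estimate for record header, MAC and padding */

/* Bytes one TLS connection reserves for its two record buffers. */
long tls_buffer_bytes_per_conn(void) {
  return 2 * (TLS_MAX_CONTENT_LEN + TLS_BUFFER_OVERHEAD);
}

/* Free bytes remaining after `connections` TLS sessions; negative means they cannot all fit. */
long tls_headroom(const struct mem_status *m, int connections, int external_alloc) {
  long pool = external_alloc ? m->free_spiram : m->free_8bit;
  return pool - connections * tls_buffer_bytes_per_conn();
}

/* Convenience wrapper: LONG_MIN when the line does not parse. */
long headroom_from_line(const char *line, int connections, int external_alloc) {
  struct mem_status m;
  if (!parse_mo_me(line, &m)) return LONG_MIN;
  return tls_headroom(&m, connections, external_alloc);
}

/* The two reports quoted in the thread (vehicle module loaded / vehicle NONE),
 * re-joined onto single lines where the mail client had wrapped them. */
static const char *const MO_ME_VEHICLE =
    "Free 8-bit 58944/271108, 32-bit 1900/27848, SPIRAM 3761072/4194252";
static const char *const MO_ME_NONE =
    "Free 8-bit 69124/271108, 32-bit 1900/27848, SPIRAM 3802648/4194252";

int main(void) {
  const int conns = 2; /* e.g. the server V2 TLS link plus one HTTPS HTTP.Request */
  printf("per connection: %ld bytes\n", tls_buffer_bytes_per_conn());
  printf("vehicle loaded, internal RAM: %ld\n", headroom_from_line(MO_ME_VEHICLE, conns, 0));
  printf("vehicle NONE,   internal RAM: %ld\n", headroom_from_line(MO_ME_NONE, conns, 0));
  printf("vehicle loaded, SPIRAM:       %ld\n", headroom_from_line(MO_ME_VEHICLE, conns, 1));
  return 0;
}
```

With these constructed constants, two connections need about 66 KB, which falls between the two internal-RAM readings, so the estimate lands on the same side as the thread's observations (failing with the vehicle module loaded, working with vehicle NONE or with the buffers moved to SPIRAM). Treat it only as a rough check: the "Free" figure is the total free heap, not the largest contiguous block, so fragmentation makes the real limit lower than this calculation suggests.<br>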
</body>
</html>