Michael,

I am getting:

OVMS# script eval 'HTTP.Request({url: "http://dexters-web.de/f/test.json",always: function() { JSON.print(this, false); } });'
I (140781) script: [eval:1:] {"url":"https://dexters-web.de/f/test.json","always":function () { [ecmascript code] },"redirectCount":1,"error":"","response":{"statusCode":200,"statusText":"OK","body":"{\"foo\":\"bar\"}","headers":[{"Date":"Fri, 14 Feb 2020 08:45:05 GMT"},{"Server":"Apache/2.2.15 (CentOS)"},{"Last-Modified":"Sun, 01 Dec 2019 20:36:31 GMT"},{"ETag":"\"73806cb-d-598aa6b0f7003\""},{"Accept-Ranges":"bytes"},{"Content-Length":"13"},{"Cache-Control":"max-age=0"},{"Expires":"Fri, 14 Feb 2020 08:45:05 GMT"},{"Content-Type":"application/json"}]}}

OVMS# script eval 'HTTP.Request({url: "https://dexters-web.de/f/test.json",always: function() { JSON.print(this, false); } });'
I (169991) script: [eval:1:] {"url":"https://dexters-web.de/f/test.json","always":function () { [ecmascript code] },"redirectCount":0,"error":"","response":{"statusCode":200,"statusText":"OK","body":"{\"foo\":\"bar\"}","headers":[{"Date":"Fri, 14 Feb 2020 08:45:34 GMT"},{"Server":"Apache/2.2.15 (CentOS)"},{"Last-Modified":"Sun, 01 Dec 2019 20:36:31 GMT"},{"ETag":"\"73806cb-d-598aa6b0f7003\""},{"Accept-Ranges":"bytes"},{"Content-Length":"13"},{"Cache-Control":"max-age=0"},{"Expires":"Fri, 14 Feb 2020 08:45:34 GMT"},{"Content-Type":"application/json"}]}}

OVMS# metrics list version
m.version                                3.2.010-15-g931ca3d3-dirty/factory/edge (build idf v3.3-beta3-770-ge97f72ea2 Feb 13 2020 13:01:16)

That seems correct to me.

Maybe increased ram usage for you? I your memory status ok?

The change I made to mongoose would only affect if the ca_cert started with “-----“. Nothing else should have changed (at least in that part). Maybe the increase of fragment size to 16384 has impacted something?

I've seen you set opts.ssl_server_name in server V2 & V3. This could be left NULL for using the hostname before, is it now necessary to set this?

I think you are right. I hadn’t noticed that default ca_cert != NULL, but server_name is null. I don’t think it is necessary to set explicitly, but should not matter.

However, I have just noticed:

void mg_ssl_if_conn_free(struct mg_connection *nc) {
  struct mg_ssl_if_ctx *ctx = (struct mg_ssl_if_ctx *) nc->ssl_if_data;
  if (ctx == NULL) return;
  nc->ssl_if_data = NULL;
  MG_FREE(ctx->ssl_cert);
  MG_FREE(ctx->ssl_key);
  MG_FREE(ctx->ssl_ca_cert);
  MG_FREE(ctx->ssl_server_name);
  memset(ctx, 0, sizeof(*ctx));
  MG_FREE(ctx);
}

Which is scary. But that seems to be the ’simplessl’ version of that function. There are two other ones, for different SSL implementations, which seem to behave differently. That monolithic mongoose.{h,c} is really confusing to work through. Maybe I should look at their python mechanism to pack/unpack from individual scripts and then try to build a mongoose.{h,c} specific to our needs (without the crud we don’t use such as openssl, simplessl)?

Regards, Mark.

On 14 Feb 2020, at 6:25 AM, Michael Balzer <dexter@expeedo.de> wrote:

Mark,

something's wrong now with the Mongoose SSL support. I could do this javascript call before (example from scripting API doc):

      HTTP.Request({
        url: "https://dexters-web.de/f/test.json",
        always: function() { JSON.print(this, false); }
      });

This now no longer works, neither with the previous opts.ssl_ca_cert = "*":

E (37350) mongoose: mg_ssl_if_mbed_err   0x3f85befc SSL error: -17040
I (37410) script: [eval:3:] {"url":"https://dexters-web.de/f/test.json","always":function () { [ecmascript code] },"redirectCount":0,"error":"SSL error"}

…nor with opts.ssl_ca_cert = MyOvmsTLS.GetTrustedList(), it then sometimes fails with…

{"url":"https://dexters-web.de/f/test.json","always":function () { [ecmascript code] },"redirectCount":0,"error":"Failed to create SSL session"}

…but mostly causes some kind of lockup (USB console not responding) and / or wifi / mongoose restart:

I (55980) wifi: bcn_timout,ap_probe_send_start
I (58480) wifi: ap_probe_send over, resett wifi status to disassoc
I (58480) wifi: state: run -> init (c800)
I (58490) wifi: pm stop, total sleep time: 35296441 us / 53655320 us
I (58490) wifi: new:<11,0>, old:<11,2>, ap:<11,2>, sta:<11,0>, prof:11
E (58490) mongoose: mg_ssl_if_mbed_err   0x3f85dd64 SSL error: -1
D (58520) events: Signal(server.web.socket.closed)
I (58580) script: [eval:3:] {"url":"https://dexters-web.de/f/test.json","always":function () { [ecmascript code] },"redirectCount":0,"error":"SSL error"}
W (58600) wifi: Haven't to connect to a suitable AP now!
W (58630) wifi: Haven't to connect to a suitable AP now!
W (58640) wifi: Haven't to connect to a suitable AP now!
W (58660) wifi: Haven't to connect to a suitable AP now!
W (58680) wifi: Haven't to connect to a suitable AP now!
W (58700) wifi: Haven't to connect to a suitable AP now!
W (58720) wifi: Haven't to connect to a suitable AP now!
W (58740) wifi: Haven't to connect to a suitable AP now!
D (58770) events: Signal(system.event)
D (58780) events: Signal(system.wifi.sta.disconnected)


I've seen you set opts.ssl_server_name in server V2 & V3. This could be left NULL for using the hostname before, is it now necessary to set this?

Regards,
Michael


Am 13.02.20 um 08:26 schrieb Mark Webb-Johnson:

And #2 now done. To add to the trusted CA list we can now add the CA into firmware (like the 3 already there), or put the PEM formatted certificate in /store/trustedca on the module itself. A set of commands (like ’tls trusted reload’, ’tls trusted list’, etc) are also now provided to help management.

I’ve also added a short document to the user guide to explain this.

Regards, Mark.

On 12 Feb 2020, at 3:25 PM, Mark Webb-Johnson <mark@webb-johnson.net> wrote:

I managed to get quite a lot done last night, and just committed my changes. Current status:

#1 is done. An extension had to be made to mongoose to support this, so please update submodules. I’ve added the trusted CAs for openvehicles, dexters (letsencrypt) and pushover.

#3 is done. A couple of lines of code. It is enabled by ‘config set server.v2 tls yes’.

#4 is done. A couple of lines of code. It is enabled by ‘config set server.v3 tls yes’.

#5 is done, and live on api.openvehicles.com.

#8 can start when ready. Have a look at the ovms_server_v[23] code for an example - it is literally a couple of lines to be added.

I did find a few servers that didn’t support the segment size negotiation option in SSL that we were relying on (including mosquitto!). So had to change my sdkconfig to:

CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384

I suggest you do the same for best compatibility.

The rest is pending. I will work on #2 next, then move on to the iOS App.

Regards, Mark.

On 10 Feb 2020, at 11:24 AM, Mark Webb-Johnson <mark@webb-johnson.net> wrote:


Given that we use the mongoose library for most of our stuff, adding SSL support should not be hard. This would finally bring strong encryption and server side authentication. Given the number of attacks now on IoT devices that would not be a bad thing.

I think what we need is:

  1. A set of helper functions to make it easier for components to use SSL. Build on top of mongoose.

  2. A way to manage a list of trusted Certificate Authorities, including adding to the trusted list via:
    • Components providing Certificate Authorities in firmware.
    • Certificate Authorities in configuration.

  3. Extensions to ovms_server_v2 to support an SSL connection option.

  4. Extensions to ovms_server_v3 to support an SSL connection option.

  5. Extensions to the Ovms Server v2 code to support an SSL connection listener.

  6. Extensions to the iOS App to support an SSL connection option.

  7. Extensions to the Android App to support an SSL connection option.

  8. Migration of any components already supporting SSL to this new standardised approach.

  9. Then we can open up the discussion of the whole thing of passwords. We have far too many of these at the moment (user account+password, vehicle ID, server password, module password, hologram account+password, etc). Once we have an encrypted connection, we don’t need to use the password for encryption, but merely for authentication. That simplifies things, as we can perhaps just use the user account+password for most things (giving access to all vehicles registered under that user account - in a similar way to MQTT does it already for ovms_server_v3).

I will take on the majority of this project. I can do #1, #2, #3, #4, #5, and #6).

If anyone has any feedback on requirements, please let me know.

Regards, Mark.

_______________________________________________
OvmsDev mailing list
OvmsDev@lists.openvehicles.com
http://lists.openvehicles.com/mailman/listinfo/ovmsdev

_______________________________________________
OvmsDev mailing list
OvmsDev@lists.openvehicles.com
http://lists.openvehicles.com/mailman/listinfo/ovmsdev


_______________________________________________
OvmsDev mailing list
OvmsDev@lists.openvehicles.com
http://lists.openvehicles.com/mailman/listinfo/ovmsdev


-- 
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
_______________________________________________
OvmsDev mailing list
OvmsDev@lists.openvehicles.com
http://lists.openvehicles.com/mailman/listinfo/ovmsdev