FEZ Raptor and SSL

vishnusharma · March 17, 2015, 4:33am

I have a FEZ Raptor and I have connected it with a WiFi RS21 module (https://www.ghielectronics.com/catalog/product/282)

I was trying to work with SSL and here is a sequence of steps that I followed:

I tried to first perform “Update SSL Seed” using the FEZ Config utility. When I click the button, the mouse pointer show “busy” for a couple of seconds and then nothing happens.
I used MF Deploy utility and performed “Update SSL Seed” again. This time, I could see success messages.

After that, I tried to do a GET on the URL https://www.google.com
I got an error CLR_E_FAIL
After reading some posts on this website, I realized that we need to set the certificates. All sample codes posted, talk about some root CA certificate. Can someone point me out on what is this certificate and where do I get this. Is this any root certificate or I need to get a root certificate for every website I want to connect (I am a little low on SSL knowledge)

I simply downloaded a root certificate from GeoCerts website. The code is given below:

HttpWebRequest req = (HttpWebRequest)HttpWebRequest.Create(“https://www.google.com/”);
req.Method = “GET”;

        var certs = new X509Certificate[] { 
            new X509Certificate(ClientCertificates.GetBytes(ClientCertificates.BinaryResources.GeoTrust_Global_CA))
        };
        req.HttpsAuthentCerts = certs;
        req.KeepAlive = true;
        
       HttpWebResponse resp = (HttpWebResponse)req.GetResponse();

First time, the call hanged on “GetResponse”. After that , I consistently get the error given below:

Exception System.Net.Sockets.SocketException - CLR_E_FAIL (4)

#### Message: 
#### Microsoft.SPOT.Net.Security.SslNative::SecureConnect [IP: 0000] ####
#### Microsoft.SPOT.Net.Security.SslStream::Authenticate [IP: 0060] ####
#### Microsoft.SPOT.Net.Security.SslStream::AuthenticateAsClient [IP: 000c] ####
#### System.Net.HttpWebRequest::EstablishConnection [IP: 0247] ####

…
…
…

SocketException ErrorCode = 1

#### SocketException ErrorCode = 1

The last lines where ErrorCode = 1 is given, perhaps means SSL context is not valid (Though MSDN says the error code should be -1)

I’m sure the error is somewhere in the certificate declaration. Can someone point me to the right direction.

Thanks in advance.

John_Brochue · March 18, 2015, 7:42am

@ vishnusharma - We usually see that error when the certificate is not working for whatever reason. We are working on getting more details on how to find proper certificates.

vishnusharma · March 18, 2015, 10:11am

@ John Thanks. So does it mean we cannot use SSL for now ? :’(

John_Brochue · March 18, 2015, 11:45am

@ vishnusharma - You can, it does work, we just don’t have specific and reliable guidance for finding a certificate yet.

Duke_Nukem · March 18, 2015, 1:41pm

Are you setting up the correct system time on your system as that matter to SSL.

vishnusharma · March 19, 2015, 4:18am

Thank you Duke for your inputs.
I did suspect that and I did hardcode the system time using the snippet below:

Utility.SetLocalTime(new DateTime(2015, 3, 10)

My guess is that the internal implementation of certificate checking should be using the system time. The error I posted before is the one that is thrown even with the above code.

Duke_Nukem · March 19, 2015, 5:45am

That is likely your problem as date isn’t enough, you need reasonably accurate time as well. Your connecting to the internet so make a call to a time server with something like this


         void GetInternetTime() 
         { 
             // Initializes the time client 
             SNTP_Client TimeClient = new SNTP_Client(new IntegratedSocket("time-a.nist.gov", 123)); 
 
 
             // Displays the time in three ways: 
             Debug.Print("Amount of seconds since 1 jan. 1900: " + TimeClient.Timestamp.ToString()); 
             Debug.Print("UTC time: " + TimeClient.UTCDate.ToString()); 
             Debug.Print("Local time: " + TimeClient.LocalDate.ToString()); 
 
 
            // Synchronizes the internal clock 
             TimeClient.Synchronize(); 
         }

vishnusharma · March 20, 2015, 1:24am

Thanks Duke.
I checked the source code of TimeClient.Synchronize().
It does exactly the same thing as I did before. Just setup the system time.
Your concern was that I was only setting the date and not the time. When you use only date parts, the time part is set to zero (i.e. midnight).

If an SSL certificate is valid from a date much earlier than the date set in the system, and expires after the date set in the system, the time part is irrelevant. I did choose a certificate which starts in 2014 and ends in 2016.

vishnusharma · March 20, 2015, 2:21am

I did further tests with a small code snippet as given below:

Utility.SetLocalTime(new DateTime(2015, 3, 20));
HttpRequest req = WebClient.GetFromWeb(httpsUrl);
req.ResponseReceived += delegate(HttpRequest request, HttpResponse response)
{
       Debug.Print(response.Text);
};
req.SendRequest();

With this code and with different HTTPS URLs I get the following results:

https://github.com → CLR_E_FAIL(7), #### SocketException ErrorCode = -1
https://example.com → Success, but T43 display is cleaned and a text ***** ASSERT ***** is shown on the display
https://www.coapworks.com → No response received
https://coapworks.com → No response received, but T43 display is cleaned and a text ***** ASSERT ***** is shown on the display
https://www.youtube.com → After about 60 seconds, I get CLR_E_FAIL (7), #### SocketException ErrorCode = 5,T43 display is cleaned and a text ***** ASSERT ***** is shown on the display

ErrorCode=5 means >> “The certificate revocation list signature could not be decrypted.”

https://adobe.com → No response received
https://login.live.com → After about 30 seconds, No response received,T43 display is cleaned and a text ***** ASSERT ***** is shown on the display

I guess the “***** ASSERT *****” is coming from some GHI library

Brett · March 20, 2015, 3:59am

when I see ASSERT errors I always suggest making sure you reapply the firmware from the SDK you have installed to make sure there’s no chance of a mis-match. And please then show us the output from Fez Config checking versions (so we know what versions you’re running)

vishnusharma · March 20, 2015, 6:41am

@ Brett - Please find the screenshots.

ppatierno · March 22, 2015, 10:18am

It seems to be the opposite problem I have.

I described it here

http://netmf.codeplex.com/discussions/576556

The raw SSL connection to the service bus works perfectly without any CA certificate specified.

Paolo

vishnusharma · March 22, 2015, 11:58pm

@ ppatierno - Thanks

What is even more confusing is that in the rare case, when I do get a response, I also get the ***** ASSERT ***** message on the connected LCD. There is no failure in my application code and it executes normally