dar63
SSL/TLS certificates

Hi everyone,

I started to develop a javascript module. In a few words, the idea is to monitor a set of data in the OVMS module and to sometimes send data to a public website which offers an API.
This API can be reached through a https post.
So I tried with a few lines of code, and unfortunately, here's what I got:

E (13094212) mongoose: mg_ssl_if_mbed_err 0x3f84693c SSL error: -29312
E (13094222) script: DuktapeHTTPRequest: failed error='SSL error' url='https://api.pushover.net/1/messages.json'
I (13094222) script: error="SSL error"

So reading the documentation, I saw the following note:

SSL requests (https) can take up to 12 seconds on an idle module. SSL errors also may not reflect the actual error, for example an empty server response with code 400 may be reported as a general “SSL error”. If you get “SSL error” on a valid request, you may need to install a custom root CA certificate; see SSL/TLS.

Makes sense, but then I jumped to the other chapter "SSL/TLS", and discovered this command:
OVMS# tls trust list

and here I am stuck. Tried this command through the OVMS shell console: doesn't work. Then in an SSH session: doesn't work.

Please help!!!

Kind regards
David

dar63
I also tried to put a pem

I also tried to put a pem file in /store/trustedca/, but no change.
Any idea?

dexter
SSL/TLS certificates

If the "tls" command doesn't work for you, my first idea would be to check the firmware version. As you can see from the changes.txt file, TLS support has only been released to edge yet.

Also, as Pushover support is a standard component, I already verified that accessing their API with the predefined CA set is possible. IOW you don't need a custom cert.
But my tests also revealed that the pushover API server is often overloaded, in which case you will get an error result and need to retry the send.

Regards,
Michael

dar63
Thank you Michael, I had a

Thank you Michael, I had a look at the source code in git; I was thinking that I probably didn't have the right version.
Kind regards
David

dar63
try again. fail again :-(

Hi,

I installed the latest version I could find on dexter-web repo.
After running my own script, I got this:
I (120924) webserver: HTTP POST /api/execute
I (120934) webcommand: HttpCommandStream[0x3f8527bc]: 3913964 bytes free, executing: script run /store/scripts/test_pushover.js
E (131174) mongoose: mg_ssl_mbed_log 0x3f84d7a8 mbedtls_ssl_fetch_input() returned -29312 (-0x7280)
E (131174) mongoose: mg_ssl_mbed_log 0x3f84d7a8 ssl_get_next_record() returned -29312 (-0x7280)
E (131174) mongoose: mg_ssl_mbed_log 0x3f84d7a8 mbedtls_ssl_read_record() returned -29312 (-0x7280)
E (131174) mongoose: mg_ssl_if_mbed_err 0x3f84d7a8 SSL error: -29312
I (131264) script: [/store/scripts/test_pushover.js:66:OnRequestFail] error="SSL error"

So I tried with the official pushover function, I got this:
(179404) pushover: Sending message test with priority 0
E (191474) mongoose: mg_ssl_mbed_log 0x3f8551ac mbedtls_ssl_fetch_input() returned -29312 (-0x7280)
E (191474) mongoose: mg_ssl_mbed_log 0x3f8551ac ssl_get_next_record() returned -29312 (-0x7280)
E (191474) mongoose: mg_ssl_mbed_log 0x3f8551ac mbedtls_ssl_read_record() returned -29312 (-0x7280)
E (191474) mongoose: mg_ssl_if_mbed_err 0x3f8551ac SSL error: -29312
I (191474) pushover: PushoverMongooseCallback(MG_EV_CONNECT=-3:)
E (191474) pushover: Connection failed

=> same issue!

Any idea on this?

Kind regards
David

dexter
SSL/TLS to api.pushover.net

David,

I can confirm that it's now nearly impossible to connect to api.pushover.net. I've had one successful request in about 30 attempts.

After doing some debug traces I'm pretty sure this is caused by the pushover server, most probably because of a very short SSL handshake timeout. The initial SSL handshake of mbedtls takes anywhere from 3 to 10 seconds depending on the current load on the module. Which is arguably much longer than normal (milliseconds on a standard platform), and it's also a potential DoS vector for an API server to allow long SSL handshakes.

But no other https server I've tried has issues with this. So I suggest not depending on pushover, or if you absolutely need to, set up some proxy service to do the API communication.

Regards,
Michael

dar63
Thank you for your answer,

Thank you for your answer, Michael.
As usual, very clear.
Thanks for taking the time to test it, it is much appreciated.

Kind regards
David

markwj
For what it is worth, I agree

For what it is worth, I agree with Michael:

$ time telnet api.pushover.net 443
Trying 199.115.115.85...
Connected to api.pushover.net.
Escape character is '^]'.
Connection closed by foreign host.

real 0m5.452s
user 0m0.001s
sys 0m0.003s

dar63
thank you markwj

Thank you markwj

It seems Pushbullet is an alternative to Pushover?

markwj
Pushbullet is twice as good,

Pushbullet is twice as good, but still pretty crappy:

$ time telnet api.pushbullet.com 443
Trying 216.58.197.115...
Connected to api.pushbullet.com.
Escape character is '^]'.
Connection closed by foreign host.

real 0m10.124s
user 0m0.001s
sys 0m0.002s

dar63
Hi again,

Hi again,

I tried with another API. This time the error message is different, maybe not the same issue.

I (14365634) webserver: HTTP POST /api/execute
I (14365644) webcommand: HttpCommandStream[0x3f84abec]: 3935288 bytes free, executing: script run /store/scripts/test_niceapi.js
E (14370704) mongoose: mg_ssl_mbed_log 0x3f858ae0 mbedtls_ssl_fetch_input() returned -1 (-0x0001)
E (14370704) mongoose: mg_ssl_mbed_log 0x3f858ae0 ssl_get_next_record() returned -1 (-0x0001)
E (14370704) mongoose: mg_ssl_mbed_log 0x3f858ae0 mbedtls_ssl_read_record() returned -1 (-0x0001)
E (14370704) mongoose: mg_ssl_if_mbed_err 0x3f858ae0 SSL error: -1
I (14370764) script: [/store/scripts/test_niceapi.js:47:OnRequestFail] error="SSL error"

I also ran the time telnet command, but I am not sure I understand the results.

Your thoughts?

$ time telnet niceapi.net 443
Trying 198.38.83.113...
Connected to niceapi.net.
Escape character is '^]'.
Connection closed by foreign host.

real    2m5.625s
user    0m0.019s
sys     0m0.011s

/David

dexter
SSL/TLS to niceapi.net

David,

this one was a real bug. The niceapi.net server requires SNI (server name indication), which should have been working but actually wasn't up to now.

The fixed version is on dexters-web in the edge release directory (3.2.010-391-gad039ce0).

HTTP.Request({
  url: "https://niceapi.net/API",
  post: "test",
  headers: [{
    "X-APIId": "xy42",
    "X-APIMobile": "123456789",
  }],
  always: function() { JSON.print(this, false); }
});

I (260333) script: [eval:8:] {"url":"https://niceapi.net/API","post":"test","headers":[{"X-APIId":"xy42","X-APIMobile":"123456789"}],"always":function () { [ecmascript code] },"redirectCount":0,"error":"","response":{"statusCode":200,"statusText":"OK","body":"X-APIId unknown","headers":[{"Cache-Control":"private"},{"Content-Type":"text/plain; charset=utf-8"},{"Server":"Microsoft-IIS/10.0"},{"X-AspNet-Version":"4.0.30319"},{"X-Powered-By":"ASP.NET"},{"Date":"Sat, 04 Apr 2020 16:52:00 GMT"},{"Content-Length":"15"}]}}

Regards,
Michael

PS: …and no, that doesn't affect api.pushover.net.
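Two diagnoses were made in this thread: a server that closes the connection while the slow mbedtls handshake is still in progress (logged as -29312 / -0x7280), and a server that needs SNI while the client was not sending it. The following script is an added example, not code from the OVMS project or from any poster here; it runs one TLS handshake from a PC with or without SNI, times it, classifies the failure the way mbedtls would report it, and decodes the numeric code from the log. The host name on the command line and the 15-second timeout are assumptions.

```python
import socket
import ssl
import time

# Selected mbedtls return codes (from mbedtls ssl.h); the OVMS log prints them as decimal and hex.
MBEDTLS_ERRORS = {
    -0x7280: "MBEDTLS_ERR_SSL_CONN_EOF",  # peer closed the connection, e.g. mid-handshake
}

def decode_mbedtls_error(code):
    """Format a negative mbedtls code the way the OVMS log does, naming it when known."""
    name = MBEDTLS_ERRORS.get(code, "unknown")
    return "%d (-0x%04x) %s" % (code, -code, name)

def classify_outcome(exc):
    """Map the exception (or None) from a handshake attempt to a short verdict."""
    if exc is None:
        return "ok"
    if isinstance(exc, (ssl.SSLEOFError, ConnectionResetError, EOFError)):
        return "eof"          # the case mbedtls reports as -0x7280
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, ssl.SSLError):
        return "tls-error"    # e.g. an alert from a server that insists on SNI
    return "other"

def probe_tls(host, port=443, use_sni=True, timeout=15.0):
    """Run one TLS handshake against host; return (verdict, seconds, detail)."""
    # use_sni=False mimics the pre-fix OVMS client: no server_hostname is sent at all.
    ctx = ssl.create_default_context()
    if not use_sni:
        ctx.check_hostname = False  # hostname check needs SNI; chain verification stays on
    exc, detail = None, ""
    t0 = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host if use_sni else None) as tls:
                detail = tls.version() or ""
    except Exception as e:  # classify every failure mode, do not abort the probe
        exc, detail = e, str(e)
    return classify_outcome(exc), round(time.monotonic() - t0, 2), detail

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "api.pushover.net"  # assumed default target
    for sni in (True, False):
        print(host, "sni=%s" % sni, *probe_tls(host, use_sni=sni))
    print(decode_mbedtls_error(-29312))
```

A handshake from a PC completes in milliseconds, so a server that tolerates it here but closes the connection on the module points at a handshake timeout rather than a certificate problem; a verdict that flips from "tls-error" to "ok" when SNI is enabled points at the bug fixed above.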

dar63
Thanks a lot, dear Michael !!

Thanks a lot, dear Michael!!!

KommyKT
Pushover working again?

Now Pushover is working for me, with 3.2.012-6-g7cf76cde fw.
