Elecfans Forum
Hi,
SPWF04Sx with FW1.1.0, mode miniAP.
I loaded certificates in the wifi module: CA, cert and key based on ECC (prime256v1 aka NIST P-256), and I run cmd AT+S.HTTPGET. I have error:
+WIND:29:DHCP Reply:192.168.0.2:02:A9:D2:A0:FF:A0
AT+S.HTTPGET=192.168.0.2,tls/cert.pem,443,2,,,ServerCert.pem,
AT-S.Http Client Error:1
AT-S.ERROR:111:Request failed
192.168.0.2 is the IP of the computer connected to the wifi of the wifi module, and the wifi module tries to connect (HTTPS client) to the computer to download the ServerCert.pem file.
Do you see a problem?
Thks
Yoann

AT-S.Http Client Error:1 is actually printed when the connection to the specified host (192.168.0.2) is refused, that is, there is no process listening on the specified port (443) or a firewall is denying the access.
Is this your case?

Hi,
the first error was because on the host (192.168.0.2) the path was not good (tls/cert.pem).
Now, I have a new error:
AT+S.HTTPGET=192.168.0.2,tls/cert.pem,443,2,,,ServerCert.pem,
AT-S.Skip CA
AT-S.Skip CA
AT-S.Loading:1:2
AT-S.Loading:2:2
AT-S.Loading:3:2
AT-S.Http Server Status Code:400
AT-S.Http Server Error:400
AT-S.ERROR:111:Request failed
On the host, the server log is:
certifs_1 | 2018/01/17 17:50:32 [info] 6#6: *2 client SSL certificate verify error: (21:unable to verify the first certificate) while reading client request headers, client: 192.168.0.1, server: , request: 'GET /tls/cert.pem HTTP/1.1', host: '192.168.0.2'
Is the problem the compatibility with SPWF04Sx, the supported ciphers?
PEM-encoded long term bundle containing 3 ECC (prime256v1 aka NIST P-256) certificates.
Thanks
Yoann

Hi Yoann,
from the SPWF04Sx log, it seems the mutual authentication succeeded, whereas the HTTP server has refused the connection (Bad Request). Please note that the Http Server Status Code is received from the HTTP server. A TCP/TLS problem would be reported as Http Client Error/Certificate Error (a TLS error would be propagated back to the client).
Anyway, you can further diagnose the TLS connection by means of the SOCKON command. The following is an example I have done on my module (1-way authentication):
- wrong certificate (CA certificate not found):
AT+S.HTTPGET=192.168.1.112,,443,2,,,,
AT-S.Certificate Error:23
AT-S.Http Client Error:2
AT-S.ERROR:111:Request failed
AT+S.SOCKON=192.168.1.112,443,,s
AT-S.Certificate Error:23
AT-S.ERROR:74:Failed to open socket
- good certificate, page not found
AT+S.HTTPGET=192.168.1.129,,443,2,,,,
AT-S.Loading:1:1
AT-S.Http Server Status Code:404
AT-S.Http Server Error:404
AT-S.ERROR:111:Request failed
AT+S.SOCKON=192.168.1.129,443,,s
AT-S.Loading:1:1
AT-S.On:192.168.1.129:0
AT-S.OK
+WIND:58:Socket Closed:0:0 <-- the connection was closed by the Apache HTTP server after a timeout
Hope it helps, otherwise please send a Wireshark log of the transaction.
Regards,
Elio

Hi,
I found my problem: the certificate is stored in the flash system and I use cmd AT+S.FSP to read the file. I use the callback ind_wifi_file_data_available fct to store the result, and after init of the wifi module (AT+STLSCERT...) the certificate size is 2642bytes, and if the result (AT+S.FSP) is stored in the middle of the DMA buffer (4096), the certificate is bad (old string in the middle of buffer) Process_DMA_Buffer_Messages()
so with AT+S.TLSCERT I loaded a part of the certificate (not full).
In debug step by step the result (AT+S.FSP) is correct and I can load the certificate in the wifi module.
New:
I tested and I receive a GOOD log: ;-(
T+S.HTTPGET=192.168.0.2,tls/cert.pem,443,2,,,ServerCert.pem,
AT-S.Skip CA
AT-S.Skip CA
AT-S.Loading:1:2
A+-S.Loading:2:2 WIND:8:Hard Fault:TcpIp:47427153:08009a56:00000002:00000000:0806bd6b:0806c249:08097aee:21000000
I need to fix the result of cmd AT+S.FSP to get the full certificate, but I would like to know why the Hard Fault.
Link to size of file I download (> 2500bytes)
Thanks
Yoann

To complete the message,
I tested with a download of file size 2500bytes and 300bytes = same error!
Show the message server side:
certifs_1 | 2018/01/19 10:30:17 [info] 6#6: *5 client timed out (110: Operation timed out) while SSL handshaking, client: 192.168.0.1, server: 0.0.0.0:443
Do you have an idea on the Hard Fault in the wifi module?
AT+S.HTTPGET=192.168.0.2,tls/priv.pem,443,2,,,ServerCert.pem,
AT-S.Skip CA
AT-S.Skip CA
AT-S.Loading:1:2
A+-S.Loading:2:2 WIND:8:Hard Fault:TcpIp:47427153:08009a56:00000002:00000000:0806bd6b:0806c249:08097aee:21000000
Thanks
Yoann

Hi Yoann,
as stated in the Security application note (AN4963) the maximum allowed size for certificates/key is 2.5KB.
You may save the certificates in any of the filesystems; that will anyway lead to handshake failure but will prevent you from getting the WIND:8.
In a previous comment you wrote 'PEM-encoded long term bundle containing 3 ECC ( prime256v1 aka NIST P-256) certificates.', so I understood that the certificate you are loading in the cert section is composed of a chain of 3 ECC certificates (SPWF04S's cert + intermediate CA cert + Root CA cert).
If this is your case, this kind of certificate is actually supported and you should load the concatenation of the module's certificate (PEM encoded) + intermediate CA certificate (PEM encoded) in the cert section in flash (or tls.cert on filesystem), while the respective Root CA cert should be in the availability of the peer (the HTTP server on your PC). I'm a bit surprised that the chain of two ECC certificates exceeds 2.5KB (even though possible if the certificates include a lot of info...).
Could you please confirm the certificate does not include the Root CA certificate?

Hi,
the certificate I am loading in the cert section is composed of a chain of 3 ECC certificates (SPWF04S's cert + intermediate or site CA cert + delegate CA cert). Not Root CA cert!
I already validated the bundle certificate with a socket with size < 2.5KB.
I will test with a certificate < 2.5KB to check if I have the same pb.
So I confirm the certificate does not include the root CA.
Thks
Yoann

Hi,
this explains the size of the certificate... This kind of certificate is also supported if its size is less than 2.5K.
Unfortunately, I don't see a way to reduce the size of your certificate, since the only method supported by SPWF04S to concatenate certificates is to PEM encode each of them.
Regards,
Elio

Hi,
I tested with a certificate bundle x3. Size is 2488Bytes. Same error WIND:8:Hard Fault:TcpIp....
I tested with a certificate bundle x2. Size is 1698Bytes and it works.
You said 'This kind of certificate is also supported if it's size is less than 2.5K.'
What is the max size supported?
Thks
Yoann
Note: the original post contained a large number of threaded conversations and was only able to be migrated to the 9th level

Hi Elio,
did you receive with Gerardo GALLUCCI the certificate set I sent him?
With size <2.5KB ECC bundle x3, what is the problem?
Thanks
Yoann

Hi Yoann,
my apologies for the delay.
I was not well informed. Actually the 2.5K limit refers to each certificate in the bundle received from a peer. This applies to certificates received from a server (1way/mutual authentication) and to certificates received from a client (mutual authentication).
Instead, the size of the certificate bundle stored in the 'cert' section or in the 'tls.cert' file must be limited to 1475 bytes.
Regards,
Elio

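The two limits stated in the last reply, and the partially copied certificate described earlier in the thread, can be checked on the host before a bundle is passed to AT+S.TLSCERT. The following is an added example, not code from the thread or from ST: the function names are hypothetical, "2.5K" is read as 2560 bytes of DER per certificate (an assumption), and the sample bundle is built from filler bytes rather than real certificates.

```python
import base64
import binascii
import re

# Limits as stated in the thread's final reply.
LOCAL_BUNDLE_MAX = 1475   # bytes, PEM bundle in 'cert' section or tls.cert
PEER_CERT_MAX = 2560      # assumption: "2.5K" read as 2.5 * 1024 bytes of DER

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BLOCK_RE = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)


def make_pem(der):
    """Wrap raw bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{BEGIN}\n{body}\n{END}\n"


def inspect_bundle(pem_text):
    """Report size and integrity of a PEM bundle before it is loaded."""
    ders, damaged = [], 0
    for body in BLOCK_RE.findall(pem_text):
        try:
            ders.append(base64.b64decode("".join(body.split()), validate=True))
        except binascii.Error:
            damaged += 1          # stale or foreign bytes inside a block
    size = len(pem_text.encode("utf-8"))
    # A BEGIN marker without a decodable block means a cut-off or corrupt copy.
    intact = damaged == 0 and pem_text.count(BEGIN) == len(ders) > 0
    return {
        "certs": len(ders),
        "bundle_bytes": size,
        "intact": intact,
        "fits_local": intact and size <= LOCAL_BUNDLE_MAX,
        "peer_ok": [len(d) <= PEER_CERT_MAX for d in ders],
    }


# Constructed sample: 500 filler bytes stand in for one certificate's DER.
FAKE_DER = bytes(i % 251 for i in range(500))
ONE = make_pem(FAKE_DER)
THREE = ONE * 3

if __name__ == "__main__":
    for name, text in [("one", ONE), ("three", THREE), ("cut", THREE[:-40])]:
        print(name, inspect_bundle(text))
```
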