TLS Crypto algorithm support questions

Tags: crypto, certificates, pki

6 replies to this topic

#1 KiwiDev (Advanced Member, New Zealand)

Posted 15 July 2015 - 11:13 AM

Hi all,

I have been using the https capabilities of the new N3 over the last couple of months and they have been working really well.

Over the last week I had been playing around with an Azure gateway based on my initial proof of concept here.

I'm getting a generic exception(s) when I try to access https://myhomemonito...us.windows.net/

A first chance exception of type 'System.Exception' occurred in System.Net.Security.dll
A first chance exception of type 'System.Exception' occurred in System.Net.Security.dll
A first chance exception of type 'System.Net.WebException' occurred in System.Http.dll

I initially thought it might be due to the wildcard cert.

The cert subject is

CN = servicebus.windows.net

with SANs

DNS Name=*.servicebus.windows.net
DNS Name=servicebus.windows.net

I'm not certain the wildcard cert is necessarily the problem, because I can access other wildcard cert protected sites, e.g. wordpress hosted blog sites.

The cert subject is

CN = *.wordpress.com

with SANs

DNS Name=*.wordpress.com
DNS Name=wordpress.com

Using Chrome there is a subtle difference if you look at the connection details:

"Your connection to myhomemonitor.windows.net is encrypted with obsolete cryptography."

I have attached sample code and screen grabs of the connection properties in Chrome.
using System;
using System.Net;
using Microsoft.SPOT;   // Debug.Print on the .NET Micro Framework

public static class TlsChecks
{
    // Issues a GET against each host in turn and prints the HTTP status, or the
    // exception message if the TLS handshake or the request itself fails.
    public static void Run()
    {
        // Baseline check with google
        Debug.Print("https://www.google.co.nz");
        try
        {
            using (HttpWebRequest request = (HttpWebRequest)WebRequest.Create(@"https://www.google.co.nz"))
            {
                request.Method = "GET";
                request.KeepAlive = false;
                request.Timeout = 5000;
                request.ReadWriteTimeout = 5000;

                using (var response = (HttpWebResponse)request.GetResponse())
                {
                    Debug.Print("HTTP Status:" + response.StatusCode + " : " + response.StatusDescription);
                }
            }
        }
        catch (Exception ex)
        {
            Debug.Print(ex.Message);
        }

        /*
        Wildcard cert that works:
        DNS Name=*.wordpress.com
        DNS Name=wordpress.com
        */
        Debug.Print("https://justanotherblog.wordpress.com/");
        try
        {
            using (HttpWebRequest request = (HttpWebRequest)WebRequest.Create(@"https://justanotherblog.wordpress.com/"))
            {
                //request.Proxy = proxy;
                request.Method = "GET";
                request.KeepAlive = false;
                request.Timeout = 5000;
                request.ReadWriteTimeout = 5000;

                using (var response = (HttpWebResponse)request.GetResponse())
                {
                    Debug.Print("HTTP Status:" + response.StatusCode + " : " + response.StatusDescription);
                }
            }
        }
        catch (Exception ex)
        {
            Debug.Print(ex.Message);
        }

        /*
        Wildcard cert that fails:
        DNS Name=*.servicebus.windows.net
        DNS Name=servicebus.windows.net
        */
        Debug.Print(@"https://myhomemonitor.servicebus.windows.net/");
        try
        {
            using (HttpWebRequest request = (HttpWebRequest)WebRequest.Create(@"https://myhomemonitor.servicebus.windows.net/"))
            {
                //request.Proxy = proxy;
                request.Method = "GET";
                request.KeepAlive = false;
                request.Timeout = 5000;
                request.ReadWriteTimeout = 5000;

                using (var response = (HttpWebResponse)request.GetResponse())
                {
                    Debug.Print("HTTP Status:" + response.StatusCode + " : " + response.StatusDescription);
                }
            }
        }
        catch (Exception ex)
        {
            Debug.Print(ex.Message);
        }
    }
}
 
It's late here, so any suggestions before I dive deeper tomorrow would be greatly appreciated
 
Thanks
 
@KiwiBryn
blog.devmobile.co.nz
 


#2 Chris Walker (Secret Labs Staff, Moderator, New York, NY)

Posted 15 July 2015 - 05:43 PM

Hey KiwiDev,

Interesting. It's possible that the CC3100 disables obsolete crypto methods by default. There are quite a few crypto options and modes that can be optionally enabled/disabled...so this may be a case where we can expose an API to do so from managed code.

This is an SNI SSL website?

Quite a few folks use Netduino 3 Wi-Fi with Azure regularly (including yourself) so we know things work well there...but it is possible that Microsoft uses different security configs in different parts of the system.

Quick question: would you have time to load debug firmware and step into System.Net.Security, to pull the actual SocketException ErrorCode (or SSL error message)?

SSL/TLS is a big beast with lots of complications--but we chose defaults on Netduino 3 that should make it super-easy to use in most circumstances (similar to navigating to a secure site through a browser). Let's figure out what's up and try to do the same for this site.

Chris

#3 KiwiDev (Advanced Member, New Zealand)

Posted 15 July 2015 - 07:51 PM

Hi Chris,

I was intending to fire up the debugger this evening to do some more investigation. Where would be the best place to download the debug build bits from?

Odd thing is, my code used to work a few months ago (I went back and checked dates on my blog posts), but MS did update the *.servicebus.windows.net cert on 29/4/2015, which makes me wonder....

Thanks

Bryn

@KiwiDev

blog.devmobile.co.nz



#4 KiwiDev (Advanced Member, New Zealand)

Posted 16 July 2015 - 09:12 AM

Hi Chris,

Grabbed the source off github and fired up the debugger. Some slight issues: the source may not be the most recent, plus the debugger was a bit flaky, but hopefully this is useful.

In my C# code it started at

using (var response = (HttpWebResponse)request.GetResponse())

My cut-and-paste call stack:

public override WebResponse GetResponse()

private void SubmitRequest()

private InputNetworkStreamWrapper EstablishConnection(Uri proxyServer, Uri targetServer)

sslStream.AuthenticateAsClient(m_originalUrl.Host, null, m_caCerts, SslVerification.CertificateRequired, SslProtocols.Default);

public void AuthenticateAsClient(string targetHost, X509Certificate cert, X509Certificate[] ca, SslVerification verify, params SslProtocols[] sslProtocols)

internal void Authenticate(bool isServer, string targetHost, X509Certificate certificate, X509Certificate[] ca, SslVerification verify, params SslProtocols[] sslProtocols)

In the debugger the parameters at this stage were

false
"myhomemonitor.servicebus.windows.net"
null
null
Verify 4
SslProtocols - 24

Then the debugger started to get quite flaky.

I think the exception came from inside

_socket.GetSocketOption(SocketOptionLevel.Socket, (SocketOptionName)0x400002, addressAndHandle);

addressAndHandle contained

[0]0
[1]0
[2]1
[3]187
[4]191
[5]239
[6]64
[7]144
[8]4
[9]255

Hope this helps, anything else I can do?

Bryn

@KiwiDev

blog.devmobile.co.nz
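As an added example (not part of the post, and not the .NET MF socket code), a decoder for the ten bytes read out of addressAndHandle above. It assumes a sockaddr_in-style layout (2-byte family, 2-byte big-endian port, 4-byte IPv4 address, then whatever trails it), which the page does not document; under that assumption the buffer describes a connected socket to port 443 on 191.239.64.144, i.e. DNS resolution and the TCP connect succeeded and the failure lies in the TLS handshake itself.

```python
# The ten bytes KiwiDev read out of addressAndHandle in the debugger (copied
# from the post above).
ADDRESS_AND_HANDLE = bytes([0, 0, 1, 187, 191, 239, 64, 144, 4, 255])


def decode_address_and_handle(buf: bytes) -> dict:
    """Decode the buffer assuming a sockaddr_in-style layout (an assumption,
    not something the page documents): 2-byte address family, 2-byte port in
    network byte order, 4-byte IPv4 address, then any trailing bytes, which
    here are presumably the handle part of 'addressAndHandle'."""
    if len(buf) < 8:
        raise ValueError("buffer too short for family + port + IPv4 address")
    family = int.from_bytes(buf[0:2], "big")
    port = int.from_bytes(buf[2:4], "big")   # 0x01BB == 443, the HTTPS port
    ip = ".".join(str(b) for b in buf[4:8])
    return {"family": family, "port": port, "ip": ip, "trailing": buf[8:].hex()}


if __name__ == "__main__":
    print(decode_address_and_handle(ADDRESS_AND_HANDLE))
```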



#5 Paolo Patierno (Advanced Member, Italy)

Posted 23 July 2015 - 08:37 AM

Hi KiwiDev,

I'm a big fan of AMQP instead of HTTP, and today I'm able to use service bus without problems.

However, I opened the following question on CodePlex related to SSL access from .Net MF, without any replies from the team:

http://netmf.codeple...m/workitem/2381

What do you think about that? It's strictly related to certificate verification and how it works on .Net MF.

Thanks,

Paolo.


Paolo Patierno

Microsoft MVP on Windows Embedded & IoT

Azure Advisor

Twitter : @ppatierno
Linkedin : paolopatierno
Blog : DevExperience

Blog : Embedded101


#6 KiwiDev (Advanced Member, New Zealand)

Posted 30 July 2015 - 10:49 AM

Hi Paolo,

Been a bit mad here working on a project pitch document and my MS Ignite NZ presentation.

I think it's related to the crypto options supported/set up on the CC3100.

Will build a debug version of the IP stack and drill down into the code once the presentation is done.

@KiwiBryn

blog.devmobile.co.nz



#7 Paolo Patierno (Advanced Member, Italy)

Posted 02 August 2015 - 02:18 PM

I don't know if the problem is related to the crypto suites supported by the CC3100, but there is a very strange behaviour in the SSL handshake using .Net Micro Framework.

Your HTTP-based methods, as a last step, use a Socket and do the SSL handshake on it. It's the same in the applications I developed that use Socket directly. On my side, as I described in an issue on the .Net MF interpreter repository on GitHub, it seems that no validation happens.

On your side (with HTTP) it seems that a bit of validation happens, and now you have the problem.

Very strange ...

Paolo.


Paolo Patierno

Microsoft MVP on Windows Embedded & IoT

Azure Advisor

Twitter : @ppatierno
Linkedin : paolopatierno
Blog : DevExperience

Blog : Embedded101