The Netduino forums have been replaced by new forums at community.wildernesslabs.co. This site has been preserved for archival purposes only and the ability to make new accounts or posts has been turned off.

SSL not working?

SSL Certificates Certificate Authority CA Event Hubs Azure

8 replies to this topic

#1 pdii

  • Member
  • 29 posts

Posted 14 August 2015 - 09:39 PM

I just got my hands on a few N3Ws and was most interested in their support for SSL/TLS.  The #1 thing I want to do with these is send data to an Event Hub in Azure.

It is my understanding that:

  • To connect to https:// or amqps://<event_hub_namespace>-ns.servicebus.windows.net/<event_hub_name> my N3W will need to have the root CA cert for the *.servicebus.windows.net certificate available to validate each call to my event hub.
  • .NET MF doesn't include root CA certificates due to space constraints and therefore I must embed the root CA for any endpoint to which I want to establish an SSL connection with the project that is deployed to my N3W.  I followed the advice here to acquire the CA certificate for my event hub.
  • For SSL to work on .NET MF, my N3W needs
    • to have an accurate device time (which it can acquire via an NTP server)
    • the SSL seed needs to be generated using the MFDeploy tool (not exactly sure why or in which scenarios I need to regen again)
  • I can't use the portable HTTP client because it doesn't support .NET MF, and instead must use either:
    1. HttpWebRequest and pass the embedded CA cert for the event hub endpoint in the HttpWebRequest.HttpsAuthentCerts property.
    2. wrap a NetworkStream generated from a TcpClient in an SslStream and implement the SslStream's certificateSelection and certificateValidation callbacks (potentially like this) in order to make this connection.

I've tried implementing the HttpWebRequest approach first.  I ran into issues similar to what was described in this post.

After facing these issues, I decided that I would try a different endpoint.  I issued an HTTPS GET request to https://www.google.com/.  This seemed to work.  However, it would work if I didn't present the root CA cert, if I did present the root CA cert and even if I presented the wrong root CA cert in the HttpWebRequest.HttpsAuthentCerts property.  I think this is the same issue that ppatierno raises on the .NET MF's GitHub site.

I'm concerned that cert validation isn't working.  The GET to https://www.google.com scenario makes me think that even if I go through the trouble of adding the root CA cert, I could still fall victim to a man-in-the-middle attack.

Has anyone validated that they get some sort of exception when attempting to make an SSL connection to an endpoint that is presenting an invalid cert?

In order to get this level of verification, do I need to skip the HttpWebRequest approach and go down the TcpClient/NetworkStream/SslStream approach?

Where can I get more details on the purpose of SSL seed generation?

I'm new to .NET MF, so I'm somewhat expecting that there's just something obviously wrong with my approach.  If not, and if it is helpful, I'm willing to upload a small sample program that illustrates these issues.

Thanks in advance for any help you can provide!



#2 KiwiDev

  • Advanced Member
  • 100 posts
  • Location: New Zealand

Posted 17 August 2015 - 11:40 AM

Hi pdii,

I have been experiencing a similar issue:

http://forums.netdui...port-questions/

Once my MS Ignite presentation is finished I'm going to have some time for a serious debugging session.

More info about what I tried is at

http://blog.devmobil...rtificate-issue

@KiwiBryn

blog.devmobile.co.nz



#3 pdii

  • Member
  • 29 posts

Posted 17 August 2015 - 01:48 PM

Thanks for the response KiwiDev.  I read a few of your blog posts while investigating this issue.

One thing that I didn't quite understand is why you didn't use the HttpWebRequest.HttpsAuthentCerts property in the netduino post and the blog entry you've linked to, like you did in one of your other blog posts.  Under what scenarios do you and don't you need to use this property?

I'm new to .NET MF, so apologies if this is a stupid question.



#4 KiwiDev

  • Advanced Member
  • 100 posts
  • Location: New Zealand

Posted 19 August 2015 - 11:15 AM

Hi pdii,

I didn't use the HttpsAuthentCerts param as in the source the X509 cert parameters are not used.

See the Authenticate method around line 68:

https://github.com/n...ty/SslStream.cs

I have a similar requirement to you, getting data into an Azure Event Hub, so I'm going to give AMQPLite by Paolo Patierno a try.

Using AMQP is most probably going to be a happier place than HTTPS for my application in the longer term.



#5 pdii

  • Member
  • 29 posts

Posted 23 August 2015 - 09:46 PM

Ahh, so it seems this is because the Netduino implementation of SslStream for the CC3100 hasn't yet implemented certificate validation.  I'm assuming that the reason why you did reference HttpsAuthentCerts in your other blog post was because you were using a FezSpider and they must have implemented certificate validation in their SslStream?

Thanks for the link to AMQPLite.  However, since AMQPS is just a protocol like HTTPS, won't it rely on Netduino's implementation of SslStream, and won't it run into the same issues as HTTPS on a N3W?

Chris, is this true?  Although the N3W hardware supports SSL 3.0 and TLS 1.2, we'll need an update to Netduino.IP / the CC3100 firmware (not sure if I'm using the proper terminology here) before the N3Ws will be able to communicate securely w/o a gateway device in front of them?

If not, would you mind adding happy and sad path test cases to the NetduinoIP_StackTests.zip project you referred to here so that we can see how to get this working?

Thank you!



#6 KiwiDev

  • Advanced Member
  • 100 posts
  • Location: New Zealand

Posted 25 August 2015 - 11:02 AM

Hi pdii,

Yes, I was using a Fez Spider which appears to have certificate support.

At the time I built my RESTful Event Hub client it was the only platform I had that could do HTTPS.

I have got an AMQPNetLite & azuresblite based application working on my Netduino 3 WiFi this evening and have started writing a blog post about it.

My demo application has telemetry upload to an Azure Event Hub and command download via a Service Bus queue.



#7 pdii

  • Member
  • 29 posts

Posted 27 August 2015 - 06:43 AM

I just read your post.  Here it is if others are interested.

Based on line 71 of AMQPNetLite's TcpTransport class, how is verification of the peer being performed when null is being passed for the certificate in the AuthenticateAsClient method?

It is my understanding that we need to provide the root CA's cert for the endpoint we want to connect to in order for verification to be performed.



#8 Paolo Patierno

  • Advanced Member
  • 169 posts
  • Location: Italy

Posted 01 September 2015 - 01:01 PM

Hi guys!

As @KiwiDev already knows, how the SSL handshake works fine in the AMQP .Net Lite library on .Net Micro Framework seems to be a mystery ...

I have already opened an issue on the official GitHub project but until today no replies.

@pdii, follow the link if you are interested.

I hope to have a reply very soon but until that day it seems that the SSL/TLS connection works fine even if the client doesn't check the server certificate validity! Yeeeee :-)

Paolo.


Paolo Patierno

Microsoft MVP on Windows Embedded & IoT

Azure Advisor

Twitter : @ppatierno
Linkedin : paolopatierno
Blog : DevExperience

Blog : Embedded101
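Editor's note on the happy and sad path test cases pdii asks for in posts #1 and #5, and on what KiwiDev (#4, #7) and Paolo (#8) describe, a client that completes the handshake without checking the server certificate: the harness below is an added example, not code from this thread, from Netduino.IP, from the CC3100 firmware, from NetduinoIP_StackTests or from AMQP .Net Lite. It is written in Go rather than C# because Go's standard library can mint the test certificates in memory, so the whole thing runs offline; the hostname eventhub.test, the two CA names and every key are constructed for the example and stand in for the real *.servicebus.windows.net chain. A client that validates the chain against one pinned root (the job HttpsAuthentCerts is meant to do) must accept the genuine certificate, must reject a certificate for the same host issued by a different CA, and must reject everything when no root is supplied at all. The fourth row uses InsecureSkipVerify to model a stack that ignores the trust anchor; it accepts the rogue certificate, which is exactly why the google.com request in post #1 succeeding with the wrong root is a red flag rather than a success.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// host is a constructed name standing in for <namespace>-ns.servicebus.windows.net.
const host = "eventhub.test"

func must[T any](v T, err error) T { // generation or listen failures are fatal in a test harness
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a constructed leaf (default) or root-CA certificate template; no real CA material is used.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{host},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// issue creates an in-memory root CA named caName and a server certificate for host chained to it.
func issue(caName string) (*x509.Certificate, tls.Certificate) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := template(caName, true)
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafDER := must(x509.CreateCertificate(rand.Reader, template(host, false), root, &leafKey.PublicKey, rootKey))
	return root, tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}
}

// handshake dials a loopback TLS server presenting serverCert and returns the client's verdict: nil if
// the client accepted the server, an error if it refused to complete the handshake.
func handshake(serverCert tls.Certificate, roots *x509.CertPool, skipVerify bool) error {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}}))
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			_ = conn.(*tls.Conn).Handshake() // server side; only the client's verdict is under test
			conn.Close()
		}
	}()
	// RootCAs is the single pinned root, the job HttpsAuthentCerts is meant to do; skipVerify models a stack that ignores it.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: host, RootCAs: roots, InsecureSkipVerify: skipVerify})
	if err != nil {
		return err
	}
	return conn.Close()
}

type Result struct {
	Name      string
	Rejected  bool // the client refused to complete the handshake
	CertError bool // and the reason was chain validation (x509.UnknownAuthorityError), not a transport fault
}

// RunScenarios exercises the happy and sad paths a stack test should cover.
func RunScenarios() []Result {
	trustedRoot, genuine := issue("Trusted Root CA (constructed)")
	_, mitm := issue("Rogue CA (constructed)") // what an interceptor would present for the same host
	pinned := x509.NewCertPool()
	pinned.AddCert(trustedRoot)
	cases := []struct{ name string; cert tls.Certificate; roots *x509.CertPool; skip bool }{
		{"happy: genuine cert, correct root pinned", genuine, pinned, false},
		{"sad: rogue-CA cert, correct root pinned", mitm, pinned, false},
		{"sad: genuine cert, no root supplied", genuine, x509.NewCertPool(), false},
		{"broken stack: rogue-CA cert, verification skipped", mitm, pinned, true},
	}
	var out []Result
	for _, c := range cases {
		err := handshake(c.cert, c.roots, c.skip)
		var unknown x509.UnknownAuthorityError
		out = append(out, Result{c.name, err != nil, errors.As(err, &unknown)})
	}
	return out
}

func main() {
	for _, r := range RunScenarios() {
		fmt.Printf("%-52s rejected=%-5v certError=%v\n", r.Name, r.Rejected, r.CertError)
	}
}
```

Run it with `go run`; each line prints the scenario, whether the client rejected the server, and whether the rejection was a chain-validation error rather than a transport fault. The same four rows are what a .NET MF stack test (or a hand-rolled SslStream.AuthenticateAsClient check) needs: present the genuine certificate, a rogue-CA certificate for the same host, and no trust anchor, and expect an exception in the last two cases. A stack that passes only the first row and never throws is behaving like the fourth row, whatever you put in HttpsAuthentCerts.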


#9 Paolo Patierno

  • Advanced Member
  • 169 posts
  • Location: Italy

Posted 21 October 2015 - 12:14 PM

There is an update from the team on this problem:

https://github.com/N...eter/issues/251







Copyright © 2016 Wilderness Labs Inc.  |  Legal   |   CC BY-SA
This webpage is licensed under a Creative Commons Attribution-ShareAlike License.