
ThreadX NetXDuo https client post request problem


I'm currently working on sending an HTTPS POST request using NetX Duo. However, I encounter a TLS-related error during the process. I am using the Cloudflare CA certificate (the CA itself works: I have already used it successfully for MQTTS).

#define NX_SECURE_TLS_UNSUPPORTED_TLS_VERSION 0x110 /* An incoming record had a valid TLS version, but one that isn't supported. */

Below is the relevant part of my code:

tls_setup_callback

/* Trust anchor installed into the session's trusted store by tls_setup_callback(). */
static NX_SECURE_X509_CERT trusted_certificate;

/* Certificates received from the remote host during the handshake, plus the
 * raw storage that nx_secure_tls_remote_certificate_allocate() binds to them. */
static NX_SECURE_X509_CERT remote_certificate;
static NX_SECURE_X509_CERT remote_issuer;
static UCHAR remote_cert_buffer[4096];
static UCHAR remote_issuer_buffer[4096];

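/*
 * TLS setup callback for the HTTPS client.
 *
 * Creates the TLS session, attaches the reassembly buffer, installs the CA
 * used to validate the server chain and provides storage for the two
 * certificates the server sends. Every NetX Secure call that returns a
 * status is checked, so a failed trust-store or buffer setup aborts the
 * connection instead of silently leaving the session without a CA.
 *
 * NOTE(review): nothing here ties the validated chain to a particular server
 * name (no SNI extension, no peer-name check); any certificate issued by the
 * installed CA is accepted.
 *
 * client_ptr:  HTTP client whose embedded TLS session is being configured.
 * tls_session: TLS session handed in by the library. The original code used
 *              both this pointer and &client_ptr->nx_web_http_client_tls_session;
 *              they are assumed to be the same object — confirm against the
 *              NetX Web source.
 * Returns NX_SUCCESS, or the first non-zero NetX status encountered.
 */
static UINT tls_setup_callback(NX_WEB_HTTP_CLIENT *client_ptr, NX_SECURE_TLS_SESSION *tls_session)
{
    NX_SECURE_TLS_SESSION *session = &(client_ptr -> nx_web_http_client_tls_session);
    UINT status;

    /* Initialize and create TLS session. */
    status = nx_secure_tls_session_create(tls_session, &nx_crypto_tls_ciphers, crypto_metadata_client, sizeof(crypto_metadata_client));
    if (status)
    {
        return(status);
    }

    /* Allocate space for packet reassembly. */
    status = nx_secure_tls_session_packet_buffer_set(session, tls_packet_buffer, sizeof(tls_packet_buffer));
    if (status)
    {
        return(status);
    }

    /* Parse the CA certificate and add it to the trusted store. An unchecked
     * failure here would leave the store empty and every chain unverifiable. */
    status = nx_secure_x509_certificate_initialize(&trusted_certificate, (UCHAR*)origin_ca_rsa_root_der, origin_ca_rsa_root_der_len, NX_NULL, 0, NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
    if (status)
    {
        return(status);
    }
    status = nx_secure_tls_trusted_certificate_add(session, &trusted_certificate);
    if (status)
    {
        return(status);
    }

    /* Storage for the server certificate and its issuer as they arrive. */
    status = nx_secure_tls_remote_certificate_allocate(session, &remote_certificate, remote_cert_buffer, sizeof(remote_cert_buffer));
    if (status)
    {
        return(status);
    }
    status = nx_secure_tls_remote_certificate_allocate(session, &remote_issuer, remote_issuer_buffer, sizeof(remote_issuer_buffer));
    if (status)
    {
        return(status);
    }

    return(NX_SUCCESS);
}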

http_request

/* The single HTTPS client instance driven by http_request(). */
static NX_WEB_HTTP_CLIENT my_client;

/* Number of failures observed by http_request(); only ever incremented here. */
static UINT error_counter = 0;

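/*
 * Perform one HTTPS POST of a small fixed payload and drain the response.
 *
 * Resolves SERVER_DNS_NAME, starts a secure POST through tls_setup_callback,
 * sends the body, then reads response packets until the library reports a
 * non-zero status. Each failure increments error_counter, and the client is
 * deleted before returning on every path that got as far as creating it.
 *
 * Changes relative to the original sequence:
 *  - the garbled ">> 8" byte extraction in the IP printout is restored;
 *  - the statuses of client create, post start, packet allocate and data
 *    append are checked instead of carrying on with a half-set-up request
 *    (a failed post start, e.g. 0x110, means no TLS session exists at all);
 *  - response data is printed while the packet is still ours, not after the
 *    loop has already released it (use-after-release plus a double release);
 *  - send_packet is released only on the put_packet failure path: the
 *    original's own failure handling implies ownership passes to the library
 *    on success, so the trailing release was a second release of that packet;
 *  - the body printout is bounded by the first buffer of the packet rather
 *    than nx_packet_length, which counts the whole chain.
 */
void http_request()
{
    NX_PACKET *recv_packet = NX_NULL;
    NX_PACKET *send_packet = NX_NULL;
    UINT status;
    ULONG body_total = 0;

    /* Fixed request body; sizeof(pkt) is also advertised as the content length. */
    static char pkt[] = {
        0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 /* AAAAAAAAAA */
    };

    #define SERVER_DNS_NAME "locall.ugurtumer.tech"

    /* Create an HTTP client instance. */
    status = nx_web_http_client_create(&my_client, "HTTP Client", &EthIP, &EthPool, 1536);
    if (status)
    {
        printf("HTTP client create failed: 0x%02X\n", status);
        error_counter++;
        return;
    }

    /* Resolve the server name to an IPv4 address. */
    NXD_ADDRESS server_ip_address;
    server_ip_address.nxd_ip_version = 4;
    status = nx_dns_host_by_name_get(&dns_client, (UCHAR *)SERVER_DNS_NAME,
                                     &server_ip_address.nxd_ip_address.v4, DEFAULT_TIMEOUT);
    if (status != NX_SUCCESS)
    {
        printf("DNS lookup failed\n");
        Error_Handler();
        /* Error_Handler() is not assumed to return; if it does, do not carry on with a bad address. */
        error_counter++;
        goto cleanup;
    }
    printf(
        "Server IP: %lu.%lu.%lu.%lu\n",
        (server_ip_address.nxd_ip_address.v4 >> 24) & 0xFF,
        (server_ip_address.nxd_ip_address.v4 >> 16) & 0xFF,
        (server_ip_address.nxd_ip_address.v4 >> 8) & 0xFF,
        server_ip_address.nxd_ip_address.v4 & 0xFF
    );

    nx_web_http_client_response_header_callback_set(&my_client, http_response_callback);

    /* Run the TLS handshake (via tls_setup_callback) and send the request line and headers. */
    status = nx_web_http_client_post_secure_start(&my_client, &server_ip_address, NX_WEB_HTTPS_SERVER_PORT,
                                                  "/index.htm",
                                                  SERVER_DNS_NAME,
                                                  NX_NULL, NX_NULL, sizeof(pkt), tls_setup_callback, NX_WAIT_FOREVER);
    printf("Post secure start status: 0x%02X\n", status);
    if (status)
    {
        /* e.g. 0x110 (NX_SECURE_TLS_UNSUPPORTED_TLS_VERSION): nothing below can succeed without a session. */
        error_counter++;
        goto cleanup;
    }

    /* Allocate a packet and copy the body into it. */
    status = nx_web_http_client_request_packet_allocate(&my_client, &send_packet, NX_WAIT_FOREVER);
    if (status)
    {
        error_counter++;
        goto cleanup;
    }
    status = nx_packet_data_append(send_packet, pkt, sizeof(pkt), &EthPool, NX_WAIT_FOREVER);
    if (status)
    {
        nx_packet_release(send_packet);
        error_counter++;
        goto cleanup;
    }

    /* On success the library owns send_packet; on failure it is still ours to release. */
    status = nx_web_http_client_put_packet(&my_client, send_packet, 1 * NX_IP_PERIODIC_RATE);
    if (status)
    {
        nx_packet_release(send_packet);
        error_counter++;
        goto cleanup;
    }

    /* Drain the response. Each packet is printed and released while it is still
     * ours; nx_web_http_client_response_body_get returns non-zero once the body
     * is complete or on error, and recv_packet is not valid after that. */
    printf("Received response body:\n");
    while (1)
    {
        status = nx_web_http_client_response_body_get(&my_client, &recv_packet, NX_WAIT_FOREVER);
        if (status)
        {
            break;
        }

        /* Only the first buffer of a possibly chained packet is printed; its
         * length is the prepend/append span, not nx_packet_length (whole chain). */
        body_total += recv_packet -> nx_packet_length;
        printf("%.*s", (int)(recv_packet -> nx_packet_append_ptr - recv_packet -> nx_packet_prepend_ptr),
               (const char *)recv_packet -> nx_packet_prepend_ptr);
        nx_packet_release(recv_packet);
        recv_packet = NX_NULL;
    }
    printf("\n(%lu body bytes received, final status 0x%02X)\n", body_total, status);

cleanup:
    /* Tear down the client. */
    status = nx_web_http_client_delete(&my_client);
    if (status)
    {
        error_counter++;
    }
}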
  • The server IP address is correct, there is no error in the DNS server.

  • I can send a request to the server over HTTPS using TLS v1.2 (you may not be able to send a request yourself when you try, because I am using a Cloudflare (CF) tunnel).

  • I tried replacing nx_web_http_client_post_secure_start with the other secure functions, but the problem is still the same.

 


     

    I fixed the issue with the following steps:

    1. Initial Problem: First, I identified a problem related to nx_secure_user.h.

    2. Alert Error: After that, I encountered the error 0x114, where the alert level was 0x02 and the alert value was 0x28 (packet data: 15 03 03 00 02 02 28), i.e. a fatal (level 2) handshake_failure (40) alert. I realized I was using the wrong CA for my HTTPS client.
      (To test your CA certificate, you can use the following command: openssl s_client -connect locall.ugurtumer.tech:443 -servername locall.ugurtumer.tech -CAfile r4.pem -tls1_2. You should see Verify return code: 0 (ok) if the CA is correct.)

    3. Cipher Error: After fixing the CA issue, I encountered the same error again, which turned out to be caused by a cipher-suite mismatch.
      (To identify the correct cipher, you can use Postman. Send a request and check the Postman console for the cipher details under standardName, e.g., TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.)

    4. Configuration Updates: To resolve this, I had to define the following macros:

      • NX_SECURE_ENABLE_AEAD_CIPHER
      • NX_SECURE_ENABLE_ECC_CIPHERSUITE
    5. Callback Function: Finally, I updated my tls_setup_callback function.

     
     

     

    /* DER-encoded CA certificate (contents elided in the post) and its length in bytes. */
    const unsigned char r4_crt[] = {...}
    const unsigned int r4_crt_len = 525;

    /* Trust anchor installed into the TLS session's trusted store. */
    static NX_SECURE_X509_CERT trusted_certificate;

    /* Certificates received from the server during the handshake and the raw
     * storage bound to them. Author's note (translated from Turkish): 946 bytes
     * of remote_cert_buffer are used and byte 947 is \000; 674 bytes of
     * remote_issuer_buffer are used and byte 675 is \000 — re-check and enlarge
     * later if necessary.
     * NOTE(review): these sizes are tuned to the certificates observed at the
     * time; a larger certificate after the server rotates it will make the
     * handshake fail until the buffers are enlarged. */
    static NX_SECURE_X509_CERT remote_certificate;
    static NX_SECURE_X509_CERT remote_issuer;
    static UCHAR remote_cert_buffer[1024];
    static UCHAR remote_issuer_buffer[768];

    /* Server name carried in the SNI extension. */
    NX_SECURE_X509_DNS_NAME dns_name;

    #define SERVER_DNS_NAME "locall.ugurtumer.tech"

    /* ECC group and curve tables defined elsewhere (the nx_crypto_ prefix
     * suggests the NetX Crypto library's generated tables). */
    extern const USHORT nx_crypto_ecc_supported_groups[];
    extern const NX_CRYPTO_METHOD *nx_crypto_ecc_curves[];
    extern const UINT nx_crypto_ecc_supported_groups_size;
    
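    /*
     * Certificate verification callback: accept the server certificate only if
     * its subject name matches SERVER_DNS_NAME. Chain validation against r4_crt
     * alone accepts any certificate that CA has issued, for any host name.
     *
     * session:     TLS session performing the handshake (unused here).
     * certificate: the remote certificate that passed chain validation.
     * Returns NX_SUCCESS to continue the handshake; any other NetX status
     * (the name-check result) aborts it.
     */
    static ULONG http_tls_certificate_verify(NX_SECURE_TLS_SESSION *session, NX_SECURE_X509_CERT *certificate)
    {
        (void)session;
        return(nx_secure_x509_common_name_dns_check(certificate, (const UCHAR *)SERVER_DNS_NAME, (UINT)strlen(SERVER_DNS_NAME)));
    }

    /*
     * TLS setup callback for the HTTPS client, ECC cipher-suite variant.
     *
     * Creates the TLS session with the ECC ciphers table, registers the ECC
     * curves (needs NX_SECURE_ENABLE_ECC_CIPHERSUITE), attaches the reassembly
     * buffer, installs r4_crt as the trust anchor, sets SNI to SERVER_DNS_NAME,
     * registers a peer-name check and provides storage for the two certificates
     * the server sends. Every NetX Secure status is checked; the original
     * ignored the results of the certificate, SNI and allocation calls, which
     * could leave the session without a CA or without SNI and still proceed.
     *
     * client_ptr:  HTTP client whose embedded TLS session is being configured.
     * tls_session: TLS session handed in by the library. The original used both
     *              this pointer and &client_ptr->nx_web_http_client_tls_session;
     *              they are assumed to be the same object — confirm against the
     *              NetX Web source.
     * Returns NX_SUCCESS, or the first non-zero NetX status encountered.
     */
    static UINT http_tls_setup_callback(NX_WEB_HTTP_CLIENT *client_ptr, NX_SECURE_TLS_SESSION *tls_session)
    {
        NX_SECURE_TLS_SESSION *session = &(client_ptr -> nx_web_http_client_tls_session);
        UINT status;

        /* Initialize and create TLS session. */
        status = nx_secure_tls_session_create(tls_session, &nx_crypto_tls_ciphers_ecc, crypto_metadata_client, sizeof(crypto_metadata_client));
        if (status)
        {
            return(status);
        }

        /* Register the ECC curves the ciphers table relies on. */
        status = nx_secure_tls_ecc_initialize(tls_session,
                                              nx_crypto_ecc_supported_groups,
                                              nx_crypto_ecc_supported_groups_size,
                                              nx_crypto_ecc_curves);
        if (status)
        {
            printf("Error: Unable to initialize ECC ciphers! 0x%x\n", status);
            return(status);
        }

        /* Clear the reassembly buffer before handing it to the session. */
        memset(tls_packet_buffer, 0, sizeof(tls_packet_buffer));
        status = nx_secure_tls_session_packet_buffer_set(session, tls_packet_buffer, sizeof(tls_packet_buffer));
        if (status)
        {
            return(status);
        }

        /* Trust anchor. A failure here would leave the store empty, so it is not ignored. */
        status = nx_secure_x509_certificate_initialize(&trusted_certificate, (UCHAR*)r4_crt, r4_crt_len, NX_NULL, 0, NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
        if (status)
        {
            return(status);
        }
        status = nx_secure_tls_trusted_certificate_add(session, &trusted_certificate);
        if (status)
        {
            return(status);
        }

        /* SNI, so the server selects the certificate for SERVER_DNS_NAME. */
        status = nx_secure_x509_dns_name_initialize(&dns_name, (UCHAR *)SERVER_DNS_NAME, strlen(SERVER_DNS_NAME));
        if (status)
        {
            return(status);
        }
        status = nx_secure_tls_session_sni_extension_set(tls_session, &dns_name);
        if (status)
        {
            return(status);
        }

        /* Tie the validated chain to the expected host name. */
        status = nx_secure_tls_session_certificate_callback_set(tls_session, http_tls_certificate_verify);
        if (status)
        {
            return(status);
        }

        /* Storage for the server certificate and its issuer as they arrive. */
        status = nx_secure_tls_remote_certificate_allocate(session, &remote_certificate, remote_cert_buffer, sizeof(remote_cert_buffer));
        if (status)
        {
            return(status);
        }
        status = nx_secure_tls_remote_certificate_allocate(session, &remote_issuer, remote_issuer_buffer, sizeof(remote_issuer_buffer));
        if (status)
        {
            return(status);
        }

        return(NX_SUCCESS);
    }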

     


     

    I fixed the issue with the following steps:

    1. Initial Problem: First, I identified a problem related to nx_secure_user.h.

    2. Alert Error: After that, I encountered the error 0x114, where the alert level was 0x02 and the alert value was 0x28 (packet data: 15 03 03 00 02 02 28), i.e. a fatal (level 2) handshake_failure (40) alert. I realized I was using the wrong CA for my HTTPS client.
      (To test your CA certificate, you can use the following command: openssl s_client -connect locall.ugurtumer.tech:443 -servername locall.ugurtumer.tech -CAfile r4.pem -tls1_2. You should see Verify return code: 0 (ok) if the CA is correct.)

    3. Cipher Error: After fixing the CA issue, I encountered the same error again, which turned out to be caused by a cipher-suite mismatch.
      (To identify the correct cipher, you can use Postman. Send a request and check the Postman console for the cipher details under standardName, e.g., TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.)

    4. Configuration Updates: To resolve this, I had to define the following macros:

      • NX_SECURE_ENABLE_AEAD_CIPHER
      • NX_SECURE_ENABLE_ECC_CIPHERSUITE
    5. Callback Function: Finally, I updated my tls_setup_callback function.

     
     

     

    /* DER-encoded CA certificate (contents elided in the post) and its length in bytes. */
    const unsigned char r4_crt[] = {...}
    const unsigned int r4_crt_len = 525;

    /* Trust anchor installed into the TLS session's trusted store. */
    static NX_SECURE_X509_CERT trusted_certificate;

    /* Certificates received from the server during the handshake and the raw
     * storage bound to them. Author's note (translated from Turkish): 946 bytes
     * of remote_cert_buffer are used and byte 947 is \000; 674 bytes of
     * remote_issuer_buffer are used and byte 675 is \000 — re-check and enlarge
     * later if necessary.
     * NOTE(review): these sizes are tuned to the certificates observed at the
     * time; a larger certificate after the server rotates it will make the
     * handshake fail until the buffers are enlarged. */
    static NX_SECURE_X509_CERT remote_certificate;
    static NX_SECURE_X509_CERT remote_issuer;
    static UCHAR remote_cert_buffer[1024];
    static UCHAR remote_issuer_buffer[768];

    /* Server name carried in the SNI extension. */
    NX_SECURE_X509_DNS_NAME dns_name;

    #define SERVER_DNS_NAME "locall.ugurtumer.tech"

    /* ECC group and curve tables defined elsewhere (the nx_crypto_ prefix
     * suggests the NetX Crypto library's generated tables). */
    extern const USHORT nx_crypto_ecc_supported_groups[];
    extern const NX_CRYPTO_METHOD *nx_crypto_ecc_curves[];
    extern const UINT nx_crypto_ecc_supported_groups_size;
    
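    /*
     * Certificate verification callback: accept the server certificate only if
     * its subject name matches SERVER_DNS_NAME. Chain validation against r4_crt
     * alone accepts any certificate that CA has issued, for any host name.
     *
     * session:     TLS session performing the handshake (unused here).
     * certificate: the remote certificate that passed chain validation.
     * Returns NX_SUCCESS to continue the handshake; any other NetX status
     * (the name-check result) aborts it.
     */
    static ULONG http_tls_certificate_verify(NX_SECURE_TLS_SESSION *session, NX_SECURE_X509_CERT *certificate)
    {
        (void)session;
        return(nx_secure_x509_common_name_dns_check(certificate, (const UCHAR *)SERVER_DNS_NAME, (UINT)strlen(SERVER_DNS_NAME)));
    }

    /*
     * TLS setup callback for the HTTPS client, ECC cipher-suite variant.
     *
     * Creates the TLS session with the ECC ciphers table, registers the ECC
     * curves (needs NX_SECURE_ENABLE_ECC_CIPHERSUITE), attaches the reassembly
     * buffer, installs r4_crt as the trust anchor, sets SNI to SERVER_DNS_NAME,
     * registers a peer-name check and provides storage for the two certificates
     * the server sends. Every NetX Secure status is checked; the original
     * ignored the results of the certificate, SNI and allocation calls, which
     * could leave the session without a CA or without SNI and still proceed.
     *
     * client_ptr:  HTTP client whose embedded TLS session is being configured.
     * tls_session: TLS session handed in by the library. The original used both
     *              this pointer and &client_ptr->nx_web_http_client_tls_session;
     *              they are assumed to be the same object — confirm against the
     *              NetX Web source.
     * Returns NX_SUCCESS, or the first non-zero NetX status encountered.
     */
    static UINT http_tls_setup_callback(NX_WEB_HTTP_CLIENT *client_ptr, NX_SECURE_TLS_SESSION *tls_session)
    {
        NX_SECURE_TLS_SESSION *session = &(client_ptr -> nx_web_http_client_tls_session);
        UINT status;

        /* Initialize and create TLS session. */
        status = nx_secure_tls_session_create(tls_session, &nx_crypto_tls_ciphers_ecc, crypto_metadata_client, sizeof(crypto_metadata_client));
        if (status)
        {
            return(status);
        }

        /* Register the ECC curves the ciphers table relies on. */
        status = nx_secure_tls_ecc_initialize(tls_session,
                                              nx_crypto_ecc_supported_groups,
                                              nx_crypto_ecc_supported_groups_size,
                                              nx_crypto_ecc_curves);
        if (status)
        {
            printf("Error: Unable to initialize ECC ciphers! 0x%x\n", status);
            return(status);
        }

        /* Clear the reassembly buffer before handing it to the session. */
        memset(tls_packet_buffer, 0, sizeof(tls_packet_buffer));
        status = nx_secure_tls_session_packet_buffer_set(session, tls_packet_buffer, sizeof(tls_packet_buffer));
        if (status)
        {
            return(status);
        }

        /* Trust anchor. A failure here would leave the store empty, so it is not ignored. */
        status = nx_secure_x509_certificate_initialize(&trusted_certificate, (UCHAR*)r4_crt, r4_crt_len, NX_NULL, 0, NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
        if (status)
        {
            return(status);
        }
        status = nx_secure_tls_trusted_certificate_add(session, &trusted_certificate);
        if (status)
        {
            return(status);
        }

        /* SNI, so the server selects the certificate for SERVER_DNS_NAME. */
        status = nx_secure_x509_dns_name_initialize(&dns_name, (UCHAR *)SERVER_DNS_NAME, strlen(SERVER_DNS_NAME));
        if (status)
        {
            return(status);
        }
        status = nx_secure_tls_session_sni_extension_set(tls_session, &dns_name);
        if (status)
        {
            return(status);
        }

        /* Tie the validated chain to the expected host name. */
        status = nx_secure_tls_session_certificate_callback_set(tls_session, http_tls_certificate_verify);
        if (status)
        {
            return(status);
        }

        /* Storage for the server certificate and its issuer as they arrive. */
        status = nx_secure_tls_remote_certificate_allocate(session, &remote_certificate, remote_cert_buffer, sizeof(remote_cert_buffer));
        if (status)
        {
            return(status);
        }
        status = nx_secure_tls_remote_certificate_allocate(session, &remote_issuer, remote_issuer_buffer, sizeof(remote_issuer_buffer));
        if (status)
        {
            return(status);
        }

        return(NX_SUCCESS);
    }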