• AVR Freaks

Author: BillP (Super Member, joined 2014/09/28, location CA)
2020/02/17 10:56:48 (permalink)

Hv3 https

A previous post (https://www.microchip.com/forums/FindPost/1127144) started a discussion of https using Hv3.  This post continues just for that issue.  

https uses encryption and TLS handshaking which is provided by wolfSSL in the Harmony distro.  Here are the problems (and solutions) I discovered in order to make an https web server work in Hv3.

1.  Add the wolfSSL library to the Project Graph.  This resulted in compile errors.  The problem is the wrong version of the wolfSSL library is downloaded from github.  The version should be 4.1.2-stable, not the latest version.  This will be fixed in a future release.
2.  Connect the wolfCrypt library to the wolfSSL Library, and the wolfSSL Library to the TLS Provider (Instance 0) of the Presentation Layer.  Set the configuration options for encryption.  Set the HTTP NET Listening port to 443 in the HTTPNET SERVER.
3.  Go to a browser and type in https://192.168.100.10.  Either nothing happens or you get a warning message about an unsafe host. Try to go to the website.  Chrome may allow it, others will not.  

The problem is the TLS handshake and the certificate that is used in the browser and the server.  wolfSSL provides a generic cert that seems to work in Chrome, but not in the other browsers.  WolfSSL was very helpful in solving this issue.  They provided the following guides for the various browsers:

Firefox guide: https://knowledge.digicer.com/solution/SO5437.html
Safari guide: https://knowledge.digicer..m/solution/SO29278.html
Chrome/Explorer guide: https://knowledge.digicer.com/solution/SO7085.html

These certificates (aka certs) are magic (to me).  In Firefox you must import a file with a .p12 extension (the file contains both the cert and a key). In Safari, you need a .cer extension for the import using a file copied from the guide URL.  

My guess/opinion is that if you want to add an https server to your Hv3 project, you will need to get help from the 3rd party vendor (i.e. wolfSSL).  If anyone has figured out the certs for a Harmony project, please post your experiences.



#1
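The two import files the post mentions, a .p12 for Firefox and a .cer for Safari, are just two containers for the same self-signed certificate. The script below is an added example, not the poster's, Harmony's or wolfSSL's code: it builds a self-signed test certificate for the board address used in the post (192.168.100.10), exports it in both formats, and prints the subjectAltName that the browser actually matches against the URL. It assumes openssl 1.1.1 or newer on the development PC; the hostname hv3.local and the export password "changeit" are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread, Harmony or wolfSSL: produce a self-signed
# test certificate for the board at 192.168.100.10 (the address used in the
# post) plus the two import formats mentioned there, a PKCS#12 bundle (.p12,
# cert + key) for Firefox and a DER certificate (.cer) for Safari.
# Assumptions: openssl 1.1.1 or newer; the hostname hv3.local and the password
# "changeit" are made up for this example.
set -eu

make_test_cert() {
    dir=$1
    mkdir -p "$dir"
    # Key pair and self-signed certificate in one step. Browsers match the URL
    # against subjectAltName, not the CN, so the IP typed into the address bar
    # has to appear there or the "unsafe host" warning persists even after the
    # certificate is imported.
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -keyout "$dir/hv3-key.pem" -out "$dir/hv3-cert.pem" \
        -subj "/CN=hv3.local/O=Hv3 test" \
        -addext "subjectAltName=IP:192.168.100.10,DNS:hv3.local" \
        -addext "extendedKeyUsage=serverAuth" 2>/dev/null
    # .p12: certificate and private key in one password-protected container.
    # A password on the command line is acceptable only for a throwaway test
    # key like this one.
    openssl pkcs12 -export -inkey "$dir/hv3-key.pem" -in "$dir/hv3-cert.pem" \
        -name "Hv3 test certificate" -passout pass:changeit -out "$dir/hv3.p12"
    # .cer: the certificate alone, DER encoded, no private key inside.
    openssl x509 -in "$dir/hv3-cert.pem" -outform DER -out "$dir/hv3.cer"
    printf '%s\n' "$dir"
}

# The subjectAltName value as the browser will see it, for a quick sanity check.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Exit 0 if the DER .cer ($2) holds the same certificate as the PEM ($1).
same_cert() {
    [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$2" -inform DER -noout -fingerprint -sha256)" ]
}

out=$(make_test_cert "$(mktemp -d)")
echo "files:   $(ls "$out" | tr '\n' ' ')"
echo "SAN:     $(cert_san "$out/hv3-cert.pem")"
same_cert "$out/hv3-cert.pem" "$out/hv3.cer" && echo "hv3.cer matches hv3-cert.pem"
```

hv3-key.pem is what goes onto the device together with hv3-cert.pem; the .p12 also carries that private key, so treat it as a secret even for a test setup. Importing either file only removes the warning on the one PC where it was imported, which is why the replies below point at a CA-signed certificate for anything beyond a bench test.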

4 Replies

    aschen0866 (Super Member, joined 2006/01/08, location San Diego)
    Re: Hv3 https 2020/02/17 16:14:53 (permalink)
    If you need to host an HTTPS server, the server's certificate needs to be signed by a well-known certificate authority. For example, this is www.amazon.com's certificate chain:

    This means the client's browser or his OS must contain the CA (Certificate Authority) certificate from DigiCert Global Root G2 or DigiCert Global CA G2, otherwise the client will get those warnings you mentioned. In this example, DigiCert Global Root G2 is known as the Root CA and DigiCert Global CA G2 is the intermediate signing certificate.
     
    wolfSSL or Harmony can't "give" you a server certificate as it has to be uniquely representing your organization, and you'll have to have the unique private key installed on the server side.
     
    A common procedure is to use tools like OpenSSL to generate a pair of public/private keys, then generate a Certificate Signing Request (CSR). You send the CSR to a well-known CA. After verification, they will send you the server certificate signed by their signing certificate.
     
    #2
    BillP (Super Member, joined 2014/09/28, location CA)
    Re: Hv3 https 2020/02/18 12:03:12 (permalink)
    @aschen0866 - thank you for the excellent explanation.  Now I have some questions for wolfSSL.

    aschen0866
    wolfSSL or Harmony can't "give" you a server certificate as it has to be uniquely representing your organization, and you'll have to have the unique private key installed on the server side.

    There are configuration options for wolfSSL that suggest the certs can be created within Harmony/wolfSSL (see attached).  There is no documentation explaining those options, so I will have to contact wolfSSL and report back later.


    post edited by BillP - 2020/02/18 12:04:36

    Attached Image(s)

    #3
    kaleb (New Member, joined 2016/08/11)
    Re: Hv3 https 2020/02/18 13:20:34 (permalink)
    @aschen0866  is absolutely correct, so how to explain this simply...
     
    What does it take to be a trusted root authority?
     
    Condition 1) A trusted entity that every PC, Mac, Chrome web browser, Internet Explorer, Firefox, and so on can trust.
     
    Condition 2) Rigorous oversight from both private enterprises and governments to ensure secure storage of private keys used to sign other certs.
    Condition 3) Root Certificates are pre-loaded in the factory into all browsers and/or operating systems.
     
    Is wolfSSL such a trusted organization? Answer is no. Why not? Because wolfSSL isn't known by everyone and certs we create are not sent to the factory for loading into every browser and OS. wolfSSL is not subject to rigorous oversight from both the government and private corporations who want to ensure there is no possible way that our private keys could be stolen and result in certs issued with a compromised key. So who would be a trusted organization that could sign my cert so every device trusts my cert? Answers are:
     
    Comodo, Symantec, GoDaddy, ... list here: https://en.wikipedia.org/wiki/Certificate_authority
     
    BillP
    @aschen0866 - thank you for the excellent explanation.  Now I have some questions for wolfSSL.
    There are configuration options for wolfSSL that suggest the certs can be created within Harmony/wolfSSL (see attached).  There is no documentation explaining those options, so I will have to contact wolfSSL and report back later.

    Yes wolfSSL can be used to create certs for testing purposes but like you mentioned in the opening you'll have to jump through some hoops to get your browser to trust those certs. You can also use wolfSSL to create a Certificate Signing Request (CSR) like @aschen0866 mentioned, you would then send that CSR to Comodo, or Symantec, or GoDaddy... and pay a fee (I think they charge on a yearly basis) to have your cert be signed by one of the universally trusted Root Authorities! That cert will be good for the amount of time you pay for and every browser, PC, smart phone etc that comes pre-loaded with root certificates from the factory will automatically trust your cert since those devices all have a copy of the Root CA cert whose associated private key ultimately signed your certificate.
     
    I was actually just writing an explanation on this topic the other day, once we have the document edited and posted on our website I'll update this post with a link.
     
    Cheers,
     
    K
     
     
    #4
    kaleb (New Member, joined 2016/08/11)
    Re: Hv3 https 2020/02/18 15:05:20 (permalink)
    As promised here is a link to that document describing certs, keys, and chains of trust/how the chain of trust is established and what it is.
     
    https://www.wolfssl.com/c...ate-chain-chain-trust/
    #5