ThreadX NetX Duo HTTPS 客户端 POST 请求问题(NX_SECURE_TLS_UNSUPPORTED_TLS_VERSION 0x110)

问题描述

我目前正在使用 NetX Duo 发送 HTTPS POST 请求,但在此过程中遇到了一个与 TLS 相关的错误。我使用的是 Cloudflare 的 CA 证书(这个 CA 本身没有问题,我已经用它成功建立过 MQTTS 连接)。

#define NX_SECURE_TLS_UNSUPPORTED_TLS_VERSION 0x110 /* 传入记录具有有效的 TLS 版本,但不受支持。 */

下面是我的代码的相关部分:

tls_setup_callback

/* Trust anchor for the TLS session; initialised from origin_ca_rsa_root_der in tls_setup_callback. */
static NX_SECURE_X509_CERT trusted_certificate;

/* Certificate slots handed to nx_secure_tls_remote_certificate_allocate for the server's
   chain, each with the DER buffer that backs it. */
static NX_SECURE_X509_CERT remote_certificate;
static UCHAR               remote_cert_buffer[4096];
static NX_SECURE_X509_CERT remote_issuer;
static UCHAR               remote_issuer_buffer[4096];

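/**
 * TLS setup callback invoked by nx_web_http_client_post_secure_start().
 *
 * Creates the TLS session, attaches the reassembly buffer, installs the
 * trusted CA and reserves space for the server's certificate chain.
 *
 * @param client_ptr   HTTP client whose TLS session is being configured.
 * @param tls_session  TLS session passed in by the HTTP client.
 * @return NX_SUCCESS, or the first non-zero NetX Secure status encountered.
 *
 * NOTE(review): as written, nothing here ties the presented server certificate
 * to the host name being contacted (no SNI extension, no DNS-name check on the
 * received certificate); chain validation against trusted_certificate alone is
 * what is configured.
 */
static UINT tls_setup_callback(NX_WEB_HTTP_CLIENT *client_ptr, NX_SECURE_TLS_SESSION *tls_session)
{
    UINT status;

    /* Initialize and create TLS session.  */
    status = nx_secure_tls_session_create(tls_session, &nx_crypto_tls_ciphers, crypto_metadata_client, sizeof(crypto_metadata_client));
    if (status)
    {
        return(status);
    }

    /* Allocate space for packet reassembly.
       NOTE(review): the calls below address the session through client_ptr while
       the session was created through tls_session; presumably the same object --
       confirm against the HTTP client implementation.  */
    status = nx_secure_tls_session_packet_buffer_set(&(client_ptr -> nx_web_http_client_tls_session), tls_packet_buffer, sizeof(tls_packet_buffer));
    if (status)
    {
        return(status);
    }

    /* Add a CA Certificate to our trusted store for verifying incoming server certificates.
       Both calls can fail (e.g. on a malformed DER blob); the original ignored their
       results, which would leave the trusted store empty and surface only as a
       later, harder-to-diagnose handshake error.  */
    status = nx_secure_x509_certificate_initialize(&trusted_certificate, (UCHAR*)origin_ca_rsa_root_der, origin_ca_rsa_root_der_len, NX_NULL, 0, NX_NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
    if (status)
    {
        return(status);
    }
    status = nx_secure_tls_trusted_certificate_add(&(client_ptr -> nx_web_http_client_tls_session), &trusted_certificate);
    if (status)
    {
        return(status);
    }

    /* Need to allocate space for the certificate coming in from the remote host
       (one slot for the server certificate, one for its issuer).  */
    status = nx_secure_tls_remote_certificate_allocate(&(client_ptr -> nx_web_http_client_tls_session), &remote_certificate, remote_cert_buffer, sizeof(remote_cert_buffer));
    if (status)
    {
        return(status);
    }
    status = nx_secure_tls_remote_certificate_allocate(&(client_ptr -> nx_web_http_client_tls_session), &remote_issuer, remote_issuer_buffer, sizeof(remote_issuer_buffer));
    if (status)
    {
        return(status);
    }

    return(NX_SUCCESS);
}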

http_request

/* Number of NetX calls that failed inside http_request(); only ever incremented here. */
static UINT                error_counter;

/* The HTTP client instance that http_request() creates and deletes. */
static NX_WEB_HTTP_CLIENT  my_client;

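/**
 * Send one HTTPS POST to SERVER_DNS_NAME and print the response body.
 *
 * Resolves the server, opens the TLS connection through tls_setup_callback,
 * sends a fixed ten-byte body and drains the response.  Every failing NetX
 * call increments error_counter; a DNS failure goes to Error_Handler().
 *
 * Fixes relative to the original:
 *  - the return values of nx_web_http_client_create(),
 *    nx_web_http_client_post_secure_start(), ..._request_packet_allocate()
 *    and nx_packet_data_append() were ignored, so a failed connection
 *    (the 0x110 case) still went on to send data on a closed session;
 *  - send_packet was released after a successful put_packet(), which hands
 *    ownership to the HTTP client (double release);
 *  - recv_packet was printed and released after the loop, i.e. after it had
 *    already been released inside the loop, or before it was ever set if the
 *    first body_get() failed.
 */
void http_request(void)
{
  NX_PACKET       *recv_packet = NX_NULL;
  NX_PACKET       *send_packet = NX_NULL;
  NXD_ADDRESS      server_ip_address;
  UINT             status;
  UINT             chunked_size = 0;   /* total body bytes received */

  /* Request body: ten 'A' bytes, sent as raw bytes (no terminating NUL).  */
  static char pkt[] = {
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 /* AAAAAAAAAA */
  };

  #define SERVER_DNS_NAME "locall.ugurtumer.tech"

  /* Create an HTTP client instance.  */
  status = nx_web_http_client_create(&my_client, "HTTP Client", &EthIP, &EthPool, 1536);
  if (status != NX_SUCCESS)
  {
    printf("HTTP client create failed: 0x%02X\n", status);
    error_counter++;
    return;
  }

  /* Resolve the server name; only an IPv4 answer is requested.  */
  server_ip_address.nxd_ip_version = 4;
  status = nx_dns_host_by_name_get(&dns_client, (UCHAR *)SERVER_DNS_NAME,
                                   &server_ip_address.nxd_ip_address.v4, DEFAULT_TIMEOUT);
  if (status != NX_SUCCESS)
  {
    printf("DNS lookup failed\n");
    Error_Handler();
  }
  printf(
    "Server IP: %lu.%lu.%lu.%lu\n",
    (server_ip_address.nxd_ip_address.v4 >> 24) & 0xFF,
    (server_ip_address.nxd_ip_address.v4 >> 16) & 0xFF,
    (server_ip_address.nxd_ip_address.v4 >> 8) & 0xFF,
    server_ip_address.nxd_ip_address.v4 & 0xFF
  );

  nx_web_http_client_response_header_callback_set(&my_client, http_response_callback);

  /* Open the TLS connection and send the POST request line and headers.  The
     TLS session is configured by tls_setup_callback.  The Host header reuses
     SERVER_DNS_NAME so the resolved name and the requested name cannot drift.  */
  status = nx_web_http_client_post_secure_start(&my_client, &server_ip_address, NX_WEB_HTTPS_SERVER_PORT,
                                                "/index.htm",
                                                SERVER_DNS_NAME,
                                                NX_NULL, NX_NULL, sizeof(pkt), tls_setup_callback, NX_WAIT_FOREVER);
  printf("Post secure start status: 0x%02X\n", status); // 0x110 = NX_SECURE_TLS_UNSUPPORTED_TLS_VERSION
  if (status != NX_SUCCESS)
  {
    /* No usable connection: there is nothing to send, so skip straight to cleanup.  */
    error_counter++;
    goto cleanup;
  }

  /* Allocate a packet and write the body into its payload.  */
  status = nx_web_http_client_request_packet_allocate(&my_client, &send_packet, NX_WAIT_FOREVER);
  if (status != NX_SUCCESS)
  {
    error_counter++;
    goto cleanup;
  }
  status = nx_packet_data_append(send_packet, pkt, sizeof(pkt), &EthPool, NX_WAIT_FOREVER);
  if (status != NX_SUCCESS)
  {
    nx_packet_release(send_packet);
    error_counter++;
    goto cleanup;
  }

  /* On success the packet now belongs to the HTTP client and must not be
     released here; on failure it is still ours.  */
  status = nx_web_http_client_put_packet(&my_client, send_packet, 1 * NX_IP_PERIODIC_RATE);
  if (status != NX_SUCCESS)
  {
    nx_packet_release(send_packet);
    error_counter++;
    goto cleanup;
  }
  send_packet = NX_NULL;

  /* Drain the response body.  nx_web_http_client_response_body_get() reports
     NX_WEB_HTTP_GET_DONE together with the final packet, which has to be
     released like every other one; any other non-zero status is an error.
     Each packet is printed as it arrives, since it is released right after.  */
  printf("Received response body:\n");
  do
  {
      recv_packet = NX_NULL;
      status = nx_web_http_client_response_body_get(&my_client, &recv_packet, NX_WAIT_FOREVER);
      if (status != NX_SUCCESS && status != NX_WEB_HTTP_GET_DONE)
      {
          error_counter++;
          break;
      }
      if (recv_packet != NX_NULL)
      {
          chunked_size += recv_packet -> nx_packet_length;
          /* %.*s takes an int precision; nx_packet_length is ULONG.  */
          printf("%.*s", (int)recv_packet -> nx_packet_length, (const char *)recv_packet -> nx_packet_prepend_ptr);
          nx_packet_release(recv_packet);
          recv_packet = NX_NULL;
      }
  } while (status == NX_SUCCESS);
  printf("\n(%u body bytes)\n", chunked_size);

cleanup:
  status = nx_web_http_client_delete(&my_client);
  if (status)
  {
      error_counter++;
  }
}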
  • 服务器IP地址正确,DNS服务器没有错误。

  • 我可以使用 TLS v1.2 通过 HTTPS 向同一服务器发送请求(您自己尝试时可能无法访问,因为我使用的是 Cloudflare 隧道)。

  • 我尝试过为 nx_web_http_client_post_secure_start 更换其他安全选项,但问题仍然相同。


我通过以下步骤解决了该问题:

初始问题:首先,我确定了一个与 nx_secure_user.h 相关的问题。

警报错误:之后遇到错误 0x114,警报级别为 0x02(fatal),警报值为 0x28(即 TLS 警报 handshake_failure,十进制 40;数据包数据:15 03 03 00 02 02 28)。我意识到我的 HTTPS 客户端使用了错误的 CA。(要测试您的 CA 证书,可以使用以下命令:openssl s_client -connect locall.ugurtumer.tech:443 -servername locall.ugurtumer.tech -CAfile r4.pem -tls1_2。如果 CA 正确,您应该看到 Verify return code: 0 (ok)。)

密码套件错误:修复 CA 问题后,我再次遇到同样的错误,结果发现与错误的密码套件有关。(要确定服务器使用的密码套件,可以使用 Postman:发送请求,然后在 Postman 控制台中查看 standardName 下的密码套件名称,例如 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256。)

配置更新:为了解决这个问题,我必须定义以下宏:

NX_SECURE_ENABLE_AEAD_CIPHER 和 NX_SECURE_ENABLE_ECC_CIPHERSUITE。回调函数:最后,我更新了我的 tls_setup_callback 函数,如下所示。

/* DER-encoded CA certificate (contents elided in the listing) and its length. */
const unsigned char r4_crt[] = {...}
const unsigned int r4_crt_len = 525;

/* Trust anchor initialised from r4_crt in http_tls_setup_callback. */
static NX_SECURE_X509_CERT trusted_certificate;
/* Slots for the server certificate and its issuer, plus the DER buffers backing them.
   NOTE(review): both buffers are sized to the chain observed at the time (946 and 674 bytes);
   a larger certificate from the server would no longer fit -- presumably a handshake
   failure rather than an overflow, since the size is passed to NetX Secure, but confirm. */
static NX_SECURE_X509_CERT remote_certificate, remote_issuer;
static UCHAR remote_cert_buffer[1024]; // 946 bytes used, the 947th is \000; check and increase later if needed.
static UCHAR remote_issuer_buffer[768]; // 674 bytes used, the 675th is \000; check and increase later if needed.

/* Host name sent in the SNI extension. */
NX_SECURE_X509_DNS_NAME dns_name;

#define SERVER_DNS_NAME "locall.ugurtumer.tech"


/* ECC curve tables consumed by nx_secure_tls_ecc_initialize();
   declared extern here, defined by the NetX Crypto cipher-suite tables (confirm in the build). */
extern const USHORT nx_crypto_ecc_supported_groups[];
extern const NX_CRYPTO_METHOD *nx_crypto_ecc_curves[];
extern const UINT nx_crypto_ecc_supported_groups_size;

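/**
 * TLS setup callback for the HTTPS client (ECC-enabled variant).
 *
 * Creates the TLS session with the ECC cipher table, registers the supported
 * curves, attaches the reassembly buffer, installs the r4_crt trust anchor,
 * sets the SNI extension to SERVER_DNS_NAME and reserves space for the
 * server's certificate chain.
 *
 * @param client_ptr   HTTP client whose TLS session is being configured.
 * @param tls_session  TLS session passed in by the HTTP client.
 * @return NX_SUCCESS, or the first non-zero NetX Secure status encountered.
 *
 * Compared with the original, every NetX Secure call is now checked: the
 * certificate, SNI and remote-buffer setup calls previously had their results
 * discarded, so a failure there only showed up later as an opaque handshake
 * error.  NOTE(review): SNI tells the server which name we want, but nothing
 * here checks that the certificate it returns actually names SERVER_DNS_NAME;
 * only chain validation against trusted_certificate is configured.
 */
static UINT http_tls_setup_callback(NX_WEB_HTTP_CLIENT *client_ptr, NX_SECURE_TLS_SESSION *tls_session)
{
    UINT status;

    /* Initialize and create TLS session using the ECC-capable cipher table.  */
    status = nx_secure_tls_session_create(tls_session, &nx_crypto_tls_ciphers_ecc, crypto_metadata_client, sizeof(crypto_metadata_client));
    if (status)
    {
        return(status);
    }

    /* Register the supported ECC curves for the ECDHE/ECDSA cipher suites.  */
    status = nx_secure_tls_ecc_initialize(tls_session,
            nx_crypto_ecc_supported_groups,
            nx_crypto_ecc_supported_groups_size,
            nx_crypto_ecc_curves);
    if (status)
    {
        printf("Error: Unable to initialize ECC ciphers! 0x%x\n", status);
        return(status);
    }

    /* Start from a clean reassembly buffer; it is a static reused across sessions.  */
    memset(tls_packet_buffer, 0, sizeof(tls_packet_buffer));

    /* Allocate space for packet reassembly.
       NOTE(review): this and the certificate calls address the session through
       client_ptr while creation used tls_session; presumably the same object -- confirm.  */
    status = nx_secure_tls_session_packet_buffer_set(&(client_ptr -> nx_web_http_client_tls_session), tls_packet_buffer, sizeof(tls_packet_buffer));
    if (status)
    {
        return(status);
    }

    /* Add a CA Certificate to our trusted store for verifying incoming server certificates.  */
    status = nx_secure_x509_certificate_initialize(&trusted_certificate, (UCHAR*)r4_crt, r4_crt_len, NX_NULL, 0, NX_NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
    if (status)
    {
        return(status);
    }
    status = nx_secure_tls_trusted_certificate_add(&(client_ptr -> nx_web_http_client_tls_session), &trusted_certificate);
    if (status)
    {
        return(status);
    }

    /* Send SERVER_DNS_NAME in the SNI extension so the server picks the matching certificate.  */
    status = nx_secure_x509_dns_name_initialize(&dns_name, (UCHAR *)SERVER_DNS_NAME, strlen(SERVER_DNS_NAME));
    if (status)
    {
        return(status);
    }
    status = nx_secure_tls_session_sni_extension_set(tls_session, &dns_name);
    if (status)
    {
        return(status);
    }

    /* Need to allocate space for the certificate coming in from the remote host
       (one slot for the server certificate, one for its issuer).  */
    status = nx_secure_tls_remote_certificate_allocate(&(client_ptr -> nx_web_http_client_tls_session), &remote_certificate, remote_cert_buffer, sizeof(remote_cert_buffer));
    if (status)
    {
        return(status);
    }
    status = nx_secure_tls_remote_certificate_allocate(&(client_ptr -> nx_web_http_client_tls_session), &remote_issuer, remote_issuer_buffer, sizeof(remote_issuer_buffer));
    if (status)
    {
        return(status);
    }

    return(NX_SUCCESS);
}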