Javax.net.ssl / OpenSSL / wrong version number? (local server)

Tried to get my Arduino UNO to connect to the server with SSL on port 8441. Didn’t go so well. Each connection attempt resulted in this:

22:05:55.392 DEBUG- Unsecured connection attempt. Channel : /myIP:49156. Reason : javax.net.ssl.SSLHandshakeException: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER

22:06:06.596 DEBUG- Unsecured connection attempt. Channel : /myIP:49153. Reason : javax.net.ssl.SSLHandshakeException: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER

Is it the wrong version of OpenSSL, or is it Java, or something else?

System:

Ubuntu Server 16.04 LTS 64bit
Linux 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 GNU/Linux
OpenSSL 1.0.2g
Blynk library version 0.4.10
Blynk Server 0.29.1
java version "9.0.1"
Java(TM) SE Runtime Environment (build 9.0.1+11)
Java HotSpot(TM) 64-Bit Server VM (build 9.0.1+11, mixed mode)

SSL is too demanding for Arduinos and even ESP8266… just don’t use it (in fact I don’t think there is even a Blynk library for Arduino that supports SSL).


I got thinking about this, and after skimming this: http://docs.blynk.cc/#security I was wondering if you are using the Linux version of the USB link method of connecting that UNO… in which case I think the gateway script can use SSL as it is running on the PC’s horsepower, not the Arduino’s.

So, in that case… I still can’t help :stuck_out_tongue: as that is getting beyond my experiential knowledge (The SSL part, not the USB-script part… albeit only the USB script on Windoze :wink: ) but just looking for clarification to help direct others.

@Dmitriy I did say “a Blynk library for Arduino that supports SSL” :stuck_out_tongue_winking_eye: Both of those links you supplied are for ESP32 and ESP8266

And even state so in the library itself…

+#ifndef ESP32
+#error This code is intended to run on the ESP32 platform! Please check your Tools->Board setting.
 #error This code is intended to run on the ESP8266 platform! Please check your Tools->Board setting.

The error code had all the hallmarks of a library incompatibility so I didn’t even look at that possibility :flushed: I will file this under the category “Can’t see the forest for the trees!” :crazy_face: :evergreen_tree::deciduous_tree::evergreen_tree::evergreen_tree:

“The thing that hath been is that which shall be; and that which hath been done is that which shall be done; and there is no new thing under the sun.” :sun_with_face:

I’m gonna check up some “lightweight” implementations just to be sure before I mark this as solved.


SSL on Arduino UNO is a dead horse! To get some measure of protection I restricted the access based on the two IP-ranges my provider normally assigns me.

Iptables is installed by default on most Linux distributions, but not on RPi I think.

First, accept incoming traffic from the IP-ranges I normally get from my ISP. The second IP-range is actually for my cell phone, in case I need to debug or something. The MCU itself will never use it.

iptables -A INPUT -p tcp --dport 8442 -s x.x.0.0/15 -j ACCEPT
iptables -A INPUT -p tcp --dport 8442 -s x.x.0.0/16 -j ACCEPT

Create a chain called LOG_AND_DROP.

iptables -N LOG_AND_DROP

Add a logging function to the chain. In my system it writes to /var/log/syslog

iptables -A LOG_AND_DROP -j LOG --log-prefix "Source host denied: " --log-level 6

Tell the chain what to do if it gets triggered.

iptables -A LOG_AND_DROP -j REJECT

Apply the rule that triggers the chain.

iptables -A INPUT -p tcp --dport 8442 -j LOG_AND_DROP

This means that all connections to port 8442 that don’t match my pre-approved IP-range are automatically rejected. There are some differences between DROP and REJECT, and after some testing I felt REJECT was more suitable. With DROP, the connecting program won’t get any response and might try to connect indefinitely. That will in turn clog up my log files :stuck_out_tongue: REJECT is more brutal and sends back an ICMP destination-unreachable to the source, which normally terminates further attempts.

Example, first DROP, then REJECT:

~$ telnet host.example.com 8442
Trying 1.2.3.4...
Trying 1.2.3.4...
Trying 1.2.3.4...
...

~$ telnet host.example.com 8442
telnet: Unable to connect to remote host: Connection refused

A sample from the log file:

Dec 19 03:33:42 host kernel: [16747.882041] Source host denied: IN=eth0 OUT= MAC=00:50:56:bd:b1:12:00:11:5d:93:5c:c0:08:00 SRC=2.3.4.5 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=20820 DF PROTO=TCP SPT=45682 DPT=8442 WINDOW=29200 RES=0x00 SYN URGP=0

If someone finds this information useful for their own setup, awesome! If not, maybe next time! :rofl:

@Gunner Some more Linux commands for you to learn! :wink:
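As an added example, not code from this thread: a small Python script that parses the syslog lines written by the LOG rule above, counts denied connection attempts per source on port 8442, and flags any denied source that falls inside an allowed range (which would mean the ACCEPT rules are not matching as intended). The sample log lines and the 203.0.113.0/24 range are constructed placeholders.

```python
"""Summarise iptables LOG_AND_DROP entries from syslog (added example)."""
import ipaddress
from collections import Counter

LOG_PREFIX = "Source host denied: "   # matches the --log-prefix used in the rule

# Constructed sample lines in the kernel LOG format shown in the thread;
# the last line is unrelated syslog noise the parser must skip.
SAMPLE_SYSLOG = """\
Dec 19 03:33:42 host kernel: [16747.882041] Source host denied: IN=eth0 OUT= MAC=00:50:56:bd:b1:12:00:11:5d:93:5c:c0:08:00 SRC=2.3.4.5 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=20820 DF PROTO=TCP SPT=45682 DPT=8442 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 19 03:34:10 host kernel: [16775.001122] Source host denied: IN=eth0 OUT= MAC=00:50:56:bd:b1:12:00:11:5d:93:5c:c0:08:00 SRC=2.3.4.5 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=20821 DF PROTO=TCP SPT=45690 DPT=8442 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 19 03:35:01 host kernel: [16826.550000] Source host denied: IN=eth0 OUT= MAC=00:50:56:bd:b1:12:00:11:5d:93:5c:c0:08:00 SRC=203.0.113.7 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31000 DF PROTO=TCP SPT=51000 DPT=8442 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 19 03:35:02 host sshd[1234]: Accepted publickey for user from 203.0.113.7 port 51001
"""

# Constructed placeholder for the ranges the ACCEPT rules are meant to cover.
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_log_line(line):
    """Return the key=value fields of one LOG entry, or None if the line is not ours."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields = {}
    for tok in line[idx + len(LOG_PREFIX):].split():
        key, sep, value = tok.partition("=")
        fields[key] = value if sep else True   # bare flags such as DF / SYN
    return fields


def summarise(text, port="8442"):
    """Count denied TCP hits per source on `port`; list sources inside ALLOWED_RANGES."""
    per_source = Counter()
    should_have_matched = set()
    for line in text.splitlines():
        f = parse_log_line(line)
        if not f or f.get("PROTO") != "TCP" or f.get("DPT") != port:
            continue
        src = f["SRC"]
        per_source[src] += 1
        if any(ipaddress.ip_address(src) in net for net in ALLOWED_RANGES):
            should_have_matched.add(src)   # allowed range reached REJECT: rule gap
    return per_source, sorted(should_have_matched)


if __name__ == "__main__":
    counts, gaps = summarise(SAMPLE_SYSLOG)
    for src, n in counts.most_common():
        print(f"{src:15} denied {n} time(s)")
    print("denied although inside an allowed range:", gaps)
```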
