ESP8266 Webserver Project

Moderator: Sprite_tm

By davydnorris
#66084 All,

I need a hand. I've modded the esphttpd server and added secure web capability to the Non-OS port, but it's not quite working. I've added debug lines to each of the callbacks, so anybody who knows the espconn process should be able to work out what each line means, but this is the sequence of callbacks triggered by me hitting the root URL (which then redirects to the index page), and then hitting the wifi root (which redirects to the wifi page).

In each case, the first connection and header is served, but the content doesn't follow. For non-SSL versions of the same page it all works fine. The error code of -5 seems to indicate that the SSL connection thinks it's still in progress; however, the sent callback is fired and the connection state says it's connected and ready.

Any hints greatly welcomed. This is the very latest code drop from the git repo

Code:
server handshake start.
server handshake ok!
Conn... port = 443, state = 3
Conn req from  10.1.1.7:61075, using pool slot 0
ConS... port = 443, state = 3
Recv... port = 443, state = 5
URL = /
Is url index 0
Is url index 1
Pool slot 0 is done. Cleaning up for next req
RTSn... port = 443, state= 5
Sending... port = 443, len = 128, state= 4, ret = 0
Sent... port = 443, state = 3
Recv... port = 443, state = 5
URL = /index.tpl
Is url index 0
Is url index 3
Heatshrink compressed file; decode parms = b4
RTSn... port = 443, state= 5
Sending... port = 443, len = 99, state= 4, ret = -5
Disc... port = 443, state = 6
Pool slot 0: socket closed.
server handshake start.
server handshake ok!
Conn... port = 443, state = 3
Conn req from  10.1.1.7:61076, using pool slot 0
ConS... port = 443, state = 3
Recv... port = 443, state = 5
URL = /index.tpl
Is url index 0
Is url index 3
Heatshrink compressed file; decode parms = b4
RTSn... port = 443, state= 5
Sending... port = 443, len = 99, state= 4, ret = 0
Sent... port = 443, state = 3
RTSn... port = 443, state= 3
Sending... port = 443, len = 1024, state= 4, ret = -5
Disc... port = 443, state = 6
Pool slot 0: socket closed.
server handshake start.
server handshake ok!
Conn... port = 443, state = 3
Conn req from  10.1.1.7:61077, using pool slot 0
ConS... port = 443, state = 3
Recv... port = 443, state = 5
URL = /wifi/
Is url index 0
Is url index 9
Pool slot 0 is done. Cleaning up for next req
RTSn... port = 443, state= 5
Sending... port = 443, len = 136, state= 4, ret = 0
Sent... port = 443, state = 3
Recv... port = 443, state = 5
URL = /wifi/wifi.tpl
Is url index 0
Is url index 11
Heatshrink compressed file; decode parms = b4
RTSn... port = 443, state= 5
Sending... port = 443, len = 99, state= 4, ret = -5
Disc... port = 443, state = 6
Pool slot 0: socket closed.
server handshake start.
server handshake ok!
Conn... port = 443, state = 3
Conn req from  10.1.1.7:61078, using pool slot 0
ConS... port = 443, state = 3
Recv... port = 443, state = 5
URL = /wifi/wifi.tpl
Is url index 0
Is url index 11
Heatshrink compressed file; decode parms = b4
RTSn... port = 443, state= 5
Sending... port = 443, len = 99, state= 4, ret = 0
Sent... port = 443, state = 3
RTSn... port = 443, state= 3
Sending... port = 443, len = 1031, state= 4, ret = -5
Disc... port = 443, state = 6
Pool slot 0: socket closed.
Last edited by davydnorris on Mon May 22, 2017 9:57 am, edited 1 time in total.
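The trace above is easier to reason about once it is grouped per TLS connection. The script below is an added example (not part of the post, and not esphttpd or SDK code): it parses the debug lines into connections, records every espconn_secure_send() call with its return value, and notes whether the previous send had already been acknowledged by a Sent callback. The sample input is the first two connections of the trace above, copied verbatim; the line-format assumptions (the "Conn req from", "URL =", "Sending...", "Sent..." and "Disc..." prefixes) come only from that trace.

```python
"""Group an espconn debug trace by connection and locate the failing send.

Added example for the esphttpd/espconn_secure thread; not project code.
The only format knowledge used is the debug-line layout visible in the post.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: first two connections of the posted trace, verbatim.
SAMPLE_TRACE = """\
server handshake start.
server handshake ok!
Conn... port = 443, state = 3
Conn req from  10.1.1.7:61075, using pool slot 0
ConS... port = 443, state = 3
Recv... port = 443, state = 5
URL = /
Is url index 0
Is url index 1
Pool slot 0 is done. Cleaning up for next req
RTSn... port = 443, state= 5
Sending... port = 443, len = 128, state= 4, ret = 0
Sent... port = 443, state = 3
Recv... port = 443, state = 5
URL = /index.tpl
Is url index 0
Is url index 3
Heatshrink compressed file; decode parms = b4
RTSn... port = 443, state= 5
Sending... port = 443, len = 99, state= 4, ret = -5
Disc... port = 443, state = 6
Pool slot 0: socket closed.
server handshake start.
server handshake ok!
Conn... port = 443, state = 3
Conn req from  10.1.1.7:61076, using pool slot 0
ConS... port = 443, state = 3
Recv... port = 443, state = 5
URL = /index.tpl
Is url index 0
Is url index 3
Heatshrink compressed file; decode parms = b4
RTSn... port = 443, state= 5
Sending... port = 443, len = 99, state= 4, ret = 0
Sent... port = 443, state = 3
RTSn... port = 443, state= 3
Sending... port = 443, len = 1024, state= 4, ret = -5
Disc... port = 443, state = 6
Pool slot 0: socket closed.
"""

CONN_RE = re.compile(r"^Conn req from\s+(\S+),")
URL_RE = re.compile(r"^URL = (\S+)")
SEND_RE = re.compile(r"^Sending\.\.\. port = \d+, len = (\d+), state= (\d+), ret = (-?\d+)")


@dataclass
class Send:
    url: str        # URL being served when the send was issued
    length: int     # bytes handed to espconn_secure_send()
    state: int      # espconn state printed at the call
    ret: int        # return value of espconn_secure_send()
    acked: bool = False  # True once the matching Sent callback fired


@dataclass
class Conn:
    peer: str
    urls: List[str] = field(default_factory=list)
    sends: List[Send] = field(default_factory=list)
    disconnected: bool = False


def parse_trace(text: str) -> List[Conn]:
    conns: List[Conn] = []
    cur: Optional[Conn] = None
    for line in text.splitlines():
        if m := CONN_RE.match(line):
            cur = Conn(peer=m.group(1))
            conns.append(cur)
        elif cur is None:
            continue  # handshake lines before the first accepted connection
        elif m := URL_RE.match(line):
            cur.urls.append(m.group(1))
        elif m := SEND_RE.match(line):
            url = cur.urls[-1] if cur.urls else "?"
            cur.sends.append(Send(url, int(m.group(1)), int(m.group(2)), int(m.group(3))))
        elif line.startswith("Sent...") and cur.sends:
            cur.sends[-1].acked = True
        elif line.startswith("Disc..."):
            cur.disconnected = True
    return conns


def first_failure(conn: Conn) -> Optional[Tuple[int, Send]]:
    """Index and record of the first send whose return value is non-zero."""
    for i, s in enumerate(conn.sends):
        if s.ret != 0:
            return i, s
    return None


def summarise(conns: List[Conn]) -> List[Tuple[str, int, Optional[int], bool]]:
    """Per connection: (peer, ordinal of failing send, its ret, previous send acked?)."""
    rows = []
    for c in conns:
        f = first_failure(c)
        if f is None:
            rows.append((c.peer, len(c.sends), None, False))
        else:
            i, s = f
            rows.append((c.peer, i + 1, s.ret, i > 0 and c.sends[i - 1].acked))
    return rows


if __name__ == "__main__":
    for peer, ordinal, ret, prev_acked in summarise(parse_trace(SAMPLE_TRACE)):
        print(f"{peer}: send #{ordinal} returned {ret}, previous send acked={prev_acked}")
```

Run stand-alone it reports, for each connection, that the second espconn_secure_send() on the connection is the one returning -5 and that the first send had already been acknowledged by its Sent callback, which is the pattern the full four-connection trace shows as well.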
By davydnorris
#66191 For those playing along at home...

The changes I made to esphttpd to get SSL working were actually trivial, thanks to the amazing job done by @Sprite_tm. Almost all the changes bar one (adding a port parameter to httpd_init) are in the httpd_nonos.c file.

All I had to do was:
- add another set of espconn and tcp_udp structures for the secure web listener
- add a variable to hold the SSL port number passed in (more on that later)
- add an extra parameter to the platform and top level init function for the secure port
- add logic in the platform init function to check the SSL port number, and if >0 then save it, set the certificates and keys, set the SSL heap size, and start the SSL listener. This code looks almost exactly the same as the standard code except with espconn_secure calls. I also wrapped the standard HTTP port code in a check for the standard port >0. This means you can set either port to zero and have just a standard server, a secure server, or both running
- add logic around the send and disconnect calls (only 3 in total) to check the local port of the passed in connection and if it's the secure port then call the espconn_secure version of the function

The other thing that's also very easy to manage is the captive portal. However, for this you will need both secure and standard HTTP listeners, at least initially.

What you need to do is generate SSL certificates for your internal webserver, using a proper URL (although I also used a SubjectAlternativeName containing the internal IP address as a DNSname entry so I could test on a laptop with it; however, this is a security issue in the wild), and then you set your server name in the DNS code to be that name, and change the prefix in the httpdRedirect function to be "https://" instead of "http://".

The incoming device (including Android and iOS) will connect to the AP, then attempt to hit their list of pages via the standard HTTP listener because of the captive portal. They will then be redirected to the secure URL, where they will establish a secure connection with YOUR server using YOUR certificate, and you now have a secure captive portal login page.

The only thing you need to look out for is if you use a self-signed or private CA signed SSL server certificate. In that case you will have to manually install the CA certificate into your smart device. For an iPhone this is as simple as mailing the CA certificate to your smart phone mail account, clicking on the attachment on your phone, and following the numerous bouncing prompts.

Now if espconn_secure_send() would only work more than once at a time, I would be very happy!!
By davydnorris
#66627 So I had a response from Espressif.

Apparently the issues I have seen are a known problem and they've asked me to switch to the mbedTLS library instead.

I've tried that and it half works - now it appears I get the first page served properly but the next connection is broken. Going to dig around and see what I can see.

Apart from that, it appears to make a bigger firmware (50k more).