[swupdate][PATCH] Enable hawkbit Channel using non-strict ssl settings


Ayoub Zaki

Nov 7, 2017, 4:49:20 AM
to swup...@googlegroups.com
Signed-off-by: Ayoub Zaki <ayoub...@embexus.com>
---
suricatta/channel_hawkbit.c | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/suricatta/channel_hawkbit.c b/suricatta/channel_hawkbit.c
index cc30cb9..f3d00a0 100644
--- a/suricatta/channel_hawkbit.c
+++ b/suricatta/channel_hawkbit.c
@@ -362,7 +362,16 @@ channel_op_res_t channel_set_options(channel_t *this,
(curl_easy_setopt(channel_curl->handle, CURLOPT_FOLLOWLOCATION, 1) !=
CURLE_OK) ||
(curl_easy_setopt(channel_curl->handle, CURLOPT_REDIR_PROTOCOLS,
- CURLPROTO_HTTP | CURLPROTO_HTTPS) != CURLE_OK)) {
+ CURLPROTO_HTTP | CURLPROTO_HTTPS) != CURLE_OK) ||
+ (curl_easy_setopt(channel_curl->handle,
+ CURLOPT_CAINFO,
+ channel_data->cafile) != CURLE_OK) ||
+ (curl_easy_setopt(channel_curl->handle,
+ CURLOPT_SSLKEY,
+ channel_data->sslkey) != CURLE_OK) ||
+ (curl_easy_setopt(channel_curl->handle,
+ CURLOPT_SSLCERT,
+ channel_data->sslcert) != CURLE_OK)) {
result = CHANNEL_EINIT;
goto cleanup;
}
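Review bot: in this hunk CURLOPT_CAINFO, CURLOPT_SSLKEY and CURLOPT_SSLCERT are now set unconditionally, so they are also applied for plain http base URLs and for the non-strict case, with whatever channel_data->cafile, ->sslkey and ->sslcert hold, including NULL when the user configured none of them. libcurl treats a NULL string option as "unset", so this should not break an http-only setup, but nothing in the patch (the commit message is empty apart from the Signed-off-by) says this was checked or why the three options leave the strictssl branch. Please add a commit message stating the intent (a client certificate/key and a private CA file should be usable even when strictssl is off), and consider guarding each call, e.g. only issuing `curl_easy_setopt(channel_curl->handle, CURLOPT_CAINFO, channel_data->cafile)` when `channel_data->cafile` is non-NULL, so that unset fields are never forwarded to libcurl at all.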
@@ -372,21 +381,23 @@ channel_op_res_t channel_set_options(channel_t *this,
CURLOPT_SSL_VERIFYHOST,
2L) != CURLE_OK) ||
(curl_easy_setopt(channel_curl->handle,
- CURLOPT_CAINFO,
- channel_data->cafile) != CURLE_OK) ||
- (curl_easy_setopt(channel_curl->handle,
- CURLOPT_SSLKEY,
- channel_data->sslkey) != CURLE_OK) ||
- (curl_easy_setopt(channel_curl->handle,
- CURLOPT_SSLCERT,
- channel_data->sslcert) != CURLE_OK) ||
- (curl_easy_setopt(channel_curl->handle,
CURLOPT_SSL_VERIFYPEER,
1L) != CURLE_OK)) {
result = CHANNEL_EINIT;
goto cleanup;
}
}
+ else {
+ if ((curl_easy_setopt(channel_curl->handle,
+ CURLOPT_SSL_VERIFYHOST,
+ 0L) != CURLE_OK) ||
+ (curl_easy_setopt(channel_curl->handle,
+ CURLOPT_SSL_VERIFYPEER,
+ 0L) != CURLE_OK)) {
+ result = CHANNEL_EINIT;
+ goto cleanup;
+ }
+ }

switch (method) {
case CHANNEL_GET:
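Review bot: the else branch added here downgrades security rather than leaving it alone. As far as this hunk shows, an https URL without strictssl previously got libcurl's defaults (CURLOPT_SSL_VERIFYPEER 1, CURLOPT_SSL_VERIFYHOST 2, i.e. the server certificate checked against the system CA bundle); with `CURLOPT_SSL_VERIFYHOST, 0L` and `CURLOPT_SSL_VERIFYPEER, 0L` any certificate is accepted, so a man-in-the-middle on the path to the hawkBit server can hand the device arbitrary deployment data. The self-signed case this patch targets does not need that: since CURLOPT_CAINFO is now set in the previous hunk, pointing cafile at the self-signed server certificate keeps full verification working. At minimum, log a WARN when this branch is taken so that a device shipped with strictssl off is visible in its log, and document that non-strict means no server authentication at all. Style: the closing `}` followed by `else {` on its own line should be `} else {`.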
--
2.7.4

Stefano Babic

Nov 7, 2017, 6:32:34 AM
to Ayoub Zaki, swup...@googlegroups.com
Hi Ayoub,

On 07/11/2017 10:49, Ayoub Zaki wrote:
> Signed-off-by: Ayoub Zaki <ayoub...@embexus.com>
> ---
> suricatta/channel_hawkbit.c | 31 +++++++++++++++++++++----------
> 1 file changed, 21 insertions(+), 10 deletions(-)
>
> diff --git a/suricatta/channel_hawkbit.c b/suricatta/channel_hawkbit.c
> index cc30cb9..f3d00a0 100644
> --- a/suricatta/channel_hawkbit.c
> +++ b/suricatta/channel_hawkbit.c
> @@ -362,7 +362,16 @@ channel_op_res_t channel_set_options(channel_t *this,
> (curl_easy_setopt(channel_curl->handle, CURLOPT_FOLLOWLOCATION, 1) !=
> CURLE_OK) ||
> (curl_easy_setopt(channel_curl->handle, CURLOPT_REDIR_PROTOCOLS,
> - CURLPROTO_HTTP | CURLPROTO_HTTPS) != CURLE_OK)) {
> + CURLPROTO_HTTP | CURLPROTO_HTTPS) != CURLE_OK) ||
> + (curl_easy_setopt(channel_curl->handle,
> + CURLOPT_CAINFO,
> + channel_data->cafile) != CURLE_OK) ||
> + (curl_easy_setopt(channel_curl->handle,
> + CURLOPT_SSLKEY,
> + channel_data->sslkey) != CURLE_OK) ||
> + (curl_easy_setopt(channel_curl->handle,
> + CURLOPT_SSLCERT,
> + channel_data->sslcert) != CURLE_OK)) {

I am still missing what this change does. Currently, we have two options:

- strictssl set: all options set for verification
- strictssl not set: no SSL at all.

I understand you want to have some steps in between, such as SSL without host
verification for a self-signed certificate. But if we set this here, is
https a must? Does it work again with just http connections? That
means, if no SSL at all is selected?
Best regards,
Stefano

--
=====================================================================
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sba...@denx.de
=====================================================================
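As an added illustration of the three settings this thread is circling around (strict verification, strict verification with a self-signed certificate as the trust anchor, and no verification at all), here is a stand-alone Python script; it is not swupdate code and not from either poster. Python's ssl module exposes the same knobs as the libcurl options in the patch: verify_mode corresponds to CURLOPT_SSL_VERIFYPEER, check_hostname to CURLOPT_SSL_VERIFYHOST, and load_verify_locations(cafile=...) to CURLOPT_CAINFO. The script mints a throwaway self-signed certificate with the openssl command-line tool (assumed to be on PATH, version 1.1.1 or newer for -addext), serves it from a local TLS listener, and connects three times. All names (SERVER_NAME, client_context, fetch, run_demo) are the example's own. The second connection is the one that matters for the self-signed case: handing the self-signed certificate over as the CA file is enough, verification does not have to be switched off.

```python
"""Strict vs. non-strict TLS client settings, demonstrated against a self-signed server.

Added example (not swupdate code). Python's ssl module maps onto the libcurl options
in the patch as follows:
  CURLOPT_SSL_VERIFYPEER  ->  SSLContext.verify_mode
  CURLOPT_SSL_VERIFYHOST  ->  SSLContext.check_hostname
  CURLOPT_CAINFO          ->  SSLContext.load_verify_locations(cafile=...)
Assumption: an `openssl` CLI (1.1.1 or newer, for -addext) is on PATH.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

SERVER_NAME = "localhost"   # CN/SAN of the throwaway certificate (example's own choice)
SERVER_ADDR = "127.0.0.1"


def make_self_signed_cert(tmpdir):
    """Mint a one-day self-signed certificate for SERVER_NAME (assumes the openssl CLI)."""
    key = os.path.join(tmpdir, "key.pem")
    crt = os.path.join(tmpdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-keyout", key, "-out", crt, "-subj", "/CN=" + SERVER_NAME,
         "-addext", "subjectAltName=DNS:" + SERVER_NAME],
        check=True, capture_output=True)
    return key, crt


def start_tls_server(key, crt):
    """Serve a one-word banner over TLS on an ephemeral port; returns the port."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(crt, key)
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind((SERVER_ADDR, 0))
    lsock.listen(8)

    def serve():
        while True:
            conn, _ = lsock.accept()
            try:
                tls = srv_ctx.wrap_socket(conn, server_side=True)
                tls.sendall(b"hello")
                tls.close()
            except (ssl.SSLError, OSError):
                # A strict client that distrusts our certificate aborts the handshake
                # with an alert; that is the expected outcome, not a server bug.
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1]


def client_context(strictssl, cafile=None):
    """Build the client-side context for one of the three settings discussed."""
    ctx = ssl.create_default_context()   # system CAs, CERT_REQUIRED, check_hostname=True
    if cafile:
        # CURLOPT_CAINFO: the self-signed certificate becomes an additional trust anchor
        ctx.load_verify_locations(cafile=cafile)
    if not strictssl:
        ctx.check_hostname = False        # CURLOPT_SSL_VERIFYHOST 0L (must precede CERT_NONE)
        ctx.verify_mode = ssl.CERT_NONE   # CURLOPT_SSL_VERIFYPEER 0L: any certificate is accepted
    return ctx


def fetch(port, ctx):
    """Connect with ctx; return ("ok", banner) or ("verify_failed", reason)."""
    try:
        with socket.create_connection((SERVER_ADDR, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=SERVER_NAME) as tls:
                return ("ok", tls.recv(16).decode())
    except ssl.SSLCertVerificationError as exc:
        return ("verify_failed", exc.verify_message)


def run_demo():
    """Run the three client settings against the self-signed server and collect the outcomes."""
    with tempfile.TemporaryDirectory() as tmpdir:
        key, crt = make_self_signed_cert(tmpdir)
        port = start_tls_server(key, crt)
        return {
            # strictssl with only the system CA bundle: the self-signed cert is rejected
            "strict_system_cas": fetch(port, client_context(True))[0],
            # strictssl plus CAINFO=our cert: verified, hostname checked, no downgrade needed
            "strict_with_cafile": fetch(port, client_context(True, cafile=crt)),
            # VERIFYPEER=0/VERIFYHOST=0: connects, but would equally accept an attacker's cert
            "no_verification": fetch(port, client_context(False)),
        }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:20s} {outcome}")
```

The first connection fails with a certificate verification error, the second and third both receive the banner; the difference between those two is invisible on the wire but decisive for an update client, since only the second one would reject a certificate presented by someone other than the hawkBit server.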

Ayoub Zaki

Nov 7, 2017, 12:36:48 PM
to Stefano Babic, swup...@googlegroups.com
Hi Stefano,
Yes, exactly, this patch addresses the case of using SSL with self-signed
certificates.


> https a must ? Does it work again with just http connections ? That
> means, if no SSL at all is selected ?

Yes, this is working in case the base URL is specified only with http, so
I think that all cases are covered here?
Regards,

Ayoub

--
Ayoub Zaki
Embedded Systems Consultant

Vaihinger Straße 2/1
D-71634 Ludwigsburg

Tel. : +4971415074546
Mobile : +4917662901545
Email : ayoub...@embexus.com
Homepage : https://embexus.com
VAT No. : DE313902634

Stefano Babic

Nov 7, 2017, 12:41:28 PM
to Ayoub Zaki, Stefano Babic, swup...@googlegroups.com
Hi Ayoub,
This is what I am asking, as I have not tested it myself. If the SSL fields are
not set, as without the patch, I am sure libcurl does nothing. If they
are set, I have not checked what libcurl is doing.

Should we put the patch in "test" before merging?

Stefano Babic

Nov 7, 2017, 4:02:12 PM
to Ayoub Zaki, Stefano Babic, swup...@googlegroups.com
Hi Ayoub,

On 07/11/2017 19:42, Ayoub Zaki wrote:
> Hi Stefano,
>
> I already did testing with both base URLs set to http and https; log
> files are attached.


ok, fine.

Applied to -master, thanks !

Best regards,
Stefano Babic

kru...@gmail.com

Nov 10, 2017, 4:56:55 AM
to swupdate
Hi,

I applied the patch and installed swupdate again. Now swupdate connects to Hawkbit over https, even though I am using a self-signed certificate.

But when I try to push an update file to SWUpdate from Hawkbit, I get an error on swupdate. Below are the logs:

* connect to <IP> port 8080 failed: Connection timed out
* Failed to connect to <IP> port 8080: Connection timed out
* Closing connection 3
[ERROR] : SWUPDATE failed [0] ERROR suricatta/channel_hawkbit.c : channel_get_file : 763 : Channel operation returned error (7): 'Couldn't connect to server'

[ERROR] : SWUPDATE failed [0] ERROR core/cpio_utils.c : get_cpiohdr : 44 : CPIO Format not recognized: magic not found

[ERROR] : SWUPDATE failed [0] ERROR core/cpio_utils.c : extract_cpio_header : 316 : CPIO Header corrupted, cannot be parsed
[ERROR] : SWUPDATE failed [1] Image invalid or corrupted. Not installing ...
[TRACE] : SWUPDATE running : [network_initializer] : Main thread sleep again !
[INFO ] : No SWUPDATE running : Waiting for requests...
[TRACE] : SWUPDATE running : [network_initializer] : Main loop Daemon
[ERROR] : SWUPDATE failed [0] ERROR suricatta/server_hawkbit.c : server_hawkbit_error : 184 : No suitable .swu image found

I don't understand why the process is trying to connect to port 8080. Thanks for the help.

Ayoub Zaki

Nov 10, 2017, 6:40:05 AM
to swup...@googlegroups.com
Hi!


On 10.11.2017 10:56, kru...@gmail.com wrote:
> Hi,
>
> I applied the patch and installed swupdate again. Now swupdate connects to Hawkbit over https, even though I am using a self-signed certificate.
>
> But when I try to push an update file to SWUpdate from Hawkbit, I get an error on swupdate. Below are the logs:
What's your SWUpdate configuration?
What are your URLs?
>
> * connect to <IP> port 8080 failed: Connection timed out
> * Failed to connect to <IP> port 8080: Connection timed out
> * Closing connection 3
> [ERROR] : SWUPDATE failed [0] ERROR suricatta/channel_hawkbit.c : channel_get_file : 763 : Channel operation returned error (7): 'Couldn't connect to server'
>
> [ERROR] : SWUPDATE failed [0] ERROR core/cpio_utils.c : get_cpiohdr : 44 : CPIO Format not recognized: magic not found
>
> [ERROR] : SWUPDATE failed [0] ERROR core/cpio_utils.c : extract_cpio_header : 316 : CPIO Header corrupted, cannot be parsed
> [ERROR] : SWUPDATE failed [1] Image invalid or corrupted. Not installing ...
> [TRACE] : SWUPDATE running : [network_initializer] : Main thread sleep again !
> [INFO ] : No SWUPDATE running : Waiting for requests...
> [TRACE] : SWUPDATE running : [network_initializer] : Main loop Daemon
> [ERROR] : SWUPDATE failed [0] ERROR suricatta/server_hawkbit.c : server_hawkbit_error : 184 : No suitable .swu image found
>
> I don't understand why the process is trying to connect to port 8080. Thanks for the help.
>

kru...@gmail.com

Nov 13, 2017, 7:01:16 AM
to swupdate
Hi,

Configuration:
Enabled image downloading; enabled verification of signed images (sha256); enabled suricatta with SSL support and Hawkbit support.
I have not enabled the webserver for SWUpdate.

URL: using an EC2 instance https link with port 443

Thanks ,
Krupa

kru...@gmail.com

Nov 28, 2017, 6:21:51 AM
to swupdate
Hi Ayoub,

Did you get a chance to look into this? Are you able to send updates from Hawkbit to swupdate, or do you get a similar error to mine? Please let me know, so I can see if I am missing something on my end. Thanks.