Message ID | 1510048157-17854-1-git-send-email-ayoub.zaki@embexus.com |
---|---|
State | Accepted |
Series | Enable hawkbit Channel using non-strict ssl settings | expand |
Hi Ayoub, On 07/11/2017 10:49, Ayoub Zaki wrote: > Signed-off-by: Ayoub Zaki <ayoub.zaki@embexus.com> > --- > suricatta/channel_hawkbit.c | 31 +++++++++++++++++++++---------- > 1 file changed, 21 insertions(+), 10 deletions(-) > > diff --git a/suricatta/channel_hawkbit.c b/suricatta/channel_hawkbit.c > index cc30cb9..f3d00a0 100644 > --- a/suricatta/channel_hawkbit.c > +++ b/suricatta/channel_hawkbit.c > @@ -362,7 +362,16 @@ channel_op_res_t channel_set_options(channel_t *this, > (curl_easy_setopt(channel_curl->handle, CURLOPT_FOLLOWLOCATION, 1) != > CURLE_OK) || > (curl_easy_setopt(channel_curl->handle, CURLOPT_REDIR_PROTOCOLS, > - CURLPROTO_HTTP | CURLPROTO_HTTPS) != CURLE_OK)) { > + CURLPROTO_HTTP | CURLPROTO_HTTPS) != CURLE_OK) || > + (curl_easy_setopt(channel_curl->handle, > + CURLOPT_CAINFO, > + channel_data->cafile) != CURLE_OK) || > + (curl_easy_setopt(channel_curl->handle, > + CURLOPT_SSLKEY, > + channel_data->sslkey) != CURLE_OK) || > + (curl_easy_setopt(channel_curl->handle, > + CURLOPT_SSLCERT, > + channel_data->sslcert) != CURLE_OK)) { I am still missing what this change does. Currently, we have two options: - strictssl set: all options set for verification - strictssl not set: no SSL at all. I understand you want to have some steps between, as SSL without host verification for self-signed certificate. But if we set this here, is https a must ? Does it work again with just http connections ? That means, if no SSL at all is selected ? > result = CHANNEL_EINIT; > goto cleanup; > } 
> @@ -372,21 +381,23 @@ channel_op_res_t channel_set_options(channel_t *this, > CURLOPT_SSL_VERIFYHOST, > 2L) != CURLE_OK) || > (curl_easy_setopt(channel_curl->handle, > - CURLOPT_CAINFO, > - channel_data->cafile) != CURLE_OK) || > - (curl_easy_setopt(channel_curl->handle, > - CURLOPT_SSLKEY, > - channel_data->sslkey) != CURLE_OK) || > - (curl_easy_setopt(channel_curl->handle, > - CURLOPT_SSLCERT, > - channel_data->sslcert) != CURLE_OK) || > - (curl_easy_setopt(channel_curl->handle, > CURLOPT_SSL_VERIFYPEER, > 1L) != CURLE_OK)) { > result = CHANNEL_EINIT; > goto cleanup; > } > } > + else { > + if ((curl_easy_setopt(channel_curl->handle, > + CURLOPT_SSL_VERIFYHOST, > + 0L) != CURLE_OK) || > + (curl_easy_setopt(channel_curl->handle, > + CURLOPT_SSL_VERIFYPEER, > + 0L) != CURLE_OK)) { > + result = CHANNEL_EINIT; > + goto cleanup; > + } > + } > > switch (method) { > case CHANNEL_GET: > Best regards, Stefano
Hi Stefano, > Hi Ayoub, > > On 07/11/2017 10:49, Ayoub Zaki wrote: >> Signed-off-by: Ayoub Zaki <ayoub.zaki@embexus.com> >> --- >> suricatta/channel_hawkbit.c | 31 +++++++++++++++++++++---------- >> 1 file changed, 21 insertions(+), 10 deletions(-) >> >> diff --git a/suricatta/channel_hawkbit.c b/suricatta/channel_hawkbit.c >> index cc30cb9..f3d00a0 100644 >> --- a/suricatta/channel_hawkbit.c >> +++ b/suricatta/channel_hawkbit.c >> @@ -362,7 +362,16 @@ channel_op_res_t channel_set_options(channel_t *this, >> (curl_easy_setopt(channel_curl->handle, CURLOPT_FOLLOWLOCATION, 1) != >> CURLE_OK) || >> (curl_easy_setopt(channel_curl->handle, CURLOPT_REDIR_PROTOCOLS, >> - CURLPROTO_HTTP | CURLPROTO_HTTPS) != CURLE_OK)) { >> + CURLPROTO_HTTP | CURLPROTO_HTTPS) != CURLE_OK) || >> + (curl_easy_setopt(channel_curl->handle, >> + CURLOPT_CAINFO, >> + channel_data->cafile) != CURLE_OK) || >> + (curl_easy_setopt(channel_curl->handle, >> + CURLOPT_SSLKEY, >> + channel_data->sslkey) != CURLE_OK) || >> + (curl_easy_setopt(channel_curl->handle, >> + CURLOPT_SSLCERT, >> + channel_data->sslcert) != CURLE_OK)) { > I am still missing what this change does. Currently, we have two options: > > - strictssl set: all options set for verification > - strictssl not set: no SSL at all. > > I understand you want to have some steps between, as SSL without host > verification for self-signed certificate. But if we set this here, is Yes exactly this patch adresses the case of using ssl with self-signed certificates. > https a must ? Does it work again with just http connections ? That > means, if no SSL at all is selected ? Yes this is working in case of base URL is specified only with http. so I think that all cases are covered here ? > > >> result = CHANNEL_EINIT; >> goto cleanup; >> } 
>> @@ -372,21 +381,23 @@ channel_op_res_t channel_set_options(channel_t *this, >> CURLOPT_SSL_VERIFYHOST, >> 2L) != CURLE_OK) || >> (curl_easy_setopt(channel_curl->handle, >> - CURLOPT_CAINFO, >> - channel_data->cafile) != CURLE_OK) || >> - (curl_easy_setopt(channel_curl->handle, >> - CURLOPT_SSLKEY, >> - channel_data->sslkey) != CURLE_OK) || >> - (curl_easy_setopt(channel_curl->handle, >> - CURLOPT_SSLCERT, >> - channel_data->sslcert) != CURLE_OK) || >> - (curl_easy_setopt(channel_curl->handle, >> CURLOPT_SSL_VERIFYPEER, >> 1L) != CURLE_OK)) { >> result = CHANNEL_EINIT; >> goto cleanup; >> } >> } >> + else { >> + if ((curl_easy_setopt(channel_curl->handle, >> + CURLOPT_SSL_VERIFYHOST, >> + 0L) != CURLE_OK) || >> + (curl_easy_setopt(channel_curl->handle, >> + CURLOPT_SSL_VERIFYPEER, >> + 0L) != CURLE_OK)) { >> + result = CHANNEL_EINIT; >> + goto cleanup; >> + } >> + } >> >> switch (method) { >> case CHANNEL_GET: >> Regards, Ayoub
Hi Ayoub, On 07/11/2017 18:36, Ayoub Zaki wrote: > Hi Stefano, > >> Hi Ayoub, >> >> On 07/11/2017 10:49, Ayoub Zaki wrote: >>> Signed-off-by: Ayoub Zaki <ayoub.zaki@embexus.com> >>> --- >>> suricatta/channel_hawkbit.c | 31 +++++++++++++++++++++---------- >>> 1 file changed, 21 insertions(+), 10 deletions(-) >>> >>> diff --git a/suricatta/channel_hawkbit.c b/suricatta/channel_hawkbit.c >>> index cc30cb9..f3d00a0 100644 >>> --- a/suricatta/channel_hawkbit.c >>> +++ b/suricatta/channel_hawkbit.c 
>>> @@ -362,7 +362,16 @@ channel_op_res_t channel_set_options(channel_t >>> *this, >>> (curl_easy_setopt(channel_curl->handle, >>> CURLOPT_FOLLOWLOCATION, 1) != >>> CURLE_OK) || >>> (curl_easy_setopt(channel_curl->handle, >>> CURLOPT_REDIR_PROTOCOLS, >>> - CURLPROTO_HTTP | CURLPROTO_HTTPS) != CURLE_OK)) { >>> + CURLPROTO_HTTP | CURLPROTO_HTTPS) != CURLE_OK) || >>> + (curl_easy_setopt(channel_curl->handle, >>> + CURLOPT_CAINFO, >>> + channel_data->cafile) != CURLE_OK) || >>> + (curl_easy_setopt(channel_curl->handle, >>> + CURLOPT_SSLKEY, >>> + channel_data->sslkey) != CURLE_OK) || >>> + (curl_easy_setopt(channel_curl->handle, >>> + CURLOPT_SSLCERT, >>> + channel_data->sslcert) != CURLE_OK)) { >> I am still missing what this change does. Currently, we have two options: >> >> - strictssl set: all options set for verification >> - strictssl not set: no SSL at all. >> >> I understand you want to have some steps between, as SSL without host >> verification for self-signed certificate. But if we set this here, is > > Yes exactly this patch adresses the case of using ssl with self-signed > certificates. > > >> https a must ? Does it work again with just http connections ? That >> means, if no SSL at all is selected ? > > Yes this is working in case of base URL is specified only with http. so > I think that all cases are covered here ? This is what I am asking as I have not tested myself. If ssl fields are not set as without the patch, I am sure libcurl does nothing. If they are set, I have not checked what libcurl is doing. Should we put the patchin "test" before merging ? Best regards, Stefano
Hi Ayoub, On 07/11/2017 19:42, Ayoub Zaki wrote: > Hi Stefano, > >>>> On 07/11/2017 10:49, Ayoub Zaki wrote: >>>>> Signed-off-by: Ayoub Zaki <ayoub.zaki@embexus.com> >>>>> --- >>>>> suricatta/channel_hawkbit.c | 31 +++++++++++++++++++++---------- >>>>> 1 file changed, 21 insertions(+), 10 deletions(-) >>>>> >>>>> diff --git a/suricatta/channel_hawkbit.c b/suricatta/channel_hawkbit.c >>>>> index cc30cb9..f3d00a0 100644 >>>>> --- a/suricatta/channel_hawkbit.c >>>>> +++ b/suricatta/channel_hawkbit.c 
>>>>> @@ -362,7 +362,16 @@ channel_op_res_t channel_set_options(channel_t >>>>> *this, >>>>> (curl_easy_setopt(channel_curl->handle, >>>>> CURLOPT_FOLLOWLOCATION, 1) != >>>>> CURLE_OK) || >>>>> (curl_easy_setopt(channel_curl->handle, >>>>> CURLOPT_REDIR_PROTOCOLS, >>>>> - CURLPROTO_HTTP | CURLPROTO_HTTPS) != CURLE_OK)) { >>>>> + CURLPROTO_HTTP | CURLPROTO_HTTPS) != CURLE_OK) || >>>>> + (curl_easy_setopt(channel_curl->handle, >>>>> + CURLOPT_CAINFO, >>>>> + channel_data->cafile) != CURLE_OK) || >>>>> + (curl_easy_setopt(channel_curl->handle, >>>>> + CURLOPT_SSLKEY, >>>>> + channel_data->sslkey) != CURLE_OK) || >>>>> + (curl_easy_setopt(channel_curl->handle, >>>>> + CURLOPT_SSLCERT, >>>>> + channel_data->sslcert) != CURLE_OK)) { >>>> I am still missing what this change does. Currently, we have two >>>> options: >>>> >>>> - strictssl set: all options set for verification >>>> - strictssl not set: no SSL at all. >>>> >>>> I understand you want to have some steps between, as SSL without host >>>> verification for self-signed certificate. But if we set this here, is >>> Yes exactly this patch adresses the case of using ssl with self-signed >>> certificates. >>> >>> >>>> https a must ? Does it work again with just http connections ? That >>>> means, if no SSL at all is selected ? >>> Yes this is working in case of base URL is specified only with http. so >>> I think that all cases are covered here ? >> This is what I am asking as I have not tested myself. If ssl fields are >> not set as without the patch, I am sure libcurl does nothing. If they >> are set, I have not checked what libcurl is doing. >> >> Should we put the patchin "test" before merging ? >> > I already did testing with both base urls set to http and https, log > files are attached. ok, fine. Applied to -master, thanks ! Best regards, Stefano Babic
Hi, I applied the patch and installed swupdate again. Now swupdate connects to https of Hawkbit, even though I am using a self-signed certificate. But when I try to push an update file to SWUpdate from Hawkbit, I get an error on swupdate. Below are the logs: * connect to <IP> port 8080 failed: Connection timed out * Failed to connect to <IP> port 8080: Connection timed out * Closing connection 3 [ERROR] : SWUPDATE failed [0] ERROR suricatta/channel_hawkbit.c : channel_get_file : 763 : Channel operation returned error (7): 'Couldn't connect to server' [ERROR] : SWUPDATE failed [0] ERROR core/cpio_utils.c : get_cpiohdr : 44 : CPIO Format not recognized: magic not found [ERROR] : SWUPDATE failed [0] ERROR core/cpio_utils.c : extract_cpio_header : 316 : CPIO Header corrupted, cannot be parsed [ERROR] : SWUPDATE failed [1] Image invalid or corrupted. Not installing ... [TRACE] : SWUPDATE running : [network_initializer] : Main thread sleep again ! [INFO ] : No SWUPDATE running : Waiting for requests... [TRACE] : SWUPDATE running : [network_initializer] : Main loop Daemon [ERROR] : SWUPDATE failed [0] ERROR suricatta/server_hawkbit.c : server_hawkbit_error : 184 : No suitable .swu image found I don't understand why the process is trying to connect to port 8080? Thanks for the help.
Hi! On 10.11.2017 10:56, krupanr@gmail.com wrote: > Hi, > > I applied the patch and installed swupdate again. Now swupdate connects to https of Hawkbit, even though I am using self-signed certificate. > > But when I try to push an update file to SWUpdate from Hawkbit, I get an error on swupdate. Below is the logs: What's your Swupdate configuration ? What are your URLs ? > > * connect to <IP> port 8080 failed: Connection timed out > * Failed to connect to <IP> port 8080: Connection timed out > * Closing connection 3 > [ERROR] : SWUPDATE failed [0] ERROR suricatta/channel_hawkbit.c : channel_get_file : 763 : Channel operation returned error (7): 'Couldn't connect to server' > > [ERROR] : SWUPDATE failed [0] ERROR core/cpio_utils.c : get_cpiohdr : 44 : CPIO Format not recognized: magic not found > > [ERROR] : SWUPDATE failed [0] ERROR core/cpio_utils.c : extract_cpio_header : 316 : CPIO Header corrupted, cannot be parsed > [ERROR] : SWUPDATE failed [1] Image invalid or corrupted. Not installing ... > [TRACE] : SWUPDATE running : [network_initializer] : Main thread sleep again ! > [INFO ] : No SWUPDATE running : Waiting for requests... > [TRACE] : SWUPDATE running : [network_initializer] : Main loop Daemon > [ERROR] : SWUPDATE failed [0] ERROR suricatta/server_hawkbit.c : server_hawkbit_error : 184 : No suitable .swu image found > > I dont understand why is the process trying to connect to 8080 port ? Thanks for the help. >
On Friday, November 10, 2017 at 5:10:05 PM UTC+5:30, ayoub zaki wrote: > Hi! > > > On 10.11.2017 10:56, krupanr@gmail.com wrote: > > Hi, > > > > I applied the patch and installed swupdate again. Now swupdate connects to https of Hawkbit, even though I am using self-signed certificate. > > > > But when I try to push an update file to SWUpdate from Hawkbit, I get an error on swupdate. Below is the logs: > What's your Swupdate configuration ? > What are your URLs ? > > > > * connect to <IP> port 8080 failed: Connection timed out > > * Failed to connect to <IP> port 8080: Connection timed out > > * Closing connection 3 > > [ERROR] : SWUPDATE failed [0] ERROR suricatta/channel_hawkbit.c : channel_get_file : 763 : Channel operation returned error (7): 'Couldn't connect to server' > > > > [ERROR] : SWUPDATE failed [0] ERROR core/cpio_utils.c : get_cpiohdr : 44 : CPIO Format not recognized: magic not found > > > > [ERROR] : SWUPDATE failed [0] ERROR core/cpio_utils.c : extract_cpio_header : 316 : CPIO Header corrupted, cannot be parsed > > [ERROR] : SWUPDATE failed [1] Image invalid or corrupted. Not installing ... > > [TRACE] : SWUPDATE running : [network_initializer] : Main thread sleep again ! > > [INFO ] : No SWUPDATE running : Waiting for requests... > > [TRACE] : SWUPDATE running : [network_initializer] : Main loop Daemon > > [ERROR] : SWUPDATE failed [0] ERROR suricatta/server_hawkbit.c : server_hawkbit_error : 184 : No suitable .swu image found > > > > I dont understand why is the process trying to connect to 8080 port ? Thanks for the help. > > > > -- > Ayoub Zaki > Embedded Systems Consultant > > Vaihinger Straße 2/1 > D-71634 Ludwigsburg > > Tel. : +4971415074546 > Mobile : +4917662901545 > Email : ayoub.zaki@embexus.com > Homepage : https://embexus.com > VAT No. : DE313902634 Hi, Configuration: enabled image downloading; enabled verification of signed images (sha256); enabled suricatta with SSL support & Hawkbit support. 
I have not enabled webserver for SWUpdate. URL: using an Ec2 instance https link with port 443 Thanks , Krupa
On Monday, November 13, 2017 at 5:31:16 PM UTC+5:30, kru...@gmail.com wrote: > On Friday, November 10, 2017 at 5:10:05 PM UTC+5:30, ayoub zaki wrote: > > Hi! > > > > > > On 10.11.2017 10:56, krupanr@gmail.com wrote: > > > Hi, > > > > > > I applied the patch and installed swupdate again. Now swupdate connects to https of Hawkbit, even though I am using self-signed certificate. > > > > > > But when I try to push an update file to SWUpdate from Hawkbit, I get an error on swupdate. Below is the logs: > > What's your Swupdate configuration ? > > What are your URLs ? > > > > > > * connect to <IP> port 8080 failed: Connection timed out > > > * Failed to connect to <IP> port 8080: Connection timed out > > > * Closing connection 3 > > > [ERROR] : SWUPDATE failed [0] ERROR suricatta/channel_hawkbit.c : channel_get_file : 763 : Channel operation returned error (7): 'Couldn't connect to server' > > > > > > [ERROR] : SWUPDATE failed [0] ERROR core/cpio_utils.c : get_cpiohdr : 44 : CPIO Format not recognized: magic not found > > > > > > [ERROR] : SWUPDATE failed [0] ERROR core/cpio_utils.c : extract_cpio_header : 316 : CPIO Header corrupted, cannot be parsed > > > [ERROR] : SWUPDATE failed [1] Image invalid or corrupted. Not installing ... > > > [TRACE] : SWUPDATE running : [network_initializer] : Main thread sleep again ! > > > [INFO ] : No SWUPDATE running : Waiting for requests... > > > [TRACE] : SWUPDATE running : [network_initializer] : Main loop Daemon > > > [ERROR] : SWUPDATE failed [0] ERROR suricatta/server_hawkbit.c : server_hawkbit_error : 184 : No suitable .swu image found > > > > > > I dont understand why is the process trying to connect to 8080 port ? Thanks for the help. > > > > > > > -- > > Ayoub Zaki > > Embedded Systems Consultant > > > > Vaihinger Straße 2/1 > > D-71634 Ludwigsburg > > > > Tel. : +4971415074546 > > Mobile : +4917662901545 > > Email : ayoub.zaki@embexus.com > > Homepage : https://embexus.com > > VAT No. 
: DE313902634 > > Hi, > > Configuration: > enabled image downloading; enabled verification of signed images (sha256); enabled suricatta with SSL support & Hawkbit support. > I have not enabled webserver for SWUpdate. > > URL: using an Ec2 instance https link with port 443 > > Thanks , > Krupa Hi Ayoub, Did you get a chance to look into this? Are you able to send updates from Hawkbit to swupdate, or do you get similar error like mine? Please let me know, so I can see if I am missing something on my end. Thanks.
diff --git a/suricatta/channel_hawkbit.c b/suricatta/channel_hawkbit.c
index cc30cb9..f3d00a0 100644
--- a/suricatta/channel_hawkbit.c
+++ b/suricatta/channel_hawkbit.c
@@ -362,7 +362,16 @@ channel_op_res_t channel_set_options(channel_t *this,
 (curl_easy_setopt(channel_curl->handle, CURLOPT_FOLLOWLOCATION, 1) !=
 CURLE_OK) ||
 (curl_easy_setopt(channel_curl->handle, CURLOPT_REDIR_PROTOCOLS,
- CURLPROTO_HTTP | CURLPROTO_HTTPS) != CURLE_OK)) {
+ CURLPROTO_HTTP | CURLPROTO_HTTPS) != CURLE_OK) ||
+ (curl_easy_setopt(channel_curl->handle,
+ CURLOPT_CAINFO,
+ channel_data->cafile) != CURLE_OK) ||
+ (curl_easy_setopt(channel_curl->handle,
+ CURLOPT_SSLKEY,
+ channel_data->sslkey) != CURLE_OK) ||
+ (curl_easy_setopt(channel_curl->handle,
+ CURLOPT_SSLCERT,
+ channel_data->sslcert) != CURLE_OK)) {
 result = CHANNEL_EINIT;
 goto cleanup;
 }
@@ -372,21 +381,23 @@ channel_op_res_t channel_set_options(channel_t *this,
 CURLOPT_SSL_VERIFYHOST,
 2L) != CURLE_OK) ||
 (curl_easy_setopt(channel_curl->handle,
- CURLOPT_CAINFO,
- channel_data->cafile) != CURLE_OK) ||
- (curl_easy_setopt(channel_curl->handle,
- CURLOPT_SSLKEY,
- channel_data->sslkey) != CURLE_OK) ||
- (curl_easy_setopt(channel_curl->handle,
- CURLOPT_SSLCERT,
- channel_data->sslcert) != CURLE_OK) ||
- (curl_easy_setopt(channel_curl->handle,
 CURLOPT_SSL_VERIFYPEER,
 1L) != CURLE_OK)) {
 result = CHANNEL_EINIT;
 goto cleanup;
 }
 }
+ else {
+ if ((curl_easy_setopt(channel_curl->handle,
+ CURLOPT_SSL_VERIFYHOST,
+ 0L) != CURLE_OK) ||
+ (curl_easy_setopt(channel_curl->handle,
+ CURLOPT_SSL_VERIFYPEER,
+ 0L) != CURLE_OK)) {
+ result = CHANNEL_EINIT;
+ goto cleanup;
+ }
+ }
 
 switch (method) {
 case CHANNEL_GET:
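Review bot: The new `else` branch in the second hunk sets CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to 0L whenever strictssl is unset, so an https: base URL is still encrypted but the hawkBit server is no longer authenticated and the channel will accept any certificate presented to it. Since the stated goal is self-signed certificates, the first hunk already provides a safer path: CURLOPT_CAINFO now points at channel_data->cafile unconditionally, so keeping VERIFYPEER at 1L and shipping the self-signed certificate itself as cafile pins it without giving up authentication, leaving the verify-off branch as an explicit development-only opt-in. At minimum the branch deserves a comment such as `/* strictssl unset: https is still used, but peer and hostname are NOT verified; for self-signed servers prefer strictssl with cafile set to that certificate */` and a log line at warning level when it is taken, so a device running unauthenticated is visible in its logs. I have not verified how the libcurl versions in use treat NULL for CURLOPT_CAINFO/CURLOPT_SSLKEY/CURLOPT_SSLCERT when those fields are unset in the first hunk; if NULL is rejected, the three setopt calls should be guarded rather than failing with CHANNEL_EINIT. channel_set_options begins before the first hunk and continues past the second.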
Signed-off-by: Ayoub Zaki <ayoub.zaki@embexus.com> --- suricatta/channel_hawkbit.c | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-)