人类的孤独像是一种与生俱来的残疾。

iot-edge-c-sdk中BOS证书问题

C语言 smallfish 1790℃
在嵌入式开发板上使用百度iot-edge-c-sdk的BOS测试时,出现
Error: Time:Fri Oct 12 13:18:51 2018 File:/root/Clion_Projects/Security_IoT/iot-edge-c-sdk/c-utility/adapters/httpapi_curl.c Func:HTT
PAPI_ExecuteRequest Line:582 curl_easy_perform() failed: Peer certificate cannot be authenticated with given CA certificates
Error: Time:Fri Oct 12 13:18:51 2018 File:/root/Clion_Projects/Security_IoT/iot-edge-c-sdk/c-utility/adapters/httpapi_curl.c Func:HTT
PAPI_ExecuteRequest Line:584 (result = HTTPAPI_OPEN_REQUEST_FAILED)Error: Time:Fri Oct 12 13:18:51 2018 File:/root/Clion_Projects/Security_IoT/iot-edge-c-sdk/c-utility/src/httpapiex.c Func:HTTPAPIEX_E
xecuteRequest Line:475 unable to recover sending to a working stateError: Time:Fri Oct 12 13:18:51 2018 File:/root/Clion_Projects/Security_IoT/iot-edge-c-sdk/iothub_client/src/bos.c Func:BOS_UploadDow
nload Line:129 failed to HTTPAPIEX_ExecuteRequestInfo: Download finished. result = 3, httpStatus=494444, content size=0.
Error: Time:Fri Oct 12 13:18:51 2018 File:/root/Clion_Projects/Security_IoT/security_iot/platform/src/baidu_bos.c Func:bos_run_downlo
ad Line:63 failure in BOS_Download
 
百度反馈为openssl版本问题,经过多方多次验证,可以排除此可能。
 
猜测原因可能是:
1、SDK所包含的证书问题(certs/certs.c);
2、板载环境缺失,导致信任证书链未能正确引用到。
 
临时解决办法:
1、在iot-edge-c-sdk/c-utility/adapters/httpapi_curl.c第833行处添加:
                if (curl_easy_setopt(httpHandleData->curl, CURLOPT_SSL_CTX_DATA, httpHandleData) != CURLE_OK)
                {
                    LogError("failure in curl_easy_setopt - CURLOPT_SSL_CTX_DATA");
                    result = HTTPAPI_ERROR;
                }
                else if (curl_easy_setopt(httpHandleData->curl, CURLOPT_CAINFO, "cacert.pem") != CURLE_OK)
                {
                    LogError("failure in curl_easy_setopt -CURLOPT_CAINFO");
                    result = HTTPAPI_ERROR;
                }
                else
                {
                    httpHandleData->certificates = (const char*)value;
                    result = HTTPAPI_OK;
                }
 
或者在此iot-edge-c-sdk/c-utility/adapters/httpapi_curl.c第376行处添加:
            else if (curl_easy_setopt(httpHandleData->curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1) != CURLE_OK)
            {
                result = HTTPAPI_SET_OPTION_FAILED;
                LogError("failed to set CURLOPT_HTTP_VERSION (result = %s)", ENUM_TO_STRING(HTTPAPI_RESULT, result));
            }
            else if (curl_easy_setopt(httpHandleData->curl, CURLOPT_CAINFO, "cacert.pem") != CURLE_OK)
            {
                result = HTTPAPI_SET_OPTION_FAILED;
                LogError("failed to set CURLOPT_CAINFO (result = %s)", ENUM_TO_STRING(HTTPAPI_RESULT, result));
            }
            else
            {
                result = HTTPAPI_OK;
优先选择在第833行处添加。
 
2、与第一点类似,不过将添加内容改为:
            else if (curl_easy_setopt(httpHandleData->curl,CURLOPT_SSL_VERIFYPEER, 0) != CURLE_OK)
            {
                result = HTTPAPI_SET_OPTION_FAILED;
                LogError("failed to set CURLOPT_SSL_VERIFYPEER(result = %s)", ENUM_TO_STRING(HTTPAPI_RESULT, result));
            }
 
方式1为主动添加信任证书链,该文件可以在https://curl.haxx.se/docs/caextract.html下载,并将cacert.pem文件放置在与应用程序同级别目录,当然,也可以放在其他目录,但需要相应地修改此文件所在路径。
 
方式2为取消对服务器端的验证,通常不建议这么做。

转载请注明:OpenMind » iot-edge-c-sdk中BOS证书问题

喜欢 (0)