2.1.1 introduced SNI extension to fix issue created by GitHub new CDN

- without SNI the server presents the wrong certificate
- no need to add the intermediate certificate since it is offered by
the server
- this means the certificate file remains the same as in version 2.0.2

Changelog.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## 2.1.1 introduced SNI extension to fix issue created by GitHub new CDN
+- without SNI the server presents the wrong certificate
+- no need to add the intermediate certificate since it is offered by the server
+- this means the certificate file remains the same as in version 2.0.2
+
 ## 2.1.0 updated to the new certificate used by GitHub for the content distribution server
 - GitHub switched to their own domain and now use a DigiCert CA instead of Baltimore CA
 - make a final 0x0a and or 0x0d optional for the prerelease file

Makefile

@@ -17,6 +17,8 @@ EXTRA_WOLFSSL_CFLAGS = \
 	-DUSE_SLOW_SHA \
 	-DUSE_SLOW_SHA2 \
 	-DHAVE_AESGCM \
+    -DHAVE_TLS_EXTENSIONS \
+	-DHAVE_SNI \
 	-DNO_MD5 \
 	-DNO_FILESYSTEM \
 	-DNO_WRITEV \

README.md

@@ -197,7 +197,7 @@ Download Certificates
 This is a file that contains the checksum of the sector containing three certificates/keys
 - public key of HomeACessoryKid that signs the certificate/key sector 
 - root CA used by GitHub
-- root CA used by the DistributedContentProvider (now GitHub's own, Amazon until release 2.1.0)
+- root CA used by the DistributedContentProvider (now GitHub's own, Amazon before release 2.1.0)
 
 Once downloaded, the signature is checked against the known public key and the sha384 checksum of the active sector is compared to the checksum in the signature file. If equal, we move on. If not, we download the updated sector file to the standby sector.
 

deploy.md

@@ -10,30 +10,30 @@ cd life-cycle-manager
 - initial steps to be expanded
 
 #### These are the steps if not introducing a new key pair
-- create/update the file versions1/latest-pre-release without new-line and setup 2.1.0 version folder
+- create/update the file versions1/latest-pre-release without new-line and setup 2.1.1 version folder
 ```
-mkdir versions1/2.1.0v
-echo -n 2.1.0 > versions1/2.1.0v/latest-pre-release
-cp versions1/certs.sector* versions1/2.1.0v
-cp versions1/public*key*   versions1/2.1.0v
+mkdir versions1/2.1.1v
+echo -n 2.1.1 > versions1/2.1.1v/latest-pre-release
+cp versions1/certs.sector versions1/certs.sector.sig versions1/2.1.1v
+cp versions1/public*key*   versions1/2.1.1v
 ```
 - set local.mk to the ota-main program
 ```
-make -j6 rebuild OTAVERSION=2.1.0
-mv firmware/otamain.bin versions1/2.1.0v
+make -j6 rebuild OTAVERSION=2.1.1
+mv firmware/otamain.bin versions1/2.1.1v
 ```
 - set local.mk back to ota-boot program
 ```
-make -j6 rebuild OTAVERSION=2.1.0
-mv firmware/otaboot.bin versions1/2.1.0v
-make -j6 rebuild OTAVERSION=2.1.0 OTABETA=1
-cp firmware/otaboot.bin versions1/2.1.0v/otabootbeta.bin
+make -j6 rebuild OTAVERSION=2.1.1
+mv firmware/otaboot.bin versions1/2.1.1v
+make -j6 rebuild OTAVERSION=2.1.1 OTABETA=1
+cp firmware/otaboot.bin versions1/2.1.1v/otabootbeta.bin
 ```
 - remove the older version files
 #
 - update Changelog
-- commit this as version 2.1.0  
-- set up a new github release 2.1.0 as a pre-release using the just commited master...  
+- commit this as version 2.1.1  
+- set up a new github release 2.1.1 as a pre-release using the just commited master...  
 - upload the certs and binaries to the pre-release assets on github  
 #
 - erase the flash and upload the privatekey
@@ -43,18 +43,18 @@ esptool.py -p /dev/cu.usbserial-* --baud 230400 write_flash 0xf9000 versions1-pr
 ```
 - upload the ota-boot BETA program to the device that contains the private key
 ```
-make flash OTAVERSION=2.1.0 OTABETA=1
+make flash OTAVERSION=2.1.1 OTABETA=1
 ```
 - power cycle to prevent the bug for software reset after flash  
 - setup wifi and select the ota-demo repo without pre-release checkbox  
 - create the 2 signature files next to the bin file and upload to github one by one  
 - verify the hashes on the computer  
 ```
-openssl sha384 versions1/2.1.0v/otamain.bin
-xxd versions1/2.1.0v/otamain.bin.sig
+openssl sha384 versions1/2.1.1v/otamain.bin
+xxd versions1/2.1.1v/otamain.bin.sig
 ```
 
-- upload the file versions1/2.1.0v/latest-pre-release to the 'latest release' assets on github
+- upload the file versions1/2.1.1v/latest-pre-release to the 'latest release' assets on github
 
 #### Testing
 
@@ -107,14 +107,14 @@ esptool.py -p /dev/cu.usbserial-* --baud 230400 write_flash 0xf9000 versionsN-1-
 ```
 - collect public-1.key.sig and store it in the new version folder and copy it to versions1
 ```
-cp  versions1/2.1.0v/public-1.key.sig versions1
+cp  versions1/2.1.1v/public-1.key.sig versions1
 ```
 - then flash the new private key
 ```
 esptool.py -p /dev/cu.usbserial-* --baud 230400 write_flash 0xf9000 versions1-privatekey.der
 ```
 - collect cert.sector.sig and store it in the new version folder and copy it to versions1 
 ```
-cp  versions1/2.1.0v/certs.sector.sig versions1
+cp  versions1/2.1.1v/certs.sector.sig versions1
 ```
 - continue with a normal deployment to create the 2 signature files next to the bin files

ota.c

@@ -491,6 +491,14 @@ static int ota_connect(char* host, int port, int *socket, WOLFSSL** ssl) {
     wolfSSL_set_fd(*ssl, *socket);
     UDPLGP("set_fd ");
 
+    ret = wolfSSL_UseSNI(*ssl, WOLFSSL_SNI_HOST_NAME, host, strlen(host));
+    if (ret != SSL_SUCCESS) {
+        UDPLGP("failed, return [-0x%x]\n", -ret);
+        ret=wolfSSL_get_error(*ssl,ret);
+        UDPLGP("wolfSSL_UseSNI error = %d\n", ret);
+        return -1;
+    }
+
     if (verify) ret=wolfSSL_check_domain_name(*ssl, host);
 //wolfSSL_Debugging_OFF();
 

versions1/2.1.1v/latest-pre-release

@@ -0,0 +1 @@
+2.1.1