Berry webclient : error -1296 with self-signed certificate

[MG695]

PROBLEM DESCRIPTION

A clear and concise description of what the problem is.
Hello. I try to access my PV Enphase Envoy gateway local API using webclient in Berry, with https get request, but get a -1296 error code.
When using curl my request works fine but only if I use -k parameter to accept self-signed certificate (which the Envoy uses).
My understanding is that, when using TLS/https, Tastomata checks certificate against the following two CA's : Let's Encrypt and Amazon root CA
But when a server uses a self-signed certificate, it is not using these CA's.
Therefore, as the -k option with curl is doing (Allow insecure server connections), there should be an option for webclient in Berry to not check CA/allow insecure server connection.
I tried to use fingerprint validation (SetOption132 1) first using real fingerprint of the self-signed certificate (I used tasmota-fingerprint program to get it), then fingerprint auto-learn and finally disable fingerprint but none of them worked. But, as the name of the option/command (mqttfingerprint) suggests, it might apply to MQTT only and is not used by Berry webclient.

REQUESTED INFORMATION

Make sure your have performed every step and checked the applicable boxes before submitting your issue. Thank you!

• [ x] Read the Contributing Guide and Policy and the Code of Conduct
• [x ] Searched the problem in issues
• [x ] Searched the problem in discussions
• [x ] Searched the problem in the docs
• [x ] Searched the problem in the chat
• [x ] Device used (e.g., Sonoff Basic): Eightree Tasmota plug___
• [x ] Tasmota binary firmware version number used: 14.3.0___
  • [x ] Pre-compiled
  • Self-compiled
• [x ] Flashing tools used: OTA___
• Provide the output of command: Backlog Template; Module; GPIO 255:

  Configuration output here:

• If using rules, provide the output of this command: Backlog Rule1; Rule2; Rule3:

  Rules output here:

• [X ] Provide the output of this command: Status 0:

  STATUS 0 output here:
15:28:03.206 MQT: stat/tasmotabuand/STATUS = {"Status":{"Module":0,"DeviceName":"Tasmota_buanderie","FriendlyName":["Tasmota buanderie"],"Topic":"tasmotabuand","ButtonTopic":"","Power":"0","PowerLock":"0","PowerOnState":3,"LedState":1,"LedMask":"FFFF","SaveData":1,"SaveState":1,"SwitchTopic":"0","SwitchMode":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"ButtonRetain":0,"SwitchRetain":0,"SensorRetain":0,"PowerRetain":0,"InfoRetain":0,"StateRetain":0,"StatusRetain":0}}
15:28:03.217 MQT: stat/tasmotabuand/STATUS1 = {"StatusPRM":{"Baudrate":115200,"SerialConfig":"8N1","GroupTopic":"tasmotas","OtaUrl":"http://ota.tasmota.com/tasmota32/release/tasmota32c3.bin","RestartReason":"Software reset CPU","Uptime":"1T19:42:28","StartupUTC":"2024-12-03T18:45:35","Sleep":5,"CfgHolder":4617,"BootCount":48,"BCResetTime":"2024-11-12T19:46:04","SaveCount":187}}
15:28:03.229 MQT: stat/tasmotabuand/STATUS2 = {"StatusFWR":{"Version":"14.3.0(release-tasmota32)","BuildDateTime":"2024-10-15T08:21:39","Core":"3_1_0","SDK":"5.3.1.240924","CpuFrequency":160,"Hardware":"ESP8685 v0.4","CR":"469/699"}}
15:28:03.242 MQT: stat/tasmotabuand/STATUS3 = {"StatusLOG":{"SerialLog":4,"WebLog":2,"MqttLog":0,"SysLog":4,"LogHost":"","LogPort":514,"SSId":["ZT3A","ZT3AR"],"TelePeriod":300,"Resolution":"568180C0","SetOption":["00208009","1E05C80001000600005A5A0A192800000000","008000C0","00206000","00046000","00000001"]}}
15:28:03.262 MQT: stat/tasmotabuand/STATUS4 = {"StatusMEM":{"ProgramSize":1997,"Free":882,"Heap":161,"StackLowMark":2,"PsrMax":0,"PsrFree":0,"ProgramFlashSize":4096,"FlashSize":4096,"FlashChipId":"164020","FlashFrequency":80,"FlashMode":"DIO","Features":["0809","9F9AD7DF","0015A001","B7F7BFCF","05DA9BC4","E0360DC7","480840D2","20200000","D4BC482D","810A80B1","00000015"],"Drivers":"1,2,3,!4,!5,7,!8,9,10,11,12,!14,!16,!17,!20,!21,!24,26,!27,29,!34,!35,38,50,52,!59,!60,62,!63,!66,!67,!68,!71,!73,82,!86,!87,!88,!121","Sensors":"1,2,3,5,6,7,8,9,10,11,12,13,14,15,17,18,19,20,21,22,26,31,34,37,39,40,42,43,45,51,52,55,56,58,59,64,66,67,74,85,92,95,98,103,105,109,127","I2CDriver":"7,8,9,10,11,12,13,14,15,17,18,20,24,29,31,36,41,42,44,46,48,58,62,65,69,76,77,82,89"}}
15:28:03.284 MQT: stat/tasmotabuand/STATUS5 = {"StatusNET":{"Hostname":"tasmotabuand-7212","IPAddress":"192.168.0.83","Gateway":"192.168.0.1","Subnetmask":"255.255.255.0","DNSServer1":"89.2.0.1","DNSServer2":"89.2.0.2","Mac":"54:32:04:EB:1C:2C","IP6Global":"","IP6Local":"fe80::5632:4ff:feeb:1c2c%st6","Ethernet":{"Hostname":"","IPAddress":"0.0.0.0","Gateway":"0.0.0.0","Subnetmask":"0.0.0.0","DNSServer1":"89.2.0.1","DNSServer2":"89.2.0.2","Mac":"00:00:00:00:00:00","IP6Global":"","IP6Local":""},"Webserver":2,"HTTP_API":1,"WifiConfig":4,"WifiPower":17.0}}
15:28:03.295 MQT: stat/tasmotabuand/STATUS6 = {"StatusMQT":{"MqttHost":"b8b2e7648bcc40e19169a25c988f0bcf.s2.eu.hivemq.cloud","MqttPort":8883,"MqttClientMask":"Tasmotabuand","MqttClient":"Tasmotabuand","MqttUser":"Tasmotarouter","MqttCount":5,"MAX_PACKET_SIZE":1200,"KEEPALIVE":30,"SOCKET_TIMEOUT":4}}
15:28:03.305 MQT: stat/tasmotabuand/STATUS7 = {"StatusTIM":{"UTC":"2024-12-05T14:28:03Z","Local":"2024-12-05T15:28:03","StartDST":"2024-03-31T02:00:00","EndDST":"2024-10-27T03:00:00","Timezone":"+01:00","Sunrise":"08:27","Sunset":"16:53"}}
15:28:03.319 MQT: stat/tasmotabuand/STATUS9 = {"StatusPTH":{"PowerDelta":0,"PowerLow":0,"PowerHigh":0,"VoltageLow":0,"VoltageHigh":0,"CurrentLow":0,"CurrentHigh":0,"MaxPower":0,"MaxPowerHold":10,"MaxPowerWindow":30,"MaxEnergy":0,"MaxEnergyStart":0}}
15:28:03.337 MQT: stat/tasmotabuand/STATUS10 = {"StatusSNS":{"Time":"2024-12-05T15:28:03","ENERGY":{"TotalStartTime":"2024-11-12T19:51:33","Total":5.07771,"Yesterday":0.00014,"Today":0.00000,"Period":0,"Power":0,"ApparentPower":0,"ReactivePower":0,"Factor":0.00,"Voltage":234,"Current":0.000},"ESP32":{"Temperature":49.5},"TempUnit":"C"}}
15:28:03.355 MQT: stat/tasmotabuand/STATUS11 = {"StatusSTS":{"Time":"2024-12-05T15:28:03","Uptime":"1T19:42:28","UptimeSec":157348,"Heap":160,"SleepMode":"Dynamic","Sleep":5,"LoadAvg":199,"MqttCount":5,"Berry":{"HeapUsed":4,"Objects":46},"POWER":"OFF","Wifi":{"AP":2,"SSId":"ZT3AR","BSSId":"30:B5:C2:21:5E:8F","Channel":1,"Mode":"HE20","RSSI":36,"Signal":-82,"LinkCount":5,"Downtime":"0T00:02:05"}}}

• [x ] Set weblog to 4 and then, when you experience your issue, provide the output of the Console log:

  Console output here:
15:29:58.372 CMD: Weblog 4
15:29:58.374 SRC: WebConsole from 192.168.0.35
15:29:58.375 CMD: Grp 0, Cmd 'WEBLOG', Idx 1, Len 1, Pld 4, Data '4'
15:29:58.381 MQT: stat/tasmotabuand/RESULT = {"WebLog":4}
15:29:58.774 CFG: Saved, Count 188, Bytes 4096
15:30:00.803 HTP: Tools
15:30:02.846 HTP: Berry Console
15:30:06.969 BRY: GC from 10571 to 5244 bytes, objects freed 25/46 (in 0 ms) - slots from 49/91 to 45/91
15:30:12.326 HTP: TLS connection error 296 after 300 ms
15:30:12.328 Result code:  -1296

TO REPRODUCE

Steps to reproduce the behavior:
https webclient request against server using self-signed certificate

EXPECTED BEHAVIOUR

A clear and concise description of what you expected to happen.
Bypass authentication and have the request working

SCREENSHOTS

If applicable, add screenshots to help explain your problem.

ADDITIONAL CONTEXT

Add any other context about the problem here.

(Please, remember to close the issue when the problem has been addressed)

[s-hadinger]

Can you give access to the endpoint over the internet for testing?

[MG695]

No, sorry, not possible. The gateway is reachable on the LAN only (hence no real security issue to allow the self-signed certificate).
Just to add, I have no issue reaching other web sites over https using Berry webclient. Have only issue with this self-signed certificate. When accessing it with my browser (Firefox) I get a big warning this is unsecured/not trusted but I can force the exception. With curl as well I can force the access using the -k parameter. I would need something equivalent with Berry webclient

[sfromis]

As mentioned on Discord, here's an example of webclient failing with -1296, same site works in a browser, and with curl, both with and without --insecure / -k

wc = webclient()
print(wc.begin('https://sasac.co.uk/'))
print(wc.GET())
print(wc.get_string())
print(wc.close())

[s-hadinger]

I looked deeper and error 1296 is actually error 40 sent by the peer: SSL3_ALERT_HANDSHAKE_FAILURE

This error is not generated by Tasmota, the error is sent by the server. It seems that the TLS Version (1.2) and cipher (ECDHE_RSA_WITH_AES_128_GCM_SHA256) are not supported by the server

[s-hadinger]

Could you please try with the latest version. I enabled ECDSA for some web sites, it might help.

#22649

[MG695]

Just upgraded to 14.4.0.1 and unfortunately no improvement on my side (self-signed certificate), still error -1296