I recently bought the 2.9″ ESPaper Plus Kit, WiFi ePaper display from ThingPulse.
To get this device working with my Ansible-configured SSL web proxy I had to get some additional debugging skills...
Out of the box the ESPaper Plus Kit is provided with two nice Arduino projects: the weather station and the espaper-client.
To show weather data combined with data from our house's photovoltaic system, I wrote a simple Grails 3 proxy application. This application provides the required information in the JSON format required by the espaper-client.
Modifying the client to work with my unsecured development server on my notebook was very easy by editing settings.h (define DEV_ENV and set SERVER_URL).
The production setup was done quickly using Ansible to configure my gateway Apache, which is responsible for the SSL encryption with Let's Encrypt certificates and for proxying to the application server instances running in different containers. A test using Firefox was successful on the first try.
But the espaper-client refused to connect with the cryptic error code -1 / connection refused. Even the serial console did not provide additional information.
A first look through the HTTPClient's source did not reveal additional information.
Getting the debug output of the HTTPClient did not work as expected. Initially I tried to use some #define in the project source without success.
Later I found the informative Arduino-ESP8266 documentation which provides the required simple steps to enable the log output.
This additional log information on the serial console gave me the next piece of the puzzle: SSL error 40.
The reason for the failure is a handshake problem, according to the GitHub issue "SSL error 40, SSL handshake failure #2771".
In the comments I could find the hint of a reduced set of supported cipher suites.
Therefore I reconfigured Apache to support the default set of cipher suites instead of the reduced ones of the Ansible role geerlingguy.apache.
To figure out the required cipher suite I configured Apache to log the used suite:
CustomLog /var/log/apache2/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
With the information from the log I changed the cipher suites in Ansible, adding AES256-SHA256:
apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH:AES256-SHA256"
And finally the espaper-client is now able to connect to my backend!
To ensure the added cipher suite is no major security issue I verified the configuration using www.ssllabs.com.
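AES256-SHA256 uses RSA key exchange and so has no forward secrecy, which makes it worth confirming from the ssl_request_log that only the ESPaper device negotiates it while browsers still get an ECDHE suite. The following tally is an added example, not code from the original post; the sample log lines, addresses and request paths are constructed, and the forward-secrecy test is a prefix heuristic on OpenSSL suite names.

```python
import re
from collections import Counter, defaultdict

# Matches the CustomLog format from the post:
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) '
    r'(?P<cipher>\S+) "(?P<request>[^"]*)" (?P<size>\S+)$'
)

def has_forward_secrecy(cipher):
    """Heuristic on OpenSSL names: (EC)DHE key exchange or a TLS 1.3 suite (TLS_*)."""
    return cipher.startswith(("ECDHE-", "DHE-", "TLS_"))

def ciphers_by_client(lines):
    """Return {client: Counter({(protocol, cipher): hits})} for TLS requests."""
    seen = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["cipher"] == "-":  # malformed line or non-TLS request
            continue
        seen[m["host"]][(m["proto"], m["cipher"])] += 1
    return dict(seen)

def clients_without_forward_secrecy(lines):
    """Clients that negotiated at least one suite without forward secrecy."""
    return {
        host
        for host, suites in ciphers_by_client(lines).items()
        if any(not has_forward_secrecy(cipher) for _, cipher in suites)
    }

# Constructed sample log lines (addresses, paths and sizes are made up).
SAMPLE_LOG = """\
[10/Mar/2019:20:15:01 +0100] 192.0.2.10 TLSv1.2 AES256-SHA256 "GET /display HTTP/1.1" 512
[10/Mar/2019:20:15:09 +0100] 192.0.2.20 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET / HTTP/1.1" 2048
[10/Mar/2019:20:20:01 +0100] 192.0.2.10 TLSv1.2 AES256-SHA256 "GET /display HTTP/1.1" 512
[10/Mar/2019:20:21:30 +0100] 192.0.2.30 - - "GET / HTTP/1.1" 301
truncated line
""".splitlines()

if __name__ == "__main__":
    for host, suites in sorted(ciphers_by_client(SAMPLE_LOG).items()):
        for (proto, cipher), hits in suites.most_common():
            flag = "" if has_forward_secrecy(cipher) else "  <- no forward secrecy"
            print(f"{host} {proto} {cipher} x{hits}{flag}")
```

If any client other than the display shows up in the flagged set, the suite order or that client's configuration needs a closer look before the legacy suite stays enabled.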