v2.1.3 Gremsy Vio camera payload fails to download camera definition due to "unsupported protocol" error #192

Open
rayw-dronesense opened this issue Nov 26, 2024 · 46 comments · Fixed by mavlink/MAVSDK#2453

@rayw-dronesense
Contributor

2024-11-26 12:38:58.851 20122-20563 Mavsdk                  com.dronesense.pilot.blue            I  Download file: https://github.com/Gremsy/Vio-Camera-Definition/releases/download/v2.0.3/vio_camera_f1_def.xml using cURL...
2024-11-26 12:38:58.852 20122-20563 Mavsdk                  com.dronesense.pilot.blue            I  Downloading camera definition from: https://github.com/Gremsy/Vio-Camera-Definition/releases/download/v2.0.3/vio_camera_f1_def.xml
2024-11-26 12:38:58.853 20122-20563 Mavsdk                  com.dronesense.pilot.blue            E  Error while downloading text, curl error code: Unsupported protocol
2024-11-26 12:38:58.853 20122-20563 Mavsdk                  com.dronesense.pilot.blue            E  Failed to download camera definition.
2024-11-26 12:38:58.854 20122-20563 Mavsdk                  com.dronesense.pilot.blue            I  Downloaded file, result Error
2024-11-26 12:38:58.854 20122-20563 Mavsdk                  com.dronesense.pilot.blue            D  Failed to fetch camera definition!
@JonasVautherin
Collaborator

We build curl without ssl, I think it won't support https: https://github.com/mavlink/MAVSDK/blob/main/third_party/curl/CMakeLists.txt#L12

Would you have a way to use http instead?

A weird thing in your case is that the camera definition is downloaded from the internet. Shouldn't it be served by the drone? Or is it somehow a simulator setup?

@julianoes
Contributor

I tried to add openssl with https support in mavlink/MAVSDK#2386 and I gave up trying to get it building for all platforms. If you want to waste a few days staring at CI playing with dependencies, feel free. I find it utterly frustrating.

@rayw-dronesense
Contributor Author

rayw-dronesense commented Nov 27, 2024

@JonasVautherin

> We build curl without ssl, I think it won't support https: https://github.com/mavlink/MAVSDK/blob/main/third_party/curl/CMakeLists.txt#L12
>
> Would you have a way to use http instead?
>
> A weird thing in your case is that the camera definition is downloaded from the internet. Shouldn't it be served by the drone? Or is it somehow a simulator setup?

It's a real drone and payload. Nope, they for some reason decided it was a good idea to have the file fetched from Github every time; here's their documentation: https://docs.gremsy.com/payloads/vio/camera-setting-menu/camera-definition-file-download - pretty sure I have no way of changing this behavior...

> For generate the camera setting menu, the QGroundControl app need to download the camera definition file from Gremsy github server. The download path will be sent by the Vio automatically.

@julianoes

> I tried to add openssl with https support in mavlink/MAVSDK#2386 and I gave up trying to get it building for all platforms. If you want to waste a few days staring at CI playing with dependencies, feel free. I find it utterly frustrating.

Oh boy...sorry to hear about that. By any chance, were we able to get it to work on Android at least?

@julianoes
Contributor

Pretty sure Android was one of the broken ones:
https://github.com/mavlink/MAVSDK/actions/runs/11588668231/job/32262783180#step:6:1416

Is the file available with http though? In that case, you can just intercept (but not in Java) the message containing the URL and change https to http.

Or what we could also try is to just parse https and use http to download. If it works, good; otherwise no harm done, I'd think...

@JonasVautherin
Collaborator

Whoops it got resolved automatically because I mentioned it in the PR. Let me reopen it.

@JonasVautherin
Collaborator

JonasVautherin commented Nov 28, 2024

Trying to backport it to v2.12 so that we can maybe release it before v3: mavlink/MAVSDK#2454

@rayw-dronesense
Contributor Author

rayw-dronesense commented Dec 3, 2024

@julianoes

> Pretty sure Android was one of the broken ones:
> https://github.com/mavlink/MAVSDK/actions/runs/11588668231/job/32262783180#step:6:1416

That's unfortunate. Thanks for the info!

> Is the file available with http though? In that case, you can just intercept (but not in Java) the message containing the URL and change https to http.
>
> Or what we could also try is to just parse https and use http to download. If it works, good; otherwise no harm done, I'd think...

Hmm... I don't think Github lets you download using HTTP anymore; here's what happens when I take that URL and do a wget with "HTTP" instead of "HTTPS":

$ wget http://github.com/Gremsy/Vio-Camera-Definition/releases/download/v2.0.3/vio_camera_f1_def.xml
--2024-12-03 09:50:55--  http://github.com/Gremsy/Vio-Camera-Definition/releases/download/v2.0.3/vio_camera_f1_def.xml
Resolving github.com (github.com)... 140.82.112.4
Connecting to github.com (github.com)|140.82.112.4|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/Gremsy/Vio-Camera-Definition/releases/download/v2.0.3/vio_camera_f1_def.xml [following]
--2024-12-03 09:50:56--  https://github.com/Gremsy/Vio-Camera-Definition/releases/download/v2.0.3/vio_camera_f1_def.xml
Connecting to github.com (github.com)|140.82.112.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/697574913/7809a88c-be05-4ff3-8f7e-5a72ae3e69ee?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241203%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241203T145056Z&X-Amz-Expires=300&X-Amz-Signature=953f4511aeadde975534734960e4d0aeedd6555d6f07228f74fd7e0b997a79d1&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dvio_camera_f1_def.xml&response-content-type=application%2Foctet-stream [following]
--2024-12-03 09:50:56--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/697574913/7809a88c-be05-4ff3-8f7e-5a72ae3e69ee?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241203%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241203T145056Z&X-Amz-Expires=300&X-Amz-Signature=953f4511aeadde975534734960e4d0aeedd6555d6f07228f74fd7e0b997a79d1&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dvio_camera_f1_def.xml&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.109.133, 185.199.108.133, 185.199.111.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16600 (16K) [application/octet-stream]
Saving to: ‘vio_camera_f1_def.xml’

@JonasVautherin Thanks!

@JonasVautherin
Collaborator

Can you try with mavsdk_server:2.1.4? Just pushed it to MavenCentral. It should support HTTPS

@rayw-dronesense
Contributor Author

@JonasVautherin - Thanks for the updated release! With 2.1.4 it does get a bit further, but runs into this issue,

2024-12-03 10:55:50.389  2182-4091  Mavsdk                  com.dronesense.pilot.blue            I  Download file: https://github.com/Gremsy/Vio-Camera-Definition/releases/download/v2.0.3/vio_camera_f1_def.xml using cURL...
2024-12-03 10:55:50.392  2182-4091  Mavsdk                  com.dronesense.pilot.blue            I  Downloading camera definition from: https://github.com/Gremsy/Vio-Camera-Definition/releases/download/v2.0.3/vio_camera_f1_def.xml
2024-12-03 10:55:50.452  2182-4091  Mavsdk                  com.dronesense.pilot.blue            E  Error while downloading text, curl error code: Problem with the SSL CA cert (path? access rights?)
2024-12-03 10:55:50.452  2182-4091  Mavsdk                  com.dronesense.pilot.blue            E  Failed to download camera definition.
2024-12-03 10:55:50.456  2182-4091  Mavsdk                  com.dronesense.pilot.blue            I  Downloaded file, result Error
2024-12-03 10:55:50.456  2182-4091  Mavsdk                  com.dronesense.pilot.blue            D  Failed to fetch camera definition!

@JonasVautherin
Collaborator

JonasVautherin commented Dec 3, 2024

Oh yeah, that's a good question: in order to properly leverage HTTPS, curl (openssl?) needs to have access to certificates. Usually they are found on the system, but I honestly don't know how we should do that with our static library 🤔.

An easy way would be to disable the verification (see e.g. here). We could justify it by saying that downloading a wrong camera_definition.xml is not a security issue 😅. Ideally we would have a way to feed certificates to mavsdk_server though?

Would you mind looking into libcurl to see if there is a way to give it certificates? Apparently the executable has some options for that (see here), but in our case we use libcurl (not the executable). The next question would be whether we can read system certificates on Android...

I had not realized before, but it isn't as easy as just enabling https in curl 🙈.

EDIT: here I see stuff like this:

    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1);
    curl_easy_setopt(curl, CURLOPT_CAINFO, "./ca.crt");

So if we had read access to the system certificates on Android, we could maybe just use that? I checked on my device and I have certificates in /system/etc/security/cacerts, for instance.

@JonasVautherin
Collaborator

JonasVautherin commented Dec 3, 2024

Oh maybe we could just set CURLOPT_CAPATH to /system/etc/security/cacerts on Android (with an ifdef in mavsdk)?

And it seems like this answer does it at build time!

> I got this to work on Android by recompiling libcurl and configuring the default search path for certificates. This can be done by passing the option:
>
> --with-ca-path=/system/etc/security/cacerts to ./configure
>
> or
>
> -DCURL_CA_PATH=/system/etc/security/cacerts to cmake

@JonasVautherin
Collaborator

@rayw-dronesense: would you be able to try this PR? mavlink/MAVSDK#2459

@rayw-dronesense
Contributor Author

@JonasVautherin - Trying now...

@rayw-dronesense
Contributor Author

@JonasVautherin - I guess it makes it further now... but,

2024-12-03 11:56:06.591  6622-7070  Mavsdk                  com.dronesense.pilot.blue            I  Download file: https://github.com/Gremsy/Vio-Camera-Definition/releases/download/v2.0.3/vio_camera_f1_def.xml using cURL...
2024-12-03 11:56:06.591  6622-7070  Mavsdk                  com.dronesense.pilot.blue            I  Downloading camera definition from: https://github.com/Gremsy/Vio-Camera-Definition/releases/download/v2.0.3/vio_camera_f1_def.xml
2024-12-03 11:56:06.671  6622-7070  Mavsdk                  com.dronesense.pilot.blue            E  Error while downloading text, curl error code: SSL peer certificate or SSH remote key was not OK
2024-12-03 11:56:06.673  6622-7070  Mavsdk                  com.dronesense.pilot.blue            E  Failed to download camera definition.
2024-12-03 11:56:06.679  6622-7070  Mavsdk                  com.dronesense.pilot.blue            I  Downloaded file, result Error

@rayw-dronesense
Contributor Author

Gonna try doing a clean and rebuild for good measure.

@JonasVautherin
Collaborator

Does your device have /system/etc/security/cacerts?

@rayw-dronesense
Contributor Author

> Does your device have /system/etc/security/cacerts?

Yes it does,

~ % adb shell ls /system/etc/security/cacerts

@rayw-dronesense
Contributor Author

Update: clean and rebuild didn't change anything. Still got Error while downloading text, curl error code: SSL peer certificate or SSH remote key was not OK

@rayw-dronesense
Contributor Author

Just for fun I tried disabling SSL verification per the above post...and that got it past the download definition no problem. But getPossibleSettings... errors out,

2024-12-03 12:41:55.354 21290-21576 Mavsdk                  com.dronesense.pilot.blue            I  Download file: https://github.com/Gremsy/Vio-Camera-Definition/releases/download/v2.0.3/vio_camera_f1_def.xml using cURL...
2024-12-03 12:41:55.357 21290-21576 Mavsdk                  com.dronesense.pilot.blue            I  Downloading camera definition from: https://github.com/Gremsy/Vio-Camera-Definition/releases/download/v2.0.3/vio_camera_f1_def.xml
2024-12-03 12:41:55.514 21290-21576 Mavsdk                  com.dronesense.pilot.blue            I  Downloaded file, result Success
2024-12-03 12:41:55.514 21290-21576 Mavsdk                  com.dronesense.pilot.blue            D  Successfully loaded camera definition
2024-12-03 12:41:55.514 21290-21576 Mavsdk                  com.dronesense.pilot.blue            E  tinyxml2::Parse failed: Error=XML_ERROR_EMPTY_DOCUMENT ErrorID=13 (0xd) Line number=0
2024-12-03 12:41:55.601 21290-21408 Mavsdk                  com.dronesense.pilot.blue            E  Unknown setting to get: CAM_MODE
2024-12-03 12:41:55.601 21290-21408 Mavsdk                  com.dronesense.pilot.blue            E  Unknown setting to set: CAM_MODE

@rayw-dronesense
Contributor Author

Yeah okay, looks like the error is correct - it's getting an empty string for some reason.

        std::thread([this, camera_information]() {
            std::string content{};
            const auto result = fetch_camera_definition(camera_information, content);

            if (result == Camera::Result::Success) {
                LogDebug() << "Successfully loaded camera definition";
                LogDebug() << "RAWR: THE CONTENT IS " << content;

The output is empty,

2024-12-03 12:49:40.988  8277-8568  Mavsdk                  com.dronesense.pilot.blue            D  RAWR: THE CONTENT IS 
2024-12-03 12:49:40.988  8277-8568  Mavsdk                  com.dronesense.pilot.blue            E  tinyxml2::Parse failed: Error=XML_ERROR_EMPTY_DOCUMENT ErrorID=13 (0xd) Line number=0

@rayw-dronesense
Contributor Author

rayw-dronesense commented Dec 3, 2024

Got it. Also had to enable "Follow Location" to allow it to handle redirects,

        curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 0L);
        curl_easy_setopt(curl.get(), CURLOPT_FOLLOWLOCATION, 1L);

Then it started to work,

2024-12-03 13:29:47.293  2230-4159  Mavsdk                  com.dronesense.pilot.blue            I  Downloaded file, result Success
2024-12-03 13:29:47.293  2230-4159  Mavsdk                  com.dronesense.pilot.blue            D  Successfully loaded camera definition
2024-12-03 13:29:47.293  2230-4159  Mavsdk                  com.dronesense.pilot.blue            D  RAWR: THE CONTENT IS <?xml version="1.0" encoding="UTF-8" ?>
                                                                                                    <mavlinkcamera>
                                                                                                        <definition version="5">
                                                                                                            <model>Vio Payload</model>
                                                                                                            <vendor>Gremsy</vendor>
                                                                                                        </definition>
                                                                                                        <parameters>
                                                                                                            <!-- control = 0 tells us this should not create an automatic UI control -->
                                                                                                            <parameter name="CAM_MODE" type="uint32" default="1" control="0">
                                                                                                                <description>Camera Mode</description>

So now it's just a matter of having the certs validate the proper way I guess

@JonasVautherin
Collaborator

Did you try with CURLOPT_SSL_VERIFYPEER=1 and CURLOPT_FOLLOWLOCATION=1? Maybe the error "SSL peer certificate or SSH remote key was not OK" happens on the empty string because the redirection was not followed?

@rayw-dronesense
Contributor Author

> Did you try with CURLOPT_SSL_VERIFYPEER=1 and CURLOPT_FOLLOWLOCATION=1? Maybe the error "SSL peer certificate or SSH remote key was not OK" happens on the empty string because the redirection was not followed?

Just tried it. Same Error while downloading text, curl error code: SSL peer certificate or SSH remote key was not OK error

@JonasVautherin
Collaborator

Just to be sure: are you sure that your Android device has up-to-date certificates? I.e. it's not an Android system from 6 years ago that never received updates? 😅

@rayw-dronesense
Contributor Author

> Just to be sure: are you sure that your Android device has up-to-date certificates? I.e. it's not an Android system from 6 years ago that never received updates? 😅

Actually, it is an Android system from 6 years ago - it's a Herelink controller running Android 7.1.2. Just to verify however, I did try loading up Chrome.apk on there and tried the Github page and it loaded fine there.

@JonasVautherin
Collaborator

> Actually, it is an Android system from 6 years ago - it's a Herelink controller running Android 7.1.2.

Haha, yeah I was a bit suspicious of that 🙈😅

> Just to verify however, I did try loading up Chrome.apk on there and tried the Github page and it loaded fine there.

The problem here is that Chrome does not necessarily use the system certificates; I could imagine that they embed their own (which is good in your case because otherwise Chrome wouldn't work properly on the Herelink, I think).

Would you be able to run the test on a more up-to-date Android system? It would be interesting to see if we have a bug in our solution or if the problem is Herelink's outdated certificates 🤔.

Thanks a lot for all the testing, by the way!

@rayw-dronesense
Contributor Author

> Would you be able to run the test on a more up-to-date Android system? It would be interesting to see if we have a bug in our solution or if the problem is Herelink's outdated certificates 🤔.

Unfortunately, I don't have a way to connect the drone to anything else 😢

@rayw-dronesense
Contributor Author

rayw-dronesense commented Dec 4, 2024

I had initially posted earlier that running the logic on S23 independent of drone worked. However, that was too early to call, because I had forgotten to remove the "disable SSL verification" flag before running the test. Will re-test it with flag removed. Apologies for the confusion.

@rayw-dronesense
Contributor Author

rayw-dronesense commented Dec 4, 2024

Yeah, after removing the "disable verification" flag, running on S23 results in the same error as before,

2024-12-04 14:10:53.421 17866-17939 Mavsdk                  com.dronesense.pilot.blue            I  RAWR Downloading camera definition from: https://github.com/Gremsy/Vio-Camera-Definition/releases/download/v2.0.3/vio_camera_f1_def.xml
2024-12-04 14:10:53.485 17866-17956 Mavsdk                  com.dronesense.pilot.blue            E  Error while downloading text, curl error code: SSL peer certificate or SSH remote key was not OK
2024-12-04 14:10:53.485 17866-17956 Mavsdk                  com.dronesense.pilot.blue            E  RAWR Failed to download camera definition.

Some contents from my original post:

I was able to test this logic on an S23 phone independent of a drone.

    HttpLoader http_loader;
    std::string uri = "https://github.com/Gremsy/Vio-Camera-Definition/releases/download/v2.0.3/vio_camera_f1_def.xml";
    LogInfo() << "RAWR Downloading camera definition from: " << uri;
    std::string camera_definition_out = "";
    if (!http_loader.download_text_sync(uri, camera_definition_out)) {
        LogErr() << "RAWR Failed to download camera definition.";
    } else {
        LogInfo() << "RAWR SUCCESS " << camera_definition_out;
    }

I put this inside mavsdk_impl.cpp.

I guess that means, this use case could be instrumentally tested.... 😉

@julianoes
Contributor

@rayw-dronesense sorry, I'm not quite following. Are you saying we have the same problem on the S23, so this is not a Herelink problem as such?

@rayw-dronesense
Contributor Author

> @rayw-dronesense sorry, I'm not quite following. Are you saying we have the same problem on the S23, so this is not a Herelink problem as such?

I was able to test the download logic specifically on the S23 without needing a drone and the same certificate related error occurs there.

@JonasVautherin
Collaborator

JonasVautherin commented Dec 4, 2024

Just to be sure again: you tested on the S23 with both CURLOPT_SSL_VERIFYPEER=1 and CURLOPT_FOLLOWLOCATION=1, right?

Since you have a testable setup, may I still ask you to try with an invalid path (say "/system/etc/security/cace") and a valid path to something that doesn't contain certificates (say "/system/etc/security/")? Just to see if we get a different error message.

The error comes from https://github.com/curl/curl/blob/c948971e83f8673342de28691b4e7b6fd9bd670d/lib/strerror.c#L212 and is defined here:

## CURLE_PEER_FAILED_VERIFICATION (60)

The remote server's SSL certificate or SSH fingerprint was deemed not OK.
This error code has been unified with CURLE_SSL_CACERT since 7.62.0. Its
previous value was 51.

@rayw-dronesense
Contributor Author

rayw-dronesense commented Dec 4, 2024

> Just to be sure again: you tested on the S23 with both CURLOPT_SSL_VERIFYPEER=1 and CURLOPT_FOLLOWLOCATION=1, right?

Yes

> Since you have a testable setup, may I still ask you to try with an invalid path (say "/system/etc/security/cace") and a valid path to something that doesn't contain certificates (say "/system/etc/security/")? Just to see if we get a different error message.
>
> The error comes from https://github.com/curl/curl/blob/c948971e83f8673342de28691b4e7b6fd9bd670d/lib/strerror.c#L212 and is defined here:
>
> ## CURLE_PEER_FAILED_VERIFICATION (60)
>
> The remote server's SSL certificate or SSH fingerprint was deemed not OK.
> This error code has been unified with CURLE_SSL_CACERT since 7.62.0. Its
> previous value was 51.

Here's what happens with the "invalid path" case:

2024-12-04 16:24:25.507 19773-19928 Mavsdk                  com.dronesense.pilot.blue            I  RAWR Downloading camera definition from: https://github.com/Gremsy/Vio-Camera-Definition/releases/download/v2.0.3/vio_camera_f1_def.xml
2024-12-04 16:24:25.668 19773-19850 Mavsdk                  com.dronesense.pilot.blue            E  Error while downloading text, curl error code: SSL peer certificate or SSH remote key was not OK
2024-12-04 16:24:25.668 19773-19850 Mavsdk                  com.dronesense.pilot.blue            E  RAWR Failed to download camera definition.

Here's what happens with the "doesn't contain certificates" case:

2024-12-04 16:19:11.368 18861-18959 Mavsdk                  com.dronesense.pilot.blue            I  RAWR Downloading camera definition from: https://github.com/Gremsy/Vio-Camera-Definition/releases/download/v2.0.3/vio_camera_f1_def.xml
2024-12-04 16:19:11.436 18861-18959 Mavsdk                  com.dronesense.pilot.blue            E  Error while downloading text, curl error code: SSL peer certificate or SSH remote key was not OK
2024-12-04 16:19:11.436 18861-18959 Mavsdk                  com.dronesense.pilot.blue            E  RAWR Failed to download camera definition.

@rayw-dronesense
Contributor Author

For science, tried changing the URL to "google.com" and here's what happened with that,

2024-12-04 16:31:35.885 20770-20938 Mavsdk                  com.dronesense.pilot.blue            I  RAWR Downloading camera definition from: https://www.google.com/
2024-12-04 16:31:35.951 20770-20938 Mavsdk                  com.dronesense.pilot.blue            E  Error while downloading text, curl error code: SSL peer certificate or SSH remote key was not OK
2024-12-04 16:31:35.951 20770-20938 Mavsdk                  com.dronesense.pilot.blue            E  RAWR Failed to download camera definition.

@JonasVautherin
Collaborator

Hmm... so it's just not enough to build with "-DCURL_CA_PATH=/system/etc/security/cacerts"...

@JonasVautherin
Collaborator

Feels similar to this, but I don't know the situation with openssl 3 now... 😕

@JonasVautherin
Collaborator

JonasVautherin commented Dec 4, 2024

@rayw-dronesense: it feels like maybe using boringssl instead of openssl may help... I'm trying to build here: mavlink/MAVSDK#2460. Feel free to try it (assuming that the android build passes in the CI) 👍.

EDIT: it does build for Android! Would you mind trying that? 🤞

@rayw-dronesense
Contributor Author

@JonasVautherin - I pulled down the branch with the boringssl changes and did a clean build. Unfortunately, same error,

2024-12-05 11:49:04.531 17744-17904 Mavsdk                  com.dronesense.pilot.blue            I  RAWR Downloading camera definition from: https://github.com/Gremsy/Vio-Camera-Definition/releases/download/v2.0.3/vio_camera_f1_def.xml
2024-12-05 11:49:04.576 17744-17904 Mavsdk                  com.dronesense.pilot.blue            E  Error while downloading text, curl error code: Problem with the SSL CA cert (path? access rights?)
2024-12-05 11:49:04.576 17744-17904 Mavsdk                  com.dronesense.pilot.blue            E  RAWR Failed to download camera definition.

Using S23.

@rayw-dronesense
Contributor Author

I pushed up the test changes as well in case you guys wanted to try it on your end too: mavlink/MAVSDK#2462

It can be tested on any Android device the way it is hardcoded.

@JonasVautherin
Collaborator

JonasVautherin commented Dec 5, 2024

> Problem with the SSL CA cert (path? access rights?)

Wait, that was with boringssl and with the curl path? I think we may need both mavlink/MAVSDK#2460 and mavlink/MAVSDK#2459? 🤔

Because it feels like "Problem with the SSL CA cert (path? access rights?)" was solved by 2459 (by building curl with the path to cacerts)

@rayw-dronesense
Contributor Author

I'm merging in the changes from mavlink/MAVSDK#2459 and trying again

@rayw-dronesense
Contributor Author

@JonasVautherin Great news! That worked on both the S23 and the Herelink controller

2024-12-05 12:55:18.971 27916-28003 Mavsdk                  com.dronesense.pilot.blue            I  RAWR Downloading camera definition from: https://github.com/Gremsy/Vio-Camera-Definition/releases/download/v2.0.3/vio_camera_f1_def.xml
2024-12-05 12:55:19.318 27916-27964 Mavsdk                  com.dronesense.pilot.blue            I  RAWR SUCCESS <?xml version="1.0" encoding="UTF-8" ?>
                                                                                                    <mavlinkcamera>
                                                                                                        <definition version="5">
                                                                                                            <model>Vio Payload</model>

And also the logic when it kicks in during camera loading,

2024-12-05 12:58:06.174  2318-3847  Mavsdk                  com.dronesense.pilot.blue            I  Download file: https://github.com/Gremsy/Vio-Camera-Definition/releases/download/v2.0.3/vio_camera_f1_def.xml using cURL...
2024-12-05 12:58:06.175  2318-3847  Mavsdk                  com.dronesense.pilot.blue            I  Downloading camera definition from: https://github.com/Gremsy/Vio-Camera-Definition/releases/download/v2.0.3/vio_camera_f1_def.xml
2024-12-05 12:58:06.203  2318-2469  Mavsdk                  com.dronesense.pilot.blue            W  Received ack for not-existing command: 521! Ignoring...
2024-12-05 12:58:06.250  2318-2469  Mavsdk                  com.dronesense.pilot.blue            W  Received ack for not-existing command: 521! Ignoring...
2024-12-05 12:58:06.314  2318-2469  Mavsdk                  com.dronesense.pilot.blue            W  Received ack for not-existing command: 527! Ignoring...
2024-12-05 12:58:06.323  2318-2469  Mavsdk                  com.dronesense.pilot.blue            W  Received ack for not-existing command: 525! Ignoring...
2024-12-05 12:58:06.370  2318-2469  Mavsdk                  com.dronesense.pilot.blue            W  Received ack for not-existing command: 525! Ignoring...
2024-12-05 12:58:06.383  2318-2469  Mavsdk                  com.dronesense.pilot.blue            W  Received ack for not-existing command: 521! Ignoring...
2024-12-05 12:58:06.386  2318-3847  Mavsdk                  com.dronesense.pilot.blue            I  Downloaded file, result Success
2024-12-05 12:58:06.386  2318-3847  Mavsdk                  com.dronesense.pilot.blue            D  Successfully loaded camera definition
2024-12-05 12:58:06.386  2318-3847  Mavsdk                  com.dronesense.pilot.blue            D  RAWR: THE CONTENT IS <?xml version="1.0" encoding="UTF-8" ?>

@rayw-dronesense
Contributor Author

Exact diff can be found in the PR: https://github.com/mavlink/MAVSDK/pull/2462/files

@JonasVautherin
Collaborator

Oh that's great! Thanks a lot for testing all that 😁

@julianoes
Contributor

julianoes commented Dec 12, 2024

For v3, I think it makes sense to update the dependencies, get https working properly, etc.

For v2, I'm tempted to just release this hack: mavlink/MAVSDK#2471.

Any chance you could test that PR @rayw-dronesense?

@julianoes
Contributor

@rayw-dronesense given my hack attempts didn't work, I'm going to give up on https for v2, and move on to v3 where we have Openssl/Boringssl working.
And as I understand it, you have a manual build for now to unblock you.
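
A triage helper for the failure sequence in this thread, as an added example that is not code from MAVSDK or from any participant: it reads Mavsdk logcat lines and reports at which stage each camera-definition download stopped. The line format and messages are the ones in the logs quoted above; the sample log, package name and URL are constructed.

```python
import re
from dataclasses import dataclass

# logcat line as it appears in the thread:
#   date time  pid-tid  tag  package  level  message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)-(?P<tid>\d+)\s+(?P<tag>\S+)\s+(?P<pkg>\S+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<msg>.*)$"
)
START_RE = re.compile(r"Downloading camera definition from: (\S+)")
CURL_ERR_RE = re.compile(r"curl error code: (.+)$")

# curl error strings seen in the thread -> (stage, what the thread found)
CURL_ERRORS = {
    "Unsupported protocol":
        ("no-tls", "curl built without SSL, https:// is rejected"),
    "Problem with the SSL CA cert (path? access rights?)":
        ("ca-store", "TLS enabled but curl has no usable CA path"),
    "SSL peer certificate or SSH remote key was not OK":
        ("peer-verify", "CURLE_PEER_FAILED_VERIFICATION (60)"),
}


@dataclass
class Attempt:
    url: str
    started: str
    stage: str = "incomplete"
    detail: str = "no result line seen for this download"


def triage(log_text):
    """Return one Attempt per download, in time order, with its stage."""
    open_by_pid, done = {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["tag"] != "Mavsdk":
            continue  # continuation lines (dumped XML) and other tags
        pid, msg = m["pid"], m["msg"]
        start = START_RE.search(msg)
        if start:
            if pid in open_by_pid:  # previous attempt never finished
                done.append(open_by_pid.pop(pid))
            open_by_pid[pid] = Attempt(url=start[1], started=m["ts"])
            continue
        att = open_by_pid.get(pid)
        if att is None:
            continue
        err = CURL_ERR_RE.search(msg)
        if err:
            text = err[1].strip()
            att.stage, att.detail = CURL_ERRORS.get(
                text, ("other-curl-error", text))
        elif msg.startswith("Downloaded file, result Success"):
            att.stage, att.detail = "ok", "download completed"
        elif "XML_ERROR_EMPTY_DOCUMENT" in msg and att.stage == "ok":
            # Success with an empty body: in the thread this was the
            # redirect that curl did not follow (CURLOPT_FOLLOWLOCATION).
            att.stage = "empty-body"
            att.detail = "transfer succeeded but body was empty"
    done.extend(open_by_pid.values())
    return sorted(done, key=lambda a: a.started)


# Constructed sample: one attempt per failure stage, then a good one.
U = "https://example.invalid/cam_def.xml"
P = "Mavsdk   com.example.gcs  "
SAMPLE_LOG = f"""\
2024-01-01 10:00:00.100  1111-1200  {P} I  Downloading camera definition from: {U}
2024-01-01 10:00:00.101  1111-1200  {P} E  Error while downloading text, curl error code: Unsupported protocol
2024-01-01 10:00:00.102  1111-1200  {P} I  Downloaded file, result Error
2024-01-01 10:05:00.100  2222-2300  {P} I  Downloading camera definition from: {U}
2024-01-01 10:05:00.160  2222-2300  {P} E  Error while downloading text, curl error code: Problem with the SSL CA cert (path? access rights?)
2024-01-01 10:10:00.100  3333-3400  {P} I  Downloading camera definition from: {U}
2024-01-01 10:10:00.180  3333-3400  {P} E  Error while downloading text, curl error code: SSL peer certificate or SSH remote key was not OK
2024-01-01 10:15:00.100  4444-4500  {P} I  Downloading camera definition from: {U}
2024-01-01 10:15:00.250  4444-4500  {P} I  Downloaded file, result Success
2024-01-01 10:15:00.251  4444-4500  {P} E  tinyxml2::Parse failed: Error=XML_ERROR_EMPTY_DOCUMENT ErrorID=13 (0xd) Line number=0
2024-01-01 10:20:00.100  5555-5600  {P} I  Downloading camera definition from: {U}
2024-01-01 10:20:00.300  5555-5600  {P} I  Downloaded file, result Success
2024-01-01 10:20:00.301  5555-5600  {P} D  RAWR: THE CONTENT IS <?xml version="1.0" encoding="UTF-8" ?>
                                        <mavlinkcamera>
"""

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"{a.started}  {a.stage:12s} {a.detail}")
```

An `ok` result says nothing about whether certificate verification was on: the build with CURLOPT_SSL_VERIFYPEER set to 0 logged the same Success line, so that has to be checked in the build configuration, not in the log.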
