-
Notifications
You must be signed in to change notification settings - Fork 96
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ESP32: Investigation necessarry: is SSL CA/Chain really validated without providing a CA ? #18
Comments
Hi, again! I'm always glad to read your issues, sadly I'm a bit short on time right now. This is definitely a very good question, I believe it is inherited from WiFiClient from the esp32 library. What I think happened, is that espressif changed the implementation recently. But, I haven't tested anything yet by myself, I will do my best to look into it this weekend. Just wanted to let you know the library is still active and that I'm not ignoring the issue by any way. Best regards, |
So, let's see.
With no CA:
Really the only diff in the logs is that when you pass a CACert, this code gets executed, which prints the log:
And when no CACert is present, this code gets executed which led me to this PR Looks like since that PR, the ESP32 libraries support Self-Signed Certificates. I had no idea that was a thing, now I do know. Overall, looks like this behavior is as intended, and yet it is better and safer to provider a certificate. Best wishes, |
So - just to be sure I got it right - if you don't provide a CA, it does secure the communication with the existing public certificates of the host, yet it does not verify if it's a valid one - right ? |
Yes, looks like it does some kind of verification |
Cool! Thanks Gil, another dilemma (and hopefully the last one) solved. (Offtopic, I may have one more though - but it's currently under investigation... I have a situation where ESP disconnects for some (yet - unknown) reason, and doesn't want to Anyway, once again, thanks a lot for your support! Means a lot for me and my project, and hopefully it will pay off (for both of us) someday. Wish you all the best and a great weekend (at least what's left of it), Best, |
@adelin-mcbsoft Interesting. Hopefully you will resolve the rest, and if not - I'm here to help! Have a great weekend, |
Hi Gil,
Me again (and again, and again). :D
I just want to bring to your attention and old discussed issue, regarding the SSL Certificate and Handshaking, on
ESP32
.Situation 1: When not using any sort of certificate but using an WSS (secure) server/URL, the debug messages report that the certificate is verified, though I don't provide any
CA
resource (as browsers do).Situation 2: When I provide a good CA along with the
client.setCAcert()
method, the verification passes as well.(messages for both situation 1 and 2):
Situation 3: However, when I provide a wrong CA resource (e.g. an invalid CA root cert.), the handshaking fails (as it should).
The question is: When not providing a CA resource (Situation 1), does the library verifies indeed the certificate in any way or not? Does it connect remotely to the CA Roots and verifies it? I guess this
ssl_client
is inherited by Espressifs library...I tested the above situations with an LetsEncrypt certificate along its roots ( https://letsencrypt.org/certificates/ ).
Many thanks,
Best,
A.
The text was updated successfully, but these errors were encountered: