
[3/5] lwip: tls: warn when no CA exists amd log certificate validation errors

Message ID 13cea41b33f62ddbd606a926bd1f79ddff8569fb.1740672437.git.jerome.forissier@linaro.org
State Superseded
Series net: lwip: root certificates | expand

Commit Message

Jerome Forissier Feb. 27, 2025, 4:09 p.m. UTC
Using HTTPS without root (CA) certificates means the server is never
authenticated, which is a security issue. Print a warning in this case.
Also, when certificate verification fails, print an additional message
because "HTTP client error 4" is not very informative (4 is
HTTPC_RESULT_ERR_CLOSED).

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
---
 lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Ilias Apalodimas Feb. 28, 2025, 9:28 p.m. UTC | #1
+CC Simon again

Same comments. The patch is nice we should somehow get it in lwIP

On Thu, 27 Feb 2025 at 18:09, Jerome Forissier
<jerome.forissier@linaro.org> wrote:
>
> Using HTTPS without root (CA) certificates is a security issue. Print a
> warning in this case. Also, when certificate verification fail, print
> an additional message because "HTTP client error 4" is not very
> informative (4 is HTTPC_RESULT_ERR_CLOSED).
>
> Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

> ---
>  lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
> index fa3d1d74fed..ef51a5ac168 100644
> --- a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
> +++ b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
> @@ -298,6 +298,9 @@ altcp_mbedtls_lower_recv_process(struct altcp_pcb *conn, altcp_mbedtls_state_t *
>      if (ret != 0) {
>        LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_handshake failed: %d\n", ret));
>        /* handshake failed, connection has to be closed */
> +      if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
> +        printf("Certificate verification failed\n");
> +      }
>        if (conn->err) {
>          conn->err(conn->arg, ERR_CLSD);
>        }
> @@ -841,6 +844,9 @@ altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav
>      altcp_mbedtls_free_config(conf);
>      return NULL;
>    }
> +  if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
> +     printf("WARNING: no CA certificates, HTTPS connections not authenticated\n");
> +  }
>    mbedtls_ssl_conf_authmode(&conf->conf, authmode);
>
>    mbedtls_ssl_conf_rng(&conf->conf, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg);
> --
> 2.43.0
>

Patch

diff --git a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
index fa3d1d74fed..ef51a5ac168 100644
--- a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
+++ b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
@@ -298,6 +298,9 @@  altcp_mbedtls_lower_recv_process(struct altcp_pcb *conn, altcp_mbedtls_state_t *
     if (ret != 0) {
       LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_handshake failed: %d\n", ret));
       /* handshake failed, connection has to be closed */
+      if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
+        printf("Certificate verification failed\n");
+      }
       if (conn->err) {
         conn->err(conn->arg, ERR_CLSD);
       }
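Review bot: The new message on the `MBEDTLS_ERR_X509_CERT_VERIFY_FAILED` branch still does not say why verification failed (unknown CA, expired certificate, hostname mismatch), which is exactly what someone debugging a CA bundle needs; mbedTLS exposes that as a flag word, so one line gives it away: `printf("Certificate verification failed (verify result 0x%08x)\n", (unsigned)mbedtls_ssl_get_verify_result(&state->ssl_context));` assuming the cut-off second parameter is named `state` as in upstream lwIP, and `mbedtls_x509_crt_verify_info()` can render the flags as text in builds where it is compiled in. Separately, the line just above reports through `LWIP_DEBUGF` while the new code calls a bare `printf`, which matters if the patch is meant to go upstream as the thread suggests; `LWIP_PLATFORM_DIAG(("Certificate verification failed\n"));` would keep the library portable. altcp_mbedtls_lower_recv_process starts and ends outside the hunk.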
@@ -841,6 +844,9 @@  altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav
     altcp_mbedtls_free_config(conf);
     return NULL;
   }
+  if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
+     printf("WARNING: no CA certificates, HTTPS connections not authenticated\n");
+  }
   mbedtls_ssl_conf_authmode(&conf->conf, authmode);
 
   mbedtls_ssl_conf_rng(&conf->conf, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg);
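Review bot: The warning fires for any config whose `authmode` ends up `MBEDTLS_SSL_VERIFY_NONE`, yet `altcp_tls_create_config` also builds server configs (the `is_server` parameter in the hunk header), where not verifying client certificates is the normal default rather than a misconfiguration; if `authmode` is derived from `have_ca` for both roles outside the hunk, guard it with `if (!is_server && authmode == MBEDTLS_SSL_VERIFY_NONE)` so servers are not told they are misconfigured. The text is also HTTPS-specific although this is the generic altcp TLS layer that any client can sit on; `"WARNING: no CA certificates, TLS peer not authenticated\n"` states what the code actually skips. Minor style: the added `printf` line is indented five spaces where the surrounding code uses four, and the rest of this file reports via `LWIP_DEBUGF` rather than bare `printf`. The body of altcp_tls_create_config begins before and continues past the hunk.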