Merge branch 'fix/esp_tls_add_warning_if_ca_chain_has_invalid_cert_v4.1' into 'release/v4.1'

esp_tls: Add warning if the CA chain provided contains invalid cert (v4.1)

See merge request espressif/esp-idf!11940
Mahavir Jain 2021-02-01 13:27:31 +08:00
commit 8b53ac9056


@ -240,6 +240,11 @@ static esp_err_t set_ca_cert(esp_tls_t *tls, const unsigned char *cacert, size_t
ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ERR_TYPE_MBEDTLS, -ret);
return ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED;
}
if (ret > 0) {
/* This will happen if the CA chain contains one or more invalid certs, going ahead as the hadshake
* may still succeed if the other certificates in the CA chain are enough for the authentication */
ESP_LOGW(TAG, "mbedtls_x509_crt_parse was partly successful. No. of failed certificates: %d", ret);
}
mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
mbedtls_ssl_conf_ca_chain(&tls->conf, tls->cacert_ptr, NULL);
return ESP_OK;
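Review bot: The new comment above the ESP_LOGW misspells "handshake" as "hadshake", and it would be worth stating explicitly that the certificates which failed to parse are simply absent from the trust store rather than partially loaded, since that is what a reader needs to interpret the warning. Suggested wording: `/* ret > 0 means one or more certs in the CA chain failed to parse and are not in the trust store; proceeding because the handshake may still succeed if the remaining CA certs are enough for authentication */`. Because the verify mode set on the following line is still MBEDTLS_SSL_VERIFY_REQUIRED, a dropped issuer surfaces later as a handshake failure rather than as weakened verification, which is the safe outcome and could be mentioned in the log text so the operator links the two. set_ca_cert starts outside the hunk.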