https_server: Add config option to min. cert. auth mode
- Added a config option to set the minimum Certificate Verification mode to Optional. When this option is enabled, the peer (the client) certificate is checked by the server; however, the handshake continues even if verification failed. By default, the peer certificate is not checked and is ignored by the server. Closes https://github.com/espressif/esp-idf/issues/8664
This commit is contained in:
parent
9b75e5664e
commit
c1bb9032c2
@ -19,7 +19,6 @@ menu "ESP-TLS"
|
||||
select ATCA_MBEDTLS_ECDSA
|
||||
select ATCA_MBEDTLS_ECDSA_SIGN
|
||||
select ATCA_MBEDTLS_ECDSA_VERIFY
|
||||
default n
|
||||
help
|
||||
Enable use of Secure Element for ESP-TLS, this enables internal support for
|
||||
ATECC608A peripheral on ESPWROOM32SE, which can be used for TLS connection.
|
||||
@ -34,24 +33,21 @@ menu "ESP-TLS"
|
||||
can only be used when it is appropriately configured for TLS.
|
||||
Consult the ESP-TLS documentation in ESP-IDF Programming Guide for more details.
|
||||
|
||||
config ESP_TLS_CLIENT_SESSION_TICKETS
|
||||
bool "Enable client session tickets"
|
||||
depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_CLIENT_SSL_SESSION_TICKETS
|
||||
help
|
||||
Enable session ticket support as specified in RFC5077.
|
||||
|
||||
config ESP_TLS_SERVER
|
||||
bool "Enable ESP-TLS Server"
|
||||
default n
|
||||
help
|
||||
Enable support for creating server side SSL/TLS session, available for mbedTLS
|
||||
as well as wolfSSL TLS library.
|
||||
|
||||
config ESP_TLS_CLIENT_SESSION_TICKETS
|
||||
bool "Enable client session tickets"
|
||||
depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_CLIENT_SSL_SESSION_TICKETS
|
||||
default n
|
||||
help
|
||||
Enable session ticket support as specified in RFC5077.
|
||||
|
||||
config ESP_TLS_SERVER_SESSION_TICKETS
|
||||
bool "Enable server session tickets"
|
||||
depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS && MBEDTLS_SERVER_SSL_SESSION_TICKETS
|
||||
default n
|
||||
help
|
||||
Enable session ticket support as specified in RFC5077
|
||||
|
||||
@ -62,6 +58,17 @@ menu "ESP-TLS"
|
||||
help
|
||||
Sets the session ticket timeout used in the tls server.
|
||||
|
||||
config ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
|
||||
bool "ESP-TLS Server: Set minimum Certificate Verification mode to Optional"
|
||||
depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS
|
||||
help
|
||||
When this option is enabled, the peer (here, the client) certificate is checked by the server,
|
||||
however the handshake continues even if verification failed. By default, the
|
||||
peer certificate is not checked and ignored by the server.
|
||||
|
||||
mbedtls_ssl_get_verify_result() can be called after the handshake is complete to
|
||||
retrieve status of verification.
|
||||
|
||||
config ESP_TLS_PSK_VERIFICATION
|
||||
bool "Enable PSK verification"
|
||||
select MBEDTLS_PSK_MODES if ESP_TLS_USING_MBEDTLS
|
||||
@ -69,7 +76,6 @@ menu "ESP-TLS"
|
||||
select MBEDTLS_KEY_EXCHANGE_DHE_PSK if ESP_TLS_USING_MBEDTLS
|
||||
select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK if ESP_TLS_USING_MBEDTLS
|
||||
select MBEDTLS_KEY_EXCHANGE_RSA_PSK if ESP_TLS_USING_MBEDTLS
|
||||
default n
|
||||
help
|
||||
Enable support for pre shared key ciphers, supported for both mbedTLS as well as
|
||||
wolfSSL TLS library.
|
||||
@ -105,7 +111,6 @@ menu "ESP-TLS"
|
||||
config ESP_DEBUG_WOLFSSL
|
||||
bool "Enable debug logs for wolfSSL"
|
||||
depends on ESP_TLS_USING_WOLFSSL
|
||||
default n
|
||||
help
|
||||
Enable detailed debug prints for wolfSSL SSL library.
|
||||
|
||||
|
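Review bot: The new ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL symbol in the `@ -62,6 +58,17` hunk has no explicit `default n`, while its siblings in this menu (ESP_TLS_SERVER, ESP_TLS_SERVER_SESSION_TICKETS, ESP_TLS_PSK_VERIFICATION) all spell it out; add `default n` after the `depends on` line for consistency. The help text should also be explicit that a completed handshake does not mean the client was authenticated: I would append a sentence such as "Applications that rely on client identity must check the return value of mbedtls_ssl_get_verify_result() and reject the session themselves when it is non-zero; a successful handshake alone does not indicate a verified peer." Finally, the comparison "By default, the peer certificate is not checked and ignored" reads better as "By default, the peer certificate is neither requested nor checked by the server".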
@ -500,7 +500,11 @@ esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
|
||||
return esp_ret;
|
||||
}
|
||||
} else {
|
||||
#ifdef CONFIG_ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
|
||||
mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
|
||||
#else
|
||||
mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
|
||||
#endif
|
||||
}
|
||||
|
||||
if (cfg->servercert_buf != NULL && cfg->serverkey_buf != NULL) {
|
||||
|
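Review bot: The added `#ifdef` block sets MBEDTLS_SSL_VERIFY_OPTIONAL without a comment explaining the consequence, and this branch appears to be the one taken when no CA chain was configured (the `else` of a check whose condition is outside the hunk), so any verification performed here will presumably always report a failure and the peer identity is never established by the library itself. I would add, above the `#ifdef`, `/* VERIFY_OPTIONAL requests the client certificate so user callbacks can inspect it, but the handshake completes even when verification fails; the application must call mbedtls_ssl_get_verify_result() before trusting the peer identity. */`. Consider also whether a warning log when the option is active would help operators notice that the server accepts unverified clients. set_server_config() starts and ends outside this hunk.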
@ -2,7 +2,7 @@ menu "Example Configuration"
|
||||
|
||||
config EXAMPLE_ENABLE_HTTPS_USER_CALLBACK
|
||||
bool "Enable user callback with HTTPS Server"
|
||||
default false
|
||||
select ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
|
||||
help
|
||||
Enable user callback for esp_https_server which can be used to get SSL context (connection information)
|
||||
E.g. Certificate of the connected client
|
||||
|
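Review bot: `select ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL` forces the symbol on regardless of its `depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS`, so a build of this example with wolfSSL chosen as the TLS stack would enable an option whose dependencies are unmet and get a Kconfig warning instead of a clean configuration. Either guard the select, `select ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL if ESP_TLS_USING_MBEDTLS`, or add `depends on ESP_TLS_USING_MBEDTLS` to EXAMPLE_ENABLE_HTTPS_USER_CALLBACK so the callback option is only offered where it can work. The help text should also mention that selecting this option changes the server's verification mode, since that is a security-relevant side effect of what looks like a logging feature.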
@ -41,12 +41,20 @@ static esp_err_t root_get_handler(httpd_req_t *req)
|
||||
* whenever a new SSL connection is created
|
||||
*
|
||||
* Can also be used to other information like Socket FD, Connection state, etc.
|
||||
*
|
||||
* NOTE: This callback will not be able to obtain the client certificate if the
|
||||
* following config `Set minimum Certificate Verification mode to Optional` is
|
||||
* not enabled (enabled by default in this example).
|
||||
*
|
||||
* The config option is found here - Component config → ESP-TLS
|
||||
*
|
||||
*/
|
||||
void https_server_user_callback(esp_https_server_user_cb_arg_t *user_cb)
|
||||
{
|
||||
ESP_LOGI(TAG, "Session Created!");
|
||||
const mbedtls_x509_crt *cert;
|
||||
ESP_LOGI(TAG, "Socket FD: %d", user_cb->tls->sockfd);
|
||||
|
||||
const mbedtls_x509_crt *cert;
|
||||
const size_t buf_size = 1024;
|
||||
char *buf = calloc(buf_size, sizeof(char));
|
||||
if (buf == NULL) {
|
||||
@ -54,9 +62,13 @@ void https_server_user_callback(esp_https_server_user_cb_arg_t *user_cb)
|
||||
return;
|
||||
}
|
||||
|
||||
mbedtls_x509_crt_info((char *) buf, buf_size - 1, " ", &user_cb->tls->servercert);
|
||||
ESP_LOGI(TAG, "Server certificate info:\n%s", buf);
|
||||
memset(buf, 0x00, buf_size);
|
||||
|
||||
cert = mbedtls_ssl_get_peer_cert(&user_cb->tls->ssl);
|
||||
if (cert != NULL) {
|
||||
mbedtls_x509_crt_info((char *) buf, buf_size - 1, " ", cert);
|
||||
mbedtls_x509_crt_info((char *) buf, buf_size - 1, " ", cert);
|
||||
ESP_LOGI(TAG, "Peer certificate info:\n%s", buf);
|
||||
} else {
|
||||
ESP_LOGW(TAG, "Could not obtain the peer certificate!");
|
||||
@ -91,9 +103,9 @@ static httpd_handle_t start_webserver(void)
|
||||
conf.prvtkey_pem = prvtkey_pem_start;
|
||||
conf.prvtkey_len = prvtkey_pem_end - prvtkey_pem_start;
|
||||
|
||||
#if CONFIG_EXAMPLE_ENABLE_HTTPS_USER_CALLBACK
|
||||
#if CONFIG_EXAMPLE_ENABLE_HTTPS_USER_CALLBACK
|
||||
conf.user_cb = https_server_user_callback;
|
||||
#endif
|
||||
#endif
|
||||
esp_err_t ret = httpd_ssl_start(&server, &conf);
|
||||
if (ESP_OK != ret) {
|
||||
ESP_LOGI(TAG, "Error starting server!");
|
||||
|
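Review bot: In the `@ -54,9 +62,13` hunk the callback logs the peer certificate whenever `mbedtls_ssl_get_peer_cert()` returns one, but with the verification mode this commit introduces the handshake succeeds even when that certificate failed verification, so a reader of the example may take the presence of a peer certificate as proof of client identity. After the `cert != NULL` check I would add `uint32_t flags = mbedtls_ssl_get_verify_result(&user_cb->tls->ssl);` followed by `if (flags != 0) { ESP_LOGW(TAG, "Peer certificate was not verified (flags 0x%x)", flags); }` so the example demonstrates the check the Kconfig help text refers to. The return values of both `mbedtls_x509_crt_info()` calls are also ignored; on failure the function returns a negative error code and the log line silently prints the zeroed buffer, so `if (mbedtls_x509_crt_info(buf, buf_size - 1, " ", cert) < 0) { ESP_LOGW(TAG, "Failed to format certificate"); }` would make the failure visible. https_server_user_callback() continues past the end of this hunk.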