Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is there a possibility to make HTTPClient accept all certificates (without checking fingerprint)? #2989

Closed
Defozo opened this issue Feb 22, 2017 · 6 comments
Closed

Is there a possibility to make HTTPClient accept all certificates (without checking fingerprint)? #2989

Defozo opened this issue Feb 22, 2017 · 6 comments

Comments

@Defozo
Copy link

Defozo commented Feb 22, 2017

Hey, AFAIK as for now in order to make SSL request using HTTPClient you need to provide SSL fingerprint.
I'm wondering how you guys handle it, because the fingerprint can change over time.
Is there a possibility to make HTTPClient accept all certificates (without checking fingerprint)?
@Axlef
Copy link

Axlef commented Feb 23, 2017

I look into HTTPClient code (commit 04df3ad) and it seems to be impossible, at least in this state. A WiFiSecureClient instance is only created when fingerprint is provided and then the certificate is checked in the connect() method.

The only secure solution based on fingerprint is to recompile your code and reflash your esp8266 with the new fingerprint string each time the fingerprint is updated (certificate has changed).

Otherwise if your issue is browsing the same site that regularly updates its certificate, WiFiClientSecure now supports checking against root ca certificate (only one for now I think), you can look this way.

@Defozo
Copy link
Author

Defozo commented Feb 24, 2017

My ESP8266s are connecting to my server which updates the fingerprint once a year.
However, I'd like to save myself a problem to update the whole firmware every year.

Perhaps I could connect to another website via HTTP and get fingerprint for my server and then connect to my server via HTTPS using this fingerprint?

Could you point me in the direction where should I look for information about that WiFiClientSecure supporting root ca certificate? I can't find it in the documentation.

@salqadri
Copy link

salqadri commented May 3, 2017

I have a solution to this in the following PR: #3176. But it does not accept 'all' certificates; you have to load the root certificate of every different service you wish to access, but the great thing is that you no longer need to use fingerprints.

@Defozo
Copy link
Author

Defozo commented May 4, 2017

Thank you very much @salqadri for your input.

However, I started to wonder if this approach is safe? Can a root certificate become invalid without notice? If the solution needs SNTP enabled, what if that would be compromised (the connection to sntp - how does it work)?

@salqadri
Copy link

@Defozo Yea you have to be careful about that. Most Root CAs will last a while (e.g., I have one on my machine expiring as late as 2046) but I've noticed that some root CAs on my machine expire as early as 2018! Depending on your application and the expiry of the root certs of the services you want to use, you may want to consider developing an upgrade mechanism that can deliver a new cert to your device.

@devyte
Copy link
Collaborator

devyte commented May 29, 2018

BearSSL is merged in #4273 , with alternate BearSSL::WiFi* classes. Although axtls-based classes are still available and even the default, they are planned for deprecation and then retirement, hence won't be fixed. Any issues with BearSSL-based classes should be reported in new issues.
Closing.

@devyte devyte closed this as completed May 29, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@salqadri @Defozo @devyte @Axlef