Add a function for insecure HTTPS connections with HTTPClient #5277

Closed
@N-Storm

Basic Infos

  • This issue complies with the issue POLICY doc.
  • I have read the documentation at readthedocs and the issue is not addressed there.
  • I have tested that the issue is present in current master branch (aka latest git).
  • I have searched the issue tracker for a similar issue.
  • If there is a stack dump, I have decoded it.
  • I have filled out all fields below.

Platform

  • Hardware: Any ESP
  • Core Version: latest git
  • Development Env: Arduino IDE
  • Operating System: GNU/Linux (Ubuntu variant)

Settings in IDE

  • Module: Wemos D1 mini r2
  • Flash Mode: qio
  • Flash Size: 4MB
  • lwip Variant: v2 Lower Memory
  • Reset Method: board
  • Flash Frequency: 40Mhz
  • CPU Frequency: 80Mhz
  • Upload Using: SERIAL
  • Upload Speed: 921600

Problem Description

BearSSL allows 'insecure' TLS connections by calling the WiFiClientSecure::setInsecure() function. It turns off certificate and/or fingerprint checking, which is useful in some cases.
Currently HTTPClient doesn't allow such connections because it lacks methods to set up an 'insecure' connection. While there were some arguments against insecure connections in other issues (#3157 for example), they were based on the axTLS lib, and I also think it isn't practical not to include this, for the following reason.
Sometimes you want to have a connection initiated with some sort of public HTTPS server which you don't have control over, and which can change its TLS cert at any time or even on a regular basis. It's not feasible to include every trusted CA root certificate like programs on bigger devices do to handle this. But sometimes you don't care about a possible MITM attack. All you need is just to grab some data over HTTPS from a 3rd party source if it's not available over plain HTTP.
It's very simple to add an additional overloaded function HTTPClient::begin(), where the 2nd argument could be a bool value, for example, and take false to initiate an insecure connection.
I've made a workaround for myself as a class extension. It works, but I'm not familiar with C++ well enough; the link is just for reference here.
Probably a more convenient feature would be to parse the protocol in HTTPClient::begin() when only 1 argument is supplied and initiate an insecure HTTPS connection if the URL begins with https://.

MCVE Sketch

#include <Arduino.h>
#include <ESP8266WiFi.h>
#include <ESP8266WiFiMulti.h>
#include <ESP8266HTTPClient.h>

ESP8266WiFiMulti WiFiMulti;

void setup() {
  Serial.begin(115200);

  WiFi.mode(WIFI_STA);
  WiFiMulti.addAP("SSID", "PASSWORD");

  while ((WiFiMulti.run() != WL_CONNECTED)) {
    delay(500);
  }

  HTTPClient http;

  // Proposed overload: a second argument of false requests an insecure connection
  http.begin("https://github.com", false);
  int httpCode = http.GET();
  Serial.print("[HTTP] Response code: ");
  Serial.println(httpCode, DEC);
  http.end();
}

void loop() {
}
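
An added example, not part of the original issue or the ESP8266 core: one way to make the trust decision explicit per request, covering both the bool opt-in and the URL-scheme parsing proposed above. `TrustMode`, `TlsPolicy`, `choosePolicy` and `fetch` are hypothetical names; the device-side half assumes a core version that provides `HTTPClient::begin(WiFiClient&, url)` and BearSSL's `setFingerprint()`.

```cpp
// Added example, not ESP8266 core code. TrustMode, TlsPolicy, choosePolicy and
// fetch are hypothetical names.
#include <string>

enum class TrustMode { PlainHttp, Fingerprint, Insecure, Refuse };

struct TlsPolicy {
  std::string fingerprint;     // pinned certificate fingerprint, empty if none
  bool allowInsecure = false;  // explicit opt-in, like the proposed bool argument
};

// Decide how a URL may be fetched. Verification is never dropped implicitly:
// an https:// URL without a pin is refused unless the caller opted in.
TrustMode choosePolicy(const std::string& url, const TlsPolicy& p) {
  if (url.rfind("http://", 0) == 0) return TrustMode::PlainHttp;
  if (url.rfind("https://", 0) != 0) return TrustMode::Refuse;  // unknown scheme
  if (!p.fingerprint.empty()) return TrustMode::Fingerprint;
  return p.allowInsecure ? TrustMode::Insecure : TrustMode::Refuse;
}

#ifdef ARDUINO  // device-side half, compiled only with the ESP8266 core
#include <ESP8266WiFi.h>
#include <ESP8266HTTPClient.h>

// Returns the HTTP status code, or a negative value if the policy refuses
// the URL or the request fails.
int fetch(const String& url, const TlsPolicy& p) {
  TrustMode mode = choosePolicy(url.c_str(), p);
  if (mode == TrustMode::Refuse) return -1;

  WiFiClient plain;               // clients are declared before HTTPClient
  BearSSL::WiFiClientSecure tls;  // so that they outlive it
  HTTPClient http;
  WiFiClient* client = &tls;
  if (mode == TrustMode::PlainHttp) client = &plain;
  if (mode == TrustMode::Fingerprint) tls.setFingerprint(p.fingerprint.c_str());
  if (mode == TrustMode::Insecure) tls.setInsecure();  // no certificate check

  if (!http.begin(*client, url)) return -1;
  int code = http.GET();
  http.end();
  return code;
}
#endif
```

With this shape, an unverified connection appears in the sketch only where `allowInsecure` is set, so it is easy to find in review.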
