PKI: Make (D)TLS operation consistent across all TLS libraries
The use of the verify_peer_cert and require_peer_cert variables in the coap_dtls_pki_t structure was giving inconsistent results across all the TLS libraries. This was primarily down to the large number of options available to control the TLS handshakes in OpenSSL compared to the limited control available to the MbedTLS port, which followed later.

require_peer_cert is not easy to control in MbedTLS as it is an implicit configuration based on how other, not always related, items were configured. require_peer_cert was used by the server to control whether the client could use anonymous certificates or not. This is now controlled by verify_peer_cert.

The require_peer_cert variable has been replaced with check_common_ca, so that the OpenSSL functionality can continue, but enables GnuTLS / MbedTLS to produce the same results. This allows peers to mutually authenticate (because the peer certs are signed by the same common CA) or not, which was in effect controlled by verify_peer_cert previously.

examples/client.c:
examples/coap-rd.c:
examples/coap-server.c:
Add in -n (unset verify_peer_cert) and -z (unset check_common_ca) options. In the case of coap-server, make -n refer to verify_peer_cert.

include/coap2/coap_dtls.h:
include/coap2/net.h:
Update with variable changes, and make the coap_dtls_pki_t parameter const for the *_context_set_pki() functions.

man/coap-client.txt.in:
man/coap-rd.txt.in:
man/coap-server.txt.in:
Update documentation to reflect the examples option usage.

man/coap_context.txt.in:
man/coap_encryption.txt.in:
man/coap_session.txt.in:
Update with the new variable name and document as appropriate.

src/coap_gnutls.c:
src/coap_mbedtls.c:
src/coap_notls.c:
src/coap_openssl.c:
coap_tinydtls.c:
Update to make variable usage consistent. Update logging from LOG_WARNING to LOG_INFO where there is an override of a PKI check failure by one of the coap_dtls_pki_t variables.

src/coap_io.c:
Update logging from LOG_WARNING to LOG_INFO for EPIPE or ECONNRESET errors in coap_socket_write().

src/net.c:
Handle the const coap_dtls_pki_t parameter in the coap_context_set_pki() function.
Showing 18 changed files with 303 additions and 123 deletions.