Experimental support of HTTPUpdate for OTA #1751
Conversation
- support bearssl & axtls through wificlientsecure - configurable at build time ota impelementations - allow to disable arduinoota
|
For example, X1 root from LE is ~1.4KB when stored as .der |
|
Very nice, great work @mcspr! I will be leaving some comments on the code, but this looks much nicer split up this my PR - I'll be closing that one now in favor of this. |
code/espurna/config/general.h
Outdated
| // ----------------------------------------------------------------------------- | ||
|
|
||
| #ifndef SSL_CLIENT | ||
| #define SSL_CLIENT SSL_CLIENT_NONE // What variant of WiFiClient to use (no SSL support by default) |
There was a problem hiding this comment.
I think it would be good to mention the option here, so: SSL_CLIENT_NONE, SSL_CLIENT_AXTLS and SSL_CLIENT_BEARSSL. Also maybe do some auto detection based on the core version?
There was a problem hiding this comment.
Autodetection? One interesting problem with version detection:
Ciphers blow up stack (fixed by stack thunk size increase in git) but can be mitigated locally by using hand-made cipher list. And that affects 2.5.0-2.5.2. It kind of tricky to define what works, so maybe it is better to leave this to the user.
I will have updated comments with possible clients options + Core from which they work / become deprecated
| // TODO: add DigiCert CA for github? | ||
| #if SSL_CLIENT_BEARSSL && OTA_SSL_CLIENT_INCLUDE_CA | ||
| #include "static/ota_ssl_client_ca.h" | ||
| #else |
There was a problem hiding this comment.
I think I wanted to add something here using .cpp files and weaken the progmem char symbol, but that did not quite work. This probably can even be just a check for include_ca flag, progmem'ed array will be discarded anyways as unused variable.
|
Are you planning to merge this soon @mcspr? I will base the MQTT changes I'm working on on this PR (e.g. |
|
I thought to clean up 1.13.6 first. @xoseperez did specify that we use semantic versioning, but I think we need to release more versions for that to apply. However, since we don't break existing functionality and only add optional features, maybe it still works for this PR. |
|
Maybe it's an idea to make a "SSL improvements" branch? That makes it at least a bit easier to base other PRs on. |
|
It can. I'd sleep on it, but I think just adding it to dev marked as experimental would be less of a hassle. There could be a separate module/feature line in And some minor things:
|
mcspr
changed the title
|
Can merge this finally. So the one thing I have forgot is to support basic urls when ssl client is built. Turns out esp8266/Arduino#4980 marked all but update(WiFiClient, ...) methods as deprecated. Both HTTPCLIENT_1_1_COMPATIBLE and HTTPUPDATE_1_2_COMPATIBLE look more suitable for internal Core dependency, not something supporting both sides of deprecation (when there were none of those methods present). That and different update() signatures per fingerprinting, it is kind of a pain to support all of the methods. Hence combining deprecated axTLS and update(url, fp) methods together |
|
Looks good! Once it's merged I will change the MQTT code to look at the |
* MQTT rewrite with SSL fixes - Added Arduino MQTT library support (actively maintained) - Added support for BearSSL (core >= 2.5) - BearSSL validation: insecure, fingerprinting and CA validation - AxTLS validation: insecure and fingerprinting - Support MFLN in order to reduce heap usage * Better header incl, fix building w/ no NTP_SUPPORT * Clean up code, use DEBUG_MSG_P * Fix compile error
Configuration might need to be OTA specific though,
otaSslCheck?@Niek This is what I meant by separate implementations. I think this builds 🌊
ArduinoOTA and OTA client are split into separate modules, Core HTTP updater added in a similar manner. Both axtls and bearssl should be supported. Only fingerprint support with 2.4.2, because travis envs do not use 2.5.. yet (and at this point, idk what to do with it. Core git broke spiffs symbols.... agrh)
CA support is trickier. The most robust way is to allow multiple of them (as common CA storage works on general-purpose oses), but rn it is only a single one. Either some personal CA entity and that surely will work, or we hope that LE cert is properly signed (because I do see that some of my certs are signed with DST root instead).
edit: This is more of a reference implementation and a dumping ground for some nice things found on the way, which will be merged asap (URL class, ArduinoOTA support flag...) before this