espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-08-03 12:44:33 +02:00
Code Issues Packages Projects Releases Wiki Activity

esp_tls: Add warning if the CA chain provided contains one/more invalid cert

Browse Source
This commit is contained in:
Aditya Patwardhan
2021-01-11 12:23:30 +05:30
committed by bot
parent 85c43024cb
commit 832128faf0
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
components/esp-tls/esp_tls.c
View File

@@ -292,6 +292,11 @@ static int create_ssl_handle(esp_tls_t *tls, const char *hostname, size_t hostle
ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned -0x%x\n\n", -ret); ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned -0x%x\n\n", -ret);
goto exit; goto exit;
} }
if (ret > 0) {
/* This will happen if the CA chain contains one or more invalid certs, going ahead as the hadshake
* may still succeed if the other certificates in the CA chain are enough for the authentication */
ESP_LOGW(TAG, "mbedtls_x509_crt_parse was partly successful. No. of failed certificates: %d", ret);
}
mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_REQUIRED); mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
mbedtls_ssl_conf_ca_chain(&tls->conf, tls->cacert_ptr, NULL); mbedtls_ssl_conf_ca_chain(&tls->conf, tls->cacert_ptr, NULL);
} else { } else {