diff --git a/examples/system/ota/README.md b/examples/system/ota/README.md
index 9354b5cd0b..9704c8558f 100644
--- a/examples/system/ota/README.md
+++ b/examples/system/ota/README.md
@@ -158,4 +158,17 @@ $ python example_test.py build 8070
 Starting HTTPS server at "https://:8070"
 192.168.10.106 - - [02/Mar/2021 14:32:26] "GET /simple_ota.bin HTTP/1.1" 200 -
 ```
-* Publish the firmware image on a public server (e.g. github.com) and copy its root certificate to the `server_certs` directory as `ca_cert.pem`. (The certificate can be downloaded using the `s_client` openssl command if the host includes the root certificate in the chain, e.g. `openssl s_client -showcerts -connect github.com:443 ca_cert.pem +```
+
+Please note that URL used here is `raw.githubusercontent.com`. This URL allows raw access to files hosted on github.com repository. Additionally, command above copies last certificate from chain of certs as the CA root cert of server.
+
+---
+**NOTE**
+
+For examples using certificate bundle approach (e.g., `simple_ota_example`), it already has most common root certificates and hence there is no need to add any additional certs.
+
+---
diff --git a/examples/system/ota/simple_ota_example/main/Kconfig.projbuild b/examples/system/ota/simple_ota_example/main/Kconfig.projbuild
index 473a1399c6..b0a30bd2b0 100644
--- a/examples/system/ota/simple_ota_example/main/Kconfig.projbuild
+++ b/examples/system/ota/simple_ota_example/main/Kconfig.projbuild
@@ -7,6 +7,14 @@ menu "Example Configuration"
             URL of server which hosts the firmware image.
 
+    config EXAMPLE_USE_CERT_BUNDLE
+        bool "Enable certificate bundle"
+        default y
+        help
+            Enable trusted root certificate bundle. This approach allows to have
+            OTA updates functional with any public server without requirement
+            to explicitly add its server certificate.
+
     config EXAMPLE_FIRMWARE_UPGRADE_URL_FROM_STDIN
         bool
         default y if EXAMPLE_FIRMWARE_UPGRADE_URL = "FROM_STDIN"
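Review bot: `config EXAMPLE_USE_CERT_BUNDLE` defaults to y but carries no `depends on MBEDTLS_CERTIFICATE_BUNDLE`, so a project that turns the mbedTLS bundle off in its sdkconfig still has the example option enabled, and the `#include "esp_crt_bundle.h"` / `esp_crt_bundle_attach` path in simple_ota_example.c then most likely fails to build or link; add `depends on MBEDTLS_CERTIFICATE_BUNDLE` directly under the `bool` line. The help text also overstates the effect: the bundle does not remove certificate verification, it replaces the single pinned certificate with the set of roots compiled into the bundle, so the server must still present a chain that validates to one of them. I would phrase the first sentence as `Use the trusted root certificate bundle instead of a single embedded server certificate; the OTA server must present a chain that validates to one of the bundled roots.` and keep the remark that no per-server certificate needs to be added.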
diff --git a/examples/system/ota/simple_ota_example/main/simple_ota_example.c b/examples/system/ota/simple_ota_example/main/simple_ota_example.c
index b6e21605b8..33679ece75 100644
--- a/examples/system/ota/simple_ota_example/main/simple_ota_example.c
+++ b/examples/system/ota/simple_ota_example/main/simple_ota_example.c
@@ -16,6 +16,9 @@
 #include "esp_https_ota.h"
 #include "protocol_examples_common.h"
 #include "string.h"
+#ifdef CONFIG_EXAMPLE_USE_CERT_BUNDLE
+#include "esp_crt_bundle.h"
+#endif
 #include "nvs.h"
 #include "nvs_flash.h"
@@ -88,7 +91,11 @@ void simple_ota_example_task(void *pvParameter)
 #endif
     esp_http_client_config_t config = {
         .url = CONFIG_EXAMPLE_FIRMWARE_UPGRADE_URL,
+#ifdef CONFIG_EXAMPLE_USE_CERT_BUNDLE
+        .crt_bundle_attach = esp_crt_bundle_attach,
+#else
         .cert_pem = (char *)server_cert_pem_start,
+#endif /* CONFIG_EXAMPLE_USE_CERT_BUNDLE */
         .event_handler = _http_event_handler,
         .keep_alive_enable = true,
 #ifdef CONFIG_EXAMPLE_FIRMWARE_UPGRADE_BIND_IF
diff --git a/examples/system/ota/simple_ota_example/sdkconfig.defaults b/examples/system/ota/simple_ota_example/sdkconfig.defaults
index 2289a82300..748f1e2f65 100644
--- a/examples/system/ota/simple_ota_example/sdkconfig.defaults
+++ b/examples/system/ota/simple_ota_example/sdkconfig.defaults
@@ -2,3 +2,8 @@
 # partition table layout, with a 4MB flash size
 CONFIG_ESPTOOLPY_FLASHSIZE_4MB=y
 CONFIG_PARTITION_TABLE_TWO_OTA=y
+
+# Certificate bundle configuration
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=y
+CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE=y
+CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE_PATH="server_certs/ca_cert.pem"
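Review bot: The two trust models selected by `#ifdef CONFIG_EXAMPLE_USE_CERT_BUNDLE` inside the `esp_http_client_config_t` initializer are not explained where the choice is made, and that choice is the security decision of this example. I would add above the `#ifdef` a comment such as `/* Bundle: the server chain is validated against the roots compiled into the certificate bundle. Otherwise: only the single certificate referenced by server_cert_pem_start (presumably the embedded server_certs/ca_cert.pem) is trusted, i.e. it is pinned. */`. The same guard around the include in the first hunk needs no comment. simple_ota_example_task begins and ends outside the hunk.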
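Review bot: The comment `# Certificate bundle configuration` does not say what these lines do to the device's trust store, and the last one matters: `CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE_PATH="server_certs/ca_cert.pem"` adds whatever certificate sits at that path to the bundle alongside the common roots selected by `CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=y`, so the example's own test CA becomes a trust anchor for the firmware download. I would replace the comment with `# Certificate bundle: trust the common public roots plus the example's own CA in server_certs/ca_cert.pem, so the local test server is accepted as well`. The path is presumably resolved against the project directory at build time, so the file must exist whenever `CONFIG_EXAMPLE_USE_CERT_BUNDLE` is enabled; that is worth stating here or in the README.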