Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added USE_MQTT_TLS_DROP_OLD_FINGERPRINT compile time option to drop old (less secure) TLS fingerprint #10584

Merged
merged 2 commits into from
Jan 16, 2021
+8 −0
Merged

Added USE_MQTT_TLS_DROP_OLD_FINGERPRINT compile time option to drop old (less secure) TLS fingerprint #10584

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d92fbe2
Added ``USE_MQTT_TLS_DROP_OLD_FINGERPRINT`` compile time option to dr…
s-hadinger Jan 16, 2021
96b5526
Fix Readme
s-hadinger Jan 16, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ All notable changes to this project will be documented in this file.
- ESP8266 Support for 2MB and up linker files with 1MB and up LittleFS
- ESP32 support for TLS MQTT using BearSSL (same as ESP8266)
- Support for 24/26/32/34 bit RFID Wiegand interface (D0/D1) by Sigurd Leuther (#3647)
- Added ``USE_MQTT_TLS_DROP_OLD_FINGERPRINT`` compile time option to drop old (less secure) TLS fingerprint

### Breaking Changed
- ESP32 switch from default SPIFFS to default LittleFS file system loosing current (zigbee) files
Expand Down
4 changes: 4 additions & 0 deletions tasmota/WiFiClientSecureLightBearSSL.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -804,6 +804,7 @@ extern "C" {
return 0;
}

#ifndef USE_MQTT_TLS_DROP_OLD_FINGERPRINT
// No match under new algorithm, do some basic checking on the key.
//
// RSA keys normally have an e value of 65537, which is three bytes long.
Expand Down Expand Up @@ -838,6 +839,9 @@ extern "C" {
pubkeyfingerprint_pubkey_fingerprint(xc, false);

return 0;
#else // USE_TLS_OLD_FINGERPRINT_COMPAT
return 1; // no match, error
#endif // USE_TLS_OLD_FINGERPRINT_COMPAT
} else {
// Default (no validation at all) or no errors in prior checks = success.
return 0;
Expand Down
3 changes: 3 additions & 0 deletions tasmota/my_user_config.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -401,6 +401,9 @@
// #define USE_MQTT_AWS_IOT // [Deprecated] Enable MQTT for AWS IoT - requires a private key (+11.9k code, +0.4k mem)
// Note: you need to generate a private key + certificate per device and update 'tasmota/tasmota_aws_iot.cpp'
// Full documentation here: https://github.com/arendst/Tasmota/wiki/AWS-IoT
// #define USE_MQTT_TLS_DROP_OLD_FINGERPRINT // If you use fingerprint (i.e. not CA) validation, the algorithm changed to a more secure one.
// Any valid fingerprint with the old algo will be automatically updated to the new algo.
// Enable this if you want to disable the old algo check, which should be more secure
// for USE_4K_RSA (support for 4096 bits certificates, instead of 2048), you need to uncommend `-DUSE_4K_RSA` in `build_flags` from `platform.ini` or `platform_override.ini`

// -- Telegram Protocol ---------------------------
Expand Down