clientcert never initialized (IDFGH-5771) #7479
Comments
Hi @dannybackx, by default the server is used with When the appropriate CA certificate is provided in the server configuration for client authentication. Then internally the client certificate obtained at the time of handshake (peer certificate) is verified against the provided CA certificate. I agree the clientcert field is unused in the entire code-base in case of the server. But it is used in case of the client. And since the esp-tls server and client share the same For the code that you have mentioned to work we will have to create a pointer of the type Is there any reason/requirement in your code for inspecting the peer certificate?
I want access to the certificate for authentication.
Hi @dannybackx, I am not sure why you want to access the certificate for authentication when you can just tell mbedtls to do the authentication for you, without having to worry about the peer cert. Anyways,
Maybe I should have said authorization. As far as I know the built-in mechanism, even with mutual authentication, will only assess that both parties in the communication have valid certificates. I need to go a step further.
Also my sample code above shows that mbedtls_ssl_get_peer_cert() exposes the peer certificate. So it is available, it just needs to be extracted by the esp_https_server.
Hi @dannybackx
This works, thanks.
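The authorization step described in this comment (deciding who the already-authenticated peer is, not just that its certificate chains to the configured CA), as an added example that is not code from this thread or from ESP-IDF. It assumes the DN string was produced by mbedtls_x509_dn_gets() on the certificate returned by mbedtls_ssl_get_peer_cert(), that it runs in a server-side callback after mbedtls has verified the chain, and that the allowlist names are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed allowlist of client CNs permitted to use the server.
 * In esp_https_server this check would run after the TLS handshake, on the
 * subject of the certificate returned by mbedtls_ssl_get_peer_cert()
 * (rendered with mbedtls_x509_dn_gets), once mbedtls has already verified
 * the chain against the configured CA. */
static const char *const k_allowed_cn[] = { "sensor-01", "sensor-02" };

/* Extract the CN value from a DN string in mbedtls_x509_dn_gets() format
 * ("CN=sensor-01, O=Example Corp, C=NL"). Returns its length, or 0 if the CN
 * is absent, empty or too long. Honours the backslash escaping mbedtls uses
 * for ',' inside values, so an escaped comma cannot end the CN early. */
size_t dn_get_cn(const char *dn, char *out, size_t out_len)
{
    const char *p = dn;
    while (*p) {
        while (*p == ' ' || *p == ',') p++;            /* skip separators */
        bool is_cn = strncmp(p, "CN=", 3) == 0;
        if (is_cn) p += 3;
        size_t n = 0;
        /* scan one value; it ends at an unescaped ',' or end of string */
        while (*p && *p != ',') {
            char c = *p;
            if (c == '\\' && p[1]) { c = p[1]; p++; }   /* unescape "\," etc. */
            if (is_cn) {
                if (n + 1 >= out_len) return 0;        /* oversized CN: reject */
                out[n++] = c;
            }
            p++;
        }
        if (is_cn) { out[n] = '\0'; return n; }
    }
    return 0;
}

/* Authorization decision: true only if the peer's CN is on the allowlist.
 * A missing or unparseable CN is a deny, never a default allow. */
bool peer_is_authorized(const char *peer_dn)
{
    char cn[64];
    if (dn_get_cn(peer_dn, cn, sizeof cn) == 0) return false;
    for (size_t i = 0; i < sizeof k_allowed_cn / sizeof k_allowed_cn[0]; i++)
        if (strcmp(cn, k_allowed_cn[i]) == 0) return true;
    return false;
}
```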
You also need
@dannybackx Yes, thanks for the suggestion. Yes, we plan to merge it into master and then it would be a part of the upcoming release. (It would not be a part of already released branches, considering it's a new feature.)
Perfect, thanks
Pff, reported in August. Four months later, still not in the newest release.
Hi @dannybackx Please check that the respective user callback has already been added in the esp_https_server.
Environment
- IDF version (run `git describe --tags` to find it): esp-idf-v4.3
- Compiler version (run `xtensa-esp32-elf-gcc --version` to find it): xtensa-esp32-elf-gcc (crosstool-NG esp-2020r3) 8.4.0

Problem Description
When establishing a client-server connection via esp-https-server (so esp32 runs a web server), it's not possible to inspect the client certificate of the https connection.
That's because the certificate is never copied to the clientcert field in the esp-tls layer.
Suggested fix: do this at the end of esp_mbedtls_server_session_create() by calling mbedtls_ssl_get_peer_cert().
I would give a more detailed diff but I don't see exactly how to copy a mbedtls_x509_crt structure. My current proof of concept has this code:
but the last line is obviously wrong as it doesn't get allocation right, and my sample code then crashes on memory allocation code (mbedtls_x509_crt_free is in the panic call stack).
Expected Behavior
For the clientcert field not to be unused in the entire code base
Actual Behavior
The clientcert field only has code that frees it if non-zero.
Code to reproduce this issue
Is rather large, sorry.
https://sourceforge.net/p/emptyesp32/code/HEAD/tree/https/