Hi Jerome ++CC Simon for lwIP
On Thu, 27 Feb 2025 at 18:09, Jerome Forissier <jerome.foriss...@linaro.org> wrote: > > Instead of relying on some build time configuration to determine if > server certificates need to be checked against CA certificates, do it > based on the availability of such certificates. If no CA is configured > then no check can succeed; on the other hand if we have CA certs then > we should not ignore them. It is always possible to remove the CA certs > (via 'wget cacert 0 0') to force an HTTPS download that would fail > certificate validation This looks correct, but we should at some point send those to lwIP as well instead of keeping them locally Reviewed-by: Ilias Apalodimas <ilias.apalodi...@linaro.org> > > Signed-off-by: Jerome Forissier <jerome.foriss...@linaro.org> > --- > lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c | 3 ++- > .../lwip/src/include/lwip/apps/altcp_tls_mbedtls_opts.h | 6 ------ > 2 files changed, 2 insertions(+), 7 deletions(-) > > diff --git a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c > b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c > index 46421588fef..fa3d1d74fed 100644 > --- a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c > +++ b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c > @@ -786,6 +786,7 @@ altcp_tls_create_config(int is_server, u8_t cert_count, > u8_t pkey_count, int hav > int ret; > struct altcp_tls_config *conf; > mbedtls_x509_crt *mem; > + int authmode = have_ca ? MBEDTLS_SSL_VERIFY_REQUIRED : > MBEDTLS_SSL_VERIFY_NONE; > > if (TCP_WND < MBEDTLS_SSL_IN_CONTENT_LEN || TCP_WND < > MBEDTLS_SSL_OUT_CONTENT_LEN) { > LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG|LWIP_DBG_LEVEL_SERIOUS, 
> @@ -840,7 +841,7 @@ altcp_tls_create_config(int is_server, u8_t cert_count, > u8_t pkey_count, int hav > altcp_mbedtls_free_config(conf); > return NULL; > } > - mbedtls_ssl_conf_authmode(&conf->conf, ALTCP_MBEDTLS_AUTHMODE); > + mbedtls_ssl_conf_authmode(&conf->conf, authmode); > > mbedtls_ssl_conf_rng(&conf->conf, mbedtls_ctr_drbg_random, > &altcp_tls_entropy_rng->ctr_drbg); > #if ALTCP_MBEDTLS_LIB_DEBUG != LWIP_DBG_OFF > diff --git a/lib/lwip/lwip/src/include/lwip/apps/altcp_tls_mbedtls_opts.h > b/lib/lwip/lwip/src/include/lwip/apps/altcp_tls_mbedtls_opts.h > index e41301c061c..71aa5993935 100644 > --- a/lib/lwip/lwip/src/include/lwip/apps/altcp_tls_mbedtls_opts.h > +++ b/lib/lwip/lwip/src/include/lwip/apps/altcp_tls_mbedtls_opts.h > @@ -100,12 +100,6 @@ > #define ALTCP_MBEDTLS_SESSION_TICKET_TIMEOUT_SECONDS (60 * 60 * 24) > #endif > > -/** Certificate verification mode: MBEDTLS_SSL_VERIFY_NONE, > MBEDTLS_SSL_VERIFY_OPTIONAL (default), > - * MBEDTLS_SSL_VERIFY_REQUIRED (recommended)*/ > -#ifndef ALTCP_MBEDTLS_AUTHMODE > -#define ALTCP_MBEDTLS_AUTHMODE > MBEDTLS_SSL_VERIFY_OPTIONAL > -#endif > - > #endif /* LWIP_ALTCP */ > > #endif /* LWIP_HDR_ALTCP_TLS_OPTS_H */ > -- > 2.43.0 >
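Review bot: in the first altcp_tls_mbedtls.c hunk the new `authmode` is derived from `have_ca` alone and ignores `is_server`, which this same function takes; in mbedTLS the authmode on a server-side config governs whether the peer (the client) must present a certificate, so a server config created with CA certs would now demand client certificates, and one created without them would skip client authentication entirely. If the intent is only to validate server certificates on the client side, gate the choice on the role as well, e.g. `int authmode = (!is_server && have_ca) ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE;`, or state in the commit message that server-side client authentication is meant to follow the same CA-availability rule.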
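Review bot: at `mbedtls_ssl_conf_authmode(&conf->conf, authmode);` the no-CA case now gets MBEDTLS_SSL_VERIFY_NONE, where the removed default was MBEDTLS_SSL_VERIFY_OPTIONAL; in mbedTLS OPTIONAL still runs the chain check and exposes the outcome through mbedtls_ssl_get_verify_result(), whereas NONE skips verification altogether, so any caller that inspected the verify result after the handshake loses that signal. If nothing in the tree reads it, a sentence in the commit message saying so would make the downgrade an explicit decision rather than a side effect of the variable swap.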
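Review bot: deleting the `#ifndef ALTCP_MBEDTLS_AUTHMODE` block from altcp_tls_mbedtls_opts.h removes a public override point without a compatibility path: a port that sets ALTCP_MBEDTLS_AUTHMODE in its lwipopts.h still compiles, but the value is referenced nowhere after this patch and is silently ignored. Consider keeping the macro as an explicit override that the new have_ca-based default yields to, or at least calling out the removal in the commit message; as the reply above notes, this also puts the in-tree copy out of step with upstream lwIP, so sending the change upstream would avoid carrying the delta on every resync.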