Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable/Disable in secure #54

Open
LM-HieuNM opened this issue Oct 21, 2024 · 2 comments
Open

Enable/Disable in secure #54

LM-HieuNM opened this issue Oct 21, 2024 · 2 comments

Comments

@LM-HieuNM
Copy link

I am building an MQTT program over TLS. But there is a problem that this library does not support enabling or disabling In secure (Terminology of a feature on MQTTx). Our MQTT certificate does not require domain validation so I get error -9984 right from the tls connection.
To solve the problem, I have to do it manually by clearing the result of the domain validation process:

pub unsafe extern "C" fn verify_callback(
  ctx: *mut c_void,
  cert: *mut mbedtls_x509_crt,
  depth: i32,
  flags: *mut u32,
) -> i32 {
    if *flags ==  MBEDTLS_X509_BADCERT_CN_MISMATCH {
        *flags = 0;
        return 0; 
    }
    *flags as i32
}

Is this correct for bypassing domain validation and is there another way?
@bjoernQ
Copy link
Collaborator

bjoernQ commented Oct 21, 2024

Is the server using a self-signed certificate?

You could probably also get away with using a correct ca_chain to make validation work.

Not verifying the certificate puts you at risk of someone possibly redirecting the traffic to a malicious server so it pretty much depends if you are willing to take that risk (e.g. probably fine for a personal project or operating in a private network) or not

@AnthonyGrondin
Copy link
Collaborator

We don't really expose the mbedtls_ssl_conf_authmode() parameter to the user, as it is determined here, on a best guest try that covers every usage (client and server).

esp-mbedtls/esp-mbedtls/src/lib.rs

Lines 363 to 372 in f292457

mbedtls_ssl_conf_authmode(
ssl_config,
if self.ca_chain.is_some() {
MBEDTLS_SSL_VERIFY_REQUIRED as i32
} else {
// Use this config when in server mode
// Ref: https://os.mbed.com/users/markrad/code/mbedtls/docs/tip/ssl_8h.html#a5695285c9dbfefec295012b566290f37
MBEDTLS_SSL_VERIFY_NONE as i32
},
);

If you provide any ca_chain, your servername must match the name provided in the certificate, for which the connection is made. The X509 struct currently doesn't allow fetching the name in certificates, because this would require adding a parser, which would add more weight and dependencies. You can use external crates for such purpose, if you want to dynamically set the CN at runtime.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@bjoernQ @AnthonyGrondin @LM-HieuNM