I think I have found a bug in the implementation of the NetworkClientSecure::setCACertBundle function. The bundle is passed as const uint8_t* and then sizeof is called on that argument inside the function. This will not return the size of the array but the size of the pointer passed into the function. It is then used in a call to esp_crt_bundle_set. When the library gets to the point of validating a certificate the following error is output:
esp-x509-crt-bundle: Invalid certificate bundle
This is because the proper bundle size is not being used. If I modify the function to accept a size parameter similar to how loadCertificate and loadPrivateKey do and then pass that size to the call to esp_crt_bundle_set function I am able to get a proper certificate validation.
This should also allow us to get around the stated limitation in the documentation that certificate bundles will not work in the Arduino IDE natively. I believe it would be possible to include a .S cert bundle or even construct one in C++ as a raw uint8_t array.
Sketch
Any sample using NetworkClientSecure will exhibit this issue if you call setCACertBundle
Debug Message
E (12665) esp-x509-crt-bundle: Invalid certificate bundle
Other Steps to Reproduce
No response
I have checked existing issues, online documentation and the Troubleshooting Guide
I confirm I have checked existing issues, online documentation and Troubleshooting guide.
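The pointer-versus-array sizeof behaviour described in this report, as an added example that is not part of the original issue or the arduino-esp32 code. bundle_is_valid, the set_bundle_* functions and the length-prefixed sample layout are hypothetical stand-ins constructed for illustration; they are not the real esp_crt_bundle_set or its bundle format.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for the bundle consumer (not the ESP-IDF code).
// Constructed layout: 2-byte big-endian entry count, then for each entry a
// 2-byte big-endian length followed by that many bytes.
bool bundle_is_valid(const uint8_t *bundle, size_t size) {
    if (bundle == nullptr || size < 2) return false;
    size_t count = (static_cast<size_t>(bundle[0]) << 8) | bundle[1];
    size_t off = 2;
    for (size_t i = 0; i < count; ++i) {
        if (size - off < 2) return false;           // entry header truncated
        size_t len = (static_cast<size_t>(bundle[off]) << 8) | bundle[off + 1];
        off += 2;
        if (size - off < len) return false;         // entry body truncated
        off += len;
    }
    return off == size;                             // no trailing bytes
}

// Shape reported in the issue: sizeof applied to a pointer parameter.
bool set_bundle_buggy(const uint8_t *bundle) {
    return bundle_is_valid(bundle, sizeof(bundle)); // pointer size, not array size
}

// Shape proposed in the issue: the caller passes the size explicitly.
bool set_bundle_fixed(const uint8_t *bundle, size_t size) {
    return bundle_is_valid(bundle, size);
}

// Alternative: an array reference lets the compiler deduce the length.
template <size_t N>
bool set_bundle_array(const uint8_t (&bundle)[N]) {
    return set_bundle_fixed(bundle, N);
}

// Constructed sample bundle: two entries, 20 bytes in total.
static const uint8_t kSampleBundle[] = {
    0x00, 0x02,
    0x00, 0x08, 'e', 'n', 't', 'r', 'y', '-', '0', '1',
    0x00, 0x06, 'e', 'n', 't', 'r', 'y', '2',
};

int main() {
    std::printf("buggy: %d\n", set_bundle_buggy(kSampleBundle));
    std::printf("fixed: %d\n", set_bundle_fixed(kSampleBundle, sizeof(kSampleBundle)));
    std::printf("array: %d\n", set_bundle_array(kSampleBundle));
    return 0;
}
```

The buggy variant rejects the same bytes the other two accept, because the validator is told the bundle is only as long as a pointer (4 or 8 bytes) and stops inside the first entry.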
In any case, this bug is still present during the firmware update; it is unclear whether that was everything:
Symptom:
E (640) esp-x509-crt-bundle: Invalid certificate bundle
...
[434608][E][ssl_client.cpp:213] start_ssl_client(): useRootCABundle is set, but attach_ssl_certificate_bundle(ssl, true); was not called!
[434620][V][ssl_client.cpp:288] start_ssl_client(): Setting hostname for TLS session...
[434628][V][ssl_client.cpp:309] ssl_starttls_handshake(): Performing the SSL/TLS handshake...
[434670][E][ssl_client.cpp:36] _handle_error(): [ssl_starttls_handshake():313]: (-30336) SSL - No CA Chain is set, but required to operate
[434683][E][NetworkClientSecure.cpp:159] connect(): start_ssl_client: connect failed: -30336
[434691][V][ssl_client.cpp:360] stop_ssl_socket(): Cleaning SSL connection.
[434699][D][HTTPClient.cpp:1105] connect(): failed connect to objects.githubusercontent.com:443
bug report espressif/arduino-esp32#10099
fix in Arduino master espressif/arduino-esp32@f350d16
Unfortunately it is unclear to me why; it should be fixed in Arduino 3.0.4 :-/
Board
ESP32 Dev Module
Device Description
DevKitC
Hardware Configuration
Nothing connected, raw dev board.
Version
latest master (checkout manually)
IDE Name
VSCode
Operating System
Linux
Flash frequency
40MHz
PSRAM enabled
no
Upload speed
115200