From 7a92f89d12f5acbd977d09be9f1a3910267d1f7e Mon Sep 17 00:00:00 2001
From: kliment
Date: Wed, 30 Sep 2020 13:41:03 +0200
Subject: [PATCH] Set TLS cert options before calling connect on client, so verify works (#3774)
When connecting using transportTraits, the CA and client certificates are ignored after the initial _client->connect() is called. This is because on connect, WiFiClientSecure will call start_ssl_client with _CA_Cert and other cert options set to null unless setCACert, setCertificate etc. are called before connect. Running _transportTraits->verify after connect therefore does exactly nothing. It's easy to verify that this is the case by passing a CACert to HTTPClient with verbose logging enabled - the logs will say "WARNING: Use certificates for a more secure communication!" which is only present when both PSK and CA are null. This change fixes the issue.
---
 libraries/HTTPClient/src/HTTPClient.cpp | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/libraries/HTTPClient/src/HTTPClient.cpp b/libraries/HTTPClient/src/HTTPClient.cpp
index 187cd6a6..dfd74ce3 100644
--- a/libraries/HTTPClient/src/HTTPClient.cpp
+++ b/libraries/HTTPClient/src/HTTPClient.cpp
@@ -1012,7 +1012,13 @@ bool HTTPClient::connect(void)
 log_d("HTTPClient::begin was not called or returned error");
 return false;
 }
-
+#ifdef HTTPCLIENT_1_1_COMPATIBLE
+ if (_tcpDeprecated && !_transportTraits->verify(*_client, _host.c_str())) {
+ log_d("transport level verify failed");
+ _client->stop();
+ return false;
+ }
+#endif
 if(!_client->connect(_host.c_str(), _port, _connectTimeout)) {
 log_d("failed connect to %s:%u", _host.c_str(), _port);
 return false;
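Review bot: The guarded block now runs before `_client->connect()`, so `_transportTraits->verify()` is no longer checking an established connection but, as the description explains, installing the CA/client certificate on the client so the handshake inside `connect()` can use it; the name and the `"transport level verify failed"` message now read as if a peer check had failed, and a comment above `#ifdef HTTPCLIENT_1_1_COMPATIBLE` would save the next reader from re-deriving this, e.g. `// Must run before connect(): the TLS client reads its CA/cert options at handshake time, so applying them afterwards has no effect.` Two things the hunk does not settle: `_client->stop()` on the failure path is now called on a client that was never connected, presumably a harmless no-op but worth confirming it logs nothing misleading, and the new ordering only covers the `_tcpDeprecated` path, so a caller that hands its own client to `begin()` still has to configure certificates itself before `connect()` runs. Note also that when no CA was supplied, `verify()` presumably still returns true and the connection proceeds without certificate validation (the "WARNING: Use certificates" case from the description), which is pre-existing behaviour rather than something this hunk introduces, but it means a passing verify() is not by itself evidence of an authenticated peer. HTTPClient::connect starts and ends outside the hunk.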
@@ -1023,14 +1029,6 @@ bool HTTPClient::connect(void)
 log_d(" connected to %s:%u", _host.c_str(), _port);
-#ifdef HTTPCLIENT_1_1_COMPATIBLE
- if (_tcpDeprecated && !_transportTraits->verify(*_client, _host.c_str())) {
- log_d("transport level verify failed");
- _client->stop();
- return false;
- }
-#endif
-
 /*
 #ifdef ESP8266