Set TLS cert options before calling connect on client, so verify works (#3774)

When connecting using transportTraits, the CA and client certificates are ignored after the initial _client->connect() is called. This is because on connect, WiFiClientSecure will call start_ssl_client with _CA_Cert and other cert options set to null unless setCACert, setCertificate etc. are called before connect. Running _transportTraits->verify after connect therefore does exactly nothing. It's easy to verify that this is the case by passing a CACert to HTTPClient with verbose logging enabled - the logs will say "WARNING: Use certificates for a more secure communication!" which is only present when both PSK and CA are null. This change fixes the issue.
This commit is contained in:
kliment 2020-09-30 13:41:03 +02:00 committed by GitHub
parent 5871ca9ce9
commit 7a92f89d12
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -1012,7 +1012,13 @@ bool HTTPClient::connect(void)
log_d("HTTPClient::begin was not called or returned error");
return false;
}
#ifdef HTTPCLIENT_1_1_COMPATIBLE
if (_tcpDeprecated && !_transportTraits->verify(*_client, _host.c_str())) {
log_d("transport level verify failed");
_client->stop();
return false;
}
#endif
if(!_client->connect(_host.c_str(), _port, _connectTimeout)) {
log_d("failed connect to %s:%u", _host.c_str(), _port);
return false;
@ -1023,14 +1029,6 @@ bool HTTPClient::connect(void)
log_d(" connected to %s:%u", _host.c_str(), _port);
#ifdef HTTPCLIENT_1_1_COMPATIBLE
if (_tcpDeprecated && !_transportTraits->verify(*_client, _host.c_str())) {
log_d("transport level verify failed");
_client->stop();
return false;
}
#endif
/*
#ifdef ESP8266