SNI support (#592)
Server Name Indication (SNI) support for WiFiClientSecure Fix https://github.com/espressif/arduino-esp32/issues/571 and https://github.com/espressif/arduino-esp32/issues/550
This commit is contained in:
parent
04044e2245
commit
ad179548e4
@ -97,7 +97,12 @@ int WiFiClientSecure::connect(const char *host, uint16_t port)
|
||||
|
||||
int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
|
||||
{
|
||||
int ret = start_ssl_client(sslclient, ip, port, _CA_cert, _cert, _private_key);
|
||||
return connect(ip.toString().c_str(), port, _CA_cert, _cert, _private_key);
|
||||
}
|
||||
|
||||
int WiFiClientSecure::connect(const char *host, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
|
||||
{
|
||||
int ret = start_ssl_client(sslclient, host, port, _CA_cert, _cert, _private_key);
|
||||
if (ret < 0) {
|
||||
log_e("lwip_connect_r: %d", errno);
|
||||
stop();
|
||||
@ -107,18 +112,6 @@ int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *_CA_cert,
|
||||
return 1;
|
||||
}
|
||||
|
||||
int WiFiClientSecure::connect(const char *host, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
|
||||
{
|
||||
struct hostent *server;
|
||||
server = gethostbyname(host);
|
||||
if (server == NULL) {
|
||||
return 0;
|
||||
}
|
||||
IPAddress srv((const uint8_t *)(server->h_addr));
|
||||
return connect(srv, port, _CA_cert, _cert, _private_key);
|
||||
}
|
||||
|
||||
|
||||
size_t WiFiClientSecure::write(uint8_t data)
|
||||
{
|
||||
return write(&data, 1);
|
||||
|
@ -37,7 +37,7 @@ void ssl_init(sslclient_context *ssl_client)
|
||||
}
|
||||
|
||||
|
||||
int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key)
|
||||
int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key)
|
||||
{
|
||||
char buf[512];
|
||||
int ret, flags, len, timeout;
|
||||
@ -53,10 +53,17 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
|
||||
return ssl_client->socket;
|
||||
}
|
||||
|
||||
struct hostent *server;
|
||||
server = gethostbyname(host);
|
||||
if (server == NULL) {
|
||||
return 0;
|
||||
}
|
||||
IPAddress srv((const uint8_t *)(server->h_addr));
|
||||
|
||||
struct sockaddr_in serv_addr;
|
||||
memset(&serv_addr, 0, sizeof(serv_addr));
|
||||
serv_addr.sin_family = AF_INET;
|
||||
serv_addr.sin_addr.s_addr = ipAddress;
|
||||
serv_addr.sin_addr.s_addr = srv;
|
||||
serv_addr.sin_port = htons(port);
|
||||
|
||||
if (lwip_connect(ssl_client->socket, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) == 0) {
|
||||
@ -90,9 +97,9 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
|
||||
return handle_error(ret);
|
||||
}
|
||||
|
||||
/* MBEDTLS_SSL_VERIFY_REQUIRED if a CA certificate is defined on Arduino IDE and
|
||||
MBEDTLS_SSL_VERIFY_NONE if not.
|
||||
*/
|
||||
// MBEDTLS_SSL_VERIFY_REQUIRED if a CA certificate is defined on Arduino IDE and
|
||||
// MBEDTLS_SSL_VERIFY_NONE if not.
|
||||
|
||||
if (rootCABuff != NULL) {
|
||||
log_i("Loading CA cert");
|
||||
mbedtls_x509_crt_init(&ssl_client->ca_cert);
|
||||
@ -129,18 +136,12 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
|
||||
mbedtls_ssl_conf_own_cert(&ssl_client->ssl_conf, &ssl_client->client_cert, &ssl_client->client_key);
|
||||
}
|
||||
|
||||
/*
|
||||
// TODO: implement match CN verification
|
||||
|
||||
log_i("Setting hostname for TLS session...");
|
||||
|
||||
// Hostname set here should match CN in server certificate
|
||||
if((ret = mbedtls_ssl_set_hostname(&ssl_client->ssl_ctx, host)) != 0)
|
||||
{
|
||||
if((ret = mbedtls_ssl_set_hostname(&ssl_client->ssl_ctx, host)) != 0){
|
||||
return handle_error(ret);
|
||||
|
||||
}
|
||||
*/
|
||||
|
||||
mbedtls_ssl_conf_rng(&ssl_client->ssl_conf, mbedtls_ctr_drbg_random, &ssl_client->drbg_ctx);
|
||||
|
||||
@ -221,7 +222,7 @@ int data_to_read(sslclient_context *ssl_client)
|
||||
ret = mbedtls_ssl_read(&ssl_client->ssl_ctx, NULL, 0);
|
||||
//log_e("RET: %i",ret); //for low level debug
|
||||
res = mbedtls_ssl_get_bytes_avail(&ssl_client->ssl_ctx);
|
||||
//log_e("RES: %i",res);
|
||||
//log_e("RES: %i",res); //for low level debug
|
||||
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret < 0) {
|
||||
return handle_error(ret);
|
||||
}
|
||||
|
@ -27,7 +27,7 @@ typedef struct sslclient_context {
|
||||
|
||||
|
||||
void ssl_init(sslclient_context *ssl_client);
|
||||
int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
|
||||
int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
|
||||
void stop_ssl_socket(sslclient_context *ssl_client, const char *rootCABuff, const char *cli_cert, const char *cli_key);
|
||||
int data_to_read(sslclient_context *ssl_client);
|
||||
int send_ssl_data(sslclient_context *ssl_client, const uint8_t *data, uint16_t len);
|
||||
|
Loading…
Reference in New Issue
Block a user