Hi Ilias,

On 2/28/25 22:26, Ilias Apalodimas wrote:
> Hi Jerome
>
> ++CC Simon for lwIP
>
> On Thu, 27 Feb 2025 at 18:09, Jerome Forissier
> <[email protected]> wrote:
>>
>> Instead of relying on some build time configuration to determine if
>> server certificates need to be checked against CA certificates, do it
>> based on the availability of such certificates. If no CA is configured
>> then no check can succeed; on the other hand if we have CA certs then
>> we should not ignore them. It is always possible to remove the CA certs
>> (via 'wget cacert 0 0') to force an HTTPS download that would fail
>> certificate validation
>
> This looks correct, but we should at some point send those to lwIP as
> well instead of keeping them locally
I agree, but it seems upstream doesn't care much about contributions,
unfortunately. The patches I submitted got zero consideration until now
[1][2]. And the list of unacknowledged/unassigned patches is quite large
[3]. So I would not bother for now.

[1] https://savannah.nongnu.org/patch/?10462 (TFTP blocksize)
[2] https://savannah.nongnu.org/patch/?10480 (TFTP port binding)
[3] https://savannah.nongnu.org/patch/?group=lwip

>
> Reviewed-by: Ilias Apalodimas <[email protected]>

Thanks!
--
Jerome

>
>>
>> Signed-off-by: Jerome Forissier <[email protected]> >> --- >> lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c | 3 ++- >> .../lwip/src/include/lwip/apps/altcp_tls_mbedtls_opts.h | 6 ------ >> 2 files changed, 2 insertions(+), 7 deletions(-) >> >> diff --git a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c >> b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c >> index 46421588fef..fa3d1d74fed 100644 >> --- a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c >> +++ b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c >> @@ -786,6 +786,7 @@ altcp_tls_create_config(int is_server, u8_t cert_count, >> u8_t pkey_count, int hav >> int ret; >> struct altcp_tls_config *conf; >> mbedtls_x509_crt *mem; >> + int authmode = have_ca ? MBEDTLS_SSL_VERIFY_REQUIRED : >> MBEDTLS_SSL_VERIFY_NONE; >> >> if (TCP_WND < MBEDTLS_SSL_IN_CONTENT_LEN || TCP_WND < >> MBEDTLS_SSL_OUT_CONTENT_LEN) { >> LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG|LWIP_DBG_LEVEL_SERIOUS, >> @@ -840,7 +841,7 @@ altcp_tls_create_config(int is_server, u8_t cert_count, >> u8_t pkey_count, int hav >> altcp_mbedtls_free_config(conf); >> return NULL; >> } >> - mbedtls_ssl_conf_authmode(&conf->conf, ALTCP_MBEDTLS_AUTHMODE); >> + mbedtls_ssl_conf_authmode(&conf->conf, authmode); >> >> mbedtls_ssl_conf_rng(&conf->conf, mbedtls_ctr_drbg_random, >> &altcp_tls_entropy_rng->ctr_drbg); >> #if ALTCP_MBEDTLS_LIB_DEBUG != LWIP_DBG_OFF 
>> diff --git a/lib/lwip/lwip/src/include/lwip/apps/altcp_tls_mbedtls_opts.h >> b/lib/lwip/lwip/src/include/lwip/apps/altcp_tls_mbedtls_opts.h >> index e41301c061c..71aa5993935 100644 >> --- a/lib/lwip/lwip/src/include/lwip/apps/altcp_tls_mbedtls_opts.h >> +++ b/lib/lwip/lwip/src/include/lwip/apps/altcp_tls_mbedtls_opts.h >> @@ -100,12 +100,6 @@ >> #define ALTCP_MBEDTLS_SESSION_TICKET_TIMEOUT_SECONDS (60 * 60 * 24) >> #endif >> >> -/** Certificate verification mode: MBEDTLS_SSL_VERIFY_NONE, >> MBEDTLS_SSL_VERIFY_OPTIONAL (default), >> - * MBEDTLS_SSL_VERIFY_REQUIRED (recommended)*/ >> -#ifndef ALTCP_MBEDTLS_AUTHMODE >> -#define ALTCP_MBEDTLS_AUTHMODE >> MBEDTLS_SSL_VERIFY_OPTIONAL >> -#endif >> - >> #endif /* LWIP_ALTCP */ >> >> #endif /* LWIP_HDR_ALTCP_TLS_OPTS_H */ >> -- >> 2.43.0 >>
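Review bot: the new `authmode` selection in the @@ -786 hunk of altcp_tls_mbedtls.c ignores `is_server`, so a server configuration created with CA certificates now gets MBEDTLS_SSL_VERIFY_REQUIRED and will reject every client that does not present a certificate chaining to those CAs, whereas the removed ALTCP_MBEDTLS_AUTHMODE default of MBEDTLS_SSL_VERIFY_OPTIONAL let such clients complete the handshake. If the intent is only the client-side HTTPS download described in the commit message, consider `int authmode = (have_ca && !is_server) ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE;` or spell out the mutual-TLS consequence for servers in the commit message. The fall-back to MBEDTLS_SSL_VERIFY_NONE when no CA is present is also silent; a LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG|LWIP_DBG_LEVEL_SERIOUS, ...) line next to the existing TCP_WND check would make the unauthenticated connection visible to whoever is debugging a download.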
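Review bot: mbedtls_ssl_conf_authmode(&conf->conf, authmode) in the @@ -840 hunk only controls chain validation against the loaded CA set; MBEDTLS_SSL_VERIFY_REQUIRED does not by itself check that the certificate was issued for the host being contacted, which needs mbedtls_ssl_set_hostname() on each per-connection SSL context (the altcp_tls_config touched here is the shared configuration). It would help to state in the patch description that the wget code path sets the hostname; otherwise any certificate chaining to a configured CA is accepted for any server name, and the "certificate validation" the commit message promises is weaker than it reads.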
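Review bot: dropping the ALTCP_MBEDTLS_AUTHMODE option in the @@ -100 hunk of altcp_tls_mbedtls_opts.h silently breaks any lwipopts.h that defines it to pick a verification mode: the macro is now unused, so the definition takes no effect and produces no build-time warning. Either keep a guard such as `#ifdef ALTCP_MBEDTLS_AUTHMODE` / `#error ALTCP_MBEDTLS_AUTHMODE is no longer supported; the mode is derived from the presence of CA certificates` for a release, or at least mention the removed option in the commit message, which currently describes the behaviour change but not the removed configuration knob. The deleted comment also documented MBEDTLS_SSL_VERIFY_REQUIRED as the recommended mode and MBEDTLS_SSL_VERIFY_OPTIONAL as the default; that explanation should move to a comment at the new `authmode` selection in the .c file so a reader knows why "no CA" now means no verification at all rather than optional verification.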

