Do Any SSL/WSS Components Perform Expiration Validation?

oklambdago
Posts: 19
Joined: Mon Mar 15, 2021 12:54 pm

Do Any SSL/WSS Components Perform Expiration Validation?

Postby oklambdago » Sun Mar 28, 2021 4:09 pm

Hi There,

I am using encryption in several IDF components:

1. Http Client -- requests to https, for which I supply a certificate
2. OTA -- the firmware downloads from a https url, for which I supply a certificate
3. MQTT -- wss://, for which I DO NOT provide a certificate.

Question 1:
I know 1 and 2 perform CN checking by default, however I am not sure about CN checking for wss://. Is CN checking performed for 3?

Question 2:
DO ANY of the above methods check expiration time? I have read in several places that by default no expiration checking is done. I'm not setting the time on the device so I don't even know how it would be possible. If possible, I'd like to disable all expiration checking.

Thanks!

ESP-Marius
Posts: 74
Joined: Wed Oct 23, 2019 1:49 am

Re: Do Any SSL/WSS Components Perform Expiration Validation?

Postby ESP-Marius » Mon Mar 29, 2021 1:44 am

1. CN checking should be performed by default unless you've disabled it (see skip_cert_common_name_check in the MQTT config struct)

2. Expiration checking is controlled by the MBEDTLS_HAVE_TIME_DATE setting in menuconfig. Which should be disabled by default.

oklambdago
Posts: 19
Joined: Mon Mar 15, 2021 12:54 pm

Re: Do Any SSL/WSS Components Perform Expiration Validation?

Postby oklambdago » Mon Mar 29, 2021 12:23 pm

Thanks for the quick and helpful answer ESP-Marius!

Who is online

Users browsing this forum: Baidu [Spider] and 186 guests