how to disable server validation (CA)

jakarman12
Posts: 8
Joined: Fri Oct 30, 2020 6:46 pm

how to disable server validation (CA)

Postby jakarman12 » Tue Jan 26, 2021 9:37 pm

Hello guys,

I'm testing the HTTPs module with esp_http_client but I've gotten a bit stuck.

I want to make a request using HTTPS and without validating the server's CA, using the CA's validation works fine, but when I want it not to check the CA (using .skip_cert_common_name_check = true), the program returns the following error. (It seems that it continues to validate the ca :shock: ).

esp-idf: v4.3-dev-2586-g526f68239

=================== ERROR ===========================
E (5001) esp-tls-mbedtls: No server verification option set in esp_tls_cfg_t structure. Check esp_tls API reference
E (5001) esp-tls-mbedtls: Failed to set client configurations
E (5011) esp-tls: create_ssl_handle failed
E (5021) esp-tls: Failed to open new connection
E (5021) TRANS_SSL: Failed to open a new connection
E (5031) HTTP_CLIENT: Connection failed, sock < 0
E (5031) HTTP_CLIENT: Error perform http request ESP_ERR_HTTP_CONNECT
=================================================================

The configuration of the request that I am making is the following. Could you please help me? :)
  1. static void https_with_hostname_path(void)
  2. {
  3.     ESP_LOGI(TAG, "Test HTTPs skip CA");
  4.     esp_http_client_config_t config = {
  5.         .host = "www.howsmyssl.com",
  6.         .path = "/",
  7.         .transport_type = HTTP_TRANSPORT_OVER_SSL,
  8.         .event_handler = _http_event_handler,
  9.         .skip_cert_common_name_check = true
  10.     };
  11.     esp_http_client_handle_t client = esp_http_client_init(&config);
  12.     esp_err_t err = esp_http_client_perform(client);
  13.  
  14.     if (err == ESP_OK) {
  15.         ESP_LOGI(TAG, "HTTPS Status = %d, content_length = %d",
  16.                 esp_http_client_get_status_code(client),
  17.                 esp_http_client_get_content_length(client));
  18.     } else {
  19.         ESP_LOGE(TAG, "Error perform http request %s", esp_err_to_name(err));
  20.     }
  21.     esp_http_client_cleanup(client);
  22. }
Last edited by jakarman12 on Wed Jan 27, 2021 1:25 am, edited 1 time in total.

boarchuz
Posts: 606
Joined: Tue Aug 21, 2018 5:28 am

Re: skip server validation seems not to work

Postby boarchuz » Tue Jan 26, 2021 11:26 pm

skip_cert_common_name_check will not allow you to bypass TLS, it will only avoid checking the certificate's CN (so a possible mismatch would not fail validation).

To completely disable the certificate check, you will need to go to ESP-TLS in menuconfig, enable "Allow potentially insecure options" and then enable "Skip server certificate verification by default" (accepting risks)

jakarman12
Posts: 8
Joined: Fri Oct 30, 2020 6:46 pm

Re: skip server validation seems not to work

Postby jakarman12 » Wed Jan 27, 2021 1:24 am

boarchuz wrote:
Tue Jan 26, 2021 11:26 pm
skip_cert_common_name_check will not allow you to bypass TLS, it will only avoid checking the certificate's CN (so a possible mismatch would not fail validation).

To completely disable the certificate check, you will need to go to ESP-TLS in menuconfig, enable "Allow potentially insecure options" and then enable "Skip server certificate verification by default" (accepting risks)
Hi @boarchuz,

Thanks for the answer, you are right there I was making a mistake due to a confusion that I was having between the CN and the CA.

I'm going to change the name of this post to serve as a tutorial for some clueless like me.

Again thank you very much. :D

prutek
Posts: 1
Joined: Sun Jul 11, 2021 9:27 pm

Re: skip server validation seems not to work

Postby prutek » Sun Jul 11, 2021 9:39 pm

boarchuz wrote:
Tue Jan 26, 2021 11:26 pm
skip_cert_common_name_check will not allow you to bypass TLS, it will only avoid checking the certificate's CN (so a possible mismatch would not fail validation).

To completely disable the certificate check, you will need to go to ESP-TLS in menuconfig, enable "Allow potentially insecure options" and then enable "Skip server certificate verification by default" (accepting risks)
And you need to make changes in file "sdkconfig" in root directory of your project
it was really useful information for me because I spent an hour to find this file*
new in engineering, but really like it!

Who is online

Users browsing this forum: Majestic-12 [Bot] and 108 guests