Attach trusted CAs to ssl_client object

kinafu · kinafu · commit c87b58b13081 · 2020-09-22T13:43:53.000+02:00
Credits @meltdown03 espressif#3646 (comment)
diff --git a/libraries/WiFiClientSecure/src/ssl_client.cpp b/libraries/WiFiClientSecure/src/ssl_client.cpp
@@ -103,7 +103,12 @@ int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t p
     }
 
     log_v("Setting up the SSL/TLS structure...");
-
+    ret = esp_crt_bundle_attach(&ssl_client->ssl_conf);
+    
+    if (ret < 0) {
+        return handle_error(ret);
+    }
+    
     if ((ret = mbedtls_ssl_config_defaults(&ssl_client->ssl_conf,
                                            MBEDTLS_SSL_IS_CLIENT,
                                            MBEDTLS_SSL_TRANSPORT_STREAM,
@@ -155,8 +160,10 @@ int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t p
             return handle_error(ret);
         }
     } else {
-        mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_NONE);
-        log_i("WARNING: Use certificates for a more secure communication!");
+        log_d("Loading trusted CA certs");
+        mbedtls_x509_crt_init(&ssl_client->ca_cert);
+        mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+        mbedtls_ssl_conf_ca_chain(&ssl_client->ssl_conf, &ssl_client->ca_cert, NULL);
     }
 
     if (cli_cert != NULL && cli_key != NULL) {
diff --git a/libraries/WiFiClientSecure/src/ssl_client.h b/libraries/WiFiClientSecure/src/ssl_client.h
@@ -11,6 +11,7 @@
 #include "mbedtls/entropy.h"
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/error.h"
+#include "esp_crt_bundle.h"
 
 typedef struct sslclient_context {
     int socket;
