Azure / azure-iot-middleware-freertos

Azure IoT Middleware for FreeRTOS
https://azure.github.io/azure-iot-middleware-freertos/
MIT License
82 stars 24 forks source link

TLS connection: No server cert check on ESP32 #235

Closed SeriousD closed 2 years ago

SeriousD commented 2 years ago

Hello, I try to integrate the azure iot middleware into my existing project. The software compiles and can be flashed. After a wifi connection is established the ESP32 tries to connect to the azure IoT hub and fails: Error: Time:Tue Jun 7 14:09:22 2022 File:../components/esp-azure/azure-iot-sdk-c/iothub_client/src/iothubtransport_mqtt_common.c Func:InitializeConnection Line:2355 mqtt_client timed out waiting for CONNACK Error: Time:Tue Jun 7 14:09:22 2022 File:../components/esp-azure/port/src/tlsio_esp_tls.c Func:tlsio_esp_tls_destroy Line:152 tlsio_esp_tls_destroy called while not in TLSIO_STATE_CLOSED. Error: Time:Tue Jun 7 14:43:17 2022 File:../components/esp-azure/port/src/tlsio_esp_tls.c Func:tlsio_esp_tls_open_async Line:323 TLS INIT E (4289772) esp-tls-mbedtls: No server verification option set in esp_tls_cfg_t structure. Check esp_tls API reference E (4289772) esp-tls-mbedtls: Failed to set client configurations, returned [0x8017] (ESP_ERR_MBEDTLS_SSL_SETUP_FAILED) E (4289782) esp-tls: create_ssl_handle failed The c SDK has some root certs in it and also the port. In the port folder the comment states that the root cert is used for the ESP8266.

How do I tell the ESP32 implementation to either use the shipped certificate(s) or to use the cert bundle?

danewalton commented 2 years ago

Hi @SeriousD The integration point for adding the server certificates is here: https://github.com/Azure-Samples/iot-middleware-freertos-samples/blob/154ba9fbd280b855c6e49e6e9c9ee34c35705c0f/demos/projects/ESPRESSIF/esp32/components/sample-azure-iot/transport_tls_esp32.c#L89-L92 Are you asking how to put the same certs in your project?

SeriousD commented 2 years ago

Yes. As far as I see the MQTT connection fails because the MBEDTLS Stack doesnt use server cert validation for the ESP32. See ´Line:323 TLS INIT E (4289772) esp-tls-mbedtls: No server verification option set in esp_tls_cfg_t structure´

danewalton commented 2 years ago

Gotcha. I would recommend using that link I sent as a guide if you are applying this to your own project. Otherwise, our samples should already do that.

danewalton commented 2 years ago

Going to close for now but please let us know if you would like it reopened.