…s in the SSLClientESP32 class, improve the security of the code
Description
All the private/protected variables need to be initialized to default values as following:
(in the SSLClientESP32.h file)
class SSLClientESP32 : public Client
{
protected:
SSLClientLib::sslclient_context *sslclient;
int _lastError = 0;
int _peek = -1;
int _timeout = 0;
bool _use_insecure = false;
const char *_CA_cert = nullptr;
const char *_cert = nullptr;
const char *_private_key = nullptr;
const char *_pskIdent = nullptr; // identity for PSK cipher suites
const char *_psKey = nullptr; // key in hex for PSK cipher suites
const char **_alpn_protos = nullptr;
bool _use_ca_bundle = false;
Also, insert _use_insecure = false; to the SSLClientESP32::SSLClientESP32(Client* client) constructor in the SSLClientESP32.cpp in order to prevent an accidently insecure behavior (skip certificate validation without users notice) when initialize the object at run time (for example, the users declare and initialize an SSLClientESP32 object inside a local function).
Motivation and context
The following usage will lead to unexpected insecure behavior:
The above code will successfully connect and perform a GET request even with the invalid/wrong root_ca, without the users' notice.
How this has been tested?
This library will do correctly as expected if users declare and initiallize a SSLClientESP32 sslClient(&baseClient); at the global scope. But it fail to verify the root_ca if you initiallize the object in a local scope (so it will initiallize at runtime).
After do some small modifications as decribed in the first section, I've tested the above code with a valid root_ca --> it will perform verification successfully. If the root_ca is invalid it will reject the connection.
I've also tested other usual use-cases as indicated in the documentation, it still works. That means my modification does not break any previous code.
Formally, the library will wrongly fallback to insecure mode, and the setCACert(root_ca) never takes effect when initiallizing the object locally.
Tested with:
Hardware: ESP32 Dev Module
SSLClient version: v2.0.0
I would like to thank the author of this library for his time and contribution!
alkonosst
commented
1 year ago
…s in the SSLClientESP32 class, improve the security of the code
Description
All the private/protected variables need to be initialized to default values as following: (in the SSLClientESP32.h file)
Also, insert
_use_insecure = false;to theSSLClientESP32::SSLClientESP32(Client* client)constructor in theSSLClientESP32.cppin order to prevent an accidently insecure behavior (skip certificate validation without users notice) when initialize the object at run time (for example, the users declare and initialize an SSLClientESP32 object inside a local function).Motivation and context
The following usage will lead to unexpected insecure behavior:
The above code will successfully connect and perform a GET request even with the invalid/wrong
root_ca, without the users' notice.How this has been tested?
This library will do correctly as expected if users declare and initiallize a
SSLClientESP32 sslClient(&baseClient);at the global scope. But it fail to verify theroot_caif you initiallize the object in a local scope (so it will initiallize at runtime).After do some small modifications as decribed in the first section, I've tested the above code with a valid root_ca --> it will perform verification successfully. If the
root_cais invalid it will reject the connection.I've also tested other usual use-cases as indicated in the documentation, it still works. That means my modification does not break any previous code.
Formally, the library will wrongly fallback to
insecuremode, and thesetCACert(root_ca)never takes effect when initiallizing the object locally.Tested with:
I would like to thank the author of this library for his time and contribution!