Question : MQTT TLS check CN

eclipse-threadx / netxduo

Eclipse ThreadX - NetXDuo is an advanced, industrial-grade TCP/IP network stack designed specifically for deeply embedded real-time and IoT applications

https://github.com/eclipse-threadx/rtos-docs/blob/main/rtos-docs/netx-duo/index.md

MIT License

230 stars 131 forks source link

Question : MQTT TLS check CN #101

Closed EdouardMALOT closed 2 years ago

EdouardMALOT commented 2 years ago

Hi,

I am using MQTT with TLS v1.2 (netxduo is client and check the server certificate).

Does netxduo check if the "CN" in certificate match with the url ? (It seems not). Does it possible to enable this verification ?

Thanks for all your work.

tstapko commented 2 years ago

Check out the API nx_secure_x509_common_name_dns_check(). It should do what you want.

It's not done by default because the NetX TLS stack isn't always paired with DNS.

Hope that helps!

TiejunMS commented 2 years ago

Here is a reference implementation in azure iot addons.

In tls_setup callback function of MQTT, set the certificate verify callback function here.
In certificate verify function, call nx_secure_x509_common_name_dns_check as mentioned by @tstapko .

EdouardMALOT commented 2 years ago

Perfect, thanks