Enable/Disable in secure

[LM-HieuNM]

I am building an MQTT program over TLS. But there is a problem that this library does not support enabling or disabling In secure (Terminology of a feature on MQTTx). Our MQTT certificate does not require domain validation so I get error -9984 right from the tls connection. To solve the problem, I have to do it manually by clearing the result of the domain validation process:

pub unsafe extern "C" fn verify_callback(
  ctx: *mut c_void,
  cert: *mut mbedtls_x509_crt,
  depth: i32,
  flags: *mut u32,
) -> i32 {
    if *flags ==  MBEDTLS_X509_BADCERT_CN_MISMATCH {
        *flags = 0;
        return 0; 
    }
    *flags as i32
}

Is this correct for bypassing domain validation and is there another way?

[bjoernQ]

Is the server using a self-signed certificate?

You could probably also get away with using a correct ca_chain to make validation work.

Not verifying the certificate puts you at risk of someone possibly redirecting the traffic to a malicious server so it pretty much depends if you are willing to take that risk (e.g. probably fine for a personal project or operating in a private network) or not

[AnthonyGrondin]

We don't really expose the mbedtls_ssl_conf_authmode() parameter to the user, as it is determined here, on a best guest try that covers every usage (client and server).

https://github.com/esp-rs/esp-mbedtls/blob/f2924572acb288d28bc9d76294d9ef488613d4a1/esp-mbedtls/src/lib.rs#L363-L372

If you provide any ca_chain, your servername must match the name provided in the certificate, for which the connection is made. The X509 struct currently doesn't allow fetching the name in certificates, because this would require adding a parser, which would add more weight and dependencies. You can use external crates for such purpose, if you want to dynamically set the CN at runtime.