Do Any SSL/WSS Components Perform Expiration Validation?

oklambdago

Do Any SSL/WSS Components Perform Expiration Validation?

Postby oklambdago » Sun Mar 28, 2021 4:09 pm

Hi There,

I am using encryption in several IDF components:

1. HTTP Client -- requests to https, for which I supply a certificate
2. OTA -- the firmware downloads from an https URL, for which I supply a certificate
3. MQTT -- wss://, for which I DO NOT provide a certificate.

Question 1:
I know 1 and 2 perform CN checking by default, however I am not sure about CN checking for wss://. Is CN checking performed for 3?

Question 2:
DO ANY of the above methods check expiration time? I have read in several places that by default no expiration checking is done. I'm not setting the time on the device so I don't even know how it would be possible. If possible, I'd like to disable all expiration checking.

Thanks!

ESP-Marius

Re: Do Any SSL/WSS Components Perform Expiration Validation?

Postby ESP-Marius » Mon Mar 29, 2021 1:44 am

1. CN checking should be performed by default unless you've disabled it (see skip_cert_common_name_check in the MQTT config struct)

2. Expiration checking is controlled by the MBEDTLS_HAVE_TIME_DATE setting in menuconfig, which should be disabled by default.
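
As an added illustration (not part of the original posts, and not mbedTLS or ESP-IDF source), the C model below shows what the validity-window check gated by MBEDTLS_HAVE_TIME_DATE does with a device clock that was never set. The function check_validity, its have_time_date parameter and all timestamps are constructed for this example; the two flag values match MBEDTLS_X509_BADCERT_EXPIRED and MBEDTLS_X509_BADCERT_FUTURE.

```c
#include <stdio.h>
#include <time.h>

/* Same numeric values as MBEDTLS_X509_BADCERT_EXPIRED / _FUTURE in mbedTLS */
#define BADCERT_EXPIRED 0x01u
#define BADCERT_FUTURE  0x0200u

/* Constructed sample values (Unix seconds, UTC) */
#define NOT_BEFORE  1609459200L  /* certificate valid from 2021-01-01 */
#define NOT_AFTER   1640995200L  /* certificate valid until 2022-01-01 */
#define CLOCK_OK    1617000000L  /* 2021-03-29: clock synced, cert in window */
#define CLOCK_LATE  1650000000L  /* 2022-04-15: clock synced, cert expired */
#define CLOCK_UNSET 0L           /* clock never set: reads 1970-01-01 */

/* Hypothetical helper modelling the date step of X.509 verification.
 * have_time_date stands in for the compile-time MBEDTLS_HAVE_TIME_DATE
 * option: when it is 0 the dates are never compared, so no date-related
 * flag can be raised. */
unsigned check_validity(int have_time_date, time_t now,
                        time_t not_before, time_t not_after)
{
    unsigned flags = 0;

    if (!have_time_date)
        return flags;              /* option off: expiry is not enforced */
    if (now > not_after)
        flags |= BADCERT_EXPIRED;  /* past notAfter */
    if (now < not_before)
        flags |= BADCERT_FUTURE;   /* before notBefore */
    return flags;
}

int main(void)
{
    /* Option off: an expired certificate is accepted. */
    printf("off, expired cert : 0x%04x\n",
           check_validity(0, CLOCK_LATE, NOT_BEFORE, NOT_AFTER));
    /* Option on, synced clock: the same certificate is rejected. */
    printf("on,  expired cert : 0x%04x\n",
           check_validity(1, CLOCK_LATE, NOT_BEFORE, NOT_AFTER));
    /* Option on, clock never set: a valid certificate looks "not yet valid". */
    printf("on,  unset clock  : 0x%04x\n",
           check_validity(1, CLOCK_UNSET, NOT_BEFORE, NOT_AFTER));
    /* Option on, synced clock, certificate inside its window. */
    printf("on,  valid cert   : 0x%04x\n",
           check_validity(1, CLOCK_OK, NOT_BEFORE, NOT_AFTER));
    return 0;
}
```

The third case is why a build with the option enabled needs the clock set (for example via SNTP) before the first TLS handshake.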

oklambdago

Re: Do Any SSL/WSS Components Perform Expiration Validation?

Postby oklambdago » Mon Mar 29, 2021 12:23 pm

Thanks for the quick and helpful answer, ESP-Marius!
