[lwip-users] MBEDTLS_SSL_VERIFY_REQUIRED in altcp_tls_mbedtls


From: Cesare Garlati
Subject: [lwip-users] MBEDTLS_SSL_VERIFY_REQUIRED in altcp_tls_mbedtls
Date: Mon, 22 Jun 2020 11:13:50 -0700

LWIP builds by default with TLS CA certificate verification optional
(MBEDTLS_SSL_VERIFY_OPTIONAL), which is unsuitable for production as it
bypasses TLS authentication.

Question: is there a way to change the mbedTLS setting into 
MBEDTLS_SSL_VERIFY_REQUIRED without hacking the lwip code?

Would it make sense to add a new lwip config macro
ALTCP_MBEDTLS_SSL_VERIFY with the 4 mbedTLS options below?

#define MBEDTLS_SSL_VERIFY_NONE         0
#define MBEDTLS_SSL_VERIFY_OPTIONAL     1
#define MBEDTLS_SSL_VERIFY_REQUIRED     2
#define MBEDTLS_SSL_VERIFY_UNSET        3

Alternatively, would it make sense to ship lwip with security enabled by
default and simply replace the current MBEDTLS_SSL_VERIFY_OPTIONAL with
MBEDTLS_SSL_VERIFY_REQUIRED in apps/altcp_tls/altcp_tls_mbedtls?

Happy to submit a patch if it makes sense.


Cesare

