Ensure Bearssl fails validation if verifyLater hasn't been set

SmingHub · Jun 5, 2024 · a1e5d23 · a1e5d23
1 parent 498ed27
commit a1e5d23
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/Sming/Components/ssl/BearSsl/BrClientConnection.cpp b/Sming/Components/ssl/BearSsl/BrClientConnection.cpp
@@ -107,7 +107,11 @@ void BrClientConnection::endCert()
 
 bool BrClientConnection::endChain()
 {
-	return context.session.validateCertificate();
+	auto& session = context.session;
+	if(!session.options.verifyLater && session.validators.isEmpty()) {
+		return false;
+	}
+	return session.validateCertificate();
 }
 
 } // namespace Ssl
diff --git a/docs/source/upgrading/5.1-5.2.rst b/docs/source/upgrading/5.1-5.2.rst
@@ -63,3 +63,15 @@ Esp32 IDF
 
 RP2040
     The installer has been updated to use the latest toolchain (Oct 23), gcc 13.2.
+
+
+**Bearssl client certificate validation**
+
+Using ENABLE_SSL=Bearssl in a client application, no verification on the server certificate is performed.
+This is a potential security issue.
+
+Attempting the same thing with Axtls results in an ``X509_VFY_ERROR_NO_TRUSTED_CERT`` error.
+Applications must explicitly call :cpp:func:`HttpRequest::onSslInit` and set the ``verifyLater`` flag.
+This extra step ensures that security checks are not unintentionally bypassed.
+
+The same behaviour is now presented when using Bearssl, and will now fail with ``X509_NOT_TRUSTED``.