Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support to disable tls verification #647

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add support to disable tls verification #647

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions adapters/httpapi_compact.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,7 @@ typedef struct HTTP_HANDLE_DATA_TAG
unsigned int is_connected : 1;
unsigned int send_completed : 1;
bool tls_renegotiation;
bool tls_verification;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't used anywhere (only set) - please remove.

} HTTP_HANDLE_DATA;

/*the following function does the same as sscanf(pos2, "%d", &sec)*/
Expand Down Expand Up @@ -1446,6 +1447,12 @@ HTTPAPI_RESULT HTTPAPI_SetOption(HTTP_HANDLE handle, const char* optionName, con
http_instance->tls_renegotiation = tls_renegotiation;
result = HTTPAPI_OK;
}
else if (strcmp(OPTION_DISABLE_TLS_VERIFICATION, optionName) == 0)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't used anywhere (only set) - please remove.

{
bool tls_verification = *(bool*)value;
http_instance->tls_verification = tls_verification;
result = HTTPAPI_OK;
}
else
{
/*Codes_SRS_HTTPAPI_COMPACT_21_063: [ If the HTTP do not support the optionName, the HTTPAPI_SetOption shall return HTTPAPI_INVALID_ARG. ]*/
Expand Down
14 changes: 14 additions & 0 deletions adapters/tlsio_mbedtls.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1028,6 +1028,20 @@ int tlsio_mbedtls_setoption(CONCRETE_IO_HANDLE tls_io, const char *optionName, c
mbedtls_ssl_conf_renegotiation(&tls_io_instance->config, set_renegotiation ? 1 : 0);
result = 0;
}
}
else if (strcmp(optionName, OPTION_DISABLE_TLS_VERIFICATION) == 0)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please change the option name to: OPTION_DISABLE_TLS_REMOTE_CERTIFICATE_VALIDATION

{
if (value == NULL)
{
LogError("Invalid value set for tls verification");
result = MU_FAILURE;
}
else
{
bool set_verification = *((bool*)(value));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add LogInfo() message if disabling TLS verification.

mbedtls_ssl_conf_authmode(&tls_io_instance->config, set_verification ? MBEDTLS_SSL_VERIFY_NONE: MBEDTLS_SSL_VERIFY_REQUIRED);
result = 0 ;
}
}
else
{
Expand Down