Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(websocket): Expanded example to demonstrate the transfer over TLS (IDFGH-11681) #506

Merged
merged 1 commit into from
Feb 23, 2024

Conversation

gabsuren
Copy link
Contributor

@gabsuren gabsuren commented Feb 7, 2024

No description provided.

@gabsuren gabsuren changed the title feat(websocket): Expanded example to demonstrate the transfer over TLS feat(websocket): Expanded example to demonstrate the transfer over TLS (IDFGH-11681) Feb 7, 2024
@gabsuren gabsuren force-pushed the websocket_ssl_example branch 2 times, most recently from 9d6c01b to a4ae7d9 Compare February 12, 2024 09:17
@gabsuren gabsuren force-pushed the websocket_ssl_example branch 4 times, most recently from 58744a8 to b7a49bc Compare February 12, 2024 11:46
@gabsuren gabsuren marked this pull request as ready for review February 12, 2024 11:46
@gabsuren gabsuren force-pushed the websocket_ssl_example branch 5 times, most recently from 1236708 to 3ea75a0 Compare February 12, 2024 12:28
@david-cermak
Copy link
Collaborator

As mentioned in the comments, I'd suggest using server side verification (always), optionally adding client side verification (mutual authentication).

I think for user's perspective it would be useful to see these two additional configs:

  1. TLS with server side verification only (using some public ws server if available)
  2. Mutual authentication -- with self signed certificates

@gabsuren gabsuren force-pushed the websocket_ssl_example branch from 3ea75a0 to 40fe2e1 Compare February 13, 2024 09:43
@gabsuren
Copy link
Contributor Author

@david-cermak thank you for the review.
I've updated the example with the following changes:

  1. The server now always checks the client's certificates ssl_context.verify_mode = ssl.CERT_REQUIRED.
  2. Both client and server now perform mutual authentication using self-signed certificates.
  3. The client bypasses server certificate verification by enabling CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY=y. But, it uses public and private keys, allowing the server to authenticate the client's identity through its certificates

Please let me know if this adjustment looks ok for you

@gabsuren gabsuren force-pushed the websocket_ssl_example branch 6 times, most recently from d5b1695 to 1717b1b Compare February 14, 2024 09:16
@gabsuren gabsuren force-pushed the websocket_ssl_example branch 13 times, most recently from 5b87169 to 3128d99 Compare February 21, 2024 08:27
@gabsuren gabsuren force-pushed the websocket_ssl_example branch 3 times, most recently from 2195dd1 to d7674f1 Compare February 22, 2024 11:07
Copy link
Collaborator

@david-cermak david-cermak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM otherwise

@gabsuren gabsuren force-pushed the websocket_ssl_example branch 2 times, most recently from 2488889 to 565569e Compare February 23, 2024 07:59
@gabsuren gabsuren force-pushed the websocket_ssl_example branch from 565569e to 0d0630e Compare February 23, 2024 08:08
@gabsuren gabsuren merged commit 9b7c875 into espressif:master Feb 23, 2024
33 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants