From 0841d2bc751dc4c4f43617852f8ed504a339ca77 Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Thu, 31 Dec 2020 13:42:15 +0530 Subject: [PATCH] esp_tls: Add warning if the CA chain provided contains one/more invalid cert --- components/esp-tls/esp_tls_mbedtls.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c index bfd8e27da0..e89e84d6f0 100644 --- a/components/esp-tls/esp_tls_mbedtls.c +++ b/components/esp-tls/esp_tls_mbedtls.c @@ -275,6 +275,11 @@ static esp_err_t set_ca_cert(esp_tls_t *tls, const unsigned char *cacert, size_t ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_MBEDTLS, -ret); return ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED; } + if (ret > 0) { + /* This will happen if the CA chain contains one or more invalid certs, going ahead as the hadshake + * may still succeed if the other certificates in the CA chain are enough for the authentication */ + ESP_LOGW(TAG, "mbedtls_x509_crt_parse was partly successful. No. of failed certificates: %d", ret); + } mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_REQUIRED); mbedtls_ssl_conf_ca_chain(&tls->conf, tls->cacert_ptr, NULL); return ESP_OK;