Use root cert, not fingerprint for api.github.com (#7490)

In the HTTPS example we were using a fingerprint which changes almost daily as the github.com certificates are regenerated. Replace this with a trust anchor based on the ultimate root CA that github.com uses to sign their certificates. Assuming they don't change CAs, this certificate should be good until 2030+ Fixes #7489
2025-04-19 23:22:16 +03:00 · 2020-07-28 12:11:00 -07:00 · 2020-07-28 12:11:00 -07:00 · 63b41bcfab
commit 63b41bcfab
parent 355b291614
1 changed files with 53 additions and 18 deletions
--- a/libraries/ESP8266WiFi/examples/HTTPSRequest/HTTPSRequest.ino
+++ b/libraries/ESP8266WiFi/examples/HTTPSRequest/HTTPSRequest.ino
@ -7,11 +7,6 @@
    esp8266/Arduino project continuous integration
    build.

-    Limitations:
-      only RSA certificates
-      no support of Perfect Forward Secrecy (PFS)
-      TLSv1.2 is supported since version 2.4.0-rc1
-
    Created by Ivan Grokhotkov, 2015.
    This example is in public domain.
 */
@ -30,14 +25,38 @@ const char* password = STAPSK;
 const char* host = "api.github.com";
 const int httpsPort = 443;

-// Use web browser to view and copy
-// SHA1 fingerprint of the certificate
-const char fingerprint[] PROGMEM = "5F F1 60 31 09 04 3E F2 90 D2 B0 8A 50 38 04 E8 37 9F BC 76";
+// DigiCert High Assurance EV Root CA
+const char trustRoot[] PROGMEM = R"EOF(
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
+ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL
+MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
+LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug
+RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm
+9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW
+PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM
+xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB
+Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3
+hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg
+EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF
+MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA
+FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec
+nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z
+eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF
+hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2
+Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe
+vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
+OkuE6N36B9K
+-----END CERTIFICATE-----
+)EOF";
+X509List cert(trustRoot);

 void setup() {
  Serial.begin(115200);
  Serial.println();
-  Serial.print("connecting to ");
+  Serial.print("Connecting to ");
  Serial.println(ssid);
  WiFi.mode(WIFI_STA);
  WiFi.begin(ssid, password);
@ -50,21 +69,37 @@ void setup() {
  Serial.println("IP address: ");
  Serial.println(WiFi.localIP());

+  // Set time via NTP, as required for x.509 validation
+  configTime(3 * 3600, 0, "pool.ntp.org", "time.nist.gov");
+
+  Serial.print("Waiting for NTP time sync: ");
+  time_t now = time(nullptr);
+  while (now < 8 * 3600 * 2) {
+    delay(500);
+    Serial.print(".");
+    now = time(nullptr);
+  }
+  Serial.println("");
+  struct tm timeinfo;
+  gmtime_r(&now, &timeinfo);
+  Serial.print("Current time: ");
+  Serial.print(asctime(&timeinfo));
+
  // Use WiFiClientSecure class to create TLS connection
  WiFiClientSecure client;
-  Serial.print("connecting to ");
+  Serial.print("Connecting to ");
  Serial.println(host);

-  Serial.printf("Using fingerprint '%s'\n", fingerprint);
-  client.setFingerprint(fingerprint);
+  Serial.printf("Using certificate: %s\n", trustRoot);
+  client.setTrustAnchors(&cert);

  if (!client.connect(host, httpsPort)) {
-    Serial.println("connection failed");
+    Serial.println("Connection failed");
    return;
  }

  String url = "/repos/esp8266/Arduino/commits/master/status";
-  Serial.print("requesting URL: ");
+  Serial.print("Requesting URL: ");
  Serial.println(url);

  client.print(String("GET ") + url + " HTTP/1.1\r\n" +
@ -72,11 +107,11 @@ void setup() {
               "User-Agent: BuildFailureDetectorESP8266\r\n" +
               "Connection: close\r\n\r\n");

-  Serial.println("request sent");
+  Serial.println("Request sent");
  while (client.connected()) {
    String line = client.readStringUntil('\n');
    if (line == "\r") {
-      Serial.println("headers received");
+      Serial.println("Headers received");
      break;
    }
  }
@ -86,11 +121,11 @@ void setup() {
  } else {
    Serial.println("esp8266/Arduino CI has failed");
  }
-  Serial.println("reply was:");
+  Serial.println("Reply was:");
  Serial.println("==========");
  Serial.println(line);
  Serial.println("==========");
-  Serial.println("closing connection");
+  Serial.println("Closing connection");
 }

 void loop() {