arduino/esp8266
1
0
Fork 0
mirror of https://github.com/esp8266/Arduino.git synced 2025-04-21 10:26:06 +03:00
Code

Use root cert, not fingerprint for api.github.com (#7490)

Browse Source 
In the HTTPS example we were using a fingerprint which changes almost
daily as the github.com certificates are regenerated.  Replace this with
a trust anchor based on the ultimate root CA that github.com uses to
sign their certificates.  Assuming they don't change CAs, this
certificate should be good until 2030+

Fixes #7489
This commit is contained in:
Earle F. Philhower, III 2020-07-28 12:11:00 -07:00 committed by GitHub
parent 355b291614
commit 63b41bcfab
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 53 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
libraries/ESP8266WiFi/examples/HTTPSRequest/HTTPSRequest.ino
View File

@ -7,11 +7,6 @@
esp8266/Arduino project continuous integration esp8266/Arduino project continuous integration
build. build.
Limitations:
only RSA certificates
no support of Perfect Forward Secrecy (PFS)
TLSv1.2 is supported since version 2.4.0-rc1
Created by Ivan Grokhotkov, 2015. Created by Ivan Grokhotkov, 2015.
This example is in public domain. This example is in public domain.
*/ */
@ -30,14 +25,38 @@ const char* password = STAPSK;
const char* host = "api.github.com"; const char* host = "api.github.com";
const int httpsPort = 443; const int httpsPort = 443;
// Use web browser to view and copy // DigiCert High Assurance EV Root CA
// SHA1 fingerprint of the certificate const char trustRoot[] PROGMEM = R"EOF(
const char fingerprint[] PROGMEM = "5F F1 60 31 09 04 3E F2 90 D2 B0 8A 50 38 04 E8 37 9F BC 76"; -----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL
MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug
RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm
+9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW
PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM
xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB
Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3
hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg
EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF
MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA
FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec
nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z
eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF
hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2
Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe
vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
+OkuE6N36B9K
-----END CERTIFICATE-----
)EOF";
X509List cert(trustRoot);
void setup() { void setup() {
Serial.begin(115200); Serial.begin(115200);
Serial.println(); Serial.println();
Serial.print("connecting to "); Serial.print("Connecting to ");
Serial.println(ssid); Serial.println(ssid);
WiFi.mode(WIFI_STA); WiFi.mode(WIFI_STA);
WiFi.begin(ssid, password); WiFi.begin(ssid, password);
@ -50,21 +69,37 @@ void setup() {
Serial.println("IP address: "); Serial.println("IP address: ");
Serial.println(WiFi.localIP()); Serial.println(WiFi.localIP());
// Set time via NTP, as required for x.509 validation
configTime(3 * 3600, 0, "pool.ntp.org", "time.nist.gov");
Serial.print("Waiting for NTP time sync: ");
time_t now = time(nullptr);
while (now < 8 * 3600 * 2) {
delay(500);
Serial.print(".");
now = time(nullptr);
}
Serial.println("");
struct tm timeinfo;
gmtime_r(&now, &timeinfo);
Serial.print("Current time: ");
Serial.print(asctime(&timeinfo));
// Use WiFiClientSecure class to create TLS connection // Use WiFiClientSecure class to create TLS connection
WiFiClientSecure client; WiFiClientSecure client;
Serial.print("connecting to "); Serial.print("Connecting to ");
Serial.println(host); Serial.println(host);
Serial.printf("Using fingerprint '%s'\n", fingerprint); Serial.printf("Using certificate: %s\n", trustRoot);
client.setFingerprint(fingerprint); client.setTrustAnchors(&cert);
if (!client.connect(host, httpsPort)) { if (!client.connect(host, httpsPort)) {
Serial.println("connection failed"); Serial.println("Connection failed");
return; return;
} }
String url = "/repos/esp8266/Arduino/commits/master/status"; String url = "/repos/esp8266/Arduino/commits/master/status";
Serial.print("requesting URL: "); Serial.print("Requesting URL: ");
Serial.println(url); Serial.println(url);
client.print(String("GET ") + url + " HTTP/1.1\r\n" + client.print(String("GET ") + url + " HTTP/1.1\r\n" +
@ -72,11 +107,11 @@ void setup() {
"User-Agent: BuildFailureDetectorESP8266\r\n" + "User-Agent: BuildFailureDetectorESP8266\r\n" +
"Connection: close\r\n\r\n"); "Connection: close\r\n\r\n");
Serial.println("request sent"); Serial.println("Request sent");
while (client.connected()) { while (client.connected()) {
String line = client.readStringUntil('\n'); String line = client.readStringUntil('\n');
if (line == "\r") { if (line == "\r") {
Serial.println("headers received"); Serial.println("Headers received");
break; break;
} }
} }
@ -86,11 +121,11 @@ void setup() {
} else { } else {
Serial.println("esp8266/Arduino CI has failed"); Serial.println("esp8266/Arduino CI has failed");
} }
Serial.println("reply was:"); Serial.println("Reply was:");
Serial.println("=========="); Serial.println("==========");
Serial.println(line); Serial.println(line);
Serial.println("=========="); Serial.println("==========");
Serial.println("closing connection"); Serial.println("Closing connection");
} }
void loop() { void loop() {