SSL examples: updates (#8643)

Simplify SSL+ethernet example, reuse/include WiFi example
2025-07-27 18:02:17 +03:00 · 2022-07-27 23:47:10 +02:00
parent e2a36ed6c2
commit 646bdfc060
7 changed files with 107 additions and 297 deletions
--- a/libraries/lwIP_Ethernet/examples/EthSSLValidation/EthSSLValidation.ino
+++ b/libraries/lwIP_Ethernet/examples/EthSSLValidation/EthSSLValidation.ino
@ -11,185 +11,9 @@

 Wiznet5500lwIP eth(/*SS*/ 16);  // <== adapt to your hardware

-#include <WiFiClientSecure.h>
-#include <StackThunk.h>
-#include <time.h>
-#include "certs.h"
-
-const char *path = "/";
-
-// Set time via NTP, as required for x.509 validation
-void setClock() {
-  configTime(3 * 3600, 0, "pool.ntp.org", "time.nist.gov");
-
-  Serial.print("Waiting for NTP time sync: ");
-  time_t now = time(nullptr);
-  while (now < 8 * 3600 * 2) {
-    delay(500);
-    Serial.print(".");
-    now = time(nullptr);
-  }
-  Serial.println("");
-  struct tm timeinfo;
-  gmtime_r(&now, &timeinfo);
-  Serial.print("Current time: ");
-  Serial.print(asctime(&timeinfo));
-}
-
-// Try and connect using a WiFiClientBearSSL to specified host:port and dump HTTP response
-void fetchURL(BearSSL::WiFiClientSecure *client, const char *host, const uint16_t port, const char *path) {
-  if (!path) {
-    path = "/";
-  }
-
-  ESP.resetFreeContStack();
-  uint32_t freeStackStart = ESP.getFreeContStack();
-  Serial.printf("Trying: %s:443...", host);
-  client->connect(host, port);
-  if (!client->connected()) {
-    Serial.printf("*** Can't connect. ***\n-------\n");
-    return;
-  }
-  Serial.printf("Connected!\n-------\n");
-  client->write("GET ");
-  client->write(path);
-  client->write(" HTTP/1.0\r\nHost: ");
-  client->write(host);
-  client->write("\r\nUser-Agent: ESP8266\r\n");
-  client->write("\r\n");
-  uint32_t to = millis() + 5000;
-  if (client->connected()) {
-    do {
-      char tmp[32];
-      memset(tmp, 0, 32);
-      int rlen = client->read((uint8_t *)tmp, sizeof(tmp) - 1);
-      yield();
-      if (rlen < 0) {
-        break;
-      }
-      // Only print out first line up to \r, then abort connection
-      char *nl = strchr(tmp, '\r');
-      if (nl) {
-        *nl = 0;
-        Serial.print(tmp);
-        break;
-      }
-      Serial.print(tmp);
-    } while (millis() < to);
-  }
-  client->stop();
-  uint32_t freeStackEnd = ESP.getFreeContStack();
-  Serial.printf("\nCONT stack used: %d\n", freeStackStart - freeStackEnd);
-  Serial.printf("BSSL stack used: %d\n-------\n\n", stack_thunk_get_max_usage());
-}
-
-void fetchNoConfig() {
-  Serial.printf(R"EOF(
-If there are no CAs or insecure options specified, BearSSL will not connect.
-Expect the following call to fail as none have been configured.
-)EOF");
-  BearSSL::WiFiClientSecure client;
-  fetchURL(&client, gitlab_host, gitlab_port, path);
-}
-
-void fetchInsecure() {
-  Serial.printf(R"EOF(
-This is absolutely *insecure*, but you can tell BearSSL not to check the
-certificate of the server.  In this mode it will accept ANY certificate,
-which is subject to man-in-the-middle (MITM) attacks.
-)EOF");
-  BearSSL::WiFiClientSecure client;
-  client.setInsecure();
-  fetchURL(&client, gitlab_host, gitlab_port, path);
-}
-
-void fetchFingerprint() {
-  Serial.printf(R"EOF(
-The SHA-1 fingerprint of an X.509 certificate can be used to validate it
-instead of the while certificate.  This is not nearly as secure as real
-X.509 validation, but is better than nothing.  Also be aware that these
-fingerprints will change if anything changes in the certificate chain
-(i.e. re-generating the certificate for a new end date, any updates to
-the root authorities, etc.).
-)EOF");
-  BearSSL::WiFiClientSecure client;
-  client.setFingerprint(fingerprint_sni_cloudflaressl_com);
-  fetchURL(&client, gitlab_host, gitlab_port, path);
-}
-
-void fetchSelfSigned() {
-  Serial.printf(R"EOF(
-It is also possible to accept *any* self-signed certificate.  This is
-absolutely insecure as anyone can make a self-signed certificate.
-)EOF");
-  BearSSL::WiFiClientSecure client;
-  Serial.printf("First, try and connect to a badssl.com self-signed website (will fail):\n");
-  fetchURL(&client, "self-signed.badssl.com", 443, "/");
-  Serial.printf("Now we'll enable self-signed certs (will pass)\n");
-  client.allowSelfSignedCerts();
-  fetchURL(&client, "self-signed.badssl.com", 443, "/");
-}
-
-void fetchKnownKey() {
-  Serial.printf(R"EOF(
-The server certificate can be completely ignored and its public key
-hardcoded in your application. This should be secure as the public key
-needs to be paired with the private key of the site, which is obviously
-private and not shared.  A MITM without the private key would not be
-able to establish communications.
-)EOF");
-  BearSSL::WiFiClientSecure client;
-  BearSSL::PublicKey key(pubkey_sni_cloudflaressl_com);
-  client.setKnownKey(&key);
-  fetchURL(&client, gitlab_host, gitlab_port, path);
-}
-
-void fetchCertAuthority() {
-  Serial.printf(R"EOF(
-A specific certification authority can be passed in and used to validate
-a chain of certificates from a given server.  These will be validated
-using BearSSL's rules, which do NOT include certificate revocation lists.
-A specific server's certificate, or your own self-signed root certificate
-can also be used.  ESP8266 time needs to be valid for checks to pass as
-BearSSL does verify the notValidBefore/After fields.
-)EOF");
-
-  BearSSL::WiFiClientSecure client;
-  BearSSL::X509List cert(cert_Cloudflare_Inc_ECC_CA_3);
-  client.setTrustAnchors(&cert);
-  Serial.printf("Try validating without setting the time (should fail)\n");
-  fetchURL(&client, gitlab_host, gitlab_port, path);
-
-  Serial.printf("Try again after setting NTP time (should pass)\n");
-  setClock();
-  fetchURL(&client, gitlab_host, gitlab_port, path);
-}
-
-void fetchFaster() {
-  Serial.printf(R"EOF(
-The ciphers used to set up the SSL connection can be configured to
-only support faster but less secure ciphers.  If you care about security
-you won't want to do this.  If you need to maximize battery life, these
-may make sense
-)EOF");
-  BearSSL::WiFiClientSecure client;
-  client.setInsecure();
-  uint32_t now = millis();
-  fetchURL(&client, gitlab_host, gitlab_port, path);
-  uint32_t delta = millis() - now;
-  client.setInsecure();
-  client.setCiphersLessSecure();
-  now = millis();
-  fetchURL(&client, gitlab_host, gitlab_port, path);
-  uint32_t delta2 = millis() - now;
-  std::vector<uint16_t> myCustomList = { BR_TLS_RSA_WITH_AES_256_CBC_SHA256, BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA };
-  client.setInsecure();
-  client.setCiphers(myCustomList);
-  now = millis();
-  fetchURL(&client, gitlab_host, gitlab_port, path);
-  uint32_t delta3 = millis() - now;
-  Serial.printf("Using more secure: %dms\nUsing less secure ciphers: %dms\nUsing custom cipher list: %dms\n", delta, delta2, delta3);
-}
+#define setup forgetMe
+#include <../../libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino>
+#undef setup

 void setup() {
  Serial.begin(115200);
@ -198,7 +22,7 @@ void setup() {

  Serial.println("\nEthernet\n");

-  // 1. Currently when no default is set, esp8266-Arduino uses the first
+  // 1. Currently when no default route is set, esp8266-Arduino uses the first
  //    DHCP client interface receiving a valid address and gateway to
  //    become the new lwIP default interface.
  // 2. Otherwise - when using static addresses - lwIP for every packets by
@ -231,8 +55,3 @@ void setup() {
  fetchCertAuthority();
  fetchFaster();
 }
-
-
-void loop() {
-  // Nothing to do here
-}