Adds SSL server mode for WiFiServerSecure, for plain SSL connections,
ESP8266WebServerSecure, for HTTPS web serving, and SecureHTTPSUpdater for
encrypted OTA updates.
Example code is provided for all new options, as well as a BASH script for
generating their own, self-signed certificates.
Both ESP8266WebServerSecure and SecureHTTPSUpdater are important for secure
password-based authentication. HTTP Basic Authentication, the only supported
model presently, sends the username and password in *cleartext* and therefore
should *never* be used in any un-SSL encrypted channel unless you don't mind
sharing your login and password with anyone else on the internet. Even if the
ESP8266 is not safety critical, this cleartext broadcast could expose you should
you reuse this password elsewhere on your network or the internet.
* lib/Ticker: add bool active()
Makes it easier to self detach, and check if a timer is still operating.
Signed-off-by: Karl Palsson <karlp@tweak.net.au>
* Code cleanup Ticker.cpp
* Make HTTP server test data easier to examine
* Add HTTP server parameter tests containing & and =
* Fix URL parameter decoding in web server
The parameters string needs to be first split on & and =, and URL
decoding on parts done after that. Otherwise URL encoded & and = within
parameter names and values cause incorrect splitting.
axTLS does not correctly implement max_fragment_length extension. This
causes servers which understand this extension (currently GnuTLS- and
WolfSSL-based) to reject the client hello.
Until this is fixed in axTLS, remove the call to enable this extension
from WiFiClientSecure.
Fixes https://github.com/esp8266/Arduino/issues/3932.
* WiFiClientSecure: use _timeout setting when connecting
This timeout value can be customized via a call to setTimeout function.
Closes https://github.com/esp8266/Arduino/issues/3944.
* WiFiClientSecure: increase default connection timeout to 15 sec
* WiFiClientSecure: don't decrypt when testing for 'connected'
* WiFiClientSecure: don't trash unread decrypted data when writing
When application requests to write data, check if there is any unread
decrypted data left. If there is, don't write immediately, but save the
data to be written. When all decrypted data has been consumed by the
application, send out the saved outgoing data.
Fixes https://github.com/esp8266/Arduino/issues/2256.
* Added constant time strings comparison to avoid possible time-based attacks
* Fixed data types
* Fixed indentation
* Moved string comnparison in constant time to String class; modified function body to assure constant time comparison despite compiler optimizations
* Removed wrong code
* Fixed error and prevented compiler optimization to delete u1 local variable
* Avoid timing attacks on string comparison
* Minor
* changed counter names, removed else
