Adds SSL server mode for WiFiServerSecure, for plain SSL connections,
ESP8266WebServerSecure, for HTTPS web serving, and SecureHTTPSUpdater for
encrypted OTA updates.
Example code is provided for all new options, as well as a BASH script for
generating their own, self-signed certificates.
Both ESP8266WebServerSecure and SecureHTTPSUpdater are important for secure
password-based authentication. HTTP Basic Authentication, the only supported
model presently, sends the username and password in *cleartext* and therefore
should *never* be used in any un-SSL encrypted channel unless you don't mind
sharing your login and password with anyone else on the internet. Even if the
ESP8266 is not safety critical, this cleartext broadcast could expose you should
you reuse this password elsewhere on your network or the internet.

axTLS does not correctly implement max_fragment_length extension. This
causes servers which understand this extension (currently GnuTLS- and
WolfSSL-based) to reject the client hello.
Until this is fixed in axTLS, remove the call to enable this extension
from WiFiClientSecure.
Fixes https://github.com/esp8266/Arduino/issues/3932.

* WiFiClientSecure: use _timeout setting when connecting
This timeout value can be customized via a call to setTimeout function.
Closes https://github.com/esp8266/Arduino/issues/3944.
* WiFiClientSecure: increase default connection timeout to 15 sec
* WiFiClientSecure: don't decrypt when testing for 'connected'
* WiFiClientSecure: don't trash unread decrypted data when writing
When application requests to write data, check if there is any unread
decrypted data left. If there is, don't write immediately, but save the
data to be written. When all decrypted data has been consumed by the
application, send out the saved outgoing data.
Fixes https://github.com/esp8266/Arduino/issues/2256.

Mainly useful for testing WiFiClientSecure in local environments.
If allowSelfSignedCerts is called before verifyCertChain, then the
certificate chain will be verified, but the final certificate may be
self-signed.

The ax_port_malloc, ax_port_calloc, ax_port_realloc, and ax_port_free
functions in WiFiClientSecure are not actually used by the AXTLS library.
It's directly using the library routines, and these functions are never
used. Remove these dead bits of code to make the axtls operation clearer.

When WiFiClientSecure::connect was called, it would first tear down an
existing and set up a new TCP session, then tear down the existing TLS
session (using ssl_free), and then set up a new one. This caused a TLS
close-notify alert to be sent to the new TCP session, preventing the new
session from being established. This change postpones setting IO ctx to
the new TCP connection, fixing this issue.
Ref https://github.com/esp8266/Arduino/issues/3330

WiFiClient write timeouts introduced in #3257 applied to the whole write
operation, which could take a long time if data size was large. This
change makes the timeout happen per chunk. Timeout now happens if no
data has been delivered within a given interval.

Some websites have certificates with uppercase letters in CN. This change
makes _verifyDN function accept such certificates by converting all names
to lower case before comparing them.
Resolves #2978

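The case-insensitive name comparison described in the commit above, as an added example that is not the project's `_verifyDN` code. The helper names `dnsNamesMatch` and `certMatchesHost` and the sample names are constructed for illustration; the sketch folds only ASCII A-Z, compares whole names (never a prefix or substring), and rejects embedded NUL bytes.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// ASCII-only lowercase. Locale-independent, so no byte outside A-Z is remapped.
static char asciiLower(char c) {
    return (c >= 'A' && c <= 'Z') ? static_cast<char>(c - 'A' + 'a') : c;
}

// Hypothetical helper: true only if both names are identical after ASCII
// case folding. Lengths must match, so "host.evil.test" never matches "host".
bool dnsNamesMatch(const std::string& certName, const std::string& host) {
    if (certName.empty() || certName.size() != host.size()) return false;
    for (size_t i = 0; i < certName.size(); ++i) {
        // An embedded NUL would truncate the name in C-string based code paths.
        if (certName[i] == '\0' || host[i] == '\0') return false;
        if (asciiLower(certName[i]) != asciiLower(host[i])) return false;
    }
    return true;
}

// Hypothetical helper: accept the certificate if any of its names (CN or
// alternative names, already extracted by the TLS library) matches the host.
bool certMatchesHost(const std::vector<std::string>& certNames,
                     const std::string& host) {
    for (const std::string& name : certNames) {
        if (dnsNamesMatch(name, host)) return true;
    }
    return false;
}

int main() {
    // Constructed sample names, not taken from a real certificate.
    const std::string host = "www.example.com";
    const std::vector<std::string> names = {"Example.COM", "WWW.Example.COM"};

    std::printf("byte-exact compare : %d\n", names[1] == host);
    std::printf("case-folded compare: %d\n", dnsNamesMatch(names[1], host));
    std::printf("any name matches   : %d\n", certMatchesHost(names, host));
    std::printf("suffix-extended    : %d\n",
                dnsNamesMatch("www.example.com.evil.test", host));
    return 0;
}
```
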
Previously, _write_some function would be called each time TCP stack
notifies the application that some data was delivered (via the `sent`
callback). In turn, _write_some would obtain more data to be sent from
the DataSource. In case of a DataSource backed by a Stream, this would
read from a stream. Some libraries (such as SD) may call `yield` and
other blocking operations from Stream read function, which cannot be
used in TCP stack callbacks.
This change moves the data sending loop back into the Arduino task, with
a negligible loss of performance. TCP callback now wakes the main task
via `esp_schedule`, which performs stream read and provides more data
to the TCP stack.
Possible future optimization would be to buffer Stream data ahead of
time. That way, buffered data could be sent immediately from the TCP
callback. On the other hand, this optimization would need extra TCP_MSS
of temporary storage, per connection.
Fixes #2399.