From f52f26f5663047695e64dd80ad4de2dcb751e48c Mon Sep 17 00:00:00 2001
From: s-hadinger <49731213+s-hadinger@users.noreply.github.com>
Date: Sat, 16 Jan 2021 18:07:01 +0100
Subject: [PATCH] Added ``USE_MQTT_TLS_DROP_OLD_FINGERPRINT`` compile time option to drop old (less secure) TLS fingerprint (#10584)
Co-authored-by: Stephan Hadinger
---
 CHANGELOG.md | 1 +
 tasmota/WiFiClientSecureLightBearSSL.cpp | 4 ++++
 tasmota/my_user_config.h | 3 +++
 3 files changed, 8 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 743b0fcaa..44b5e00c4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ All notable changes to this project will be documented in this file.
 - ESP8266 Support for 2MB and up linker files with 1MB and up LittleFS
 - ESP32 support for TLS MQTT using BearSSL (same as ESP8266)
 - Support for 24/26/32/34 bit RFID Wiegand interface (D0/D1) by Sigurd Leuther (#3647)
+- Added ``USE_MQTT_TLS_DROP_OLD_FINGERPRINT`` compile time option to drop old (less secure) TLS fingerprint
 ### Breaking Changed
 - ESP32 switch from default SPIFFS to default LittleFS file system loosing current (zigbee) files
diff --git a/tasmota/WiFiClientSecureLightBearSSL.cpp b/tasmota/WiFiClientSecureLightBearSSL.cpp
index 6d7ed37b4..60534c369 100755
--- a/tasmota/WiFiClientSecureLightBearSSL.cpp
+++ b/tasmota/WiFiClientSecureLightBearSSL.cpp
@@ -804,6 +804,7 @@ extern "C" {
 return 0;
 }
+#ifndef USE_MQTT_TLS_DROP_OLD_FINGERPRINT
 // No match under new algorithm, do some basic checking on the key.
 //
 // RSA keys normally have an e value of 65537, which is three bytes long.
@@ -838,6 +839,9 @@ extern "C" {
 pubkeyfingerprint_pubkey_fingerprint(xc, false);
 return 0;
+#else // USE_TLS_OLD_FINGERPRINT_COMPAT
+ return 1; // no match, error
+#endif // USE_TLS_OLD_FINGERPRINT_COMPAT
 } else {
 // Default (no validation at all) or no errors in prior checks = success.
 return 0;
diff --git a/tasmota/my_user_config.h b/tasmota/my_user_config.h
index f62d2a6b7..8f3fa5a89 100644
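Review bot: The trailing comments on the added `#else` and `#endif` in WiFiClientSecureLightBearSSL.cpp name `USE_TLS_OLD_FINGERPRINT_COMPAT`, but the block is opened by `#ifndef USE_MQTT_TLS_DROP_OLD_FINGERPRINT` in the hunk at line 804, and no macro with the other name appears anywhere in this patch. Anyone auditing which builds still accept a match under the old fingerprint algorithm will search for the wrong symbol; the two lines should read `#else // USE_MQTT_TLS_DROP_OLD_FINGERPRINT` and `#endif // USE_MQTT_TLS_DROP_OLD_FINGERPRINT`. Because the guard is an `#ifndef`, the old-algorithm fallback stays compiled in unless the option is defined, which deserves a comment above the guard such as `// Legacy fingerprint fallback, compiled in by default; define USE_MQTT_TLS_DROP_OLD_FINGERPRINT to reject on mismatch`. The enclosing function starts and ends outside both hunks, so the fallback's own accept/reject logic could not be checked from here.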
--- a/tasmota/my_user_config.h
+++ b/tasmota/my_user_config.h
@@ -401,6 +401,9 @@
 // #define USE_MQTT_AWS_IOT // [Deprecated] Enable MQTT for AWS IoT - requires a private key (+11.9k code, +0.4k mem)
 // Note: you need to generate a private key + certificate per device and update 'tasmota/tasmota_aws_iot.cpp'
 // Full documentation here: https://github.com/arendst/Tasmota/wiki/AWS-IoT
+// #define USE_MQTT_TLS_DROP_OLD_FINGERPRINT // If you use fingerprint (i.e. not CA) validation, the algorithm changed to a more secure one.
+ // Any valid fingerprint with the old algo will be automatically updated to the new algo.
+ // Enable this if you want to disable the old algo check, which should be more secure
 // for USE_4K_RSA (support for 4096 bits certificates, instead of 2048), you need to uncommend `-DUSE_4K_RSA` in `build_flags` from `platform.ini` or `platform_override.ini`
 // -- Telegram Protocol ---------------------------
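Review bot: The added comment for `USE_MQTT_TLS_DROP_OLD_FINGERPRINT` ends with "which should be more secure" and never says what a default build does, so a reader cannot tell that leaving the line commented out keeps the old-algorithm check active. I would state both sides, e.g. `// Default (disabled): a fingerprint that matches only under the old algorithm is still accepted and then updated.` and `// Enabled: only a new-algorithm match is accepted; any other key is rejected.` It also looks as though a device whose stored fingerprint is still in the old format would fail to connect once this is enabled, since the update path appears to sit behind the same guard. That is inferred from the .cpp hunks, so it is worth confirming and then mentioning here.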