jeans/Tasmota
jeans/Tasmota
1
0
Fork 0
mirror of https://github.com/arendst/Tasmota.git synced 2025-07-25 19:56:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added `USE_MQTT_TLS_DROP_OLD_FINGERPRINT` compile time option to drop old (less secure) TLS fingerprint (#10584)

Browse Source 
Co-authored-by: Stephan Hadinger <stephan.hadinger@gmail.com>
This commit is contained in:
s-hadinger 2021-01-16 18:07:01 +01:00 committed by GitHub
parent 8f0fb3ef35
commit f52f26f566
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -13,6 +13,7 @@ All notable changes to this project will be documented in this file.
- ESP8266 Support for 2MB and up linker files with 1MB and up LittleFS - ESP8266 Support for 2MB and up linker files with 1MB and up LittleFS
- ESP32 support for TLS MQTT using BearSSL (same as ESP8266) - ESP32 support for TLS MQTT using BearSSL (same as ESP8266)
- Support for 24/26/32/34 bit RFID Wiegand interface (D0/D1) by Sigurd Leuther (#3647) - Support for 24/26/32/34 bit RFID Wiegand interface (D0/D1) by Sigurd Leuther (#3647)
- Added ``USE_MQTT_TLS_DROP_OLD_FINGERPRINT`` compile time option to drop old (less secure) TLS fingerprint
### Breaking Changed ### Breaking Changed
- ESP32 switch from default SPIFFS to default LittleFS file system loosing current (zigbee) files - ESP32 switch from default SPIFFS to default LittleFS file system loosing current (zigbee) files

4
tasmota/WiFiClientSecureLightBearSSL.cpp
View File

@ -804,6 +804,7 @@ extern "C" {
return 0; return 0;
} }
#ifndef USE_MQTT_TLS_DROP_OLD_FINGERPRINT
// No match under new algorithm, do some basic checking on the key. // No match under new algorithm, do some basic checking on the key.
// //
// RSA keys normally have an e value of 65537, which is three bytes long. // RSA keys normally have an e value of 65537, which is three bytes long.
@ -838,6 +839,9 @@ extern "C" {
pubkeyfingerprint_pubkey_fingerprint(xc, false); pubkeyfingerprint_pubkey_fingerprint(xc, false);
return 0; return 0;
#else // USE_TLS_OLD_FINGERPRINT_COMPAT
return 1; // no match, error
#endif // USE_TLS_OLD_FINGERPRINT_COMPAT
} else { } else {
// Default (no validation at all) or no errors in prior checks = success. // Default (no validation at all) or no errors in prior checks = success.
return 0; return 0;

3
tasmota/my_user_config.h
View File

@ -401,6 +401,9 @@
// #define USE_MQTT_AWS_IOT // [Deprecated] Enable MQTT for AWS IoT - requires a private key (+11.9k code, +0.4k mem) // #define USE_MQTT_AWS_IOT // [Deprecated] Enable MQTT for AWS IoT - requires a private key (+11.9k code, +0.4k mem)
// Note: you need to generate a private key + certificate per device and update 'tasmota/tasmota_aws_iot.cpp' // Note: you need to generate a private key + certificate per device and update 'tasmota/tasmota_aws_iot.cpp'
// Full documentation here: https://github.com/arendst/Tasmota/wiki/AWS-IoT // Full documentation here: https://github.com/arendst/Tasmota/wiki/AWS-IoT
// #define USE_MQTT_TLS_DROP_OLD_FINGERPRINT // If you use fingerprint (i.e. not CA) validation, the algorithm changed to a more secure one.
// Any valid fingerprint with the old algo will be automatically updated to the new algo.
// Enable this if you want to disable the old algo check, which should be more secure
// for USE_4K_RSA (support for 4096 bits certificates, instead of 2048), you need to uncommend `-DUSE_4K_RSA` in `build_flags` from `platform.ini` or `platform_override.ini` // for USE_4K_RSA (support for 4096 bits certificates, instead of 2048), you need to uncommend `-DUSE_4K_RSA` in `build_flags` from `platform.ini` or `platform_override.ini`
// -- Telegram Protocol --------------------------- // -- Telegram Protocol ---------------------------